Target Audience: Aspiring CISSP candidates
Questions: 80
Format: Multiple choice (one best answer)
Correct answers are highlighted in bold.
Rationales provided for each question.
Domain 1: Security and Risk Management (12 questions)
1. A global enterprise is implementing an AI-driven identity governance
system. Which ethical principle is MOST critical to prevent algorithmic bias
in access decisions?
A. Accountability
B. Non-repudiation
C. Fairness
D. Privacy by design
Rationale: Fairness ensures AI models do not discriminate based on protected
attributes. Accountability is important but addresses auditability; fairness directly
mitigates bias.
2. A company adopts the NIST Cybersecurity Framework (CSF) 2.0. Which
new category introduced in CSF 2.0 focuses on continuous improvement of
security processes?
A. Identify
B. Protect
C. Govern
D. Recover
Rationale: CSF 2.0 added the “Govern” function as a cross-cutting category,
emphasizing organizational context, risk management strategy, and policy
oversight.
3. Which of the following represents the BEST method to quantify risk for a
proposed cloud migration?
A. Qualitative risk assessment
B. Annualized Loss Expectancy (ALE) calculation
C. Single Loss Expectancy (SLE) only
D. Threat modeling only
Rationale: ALE (SLE × ARO) quantifies financial impact over time, allowing
cost-benefit decisions for controls. A qualitative assessment lacks numbers; SLE
alone ignores frequency.
4. A European bank processes personal data of EU citizens. Under GDPR,
what is the maximum fine for non-compliance with data breach notification
requirements?
A. €10 million or 2% of global turnover
B. €20 million or 4% of global turnover, whichever is higher
C. €5 million flat
D. €50 million or 5% of global turnover
Rationale: Article 83(5) GDPR sets the higher tier (4% or €20M) for breaches of
data subject rights and notification duties.
5. A business continuity plan (BCP) test is performed by walking through the
plan with key stakeholders without actually activating systems. This is called:
A. Full interruption test
B. Simulation test
C. Structured walkthrough
D. Parallel test
Rationale: Structured walkthrough (tabletop) involves discussing roles and steps.
Parallel test runs systems in recovery mode; full interruption is live failover.
6. Which concept ensures that an employee cannot deny performing an action
due to digital evidence logs?
A. Authorization
B. Non-repudiation
C. Authenticity
D. Confidentiality
Rationale: Non-repudiation uses digital signatures, audit trails, or blockchain to
prove an action occurred, preventing denial.
7. A new U.S. federal law in 2026 requires real-time reporting of material
cybersecurity incidents within 24 hours. This law most closely aligns with
which SEC rule concept?
A. Regulation SCI
B. Cyber incident materiality disclosure
C. GLBA safeguards rule
D. HIPAA breach rule
Rationale: The SEC’s 2023 rules (and expanded 2026 updates) mandate 4-day
disclosure, but proposed tighter rules push 24 hours for critical infrastructure;
“materiality” is key.
8. Which risk treatment strategy is being used if a company purchases a cyber
insurance policy?
A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance
Rationale: Transference shifts financial risk to an insurer. Mitigation reduces
likelihood/impact; avoidance eliminates the activity.
9. A security architect adopts “security by design” for a new IoT product. This
means:
A. Adding firewall after development
B. Integrating security controls from initial requirements phase
C. Only testing for vulnerabilities at launch
D. Relying on air gaps
Rationale: Security by design means embedding controls (e.g., secure boot,
encryption) throughout the SDLC, not retrofitting them after development.
10. Which type of control is a “captcha” on a login page?
A. Preventive – technical
B. Preventive – logical (or technical)