Exam (elaborations)

ISC2 CYBERSECURITY ACTUAL EXAM 2025 QUESTIONS AND ANSWERS

Pages
97
Grade
A+
Uploaded on
05-08-2025
Written in
2025/2026

Institution
ISC2
Course
ISC2













Document specific requirements that a customer has about any aspect of a vendor's service
performance.

A) DLR
B) Contract
C) SLR
D) NDA

- ANS C) SLR (Service-Level Requirements)


_________ identifies and triages risks. - ANS Risk Assessment


_________ are external forces that jeopardize security. - ANS Threats


_________ are methods used by attackers. - ANS Threat Vectors


_________ are the combination of a threat and a vulnerability. - ANS Risks


We rank risks by _________ and _________. - ANS Likelihood and impact


_________ use subjective ratings to evaluate risk likelihood and impact. - ANS Qualitative
Risk Assessment




1 Copyright ©BRIGHSTARS ALL RIGHTS RESERVED 2025

_________ use objective numeric ratings to evaluate risk likelihood and impact. - ANS Quantitative Risk Assessment


_________ analyzes and implements possible responses to control risk. - ANS Risk Treatment


_________ changes business practices to make a risk irrelevant. - ANS Risk Avoidance


_________ reduces the likelihood or impact of a risk. - ANS Risk Mitigation


An organization's _________ is the set of risks that it faces. - ANS Risk Profile


_________ is the initial risk of an organization. - ANS Inherent Risk


_________ is the risk that remains in an organization after controls. - ANS Residual Risk


_________ is the level of risk an organization is willing to accept. - ANS Risk Tolerance


_________ reduce the likelihood or impact of a risk and help identify issues. - ANS Security
Controls


_________ stop a security issue from occurring. - ANS Preventive Control


_________ identify security issues requiring investigation. - ANS Detective Control


_________ remediate security issues that have occurred. - ANS Recovery Control


Hardening == Preventative - ANS Virus == Detective





Backups == Recovery - ANS For exam (Local and Technical Controls are the same)


_________ use technology to achieve control objectives. - ANS Technical Controls


_________ use processes to achieve control objectives. - ANS Administrative Controls


_________ impact the physical world. - ANS Physical Controls


_________ tracks specific device settings. - ANS Configuration Management


_________ provide a configuration snapshot. - ANS Baselines (track changes)


_________ assigns numbers to each version. - ANS Versioning


_________ serve as important configuration artifacts. - ANS Diagrams


_________ and _________ help ensure a stable operating environment. - ANS Change and
Configuration Management


Purchasing an insurance policy is an example of which risk management strategy? - ANS Risk
Transference


What two factors are used to evaluate a risk? - ANS Likelihood and Impact


What term best describes making a snapshot of a system or application at a point in time for
later comparison? - ANS Baselining


What type of security control is designed to stop a security issue from occurring in the first
place? - ANS Preventive


What term describes risks that originate inside the organization? - ANS Internal


What four items belong to the security policy framework? - ANS Policies, Standards,
Guidelines, Procedures


_________ describe an organization's security expectations. - ANS Policies (mandatory and
approved at the highest level of an organization)


_________ describe specific security controls and are often derived from policies. -
ANS Standards (mandatory)


_________ describe best practices. - ANS Guidelines (recommendations/advice and
compliance is not mandatory)


_________ are step-by-step instructions. - ANS Procedures (not mandatory)


_________ describe authorized uses of technology. - ANS Acceptable Use Policies (AUP)


_________ describe how to protect sensitive information. - ANS Data Handling Policies


_________ cover password security practices. - ANS Password Policies


_________ cover use of personal devices with company information. - ANS Bring Your Own
Device (BYOD) Policies


_________ cover the use of personally identifiable information. - ANS Privacy Policies


_________ cover the documentation, approval, and rollback of technology changes. -
ANS Change Management Policies
