Latest 2025/2026 Practice Questions & Study Guide
Document specific requirements that a customer has about any aspect of a vendor's service performance.
A) DLR
B) Contract
C) SLR
D) NDA
- correct answer: C) SLR (Service-Level Requirements)
_________ identifies and triages risks. - correct answer: Risk Assessment
_________ are external forces that jeopardize security. - correct answer: Threats
_________ are methods used by attackers. - correct answer: Threat Vectors
_________ are the combination of a threat and a vulnerability. - correct answer: Risks
We rank risks by _________ and _________. - correct answer: Likelihood and Impact
_________ use subjective ratings to evaluate risk likelihood and impact. - correct answer: Qualitative Risk Assessment
_________ use objective numeric ratings to evaluate risk likelihood and impact. - correct answer: Quantitative Risk Assessment
_________ analyzes and implements possible responses to control risk. - correct answer: Risk Treatment
_________ changes business practices to make a risk irrelevant. - correct answer: Risk Avoidance
_________ reduces the likelihood or impact of a risk. - correct answer: Risk Mitigation
An organization's _________ is the set of risks that it faces. - correct answer: Risk Profile
_________ is the initial risk of an organization. - correct answer: Inherent Risk
_________ is the risk that remains in an organization after controls. - correct answer: Residual Risk
_________ is the level of risk an organization is willing to accept. - correct answer: Risk Tolerance
_________ reduce the likelihood or impact of a risk and help identify issues. - correct answer: Security Controls
_________ stop a security issue from occurring. - correct answer: Preventive Control
_________ identify security issues requiring investigation. - correct answer: Detective Control
_________ remediate security issues that have occurred. - correct answer: Recovery Control
Hardening == Preventative; Antivirus == Detective; Backups == Recovery - correct answer: For the exam, Logical and Technical Controls are the same.
_________ use technology to achieve control objectives. - correct answer: Technical Controls
_________ use processes to achieve control objectives. - correct answer: Administrative Controls
_________ impact the physical world. - correct answer: Physical Controls
_________ tracks specific device settings. - correct answer: Configuration Management
_________ provide a configuration snapshot. - correct answer: Baselines (track changes)
_________ assigns numbers to each version. - correct answer: Versioning
_________ serve as important configuration artifacts. - correct answer: Diagrams
_________ and _________ help ensure a stable operating environment. - correct answer: Change and Configuration Management
Purchasing an insurance policy is an example of which risk management strategy? - correct answer: Risk Transference
What two factors are used to evaluate a risk? - correct answer: Likelihood and Impact
What term best describes making a snapshot of a system or application at a point in time for later comparison? - correct answer: Baselining
What type of security control is designed to stop a security issue from occurring in the first place? - correct answer: Preventive
What term describes risks that originate inside the organization? - correct answer: Internal
What four items belong to the security policy framework? - correct answer: Policies, Standards, Guidelines, Procedures
_________ describe an organization's security expectations. - correct answer: Policies (mandatory and approved at the highest level of an organization)
_________ describe specific security controls and are often derived from policies. - correct answer: Standards (mandatory)
_________ describe best practices. - correct answer: Guidelines (recommendations/advice; compliance is not mandatory)
_________ are step-by-step instructions. - correct answer: Procedures (not mandatory)
_________ describe authorized uses of technology. - correct answer: Acceptable Use Policies (AUP)
_________ describe how to protect sensitive information. - correct answer: Data Handling Policies
_________ cover password security practices. - correct answer: Password Policies
_________ cover use of personal devices with company information. - correct answer: Bring Your Own Device (BYOD) Policies
_________ cover the use of personally identifiable information. - correct answer: Privacy Policies
_________ cover the documentation, approval, and rollback of technology changes. - correct answer: Change Management Policies
Which element of the security policy framework includes suggestions that are not mandatory? - correct answer: Guidelines
What law applies to the use of personal information belonging to European Union residents? - correct answer: GDPR
What type of security policy normally describes how users may access business information with their own devices? - correct answer: BYOD Policy
_________ is the set of controls designed to keep a business running in the face of adversity, whether natural or man-made. - correct answer: Business Continuity Planning (BCP)
BCP is also known as _________. - correct answer: Continuity of Operations Planning (COOP)
Defining the BCP scope: - correct answer: What business activities will the plan cover? What systems will it cover? What controls will it consider?
_________ identifies and prioritizes risks. - correct answer: Business Impact Assessment
BCP in the cloud requires _________ between providers and customers. - correct answer: Collaboration
_________ protects against the failure of a single component. - correct answer: Redundancy
_________ identifies and removes SPOFs. - correct answer: Single Point of Failure Analysis
_________ continues until the cost of addressing risks outweighs the benefit. - correct answer: SPOF Analysis
_________ uses multiple systems to protect against service failure. - correct answer: High Availability
_________ makes a single system resilient against technical failures. - correct answer: Fault Tolerance
_________ spreads demand across systems. - correct answer: Load Balancing
Three common points of failure in a system. - correct answer: Power Supply, Storage Media, Networking
Disk mirroring is which RAID level? - correct answer: 1
Disk striping with parity is which RAID level? - correct answer: 5 (uses 3 or more disks to store data)
What goal of security is enhanced by a strong business continuity program? - correct answer: Availability
What is the minimum number of disks required to perform RAID level 5? - correct answer: 3