CISSP Official ISC2 practice tests (All
domains) Exam Question & Answers
2026
1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost.benefit analysis. - CORRECT
ANSWERS ✔✔D.
The final step of a quantitative risk analysis is conducting
a cost/benefit analysis to
determine whether the organisation should implement
proposed countermeasure(s).
2. An evil twin attack that broadcasts a legitimate SSID
for an unauthorised network is an example of what
category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering - CORRECT ANSWERS ✔✔A.
,CISSP Official ISC2 practice tests (All
domains) Exam Question & Answers
2026
Spoofing attacks use falsified identities. Spoofing attacks
may use false IP addresses, email addresses, names, or,
in the case of an evil twin attack, SSIDs.
3. Under the Digital Millennium Copyright Act (DMCA),
what type of offenses do not require prompt action by an
Internet service provider after it receives a notification of
infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's
server
B. Caching of information by the provider
C. Transmission of information over the provider's
network by a customer
D. Caching of information in a provider search engine -
CORRECT ANSWERS ✔✔C.
The DMCA states that providers are not responsible for
the transitory activities of
their users. Transmission of information over a network
would qualify for this exemption. The other activities
listed are all nontransitory actions that require
remediation by the provider.
,CISSP Official ISC2 practice tests (All
domains) Exam Question & Answers
2026
4. FlyAway Travel has offices in both the European Union
and the United States and transfers personal information
between those offices regularly. Which of the seven
requirements for processing personal information states
that organizations must inform individuals about how the
information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement - CORRECT ANSWERS ✔✔A.
The Notice principle says that organizations must inform
individuals of the information the organization collects
about individuals and how the organization will use it.
These principles are based upon the Safe Harbor Privacy
Principles issued by the US Department of Commerce in
2000 to help US companies comply with EU and Swiss
privacy laws when collecting, storing, processing or
transmitting data on EU or
Swiss citizens.
5. Which one of the following is not one of the three
common threat modeling techniques?
, CISSP Official ISC2 practice tests (All
domains) Exam Question & Answers
2026
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering - CORRECT ANSWERS
✔✔D.
The three common threat modeling techniques are
focused on attackers, software,
and assets. Social engineering is a subset of attackers.
6. Which one of the following elements of information is
not considered personally identifiable information that
would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number - CORRECT ANSWERS ✔✔A.
Most state data breach notification laws are modeled
after California's law, which
domains) Exam Question & Answers
2026
1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost.benefit analysis. - CORRECT
ANSWERS ✔✔D.
The final step of a quantitative risk analysis is conducting
a cost/benefit analysis to
determine whether the organisation should implement
proposed countermeasure(s).
2. An evil twin attack that broadcasts a legitimate SSID
for an unauthorised network is an example of what
category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering - CORRECT ANSWERS ✔✔A.
,CISSP Official ISC2 practice tests (All
domains) Exam Question & Answers
2026
Spoofing attacks use falsified identities. Spoofing attacks
may use false IP addresses, email addresses, names, or,
in the case of an evil twin attack, SSIDs.
3. Under the Digital Millennium Copyright Act (DMCA),
what type of offenses do not require prompt action by an
Internet service provider after it receives a notification of
infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's
server
B. Caching of information by the provider
C. Transmission of information over the provider's
network by a customer
D. Caching of information in a provider search engine -
CORRECT ANSWERS ✔✔C.
The DMCA states that providers are not responsible for
the transitory activities of
their users. Transmission of information over a network
would qualify for this exemption. The other activities
listed are all nontransitory actions that require
remediation by the provider.
,CISSP Official ISC2 practice tests (All
domains) Exam Question & Answers
2026
4. FlyAway Travel has offices in both the European Union
and the United States and transfers personal information
between those offices regularly. Which of the seven
requirements for processing personal information states
that organizations must inform individuals about how the
information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement - CORRECT ANSWERS ✔✔A.
The Notice principle says that organizations must inform
individuals of the information the organization collects
about individuals and how the organization will use it.
These principles are based upon the Safe Harbor Privacy
Principles issued by the US Department of Commerce in
2000 to help US companies comply with EU and Swiss
privacy laws when collecting, storing, processing or
transmitting data on EU or
Swiss citizens.
5. Which one of the following is not one of the three
common threat modeling techniques?
, CISSP Official ISC2 practice tests (All
domains) Exam Question & Answers
2026
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering - CORRECT ANSWERS
✔✔D.
The three common threat modeling techniques are
focused on attackers, software,
and assets. Social engineering is a subset of attackers.
6. Which one of the following elements of information is
not considered personally identifiable information that
would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number - CORRECT ANSWERS ✔✔A.
Most state data breach notification laws are modeled
after California's law, which