CISMP Questions and Correct Answers
Why is a working group a good idea? Ans: You get perspective
from all stakeholders across the business
Confidentiality Ans: The property that information is not made
available or disclosed to unauthorised individuals, entities or
processes
Integrity Ans: The property of accuracy and completeness
Availability Ans: The property of information being accessible
upon demand by an authorised entity
Asset Ans: Anything that has value to an organisation
What are the 3 main types of asset? Ans: 1. Physical
2. Software
3. Pure information (in any format)
What is the difference between data and information? Ans: Data is
the basic facts and stats that can be analysed. Information is the
result of this analysis
Threat Ans: A potential cause of an unwanted incident that can
result in harm to an organisation
© 2025 All rights reserved
Vulnerability Ans: A weakness of an asset or control that can be
exploited by one or more threats
Risk Ans: The effect of uncertainty on objectives and the
combination of a threat and a vulnerability
Impact Ans: The result of an info security incident, caused by a
threat, which affects assets
True or False
The threat and vulnerability must be present for a risk to exist
Ans: True
What is the purpose of a control? Ans: An activity that is taken to
manage an identified risk
What are the three main types of strategic control? Ans: Eliminate
(Risk avoidance)
Reduce
Transfer
Accept
What is risk avoidance? Ans: The informed decision not to be
involved in, or to withdraw from, an activity in order not to be
exposed to a particular risk
What is risk reduction? Ans: Action is taken to lessen the
probability or the negative consequences associated with the risk
What is Risk Transfer? Ans: A form of risk treatment involving
the agreed distribution of risk with other parties
Why does risk transfer help? Ans: It moves accountability for a
risk to another organization that will take on future risk
management. For instance, insurance or writing contracts.
True or False?
Risk transfer will reduce accountability and impact Ans: False.
The impact will remain the same
Identity Ans: Info that distinguishes one entity from another
Authentication Ans: Provision of assurance of the claimed identity
of an entity
Authorization Ans: The right or permission that is granted to a
system entity to access a system resource
Accountability Ans: The property that ensures that the actions of
an entity can be traced uniquely to the entity
Audit Ans: The review of a party's capacity to meet, or continue to
meet, the initial and ongoing approval agreements as a service
provider
Compliance Ans: Meeting or exceeding all applicable requirements
or a standard or other published set of requirements
What is an Info Security Management System (ISMS)? Ans: Part of
the overall management system, based on a business risk
approach, used to establish, implement, operate, monitor, review,
maintain, and improve info security
What is the core principle behind ISMS? Ans: There should be a
'one-stop shop' for all information pertinent to the assurance of
information within an organization
Information security Ans: Preservation of confidentiality,
integrity, and availability of information. Other properties such as
authenticity, accountability, non-repudiation, and reliability can be
involved too.
Information Assurance Ans: The confidence that information
systems will protect the info that they carry. They will also
function as they need to under the control of legitimate users
What are the 3 types of control needed to accomplish IA tasks?
Ans: Physical, technical, and administrative