
Free CISSP Practice Questions

10 free, exam-style Certified Information Systems Security Professional (CISSP) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CISSP practice test to study every exam domain.

Question 1

An organization's leadership implements security controls based on industry best practices but never reviews them again. This represents:

  A. Due care without due diligence
  B. Due diligence without due care
  C. Both due care and due diligence
  D. Neither due care nor due diligence

Correct answer: A - Due care without due diligence

Question 2

The Data Custodian is PRIMARILY responsible for:

  A. Setting overall data classification policy
  B. Operating systems and protecting the data
  C. Defining the business value of the data
  D. Approving formal exceptions to policy

Correct answer: B - Operating systems and protecting the data

Question 3

A user with Top Secret clearance attempts to write a document classified at the Confidential level. Under the Bell-LaPadula model, the result is:

  A. Allowed by the simple security property
  B. Denied by the simple security property
  C. Allowed by the star (★) property
  D. Denied by the star (★) property

Correct answer: D - Denied by the star (★) property

Question 4

The "harvest now, decrypt later" attack model assumes that:

  A. Modern encryption is unbreakable, so defense is unnecessary going forward
  B. Old encrypted backups can be recovered using only password guessing
  C. Encrypted data captured today may be decrypted by future quantum computers
  D. Symmetric algorithms have no risk from any future cryptanalytic advances

Correct answer: C - Encrypted data captured today may be decrypted by future quantum computers

Question 5

WPA2 is vulnerable to which notable attack on its 4-way handshake?

  A. Heartbleed attack
  B. KRACK attack
  C. BEAST attack
  D. Logjam attack

Correct answer: B - KRACK attack

Question 6

A common security mistake in modern web architecture is to:

  A. Issue access tokens to authorized client applications
  B. Treat OAuth 2.0 as an authentication protocol
  C. Combine OAuth 2.0 with the OpenID Connect layer
  D. Use OAuth 2.0 for delegated API access

Correct answer: B - Treat OAuth 2.0 as an authentication protocol

Question 7

A SOC 2 report focuses on which Trust Services Criteria?

  A. Hardware, Software, Network, Storage, and Compute resources
  B. Identification, Authentication, Authorization, Audit, and Accounting
  C. Security, Availability, Processing Integrity, Confidentiality, Privacy
  D. Marketing, Sales, Operations, Finance, and Human Resources

Correct answer: C - Security, Availability, Processing Integrity, Confidentiality, Privacy

Question 8

An analyst disconnects an infected host from the network during an active incident. According to the NIST SP 800-61 incident response lifecycle, this action is BEST classified as:

  A. Eradication of the malware
  B. Recovery of the system
  C. Containment of the threat
  D. Lessons learned activity

Correct answer: C - Containment of the threat

Question 9

A development team needs to determine whether their application is exposed to the Log4Shell vulnerability (CVE-2021-44228). Which testing approach is BEST suited to find this exposure?

  A. Manual peer code review of all source files
  B. DAST scanning of the running application
  C. SAST scanning of the team's source code
  D. SCA scanning of third-party dependencies

Correct answer: D - SCA scanning of third-party dependencies

Question 10

A race condition exploit known as TOCTOU specifically targets:

  A. The size of the network MTU between hosts
  B. The expiration window of a TLS certificate
  C. The complexity of user-chosen passwords
  D. The gap between time-of-check and time-of-use

Correct answer: D - The gap between time-of-check and time-of-use
