The CISSP (Certified Information Systems Security Professional) is widely regarded as the gold standard of cybersecurity certifications. Unlike vendor-specific credentials or entry-level exams, CISSP tests your ability to think and make decisions like a seasoned security manager, not just a technician. That means the exam isn't about memorizing protocol numbers or port lists. It's about understanding security from a business and risk management perspective, and choosing the answer that protects the organization best in a given scenario.
This free CertLabz practice test gives you 20 real-style questions spanning all 8 CISSP domains. Each question mimics the format and tone of the actual CAT exam. After selecting an answer, you'll see a full explanation of why the correct answer is right and why the distractors are wrong. Use this to identify your weak domains before upgrading to the full CertLabz CISSP question bank with 250+ scenario-based items, timed mock exams, and blockchain-verified credentials.
Question 1 | Domain 1: Security & Risk Management
A company discovers that a third-party vendor has access to sensitive customer data as part of a service contract. The security manager is creating a formal process to evaluate this risk. Which step should be performed FIRST?
- A Terminate the vendor contract immediately to eliminate the risk
- B Conduct a risk assessment to determine the likelihood and impact of the vendor's access
- C Implement technical controls to monitor all vendor activity in real time
- D Require the vendor to complete a security questionnaire and attestation
Correct Answer: B. Before taking any action, you must understand the risk. A risk assessment identifies the likelihood and impact of threats, which informs the appropriate response. Terminating the vendor (A) may be premature and costly. Technical monitoring (C) is a control, not a risk identification step. A questionnaire (D) is useful but comes after you've established what risk you're evaluating.
Question 2 | Domain 2: Asset Security
An organization is classifying data stored across its systems. A dataset contains anonymized research data, personally identifiable information, and internal financial projections. What is the correct approach to classifying this dataset?
- A Classify the entire dataset at the lowest classification level to simplify access controls
- B Split the dataset into separate stores and classify each component independently
- C Classify the entire dataset at the highest classification level of any component
- D Apply no classification until the data custodian reviews each record manually
Correct Answer: C. When data at different classification levels is stored together, the combined dataset must be classified at the highest level of any individual component. This is the conservative, risk-based approach. Downclassifying to the lowest level (A) would expose sensitive PII and financial data inappropriately. Splitting (B) is often impractical and still requires a classification decision. Manual review (D) delays protection and is not a recognized classification standard.
Question 3 | Domain 3: Security Architecture & Engineering
A security architect is evaluating a new cloud deployment. The architecture must ensure that a compromise of one workload cannot propagate to other workloads. Which principle BEST addresses this requirement?
- A Fail secure
- B Least privilege
- C Defense in depth
- D Isolation and compartmentalization
Correct Answer: D. Isolation and compartmentalization ensure that workloads are separated so that a compromise cannot spread laterally. Least privilege (B) limits what a compromised workload can access but doesn't inherently prevent propagation across workload boundaries. Defense in depth (C) is a broader strategy with multiple layered controls. Fail secure (A) relates to system behavior during a failure, not lateral movement prevention.
Question 4 | Domain 4: Communication & Network Security
An employee working remotely connects to corporate resources over a VPN. Security logs show that after VPN authentication, the user's traffic is being routed through the corporate network regardless of destination. What type of VPN configuration is in use?
- A Full tunnel VPN
- B Split tunnel VPN
- C Site-to-site VPN
- D SSL/TLS VPN
Correct Answer: A. A full tunnel VPN routes ALL traffic, including internet-bound traffic, through the corporate network. This provides maximum visibility and control but increases bandwidth costs. A split tunnel (B) only routes corporate-bound traffic through the VPN, allowing direct internet access. Site-to-site (C) connects two network locations. SSL/TLS VPN (D) is an authentication/encryption method, not a routing decision.
Question 5 | Domain 5: Identity & Access Management
A financial institution requires that no single employee can both approve a transaction and initiate it. This control BEST represents which security principle?
- A Least privilege
- B Separation of duties
- C Need to know
- D Job rotation
Correct Answer: B. Separation of duties requires that two or more people complete a sensitive transaction together, preventing any one individual from having end-to-end control over a process. This is a key fraud-prevention control in financial environments. Least privilege (A) limits what a user can access. Need to know (C) limits what information a user can view. Job rotation (D) moves employees between roles periodically to detect fraud over time.
Question 6 | Domain 6: Security Assessment & Testing
A penetration tester has been given full network documentation, IP ranges, and administrator credentials before beginning an engagement. What type of penetration test is this?
- A Black box test
- B Gray box test
- C White box test
- D Red team exercise
Correct Answer: C. A white box test (also called a crystal box or glass box test) provides the tester with full knowledge of the environment, including documentation, source code, and credentials. Black box (A) means no prior knowledge. Gray box (B) means partial knowledge (e.g., credentials but no documentation). A red team exercise (D) typically uses a black or gray box approach to simulate real-world adversaries.
Question 7 | Domain 7: Security Operations
During an incident response, a forensic analyst wants to collect evidence from a running server. In what order should volatile evidence be collected to preserve the most time-sensitive information?
- A CPU registers and cache, RAM contents, network connections, running processes, disk contents
- B Disk contents first, then RAM, then network connections
- C Network connections first, then disk, then RAM
- D Power off the server immediately to preserve disk state
Correct Answer: A. The Order of Volatility (RFC 3227) guides evidence collection from most volatile to least volatile. CPU registers are lost almost instantly. RAM is lost on power-off. Network connections expire. Running processes disappear. Disk contents are non-volatile. Powering off first (D) destroys RAM evidence, which is often critical in malware investigations.
Question 8 | Domain 8: Software Development Security
A developer is implementing input validation for a web form. To prevent SQL injection, which approach provides the STRONGEST protection?
- A Input length restriction to 255 characters
- B Parameterized queries (prepared statements)
- C Client-side JavaScript input validation
- D Blacklisting known SQL keywords like DROP and SELECT
Correct Answer: B. Parameterized queries (prepared statements) separate SQL code from data: the statement text is fixed and user-supplied values are bound as parameters that the database never parses as SQL, so injection is structurally impossible regardless of input content. Length restriction (A) doesn't prevent injection, since a working injection string can be very short. Client-side validation (C) is trivially bypassed by attackers. Blacklisting (D) is incomplete, and attackers routinely bypass keyword filters using encoding, case variations, and comments.
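To make the distinction between answer B and distractor A concrete, here is an added example (not part of the CertLabz question or its explanation) that runs the same lookup two ways against a constructed in-memory SQLite table: once with the value spliced into the SQL text, once bound to a `?` placeholder. The table, the sample users and the function names are all assumptions made for this illustration.

```python
import sqlite3

# Constructed in-memory table; the rows are sample data, not from any real system.
SAMPLE_USERS = [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE form: the value is spliced into the SQL text, so a quote in the
    input closes the string literal and whatever follows is parsed as SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED form (prepared statement): the SQL text is fixed and the value is
    bound to the ? placeholder, so the engine only ever treats it as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input and return the row counts side by side."""
    conn = build_db()
    try:
        return {
            "concatenated": len(lookup_concatenated(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign username matches exactly one row either way.
    print("alice ->", compare("alice"))
    # The textbook 11-character probe shows why a length cap (distractor A) is no
    # defence: concatenation returns every row, the prepared statement returns none.
    print("probe ->", compare("' OR '1'='1"))
```

The hardened lookup returns no rows for the probe because it searches for a username that is literally equal to that string; the structure of the statement cannot be altered by the bound value. The same pattern applies to any driver that supports placeholders (`%s` in psycopg2, `?` in JDBC, `:name` in many ORMs); the point of the question is that the separation is done by the driver and database, not by filtering the input.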
Question 9 | Domain 1: Security & Risk Management
A security manager calculates that a specific server has an Asset Value of $500,000, an Exposure Factor of 40%, and an Annualized Rate of Occurrence of 0.5. What is the Annualized Loss Expectancy (ALE)?
- A $200,000
- B $250,000
- C $100,000
- D $1,000,000
Correct Answer: C. ALE = SLE × ARO, where SLE (Single Loss Expectancy) = Asset Value × Exposure Factor. SLE = $500,000 × 0.40 = $200,000. ALE = $200,000 × 0.5 = $100,000. Memorize this formula. Quantitative risk calculations appear consistently on CISSP. The ALE tells you the most you can justify spending per year on a control before it becomes uneconomical.
Question 10 | Domain 5: Identity & Access Management
An organization adopts a model where access decisions are based on user attributes, resource attributes, and environmental conditions rather than predefined roles. Which access control model is being described?
- A Role-Based Access Control (RBAC)
- B Mandatory Access Control (MAC)
- C Discretionary Access Control (DAC)
- D Attribute-Based Access Control (ABAC)
Correct Answer: D. ABAC uses policies that combine attributes from multiple sources (subject attributes, object attributes, environment) to make dynamic access decisions. RBAC (A) assigns permissions based on job roles. MAC (B) uses system-enforced labels and clearances. DAC (C) lets resource owners decide who can access their resources. ABAC is the most flexible and fine-grained model, increasingly adopted in zero trust architectures.
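The following added example (not part of the CertLabz material) shows what "attributes from multiple sources" means in practice: a small deny-by-default policy engine where each rule is a predicate over subject, resource and environment attributes, evaluated beside a static RBAC role table for contrast. The rule names, attribute keys, sensitivity levels and the 08:00 to 18:00 business-hours window are all constructed for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from typing import Callable

# Ordered sensitivity/clearance labels (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Request:
    subject: dict      # who is asking (department, clearance, role, ...)
    resource: dict     # what is being accessed (owner_department, sensitivity, ...)
    environment: dict  # conditions of the request (time, mfa, device_managed, ...)


# --- hypothetical ABAC rules; every rule must hold for access to be granted ---

def department_match(s: dict, r: dict, e: dict) -> bool:
    return s.get("department") == r.get("owner_department")


def clearance_covers_sensitivity(s: dict, r: dict, e: dict) -> bool:
    return LEVELS.get(s.get("clearance", "public"), 0) >= LEVELS.get(r.get("sensitivity", "public"), 0)


def business_hours_or_mfa(s: dict, r: dict, e: dict) -> bool:
    # Environmental condition: outside 08:00-18:00 the request must be MFA-backed.
    now = e.get("time", time(0, 0))
    return bool(e.get("mfa")) or time(8, 0) <= now <= time(18, 0)


def managed_device(s: dict, r: dict, e: dict) -> bool:
    return e.get("device_managed") is True


# (rule name, predicate) pairs; evaluated in this order so failures are reported predictably
POLICY = [
    ("department-match", department_match),
    ("clearance-covers-sensitivity", clearance_covers_sensitivity),
    ("business-hours-or-mfa", business_hours_or_mfa),
    ("managed-device", managed_device),
]


def abac_decide(req: Request) -> tuple[bool, list[str]]:
    """Deny by default: return (allowed, names of the rules that failed)."""
    failed = [name for name, rule in POLICY
              if not rule(req.subject, req.resource, req.environment)]
    return (not failed, failed)


def decide(subject: dict, resource: dict, hour: int, mfa: bool, device_managed: bool) -> tuple[bool, list[str]]:
    """Convenience wrapper: build the environment for a given hour and evaluate the request."""
    env = {"time": time(hour, 0), "mfa": mfa, "device_managed": device_managed}
    return abac_decide(Request(subject, resource, env))


# --- RBAC for contrast: a static role -> permission table, blind to resource and environment ---
ROLE_PERMISSIONS = {"analyst": {"read-report"}, "admin": {"read-report", "edit-report"}}


def rbac_decide(role: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(role, set())


if __name__ == "__main__":
    analyst = {"department": "finance", "clearance": "confidential", "role": "analyst"}
    report = {"owner_department": "finance", "sensitivity": "confidential"}
    print("RBAC:", rbac_decide("analyst", "read-report"))      # True, whatever the hour or device
    print("ABAC:", decide(analyst, report, 22, False, True))   # (False, ['business-hours-or-mfa'])
    print("ABAC:", decide(analyst, report, 22, True, True))    # (True, [])
```

The RBAC table answers the same question for the analyst at 10:00 on a managed laptop and at 22:30 on an unmanaged one, because the role is the only input. The ABAC evaluator reaches a different decision in those two cases from the same subject, which is the "dynamic" and "fine-grained" property the explanation describes and the reason it pairs naturally with zero trust designs that re-evaluate every request.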
The CISSP exam weights each domain differently. Understanding the relative importance of each domain helps you allocate your study time effectively. Domain 1 alone covers 16% of the exam, making risk management and governance your highest-leverage area.
The biggest mistake CISSP candidates make is studying for the wrong exam. Many come from technical backgrounds and approach CISSP like CompTIA Security+, memorizing protocols, port numbers, and algorithm specs. While technical knowledge helps in a few domains, it is not what CISSP tests at its core. CISSP tests whether you think like a security executive who understands risk, governance, and business continuity.
Think Business First
Always ask: what answer protects the business while managing risk appropriately? Security controls must be proportional to risk. Never select an answer that harms business operations unless the alternative creates greater risk.
Identify the Best Answer
CISSP routinely presents four technically correct options. You must select the BEST one. Practice eliminating options that address a symptom rather than the root cause, or that are reactive rather than proactive.
Study All 8 Domains
Many candidates over-invest in technical domains (3, 4, 8) and neglect management domains (1, 2, 6). Domain 1 alone is 16% of the exam. Balanced preparation across all domains is the most reliable strategy.
Train on CertLabz
Use the CertLabz CISSP Domain Refresher course paired with the Cybersecurity Analyst Skill Track to build the management mindset the exam tests. CertLabz delivers 250+ scenario-based questions, full-length CAT-format mock exams, and blockchain-verified credentials so your prep history travels with you to recruiters.