Master CISSP Domain 1: Take the Free Practice Quiz!

Ready for your free CISSP practice test? Try these sample test questions now!

Difficulty: Moderate
2-5mins

Use this free CISSP Domain 1 practice exam to build your Security and Risk Management skills with real-world questions. You'll work through scenarios on risk, controls, and asset security, get instant feedback and short explanations, and spot gaps before the exam. Start the quiz or review business continuity.

Which principle of the CIA triad ensures that sensitive information is not disclosed to unauthorized individuals?
Confidentiality
Integrity
Authentication
Availability
Confidentiality in the CIA triad refers to protecting information from unauthorized access. It ensures that only individuals with the proper clearance can view sensitive data. This foundational security concept is vital for protecting privacy and proprietary information.
What is the primary purpose of an organizational security policy?
To serve as a user training manual
To define detailed technical standards
To provide broad management direction and support for security
To outline network configuration steps
A security policy establishes management's vision and rules for protecting organizational assets. It sets the overarching goals and mandates for security controls. Detailed procedures and standards are derived from this high-level policy.
Which term describes the concept of doing the right thing by implementing all necessary security measures?
Risk transference
Risk acceptance
Due diligence
Due care
Due care refers to the actions and precautions legal standards require to prevent harm. It is the concept of doing what a reasonable person would do to secure assets. Due diligence is the investigation and assessment process before taking action.
Which component of the CIA triad ensures that systems and data are accessible when needed?
Integrity
Non-repudiation
Availability
Confidentiality
Availability ensures that data and services are accessible to authorized users when required. It covers redundancy, failover, and recovery measures. Without availability, systems could become unusable at critical times.
Which regulation mandates data protection and privacy for EU citizens?
FISMA
GDPR
SOX
HIPAA
The General Data Protection Regulation (GDPR) is EU legislation that protects personal data and privacy. It applies to organizations processing the data of EU residents. It imposes strict penalties for non-compliance.
What differentiates a security standard from a guideline?
Standards are optional and guidelines are mandatory
Guidelines are audited and standards are not
Guidelines define penalties and standards do not
Standards are mandatory and guidelines are advisory
Standards specify mandatory controls and measurable requirements, whereas guidelines offer non-binding advice. Organizations must comply with standards but may choose whether to follow guidelines. Guidelines help achieve the intent of policies and standards.
Which type of risk assessment categorizes threats based on subjective scales rather than numerical values?
Hybrid risk assessment
Quantitative risk assessment
Automated risk assessment
Qualitative risk assessment
Qualitative risk assessment uses descriptive scales such as high, medium, and low to evaluate risk. It relies on expert judgment rather than numerical data. This method is faster but less precise than quantitative techniques.
In quantitative risk analysis, which formula defines the Annualized Loss Expectancy (ALE)?
ALE = Loss Magnitude × Impact Frequency
ALE = Asset Value × Exposure Factor
ALE = Threat Probability × Vulnerability Score
ALE = Single Loss Expectancy × Annualized Rate of Occurrence
Annualized Loss Expectancy (ALE) is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). It quantifies expected yearly financial loss. This formula is fundamental to quantitative risk management.
What does Single Loss Expectancy (SLE) represent in risk management?
The percentage of assets exposed
The annual frequency of a threat
The total cost of all incidents per year
The monetary loss expected from a single incident
SLE is the expected monetary loss when a risk event occurs once. It is calculated as Asset Value multiplied by Exposure Factor. It helps organizations understand the potential impact of individual incidents.
What term describes the risk remaining after controls are implemented?
Residual risk
Secondary risk
Inherent risk
Tertiary risk
Residual risk is the risk that persists after security measures are applied. It is calculated by subtracting control effectiveness from inherent risk. Organizations accept or transfer this remaining risk based on appetite.
Which practice involves shifting risk to another party, such as through insurance?
Risk acceptance
Risk avoidance
Risk transference
Risk mitigation
Risk transference assigns the financial consequences of a risk to a third party, commonly via insurance contracts. The original party still faces the event but shifts the monetary impact. This does not reduce risk occurrence, only its financial burden.
What is the main objective of a Business Impact Analysis (BIA)?
Assess network vulnerabilities
Identify critical functions and their recovery requirements
Develop incident response procedures
Implement security awareness training
A BIA identifies and evaluates the effects of disruptions on critical business functions. It determines Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). The results guide continuity and disaster recovery planning.
Which NIST Cybersecurity Framework function focuses on detecting cybersecurity events?
Protect
Detect
Identify
Recover
The Detect function includes activities to identify the occurrence of cybersecurity events quickly. It covers continuous monitoring and anomaly detection. Effective detection helps minimize impact and response times.
Separation of duties primarily helps mitigate which type of risk?
Natural disasters
Deliberate downtime
External hacking
Fraud and error
Separation of duties divides critical tasks among multiple individuals to reduce the chance of fraud and unintentional errors. It ensures no single person has full control over a sensitive process. This internal control is central to robust security governance.
What role acts as a liaison between IT security teams and business units to promote security best practices?
Business continuity manager
Data owner
Security champion
Incident responder
A security champion is embedded in business units to advocate for security in projects. They bridge the gap between IT security and operations, ensuring policies are applied. This role improves communication and compliance.
Which U.S. federal law requires publicly traded companies to implement internal controls and report on their effectiveness?
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act
Federal Information Security Management Act
The Sarbanes-Oxley Act (SOX) mandates internal control assessments and auditor reports for public companies. It aims to improve financial disclosures and prevent corporate fraud. Section 404 specifically addresses IT controls.
In the context of risk management, what is inherent risk?
Risk accepted without action
Risk transferred to a third party
The risk remaining after controls
The level of risk before any controls are applied
Inherent risk represents the exposure level before any security measures are implemented. It serves as a baseline for evaluating the impact of controls. By comparing inherent and residual risks, organizations determine control effectiveness.
Which framework focuses on IT governance and aligns IT processes with business objectives?
ITIL
COSO
NIST CSF
COBIT
COBIT (Control Objectives for Information and Related Technologies) is an IT governance framework that ensures IT aligns with business goals. It provides best practices and maturity models for process improvement. COSO covers broader internal controls, while ITIL focuses on service management.
What type of policy defines high-level principles and management intent?
Standard operating procedure
Enterprise Information Security Policy
Issue-specific policy
System-specific policy
An Enterprise Information Security Policy states the organization's overall security strategy and principles. It sets management's expectations and direction. Issue-specific and system-specific policies address particular concerns or systems.
Which process measures a control's performance and compares it to objectives?
Change management
Configuration management
Control assessment
Incident management
Control assessment evaluates whether security controls function as intended and meet objectives. It involves testing, audit, and monitoring activities. Findings guide improvements and risk decisions.
Which standard provides guidelines for implementing an information security management system (ISMS)?
ITIL v4
ISO 9001
ISO/IEC 27001
COBIT 5
ISO/IEC 27001 specifies requirements for establishing, implementing, maintaining, and improving an ISMS. It covers risk assessment, treatment, control selection, and continual improvement. Organizations use it to achieve formal certification.
Which risk response strategy involves eliminating exposure by discontinuing the activity?
Risk acceptance
Risk mitigation
Risk avoidance
Risk transference
Risk avoidance removes the cause of risk by stopping the activity altogether. It eliminates both the threat and associated potential benefits. While effective, it can also mean missing business opportunities.
Which component of a risk register captures the likelihood and impact scores?
Risk rating
Control description
Mitigation plan
Risk owner
Risk rating summarizes both likelihood and impact into a combined value to prioritize risks. It helps stakeholders focus on high-priority threats. The risk register documents these ratings for ongoing monitoring.
Which advanced quantitative technique uses random sampling to model and analyze the probability of different outcomes in risk analysis?
Decision tree analysis
Monte Carlo simulation
Fault tree analysis
Sensitivity analysis
Monte Carlo simulation runs thousands of randomized trials to estimate risk outcome distributions. It provides probabilistic insights into uncertainties. This technique is powerful for complex systems with interdependent variables.
Under ISO 31000, which principle emphasizes that risk management should be tailored to the organization's external and internal context?
Customization and integration
Structure and comprehensiveness
Human and cultural factors
Continual improvement
ISO 31000 highlights that risk management must be customized to the organization's unique context. This ensures relevance and effectiveness of processes. Tailoring also involves integrating risk management into all governance layers.

Study Outcomes

  1. Understand Security and Risk Management Concepts - Gain a clear grasp of foundational principles such as confidentiality, integrity, availability, governance, and compliance within the CISSP Domain 1 framework.
  2. Analyze Threats and Vulnerabilities - Learn to identify, classify, and evaluate common threats, vulnerabilities, and risk scenarios through realistic CISSP sample test questions.
  3. Apply Risk Assessment Techniques - Practice using quantitative and qualitative methods to assess risk and determine appropriate security controls in various scenarios.
  4. Evaluate Legal, Regulatory, and Compliance Requirements - Review major laws, regulations, and industry standards that impact information security management and risk governance.
  5. Improve Exam Readiness with Sample Questions - Build confidence and sharpen your test-taking strategy by tackling free CISSP practice exam items under simulated exam conditions.

Cheat Sheet

  1. The CIA Triad - The Confidentiality, Integrity, Availability (CIA) triad forms the cornerstone of Security and Risk Management, guiding the protection of data at rest and in transit. A handy mnemonic is "CIA" itself - Confidentiality using encryption, Integrity via hashing, and Availability through redundancy. Applying these principles in your CISSP sample test questions ensures a balanced defense in your free CISSP practice test.
  2. Risk Assessment Methodologies - Quantitative risk assessments use formulas like Single Loss Expectancy (SLE = Asset Value × Exposure Factor) and Annualized Rate of Occurrence (ARO) to calculate Annualized Loss Expectancy (ALE = SLE × ARO). Qualitative methods categorize risk levels (High, Medium, Low) and help prioritize controls in a CISSP sample test environment. Practicing these calculations under timed conditions on a free CISSP practice exam can boost your speed and accuracy.
  3. Security Governance Frameworks - Frameworks such as ISO/IEC 27001 and NIST SP 800-53 provide structured approaches to policy development, control implementation, and continuous improvement via the Plan-Do-Check-Act (PDCA) cycle. Understanding how to map organizational objectives to these standards is essential for both exam scenarios and real-world audits. Incorporating practice using a CISSP exam sample helps solidify your framework alignment skills.
  4. Laws, Regulations, and Privacy - Key regulations like GDPR, HIPAA, and SOX dictate data protection and privacy requirements across jurisdictions; non-compliance can lead to hefty fines and reputational damage. Distinguish between data controller and data processor roles and apply the principle of least privilege in case studies found in a CISSP sample test. Familiarizing yourself with these legal nuances in a free CISSP practice test context sharpens your decision-making skills.
  5. Business Continuity and Disaster Recovery - Business Impact Analysis (BIA) defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to guide disaster recovery planning and testing calendars. Strategies like redundant sites, offline backups, and tabletop exercises ensure resilience and are frequent topics in CISSP sample test questions. Working through these scenarios in a free CISSP practice exam builds confidence in your ability to keep operations running under pressure.
