CISSP Practice Questions: 10 Free Exam-Style Q&A
Try 10 free CISSP practice questions with answers and explanations across all 8 ISC2 domains, plus the exam format, domain weights, and a proven study plan.
In this guide
- CISSP exam format, 8 domains & weights
- 10 free CISSP practice questions with answers
- How to study with CISSP practice exams
- Get CISSP-ready with Boost eLearning
- CISSP sample questions: exam FAQ
The CISSP (Certified Information Systems Security Professional) is ISC2’s flagship credential for security leaders, and the fastest way to gauge your readiness is to work real, exam-style items. The CISSP practice questions below are original and written to mirror how ISC2 actually asks — favoring the “best,” “first,” or “most effective” answer over pure recall. Attempt each one before revealing the explanation. Around the quiz you will find the verified exam format, the eight domains and their weights, and a study plan that turns practice into a pass.
CISSP exam format, 8 domains & weights
Per ISC2, the CISSP is delivered as a Computerized Adaptive Test (CAT). The English exam runs up to 3 hours and contains 100 to 150 items, and you need a scaled score of 700 out of 1000 to pass (ISC2 CISSP Exam Outline, effective April 15, 2024). Because the test is adaptive, each answer shapes the difficulty of the next question, and the exam ends once the engine is statistically confident in your result. About 25 items are unscored pretest questions, so treat every question as if it counts.
The exam draws from eight domains. Their weights show where to invest study time — Security and Risk Management alone is 16% of the exam.
| # | CISSP domain (per ISC2) | Weight |
|---|---|---|
| 1 | Security and Risk Management | 16% |
| 2 | Asset Security | 10% |
| 3 | Security Architecture and Engineering | 13% |
| 4 | Communication and Network Security | 13% |
| 5 | Identity and Access Management (IAM) | 13% |
| 6 | Security Assessment and Testing | 12% |
| 7 | Security Operations | 13% |
| 8 | Software Development Security | 10% |
Two lessons follow. First, no single domain dominates, so broad competence beats narrow depth. Second, the adaptive engine tests breadth — a severe weakness in even a 10% domain can sink an otherwise strong result.
10 free CISSP practice questions with answers
These CISSP sample questions span all eight domains in order. Read the stem, eliminate distractors, commit to an answer, then open the explanation. In manager-mindset items, more than one option is often technically valid — choose the one that is most effective or comes first.
-
Domain 1 — Security and Risk Management. A newly appointed CISO is building an enterprise information security program. Which action should come first?
- A. Deploy a SIEM to centralize log collection
- B. Perform an enterprise-wide risk assessment
- C. Secure visible commitment and sponsorship from senior management
- D. Publish an acceptable use policy
Reveal answer & explanation
Answer: C. A security program runs on executive sponsorship — it supplies the authority, budget, and “tone at the top” that every later step, from risk assessments to policies and tooling, depends on.
-
Domain 1 — Security and Risk Management. A server is valued at $80,000. A fire would destroy an estimated 50% of its value, and analysts expect one such fire every 10 years. What is the annualized loss expectancy (ALE)?
- A. $40,000
- B. $8,000
- C. $4,000
- D. $800
Reveal answer & explanation
Answer: C ($4,000). Single loss expectancy = asset value × exposure factor = $80,000 × 0.50 = $40,000. ALE = SLE × annualized rate of occurrence = $40,000 × 0.10 = $4,000.
-
Domain 2 — Asset Security. In a formal data classification program, who holds primary responsibility for assigning a data set’s classification level?
- A. The data custodian who maintains the storage systems
- B. The data owner
- C. The security administrator who configures access controls
- D. The end users who process the data
Reveal answer & explanation
Answer: B. The data owner — usually a senior business manager accountable for the information — sets its classification and value. Custodians and administrators only implement and enforce the controls the owner specifies.
-
Domain 3 — Security Architecture and Engineering. Which mechanism best provides non-repudiation for an electronic message?
- A. A shared symmetric session key
- B. A cryptographic hash of the message
- C. A digital signature created with the sender’s private key
- D. A message authentication code (MAC)
Reveal answer & explanation
Answer: C. A digital signature encrypts a hash with the sender’s private key, so only the sender could have produced it — proving origin and integrity. A hash gives integrity alone, and a MAC uses a shared key, so either party could have generated it.
-
Domain 4 — Communication and Network Security. After an attacker compromises one workstation, which control most effectively limits lateral movement to critical systems?
- A. Enforcing a longer password policy
- B. Segmenting the network into isolated zones
- C. Updating antivirus signatures daily
- D. Encrypting data at rest on servers
Reveal answer & explanation
Answer: B. Segmentation with VLANs, subnets, and internal firewalls confines a breach to one zone and blocks pivoting toward critical assets. The other controls address different threats and do little to stop movement inside a flat network.
-
Domain 5 — Identity and Access Management. Through several role changes, an employee has accumulated permissions well beyond their current job. Which control most directly corrects this authorization creep?
- A. Periodic access reviews and recertification
- B. Mandatory password changes every 90 days
- C. Account lockout after failed logins
- D. Single sign-on (SSO)
Reveal answer & explanation
Answer: A. Access reviews reconcile each user’s entitlements against current job needs and revoke the excess, directly countering privilege creep. The other options handle authentication or convenience, not entitlement accuracy.
-
Domain 6 — Security Assessment and Testing. Management wants assurance that a critical application’s controls would withstand a real attacker, not merely a list of possible weaknesses. Which assessment is most appropriate?
- A. An automated vulnerability scan
- B. A penetration test
- C. A policy compliance review
- D. A user access audit
Reveal answer & explanation
Answer: B. A penetration test attempts real exploitation, validating whether controls actually hold. A vulnerability scan flags potential weaknesses but never confirms they can be exploited.
-
Domain 7 — Security Operations. An alert confirms malware actively spreading from a compromised server. Following the incident response process, what should the team do first after detection?
- A. Eradicate the malware from the server
- B. Restore the server from a known-good backup
- C. Contain the incident to prevent further spread
- D. Notify external law enforcement
Reveal answer & explanation
Answer: C. The incident response lifecycle places containment before eradication and recovery: isolating affected systems limits damage and preserves evidence. Cleanup and restoration follow once the incident is contained.
-
Domain 8 — Software Development Security. At which point in the software development lifecycle is fixing a security flaw most cost-effective?
- A. During the requirements and design phases
- B. During system and integration testing
- C. Immediately after production release
- D. During ongoing maintenance
Reveal answer & explanation
Answer: A. Flaws are cheapest to fix the earlier they are caught. Building security into requirements and design (“shifting left”) avoids the far greater cost of reworking or patching code after release.
-
Domain 8 — Software Development Security. Which is the most effective defense against SQL injection?
- A. Parameterized queries (prepared statements)
- B. Client-side input validation in the browser
- C. Suppressing detailed database error messages
- D. Placing the database behind a network firewall
Reveal answer & explanation
Answer: A. Parameterized queries bind user input as data rather than executable code, so input cannot alter the query’s structure. Client-side validation is easily bypassed, and error suppression or firewalls never address the root cause.
How to study with CISSP practice exams
Passing the CISSP is less about memorizing facts than about consistently choosing the risk-based, management-level answer. Use this approach:
- Budget time by weight. Study all eight domains, but give Security and Risk Management (16%) the most attention and never skip a “small” domain, because the adaptive engine tests breadth.
- Adopt the manager mindset. ISC2 wants the best, first, or most effective action. When two answers both work, pick the one that reduces risk, protects human life first, follows policy, and fixes the root cause rather than a symptom.
- Study explanations, not just scores. Learn why each distractor is wrong; the reasoning transfers to unfamiliar questions far better than memorized answers.
- Master high-yield concepts. Risk formulas (SLE, ARO, ALE), data roles, cryptographic services (confidentiality, integrity, authentication, non-repudiation), the incident response lifecycle, and secure SDLC recur constantly.
- Simulate the format. Take timed, mixed-domain sets so adaptive pacing feels routine and you cannot lean on domain context clues.
- Plan your eligibility. The CISSP requires five years of cumulative paid experience in two or more domains; a relevant degree or approved certification waives one year. Arrange your endorsement early.
Structured practice under expert guidance shortens the path — applying each domain hands-on builds the judgment the exam rewards.
Get CISSP-ready with Boost eLearning
Free CISSP practice questions show you where you stand; a structured course closes the gap. Boost eLearning’s CISSP training covers all eight ISC2 domains with instructor-led sessions, hands-on Live Labs, and full-length adaptive practice exams that mirror the real CAT format. Choose online self-paced, live virtual, or on-site delivery to fit your schedule, and prepare with confidence backed by our money-back Pass Guarantee. You bring the commitment; we bring the curriculum, the labs, and the exam strategy that turns preparation into a first-attempt pass.
CISSP sample questions: exam FAQ
How many questions are on the CISSP exam?
Per ISC2, the English CISSP is a Computerized Adaptive Test of 100 to 150 items delivered in up to 3 hours. The count varies because the exam ends once the engine is confident in your score.
What score do you need to pass the CISSP?
You need a scaled score of 700 out of 1000. There is no fixed percentage of correct answers, because the adaptive engine weights items by difficulty.
What are the 8 CISSP domains and their weights?
Security and Risk Management (16%), Asset Security (10%), Security Architecture and Engineering (13%), Communication and Network Security (13%), IAM (13%), Security Assessment and Testing (12%), Security Operations (13%), and Software Development Security (10%).
Are these CISSP practice questions really free?
Yes. All 10 questions above are free and original, written in the exam’s manager-mindset style, each with the correct answer and a short explanation.
How long should I study for the CISSP?
Most candidates spend two to four months, depending on experience. Budget time by domain weight and rehearse mixed, timed question sets to build adaptive stamina.
Do I need work experience to get CISSP certified?
Yes. ISC2 requires five years of cumulative paid experience in two or more domains; a relevant degree or approved certification waives one year. Pass without the experience and you become an Associate of ISC2 while you earn it.
Related Boost eLearning Courses
- Pelatihan Online & Persiapan Sertifikasi CompTIA Security+ (SY0-701) — Live Labs & Pass Guarantee included
- تدريب عبر الإنترنت وشهادة تحضيرية لـ CompTIA Security+ (SY0-701) — Live Labs & Pass Guarantee included
- CompTIA Security+ (SY0-701) ऑनलाइन ट्रेनिंग और प्रमाणन तैयारी — Live Labs & Pass Guarantee included
Ready to earn your certification?
Boost eLearning offers Live Labs, a Pass Guarantee, and online, live virtual, and on-site delivery.
