Certified Information Systems Security Professional (CISSP)

- 480 exam-style questions
- Detailed explanations and references
- Simulation and custom modes
- Custom exam settings to drill down into specific topics
- 180-day access period
- Pass or money back guarantee
What is in the package
The tone, style, and complexity of our questions mimic the actual (ISC)² CISSP exam experience. Along with detailed explanations and strategic exam tips provided for each question, we have extensively referenced the official (ISC)² CISSP Common Body of Knowledge (CBK) and relevant industry standards to get you thoroughly prepared across all eight domains tested for the CISSP certification.
Beyond exam preparation, our practice exams serve as a lasting reference guide. From understanding security and risk management principles to designing secure architectures and managing security operations, you will find the knowledge and insights needed for real-world scenarios. Whether you're an experienced security professional seeking certification or aiming to solidify your expertise, CertVista CISSP will equip you with the tools to advance your career and excel in the critical field of information security.
Complete CISSP domains coverage
Security and Risk Management
This domain establishes the foundation, focusing on core security principles (Confidentiality, Integrity, Availability), governance structures, compliance with laws and regulations, implementing risk management frameworks, developing security policies, planning for business continuity and disaster recovery (BCP/DR), and fostering security awareness.
Asset Security
Concerns the identification, classification, and protection of information assets. Key concepts include managing the entire data lifecycle (from creation to destruction), implementing appropriate data security controls, understanding data handling requirements, addressing privacy protection, and defining asset retention policies.
Security Architecture and Engineering
Addresses the design and implementation of secure systems. Topics include fundamental secure design principles, understanding various security models, securing system components, applying cryptography concepts effectively, addressing cloud and IoT security challenges, and implementing physical security measures.
Communication and Network Security
Focuses on securing network infrastructure and data transmission. This involves understanding secure network architecture (TCP/IP, OSI models), configuring network components (firewalls, routers, switches), implementing secure communication protocols (like VPNs and TLS), securing wireless networks, and preventing network-based attacks.
Identity and Access Management (IAM)
Centers on ensuring appropriate access to resources. It covers processes for identification, methods of authentication (including multi-factor), authorization mechanisms, different access control models (MAC, DAC, RBAC), identity provisioning and deprovisioning, implementing federation and single sign-on (SSO), and managing identity lifecycles.
Security Assessment and Testing
Involves validating security control effectiveness. Key activities include designing and performing security tests, conducting vulnerability assessments and penetration tests, performing security audits, reviewing logs for anomalies, implementing security monitoring, and collecting data to measure security posture.
Security Operations
Covers the practical, day-to-day activities required to maintain security. This includes incident response procedures, foundational digital forensics and investigation techniques, logging and monitoring practices, configuration and change management, patch management strategies, executing disaster recovery plans, and overseeing physical security operations.
Software Development Security
Focuses on embedding security throughout the software development lifecycle (SDLC). Important aspects include applying secure coding standards, performing code reviews, utilizing application security testing tools (SAST, DAST), managing security risks in third-party software, securing databases, and implementing security within development methodologies like DevOps/DevSecOps.
What's in the CISSP exam
The CISSP® exam is available in eight languages: English, Chinese, Japanese, Korean, German, Spanish-Modern, Brazilian Portuguese, and French. The English exam uses CISSP® CAT (Computerized Adaptive Testing, see below), while the other languages are administered as linear, fixed-form exams.
The English exam now has between 100 and 150 questions, with a 3-hour time limit. Three hours may sound like a long time, but do the math: 150 questions in 180 minutes leaves 72 seconds per question. The exam is long and can be grueling; it is also a race against the clock. Preparation is the key to success.
The content of the CISSP® exam is usually updated every 3 years. (ISC)2® also occasionally changes the number of questions and the time limit while leaving the testable content unchanged. Always check https://www.isc2.org/Certifications/CISSP for the most recent information regarding the CISSP® exam.
Steps to Becoming a CISSP®
Becoming a CISSP® requires four steps:
- Proper professional information security experience
- Agreeing to the (ISC)2® code of ethics
- Passing the CISSP® exam
- Endorsement by another CISSP®
Additional details are available on the examination registration form available at https://www.isc2.org.
The exam requires 5 years of professional experience in 2 or more of the eight knowledge domains. You may waive 1 year with a college degree or approved certification; see the examination registration form for more information. You may pass the exam before you have enough professional experience and become an "Associate of (ISC)2®." Once you meet the experience requirement, you can complete the process and become a CISSP®.
Computer-Based Testing (CBT)
(ISC)2® has partnered with Pearson VUE to provide computer-based testing (CBT). Pearson VUE has testing centers in over 160 countries; go to their website to schedule your exam. Note that the information regarding CBT is subject to change: please check the (ISC)2® exam registration site for any updates to the CBT process.
According to (ISC)2®, "Candidates will receive their unofficial test result at the test center." The Test Administrator will hand out the results during the checkout process. (ISC)2® will then follow up with an official result via email. In some instances, real-time results may not be available:
CISSP® CAT
CAT is the computerized delivery of exam items uniquely tailored to the ability of an individual candidate. Unlike fixed-form, linear exams, adaptive testing delivers items based on the demonstrated ability of a candidate during the exam. With CAT, the difficulty of each item a candidate receives is optimized to measure their ability with the greatest degree of efficiency possible.
After each item is answered, the item selection algorithm determines the next item to present to the candidate with the expectation that a candidate should have approximately a 50% chance of answering that item correctly.
This means the better a candidate does, the harder the exam gets. Remember that the exam score is scaled, and 50 questions are pre-test (research) questions that don't count toward the final score.
How to Take the Exam
A candidate who is doing well on the exam can literally be missing (well) over half the questions. Most passing students report that they were convinced they failed or were completely unsure of how they did until they received their results. This includes students who passed with 125 questions (meaning they did extremely well). Studies have shown that doing well on the first 5–10 questions is critical:
spending more time and attention on the first five or ten items on a computer adaptive test will improve an examinee's final ability estimate.
Doing well in the beginning means the exam will become more difficult as the exam engine attempts to present questions that a candidate will get correct 50% of the time.
This can add to exam-day stress: the better a candidate does, the harder it gets. If the exam ends in 100 questions, it means one of two things: the candidate either aced the exam or failed. The candidate is somewhere in between if the exam continues past 100 questions. The exam may end at any point after that and will end with question 150.
Taking the Exam
The English exam has between 100 and 150 questions of four types:
- Multiple choice
- Scenario
- Drag/drop
- Hotspot
Multiple-choice questions have four possible answers, lettered A, B, C, or D. Each multiple-choice question has exactly one correct answer. A blank answer is a wrong answer: guessing does not hurt you.
Scenario questions contain a long paragraph of information, followed by several multiple-choice questions based on the scenario. The questions are multiple-choice, with one correct answer only, as with other multiple-choice questions.
The scenario is often quite long and contains unnecessary information. Reading the scenario's questions first is often helpful: they tell you which keywords to look for in the scenario.
Drag-and-drop questions are visual multiple-choice questions that may have multiple correct answers. You will need to drag the appropriate objects from the left and match them to the objects on the right.
Hotspot questions are visual multiple-choice questions with one answer. They will ask you to click on an area on an image; network maps are a common example.
The questions will be mixed from the 8 domains; the questions do not (overtly) state the domain they are based on. Some pre-test (research) questions do not count towards your final score. These questions are not marked: you must answer all questions as if they count.
Sample CISSP questions
Get a taste of the CISSP exam with our carefully curated sample questions below. These questions mirror the actual exam's style, complexity, and subject matter, giving you a realistic preview of what to expect. Each question comes with comprehensive explanations, relevant documentation references, and valuable test-taking strategies from our expert instructors.
While these sample questions provide excellent study material, we encourage you to try our free demo for the complete exam preparation experience. The demo features our state-of-the-art test engine that simulates the real exam environment, helping you build confidence and familiarity with the exam format. You'll experience timed testing, question marking, and review capabilities – just like the actual certification exam.
In Federated Identity Management (FIM), which of the following represents the concept of federation?
Collection, maintenance, and deactivation of user objects and attributes in one or more systems, directories or applications
Collection of information for common identities in a system
Collection of information logically grouped into a single entity
Collection of domains that have established trust among themselves
The concept of federation in Federated Identity Management (FIM) is represented by the collection of domains that have established trust among themselves. Federation allows for the linking of a user's identity and attributes across multiple autonomous security domains. It implies that different domains agree to trust each other and accept each other's assertions in order to support identity interoperability across organizational boundaries.
The other options are not correct as they do not capture the idea of trust and collaboration between distinct domains or systems. Collection, maintenance, and deactivation of user objects typically describe identity management processes within a single domain or entity. Collection of information for common identities or logically grouped into a single entity could refer to data aggregation but does not necessarily involve trust between independent domains.
When answering questions about federation in FIM, focus on the concept of trust and interoperability across independent domains or organizations. Federation involves agreements or standards that enable shared identity validation.
An organization is trying to secure instant messaging (IM) communications through its network perimeter.
Which of the following is the MOST significant challenge?
IM clients can utilize random port numbers.
IM clients can run as executables that do not require installation.
IM clients can interoperate between multiple vendors.
IM clients can run without administrator privileges.
The most significant challenge in securing instant messaging (IM) communications through a network perimeter is that IM clients can utilize random port numbers. This characteristic makes it difficult for firewall configuration and monitoring tools to effectively identify and control IM traffic. Firewalls typically manage traffic by permitting or denying packets based on specific ports and protocols, and when ports are dynamically allocated or randomized, it significantly complicates the process of enforcing security policies, thereby increasing the risk of unauthorized communications passing through the network.
The other options, while they may present challenges or considerations, are not as directly impactful to network perimeter security:
- "IM clients can run as executables that do not require installation" is a challenge primarily from a host security perspective rather than network perimeter.
- "IM clients can interoperate between multiple vendors" may involve compatibility and standardization issues, but this does not significantly challenge perimeter security.
- "IM clients can run without administrator privileges" relates more to system-level security policies rather than network-level challenges.
When assessing network perimeter security challenges, focus on elements that affect traffic management, such as port and protocol behaviors. Random port usage by applications can significantly complicate firewall configurations.
References:
- NIST Special Publication 800-114: User's Guide to Securing External Devices for Telework and Remote Access
- SANS: Security Issues and Countermeasures for Corporate Instant Messaging
- ISACA Journal: Instant Messaging Security Challenges
- CSO Online: Instant Messaging Security Best Practices
- RFC 3922: Mapping Between the XMPP and Common Presence and Instant Messaging (CPIM)
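To make the answer above concrete, here is an added example (not from the page or the practice-exam package) that evaluates two egress policies over constructed connection records: a deny-list rule that blocks the IM service's well-known port, and a default-deny allow-list that permits only sanctioned destination ports. The IP addresses, the random high ports and the `im` ground-truth label are constructed for the example; the only real value is XMPP's use of port 5222 for client connections. The allow-list function also doubles as a monitoring check, listing flows to unsanctioned ports for review.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as a perimeter device would see it."""
    src: str
    dst: str
    dport: int
    app: str  # ground-truth label for the constructed data only; a port filter cannot see it


# Constructed connection records. The IM client on 10.0.0.7 lands once on the
# well-known XMPP client port (5222) and otherwise picks high, random ports.
FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 443, "https"),
    Flow("10.0.0.5", "198.51.100.11", 80, "http"),
    Flow("10.0.0.9", "198.51.100.12", 53, "dns"),
    Flow("10.0.0.7", "203.0.113.20", 5222, "im"),
    Flow("10.0.0.7", "203.0.113.20", 41873, "im"),
    Flow("10.0.0.7", "203.0.113.21", 60011, "im"),
]

IM_DENY_PORTS = {5222}              # the "block the IM port" rule
SANCTIONED_PORTS = {53, 80, 443}    # default-deny egress: only these ports are allowed


def deny_list_allows(flow: Flow) -> bool:
    """Port deny-list: everything passes unless its port is explicitly blocked."""
    return flow.dport not in IM_DENY_PORTS


def default_deny_allows(flow: Flow) -> bool:
    """Allow-list: a flow passes only if its destination port is sanctioned."""
    return flow.dport in SANCTIONED_PORTS


def evaluate(policy, flows):
    """Return (im_allowed, im_blocked, legit_blocked) counts for one policy.

    im_allowed is the number of IM connections that slipped through; legit_blocked
    shows whether the stricter policy broke any sanctioned traffic in the sample.
    """
    im_allowed = sum(1 for f in flows if f.app == "im" and policy(f))
    im_blocked = sum(1 for f in flows if f.app == "im" and not policy(f))
    legit_blocked = sum(1 for f in flows if f.app != "im" and not policy(f))
    return im_allowed, im_blocked, legit_blocked


def unsanctioned_port_flows(flows, sanctioned=SANCTIONED_PORTS):
    """Monitoring view: flows to ports outside the sanctioned set. Worth alerting
    on even while the enforced policy is still a deny-list."""
    return [(f.src, f.dst, f.dport) for f in flows if f.dport not in sanctioned]


if __name__ == "__main__":
    # deny-list lets 2 of 3 IM flows through; default-deny blocks all 3 and no sanctioned traffic
    print("deny-list    (im allowed, im blocked, legit blocked):", evaluate(deny_list_allows, FLOWS))
    print("default-deny (im allowed, im blocked, legit blocked):", evaluate(default_deny_allows, FLOWS))
    for record in unsanctioned_port_flows(FLOWS):
        print("review:", record)
```

The deny-list catches only the single connection that happened to use the documented port; the two randomized connections pass. A default-deny egress policy stops all three without touching the sanctioned HTTP, HTTPS and DNS flows, which is why port-randomizing clients push perimeter control toward allow-lists and application-aware inspection rather than per-port blocks.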
Using the cipher text and resultant cleartext message to derive the monoalphabetic cipher key is an example of which method of cryptanalytic attack?
Probable-plaintext attack
Frequency analysis
Known-plaintext attack
Ciphertext-only attack
The correct answer is Known-plaintext attack.
In a known-plaintext attack, the attacker has access to both the plaintext (cleartext) and the corresponding ciphertext. The attacker uses this information to derive the encryption key or to decrypt further messages encrypted with the same key. Given the specificity of the scenario, where the attacker possesses both the ciphertext and its resultant cleartext message, this aligns exactly with the concept of a known-plaintext attack.
The other options are incorrect:
- In a probable-plaintext attack, the attacker makes an educated guess about the likely structure or contents of the plaintext and tests that guess against the ciphertext to recover the key. This is not applicable here, as the attacker has explicit rather than probable knowledge of the plaintext.
- Frequency analysis involves studying the frequency of letters or groups of letters in the ciphertext to make assumptions about the key. However, this method doesn't start with known pairs of plaintext and ciphertext.
- In a ciphertext-only attack, the attacker only has access to the ciphertext without any plaintext knowledge. The attacker uses statistical techniques to deduce the plaintext or encryption key.
When approaching questions about cryptanalytic attacks, consider what information the attacker has at their disposal:
- Ciphertext and no plaintext? It's likely a ciphertext-only attack.
- Ciphertext and probable plaintext? It's a probable-plaintext attack.
- Ciphertext and known plaintext? It's a known-plaintext attack.
Understanding the starting conditions of different types of attacks will help you identify the correct cryptanalytic method.
References:
- NIST Special Publication 800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
- Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
- Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone
- Cryptanalysis of Classical Ciphers by the National Cryptologic Museum
- Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier
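The question above is about the starting conditions of the attack, so here is an added example (not from the page or the practice-exam package) that carries the known-plaintext case through for a monoalphabetic substitution cipher: with one aligned plaintext/ciphertext pair, the key table is read straight off the letter pairs, with no frequency statistics and no guessing. The cipher routine, the 26-letter secret key, and the two sample messages are constructed for the example; the code also handles the failure mode where a pair contradicts any single substitution key.

```python
import string

ALPHABET = string.ascii_uppercase


def encrypt(plaintext: str, key: str) -> str:
    """Monoalphabetic substitution. `key` is a 26-letter permutation giving the
    cipher letter for A, B, ..., Z. Non-letters pass through unchanged."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def recover_key(plaintext: str, ciphertext: str) -> dict:
    """Known-plaintext attack: read the key off aligned letter pairs.

    Returns the partial key as {plain_letter: cipher_letter}. Only letters that
    occur in the known plaintext are recovered; nothing is guessed. If the pair
    contradicts a single substitution key (one plain letter to two cipher
    letters, or two plain letters to one), it was not produced by one
    monoalphabetic key and a ValueError is raised instead of a wrong table.
    """
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext must align letter for letter")
    key, inverse = {}, {}
    for p, c in zip(plaintext.upper(), ciphertext.upper()):
        if p not in ALPHABET:
            continue  # spaces and punctuation were not substituted
        if key.get(p, c) != c or inverse.get(c, p) != p:
            raise ValueError(f"pair is inconsistent with one substitution key at {p!r}/{c!r}")
        key[p] = c
        inverse[c] = p
    return key


def is_consistent_pair(plaintext: str, ciphertext: str) -> bool:
    """True if the pair could have been produced by a single monoalphabetic key."""
    try:
        recover_key(plaintext, ciphertext)
        return True
    except ValueError:
        return False


def decrypt_partial(ciphertext: str, key: dict) -> str:
    """Decrypt another message with the recovered (possibly partial) key.
    Letters whose mapping is still unknown are shown as '?'."""
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(ch, "?") if ch in ALPHABET else ch for ch in ciphertext.upper())


def key_coverage(key: dict) -> float:
    """Fraction of the 26-entry key table recovered so far."""
    return len(key) / len(ALPHABET)


# Constructed sample data: a secret key the attacker does not know, one message
# whose cleartext leaked, and a second message protected by the same key.
SECRET_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"
KNOWN_PLAINTEXT = "ATTACK AT DAWN"
KNOWN_CIPHERTEXT = encrypt(KNOWN_PLAINTEXT, SECRET_KEY)   # "QZZQEA QZ RQVF"
SECOND_CIPHERTEXT = encrypt("DATA CAN WAIT", SECRET_KEY)  # "RQZQ EQF VQOZ"

if __name__ == "__main__":
    partial = recover_key(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT)
    print("recovered key entries:", partial)                       # 7 of 26 letters
    print(f"coverage: {key_coverage(partial):.0%}")
    print("second message:", decrypt_partial(SECOND_CIPHERTEXT, partial))  # DATA CAN WA?T
```

Note what the example does and does not need: the attacker never inspects letter frequencies (that would be a ciphertext-only technique) and never hypothesises the plaintext (probable-plaintext); the known pair alone yields seven key entries, enough to read most of a second message under the same key. The contradiction check is the practitioner's sanity test that the two texts really are a matching pair.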
What is the MOST effective method to enhance security of a single sign-on (SSO) solution that interfaces with critical systems?
Secure Sockets Layer (SSL) for all communications
High performance encryption algorithms
Reusable tokens for application level authentication
Two-factor authentication
The most effective method to enhance the security of a single sign-on (SSO) solution that interfaces with critical systems is to implement two-factor authentication (2FA). This approach increases security by requiring users to provide two forms of identification before gaining access: something they know (such as a password) and something they have (such as a smartcard or mobile device).
Two-factor authentication is crucial in mitigating risks such as credential theft, which is especially important in systems that manage critical and sensitive data. It enhances the traditional username and password combination, offering an additional layer of security.
While SSL can secure the transmission of data, it does not inherently enhance the authentication process itself. High-performance encryption algorithms are important for data protection but do not specifically address authentication during access. Reusable tokens, although beneficial for maintaining session state, may lead to security vulnerabilities if they are captured or reused fraudulently.
Therefore, two-factor authentication provides a broader security enhancement across different aspects of authentication and access management, especially within an SSO context interfacing with critical systems.
Focus on added security layers when evaluating authentication mechanisms, particularly in environments interconnected with high-stakes or sensitive systems.
When assessing web vulnerabilities, how can navigating the dark web add value to a penetration test?
The actual origin and tools used for the test can be hidden.
Information may be found on related breaches and hacking.
Information may be found on hidden vendor patches.
Vulnerabilities can be tested without impact on the tested environment.
Navigating the dark web can add value to a penetration test primarily by uncovering information on related breaches and hacking activities. The dark web often contains forums and marketplaces where threat actors discuss and distribute stolen data and vulnerabilities, particularly those that may not yet be publicly disclosed. This information can provide penetration testers with insights into potential threats and techniques being used against similar organizations, thereby better preparing the organization to defend against real-world attacks.
The other options are incorrect for the following reasons:
- Hiding the origin and tools of the test is not a function of the dark web; it is a basic capability built into penetration testing methodologies and unrelated to the dark web.
- Hidden vendor patches are typically not found on the dark web. Such information is usually acquired through vendor notifications or specialized security channels.
- Testing vulnerabilities without impacting the environment is a feature of certain testing tools or methodologies and not specifically related to the dark web.
When preparing for questions related to security assessments, focus on distinguishing the unique resources or information that the dark web can provide to enhance security posture.
Which of the following criteria ensures information is protected relative to its importance to the organization?
Legal requirements determined by the organization headquarters' location
The value of the data to the organization's senior management
Organizational stakeholders, with classification approved by the management board
Legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification
The correct answer is the criteria involving the legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. This answer encapsulates the comprehensive evaluation required to ascertain the level of protection necessary for information assets.
In protecting information, organizations should conduct a detailed assessment that includes understanding not only the legal obligations applicable to the data but also its intrinsic value, its criticality to business operations, and the impact of any potential unauthorized access or alterations. This multi-faceted approach ensures a robust and comprehensive protection strategy.
The other options are incorrect as they fail to cover the full breadth of necessary considerations:
- Legal requirements based solely on headquarters' location may not address all jurisdictions or capture value, criticality, or sensitivity.
- The intrinsic value of the data to the senior management may not factor in legal requirements, sensitivity, or criticality.
- Relying solely on stakeholder input with classification approval by the management board might overlook precise legal mandates or critical operational impacts.
For the CISSP exam, remember that comprehensive information classification systems consider multiple dimensions: legal mandates, intrinsic value to the organization, criticality, and sensitivity. Focusing solely on one dimension might lead to inadequate security measures.
What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program?
Establish an ISCM program determining metrics, status monitoring frequencies, and control assessment frequencies.
Collect the security-related information required for metrics, assessments, and reporting.
Define an ISCM strategy based on risk tolerance.
Establish an ISCM technical architecture.
The first step when developing an Information Security Continuous Monitoring (ISCM) program is to define an ISCM strategy based on risk tolerance. This is crucial because understanding the organization’s risk tolerance sets the foundation for the whole ISCM program. A risk-oriented strategy ensures that the monitoring efforts are aligned with the organization's risk management goals and business objectives, effectively focusing resources on protecting the most critical assets and systems.
Establishing an ISCM program, collecting security-related information, and establishing the technical architecture are important steps, but they follow the initial strategy definition. Without a clear understanding of risk tolerance and strategy, any monitoring program may lack the focus and alignment with business needs, making it less effective.
Only after the strategy is defined can the organization proceed to establish a program by determining metrics and assessment frequencies, collect necessary information for implementations, and finally establish a suitable technical architecture.
When tackling ISCM-related questions on the CISSP exam, focus on order of operations: strategy should always precede implementation steps. Identifying strategy and governance aspects often precedes technical or operational actions.
A software engineer uses automated tools to review application code and search for application flaws, back doors, or other malicious code.
Which of the following is the FIRST Software Development Life Cycle (SDLC) phase where this takes place?
Design
Development
Test
Deployment
In the context of the Software Development Life Cycle (SDLC), automated tools for reviewing code and searching for flaws or malicious code are typically utilized during the Development phase. This phase involves writing the actual code for the software, and it's the time when static application security testing (SAST) tools can be most beneficial. These tools help identify security vulnerabilities as the developers write code, thereby allowing for issues to be addressed early before the testing phase.
The Design phase revolves around architectural design and planning, where security considerations should be taken into account, but it doesn't involve code analysis.
The Test phase, while also crucial for security, is primarily concerned with dynamic testing and validating that the software functions as expected. Security vulnerabilities identified here might result from testing the running application.
The Deployment phase involves the application of the software to the production environment, completing the SDLC, but it's too late for code review efforts typically meant for earlier stages.
When considering the SDLC phases, remember that static code analysis with automated tools is closely associated with the Development phase because it supports the code-writing process. Be cautious not to confuse this with dynamic testing performed in the Test phase.
A company developed a web application which is sold as a Software as a Service (SaaS) solution to the customer. The application is hosted by a web server running on a specific operating system (OS) on a virtual machine (VM). During the transition phase of the service, it is determined that the support team will need access to the application logs.
Which of the following privileges would be the MOST suitable?
Administrative privileges on the hypervisor
Administrative privileges on the web server
Administrative privileges on the application folders
Administrative privileges on the OS
The most suitable privilege for the support team to access application logs is having administrative privileges on the application folders. This option aligns with the principle of least privilege, which states that users should only have the minimum level of access—or permissions—necessary to accomplish their job.
Administrative privileges on the hypervisor, the web server, or the OS could introduce unnecessary risks by granting excessive access beyond the scope of what is needed for log access. These options could potentially allow modifications to more critical components of the system, thus increasing the risk of errors or malicious actions.
Focusing the privileges specifically on the application folders ensures that the support team can access the logs without exposing the infrastructure or OS to unnecessary risk.
When answering questions about privileges and access, always consider the principle of least privilege. Ask yourself: What is the minimal access required to perform the task?
A security practitioner detects an Endpoint attack on the organization's network. What is the MOST reasonable approach to mitigate future Endpoint attacks?
Remove all non-essential client-side web services from the network.
Block all client-side web exploits at the perimeter.
Screen for harmful exploits of client-side services before implementation.
Harden the client image before deployment.
The correct answer is to harden the client image before deployment. This approach establishes a secure baseline for endpoint systems, which fundamentally strengthens their resilience against attacks. By securing configurations and disabling unnecessary services, this preventive measure significantly reduces the attack surface and provides long-term protection.
Removing non-essential client-side web services is a useful step but not as comprehensive as hardening the client image, as it might not address all potential vulnerabilities or ensure a uniform security posture.
Blocking client-side web exploits at the perimeter is a reactive measure focusing on threats as they reach the network edge, but it may miss attacks that bypass this perimeter defense.
Screening for harmful exploits of client-side services before implementation primarily addresses the risks of deploying vulnerable applications. However, it does not necessarily fully secure the endpoint itself.
Focus on the principle of "security in depth"—multiple layers of security controls. Hardening endpoints is part of implementing a strong initial layer which minimizes the chances of successful attacks.