2026 Questions and Answers with Rationales | Graded A+ | 2026 Update | 100% Correct | Instant Download
Domain-by-Domain Updated Test
Total Questions: 85 | Passing Score: 70% (60 correct) | Time: 180 minutes (suggested)
Domain 1: Security and Risk Management (10 questions)
Q1. A multinational corporation must comply with the EU’s updated AI Act (2026)
and China’s new data export law. Which governance approach best reduces legal
risk?
A) Implement a single global policy based on the strictest regulation
B) Maintain separate policies per region with automated policy mapping
C) Follow only the country of origin’s laws
D) Outsource compliance to a third-party
Correct Answer: B
Rationale: Policy mapping (B) allows tailored compliance without overburdening
low-risk regions. (A) is inefficient; (C) violates extraterritorial laws; (D) transfers
but doesn’t eliminate risk.
Q2. After a ransomware attack, the CEO demands restoration within 2 hours. The
current RPO is 4 hours, RTO is 8 hours. What should the security team advise?
A) Accept the CEO’s demand as a new RTO
B) Recalculate RPO based on acceptable data loss
C) Ignore the demand as unrealistic without budget increase
D) Immediately change DR plan to meet 2-hour RTO
Correct Answer: B
Rationale: Business needs define RPO/RTO. Changing RTO without considering
cost/feasibility (A/D) is risky. (C) ignores business input. Recalculating RPO
aligns recovery with data loss tolerance.
Q3. Which 2026 NIST CSF 2.0 function specifically addresses supply chain risk
management (SCRM)?
A) Identify
B) Protect
C) Govern (new)
D) Respond
Correct Answer: C
Rationale: NIST CSF 2.0 (2024/2026 updates) added the Govern function,
covering SCRM, roles, and policies. (A) Identify is asset management; (B) Protect
is safeguards; (D) Respond is incident handling.
Q4. A BIA for an e-commerce site shows that a payment gateway failure costs
$500,000/hour. Maximum tolerable downtime is 30 minutes. What is the minimum
recovery requirement?
A) MTD = 30 min, RTO ≤ 30 min
B) MTD = 60 min, RTO ≤ 60 min
C) RPO = 30 min, RTO = any
D) Only backup required
Correct Answer: A
Rationale: Maximum Tolerable Downtime (MTD) = 30 min. Recovery Time
Objective (RTO) must be ≤ MTD to avoid unacceptable loss. RPO relates to data
age, not downtime cost.
Q5. An employee posts a company secret on a public forum after being threatened
with physical harm. What type of threat actor is this?
A) Hacktivist
B) Competitor
C) Unintentional insider
D) Duress victim
Correct Answer: D
Rationale: Duress (coercion) changes intent. (C) implies no malice; here,
disclosure is intentional under threat. (A) and (B) are external.
Q6. Which legal concept allows a company to terminate an employee for violating
an AUP even without a signed acknowledgment?
A) Implied consent
B) Constructive notice
C) Due process
D) Binding arbitration
Correct Answer: B
Rationale: Constructive notice means policies are communicated (e.g., posted on
intranet), and continued employment implies acceptance. Implied consent (A) is
less precise.
Q7. A SOC 2 Type II report over a 12-month period shows a single control failure
on day 1 that was fixed on day 2. For a prospective client, this indicates:
A) The service provider is unreliable
B) Controls operated effectively over time except a minor exception
C) The report should be rejected
D) Type I report would be better
Correct Answer: B
Rationale: SOC 2 Type II tests effectiveness over time. A one-day failure with
immediate correction is a minor exception, not a systemic issue.
Q8. Which risk treatment is being used when a company buys cyber insurance to
cover ransomware payments, but does not change its security posture?
A) Risk avoidance
B) Risk transfer
C) Risk mitigation
D) Risk acceptance
Correct Answer: B
Rationale: Insurance transfers financial risk to the insurer. No security change
means no mitigation (C). Avoidance (A) would stop the activity.
Q9. A board member asks: “What is our single greatest cyber risk?” According to
the FAIR model, risk is defined as:
A) Threat * Vulnerability
B) Asset value * Threat probability
C) Loss event frequency * Probable loss magnitude
D) CVSS score * Business impact