QUESTIONS AND ANSWERS WITH RATIONALES / GRADED A+ / 2026 UPDATE / 100% CORRECT / INSTANT DOWNLOAD
Domain 1: Security & Risk Management (Governance, Risk, Compliance, Law, Ethics)
1. A global enterprise is merging with a competitor based in a country with strict
data sovereignty laws requiring that citizen data never leave the country. The CISO
must integrate the IT systems. What is the primary driver for the security architecture
requirements in this scenario?
A. Business continuity requirements
B. Legal and regulatory compliance
C. Data classification standards
D. Industry best practices (ISO 27001)
Answer: B
Rationale: While all options are factors in security architecture, legal and regulatory
compliance (data sovereignty laws) is mandatory and non-negotiable. Failure to
comply results in legal penalties, making it the primary driver over best practices or
internal standards.
2. What is the primary purpose of a "Security Control Baseline"?
A. To eliminate all identified risks in the environment.
B. To provide a minimum set of security controls to protect an asset based on its
classification.
C. To document specific technical configurations for firewalls.
D. To replace the need for a risk assessment.
Answer: B
Rationale: A baseline establishes a minimum standard of security (e.g., "All High-Impact
systems must have MFA and logging"). It does not eliminate risk (A), is broader than
technical configs (C), and works with risk assessment (D).
3. A software developer copies an open-source library licensed under the GPL into
the company's proprietary commercial product. The legal team issues a cease-and-
desist. Which ethical principle of the (ISC)² Code of Ethics is most directly violated?
A. Protect society, the common good, and the infrastructure.
B. Act honorably, honestly, justly, responsibly, and legally.
C. Provide diligent and competent service to principals.
D. Advance and protect the profession.
Answer: B
Rationale: Violating software licenses constitutes illegal activity and dishonesty.
While (A) applies to infrastructure, (B) directly addresses legal and honest conduct,
which is the core of this licensing violation.
4. A CISO decides not to implement a $1 million control to mitigate a risk with an
Annualized Loss Expectancy (ALE) of $50,000. What is this called?
A. Risk Avoidance
B. Risk Transfer
C. Risk Mitigation
D. Risk Acceptance
Answer: D
Rationale: When the cost of the control (safeguard) exceeds the potential loss (ALE),
it is financially sound to accept the risk. Avoidance (A) means ceasing the activity,
Transfer (B) means buying insurance.
5. The "Due Care" principle in information security primarily requires that an
organization:
A. Ensure all data is encrypted at rest.
B. Implement firewalls and antivirus on all systems.
C. Act prudently and establish standards, policies, and procedures to protect
stakeholders.
D. Transfer all residual risk to a third-party insurer.
Answer: C
Rationale: Due Care (or Due Diligence) is the legal concept of acting responsibly. It
means establishing a governance framework (policies, procedures) to show you are
trying to protect assets. It is not a specific technical control.
6. Which threat actor is most likely to use Long-Term Persistent access (APT) to
exfiltrate intellectual property over several years?
A. Hacktivist
B. Script Kiddie
C. Nation-State
D. Internal Employee (Financial motive)
Answer: C
Rationale: Nation-state actors have the resources, patience, and strategic goals (IP
theft, espionage) to conduct Advanced Persistent Threat (APT) campaigns lasting
years. Hacktivists (A) want visibility; Script Kiddies (B) want quick thrills.
7. A US-based company has customers in the EU. A data breach occurs involving EU
citizen data. Which regulation imposes the largest potential fine (up to 4% of global
annual turnover)?
A. HIPAA
B. SOX
C. PCI-DSS
D. GDPR
Answer: D
Rationale: The General Data Protection Regulation (GDPR) is known for its severe
financial penalties (up to €20 million or 4% of global annual turnover, whichever is
higher). HIPAA (A) and SOX (B) are US-specific; PCI-DSS (C) is contractual, not a law.
8. In quantitative risk analysis, the "Exposure Factor" (EF) represents:
A. The number of threats per year.
B. The percentage of an asset's value lost by a realized risk.
C. The cost of the countermeasure.
D. The single loss expectancy multiplied by the annual rate of occurrence.
Answer: B
Rationale: EF is a key variable in the SLE (Single Loss Expectancy) formula: SLE =
Asset Value * EF. It answers: "If this happens, how much of this asset is destroyed (as
a percentage)?"
Domain 2: Asset Security (Data Management & Retention)
9. A data owner requires that a specific report be deleted 7 years after the fiscal year
end. What specific documentation must define this requirement?
A. The Data Classification Policy
B. The Data Retention Policy