Exam (elaborations)

CISSP PRACTICE EXAM 2026 Questions with Answers and Detailed Rationales

Pages: 81
Grade: A+
Uploaded on: 20-05-2026
Written in: 2025/2026
Content preview
CISSP PRACTICE EXAM 2026 Questions with Answers and Detailed Rationales

1. An organization is implementing a Zero Trust Architecture (ZTA). Which of the following
principles is MOST fundamental to ZTA implementation?
A. Trust but verify all internal network traffic
B. Assume breach and verify explicitly every access request
C. Rely on perimeter firewalls as the primary security control
D. Grant broad access rights to reduce administrative overhead
Correct Answer: B
Rationale for Option A: Incorrect. "Trust but verify" is a traditional security model that assumes
internal traffic is trustworthy, which contradicts Zero Trust principles that eliminate implicit
trust regardless of network location.
Rationale for Option B: Correct. Zero Trust Architecture is built on the principle of "never trust,
always verify," assuming breach as a baseline and requiring explicit verification for every access
request regardless of source, identity, or location.
Rationale for Option C: Incorrect. Relying on perimeter defenses is the opposite of Zero Trust,
which eliminates the concept of a trusted network perimeter and focuses on protecting
resources directly through micro-segmentation and identity-centric controls.
Rationale for Option D: Incorrect. Granting broad access rights violates the principle of least
privilege, which is core to Zero Trust. Access should be granular, contextual, and continuously
evaluated.
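As an added illustration (not part of the practice exam), the following Go program sketches the policy decision point behind option B: every request is evaluated on explicit signals (authenticated identity, second factor, device attestation, session freshness) against an allow-list, a request with no matching rule is denied, and the source address is written to the audit line but never used to grant access. The signal names, the Policy rule shape and the sample request in main are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// AccessRequest carries the signals a Zero Trust policy engine evaluates on
// every request. SourceIP is kept for the audit log only; it never grants trust.
type AccessRequest struct {
	Subject        string
	Resource       string
	SourceIP       net.IP
	Authenticated  bool      // identity proven to the identity provider this session
	MFA            bool      // an independent second factor was presented
	DeviceAttested bool      // device health/posture verified by the endpoint agent
	AuthTime       time.Time // when the session was last verified
}

// Policy is one allow rule: which subject may reach which resource, under which
// per-request conditions. Anything not matched by a rule is denied (assumed shape).
type Policy struct {
	Subject    string
	Resource   string
	RequireMFA bool
	MaxAuthAge time.Duration // sessions must be re-verified at least this often
}

// Decision records the outcome and the reason so that it can be audited.
type Decision struct {
	Allow  bool
	Reason string
}

// Evaluate applies the rules to a single request. Every request is checked
// explicitly; there is no "internal network" shortcut anywhere in this function.
func Evaluate(req AccessRequest, policies []Policy, now time.Time) Decision {
	if !req.Authenticated {
		return Decision{false, "subject not authenticated"}
	}
	if !req.DeviceAttested {
		return Decision{false, "device posture not verified"}
	}
	for _, p := range policies {
		if p.Subject != req.Subject || p.Resource != req.Resource {
			continue
		}
		if p.RequireMFA && !req.MFA {
			return Decision{false, "policy requires MFA for " + p.Resource}
		}
		// Continuous evaluation: a session verified too long ago is not trusted.
		if now.Sub(req.AuthTime) > p.MaxAuthAge {
			return Decision{false, "session verification expired; re-authenticate"}
		}
		return Decision{true, "explicit policy match for " + p.Subject + " -> " + p.Resource}
	}
	// Least privilege: no matching rule means no access, wherever the request came from.
	return Decision{false, "no policy grants " + req.Subject + " access to " + req.Resource}
}

func main() {
	now := time.Now()
	policies := []Policy{{Subject: "alice", Resource: "payroll-db", RequireMFA: true, MaxAuthAge: time.Hour}}
	// Constructed sample: a request from an RFC 1918 address with no verified
	// identity. A perimeter model would wave it through; this engine denies it.
	req := AccessRequest{Subject: "alice", Resource: "payroll-db", SourceIP: net.ParseIP("10.0.0.5"), AuthTime: now}
	d := Evaluate(req, policies, now)
	fmt.Printf("src=%s allow=%v reason=%s\n", req.SourceIP, d.Allow, d.Reason)
}
```

The same structure scales to real deployments by feeding the request fields from the identity provider and endpoint agent rather than from literals, and by keeping the policy list in a central policy engine.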
2. A security manager is reviewing data classification policies. Which classification level should
be applied to customer personally identifiable information (PII) that, if disclosed, could result in
legal penalties and reputational damage?
A. Public
B. Internal Use Only
C. Confidential
D. Top Secret
Correct Answer: C
Rationale for Option A: Incorrect. Public information is intended for unrestricted dissemination
and carries no sensitivity; applying this to PII would violate privacy regulations and expose the
organization to significant risk.
Rationale for Option B: Incorrect. Internal Use Only is for information that should not leave the
organization but does not carry the same legal or regulatory implications as PII; it lacks the
protective controls required for sensitive personal data.
Rationale for Option C: Correct. Confidential classification is appropriate for sensitive
information like PII that requires protection due to legal, regulatory, or business impact if
disclosed, ensuring appropriate handling, encryption, and access controls.
Rationale for Option D: Incorrect. Top Secret is typically reserved for national security or
extremely sensitive government/military information; it is excessive for commercial PII and may
impose unnecessary operational burdens.
3. During a risk assessment, a security professional identifies that a critical server has a
vulnerability with a CVSS score of 9.8. The server processes financial transactions but has
compensating controls including network segmentation and intrusion prevention. What is the
MOST appropriate risk treatment strategy?
A. Avoid the risk by decommissioning the server immediately
B. Transfer the risk by purchasing cyber insurance
C. Mitigate the risk by applying patches and validating controls
D. Accept the risk without further action due to compensating controls
Correct Answer: C
Rationale for Option A: Incorrect. Avoidance by decommissioning a critical financial server
would cause unacceptable business disruption; risk treatment should balance security with
business continuity unless the risk is catastrophic and unavoidable.
Rationale for Option B: Incorrect. While cyber insurance can transfer financial impact, it does
not address the technical vulnerability or reduce the likelihood of exploitation; insurance
should complement, not replace, technical mitigation.
Rationale for Option C: Correct. Mitigation is the most appropriate strategy for a high-severity
vulnerability on a critical asset. Applying patches addresses the root cause, while validating
compensating controls ensures defense-in-depth, aligning with risk management best practices.
Rationale for Option D: Incorrect. Accepting a critical vulnerability on a financial system without
remediation is irresponsible, even with compensating controls. Compensating controls reduce
but do not eliminate risk; active mitigation is required for high-severity findings.
4. Which of the following cryptographic methods provides both confidentiality and non-
repudiation for email communications?
A. AES-256 encryption
B. RSA digital signatures with S/MIME
C. SHA-3 hashing
D. Diffie-Hellman key exchange
Correct Answer: B
Rationale for Option A: Incorrect. AES-256 provides strong confidentiality through symmetric
encryption but does not provide non-repudiation since the same key is shared between parties,
making it impossible to prove which party encrypted the message.
Rationale for Option B: Correct. RSA digital signatures with S/MIME provide both confidentiality
(through encryption) and non-repudiation (through digital signatures that bind the sender's
identity to the message using their private key, which only they possess).
Rationale for Option C: Incorrect. SHA-3 is a cryptographic hash function that provides integrity
verification but does not provide confidentiality (it doesn't encrypt data) or non-repudiation
(hashes can be computed by anyone with the data).
Rationale for Option D: Incorrect. Diffie-Hellman is a key exchange protocol that enables secure
key establishment but does not provide confidentiality for message content or non-repudiation
of sender identity.
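To make the distinction in this rationale concrete, here is an added Go example (not part of the exam, and a simplified stand-in for the real CMS/S/MIME encoding): the sender signs with RSA-PSS using a private key only they hold, then the signed message is encrypted with AES-GCM under a one-time key that is wrapped with RSA-OAEP to the recipient. The Envelope layout, the function names and the sample message are assumptions for illustration. Decrypting with any other private key fails (confidentiality), and a message signed by anyone else fails verification against the claimed sender's public key (non-repudiation); AES alone could not give the second property because both parties hold the same key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is an assumed, simplified stand-in for a signed-then-encrypted
// S/MIME message. The real format is CMS (ASN.1); the cryptographic roles are
// the same: RSA signature for non-repudiation, RSA-OAEP wrapped AES key for
// confidentiality.
type Envelope struct {
	WrappedKey []byte // one-time AES key, encrypted to the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM encryption of signature || message
}

// SignAndEncrypt: the sender signs with a key only they hold (non-repudiation),
// then encrypts to the recipient so only they can read it (confidentiality).
func SignAndEncrypt(msg []byte, senderPriv *rsa.PrivateKey, recipPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	cek := make([]byte, 32) // fresh content-encryption key per message
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, sig...), msg...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipPub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// DecryptAndVerify: the recipient unwraps the key with their private key, then
// checks the signature against the public key of the claimed sender.
func DecryptAndVerify(env *Envelope, recipPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap content key: not the intended recipient")
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext tampered or wrong key")
	}
	sigLen := senderPub.Size() // an RSA-PSS signature is exactly one modulus in length
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to hold a signature")
	}
	sig, msg := payload[:sigLen], payload[sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify for claimed sender: %w", err)
	}
	return msg, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample message.
	env, err := SignAndEncrypt([]byte("Approve wire #1234"), sender, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := DecryptAndVerify(env, recipient, &sender.PublicKey)
	fmt.Printf("recovered %q, err=%v\n", msg, err)
}
```

In real S/MIME the sender's public key arrives in an X.509 certificate, and the binding of that key to a person (plus protection of the private key) is what makes the signature usable as evidence; the example takes the public key as already trusted.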
5. In a cloud migration project, an organization chooses a Cloud Access Security Broker (CASB)
to enforce security policies. Which CASB deployment mode provides real-time policy
enforcement with minimal latency for user activities?
A. API-based mode
B. Forward proxy mode
C. Reverse proxy mode
D. Log collector mode
Correct Answer: B
Rationale for Option A: Incorrect. API-based mode operates asynchronously by interfacing with
cloud service APIs, which is excellent for data at rest scanning and compliance monitoring but
cannot provide real-time enforcement for user actions as they occur.
Rationale for Option B: Correct. Forward proxy mode intercepts user traffic in real-time before
it reaches the cloud service, enabling immediate policy enforcement (like blocking uploads or
scanning for malware) with minimal latency, ideal for active user sessions.
Rationale for Option C: Incorrect. Reverse proxy mode is also inline, but it only sees traffic for
sanctioned applications whose logins are redirected through the organization's identity provider to
the CASB, and it is typically chosen to cover unmanaged devices that cannot run an agent. Forward
proxy mode covers all outbound traffic from managed endpoints, including unsanctioned services, so
it is the broader fit for real-time enforcement of user activity.
Rationale for Option D: Incorrect. Log collector mode is passive, gathering logs from cloud
services for analysis and reporting; it provides visibility but cannot enforce policies in real-time
since it operates after events have occurred.
6. A security architect is designing authentication for a mobile banking application. Which
combination provides the STRONGEST multi-factor authentication (MFA) while maintaining
usability?
A. Password + SMS one-time code
B. Password + biometric fingerprint + device binding
C. Security questions + email verification
D. Username + password + security token displayed on screen
Correct Answer: B
Rationale for Option A: Incorrect. While SMS OTP provides a second factor, it is vulnerable to
SIM swapping, interception, and social engineering attacks; NIST and security best practices
discourage SMS for high-risk applications like banking.
Rationale for Option B: Correct. This combines something you know (password), something you
are (biometric), and something you have (the bound device), providing strong MFA with good
usability. Device binding ties the possession factor to a key held on the enrolled device, so a
captured code cannot be replayed from another device, and the biometric unlocks that key with less
friction than a separate token.
Rationale for Option C: Incorrect. Security questions are weak knowledge-based factors often
guessable or researchable, and email verification is susceptible to account takeover if the email
is compromised; this combination lacks strong independent factors.
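As an added example (not from the exam), the following Go code shows why the device-bound possession factor in option B is stronger than an SMS code: at enrollment the app generates a key pair whose private half stays on the device (on a phone, in the secure element behind the biometric), and each login requires signing a fresh, single-use server challenge with that key alongside the password. The type and function names, the single-block PBKDF2 password verifier and the challenge format are assumptions for this example, and the biometric unlock itself is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Account is the assumed server-side record: a password verifier (something
// you know) and the public half of a key pair generated on the enrolled
// device (something you have). The private half never leaves the device.
type Account struct {
	Salt      []byte
	Verifier  []byte
	DevicePub *ecdsa.PublicKey
	pending   map[string]bool // outstanding challenges, consumed on first use
}

// pbkdf2Sha256 derives a 32-byte verifier (one PBKDF2 block, since the output
// length equals the hash length). A memory-hard KDF such as Argon2id is
// preferable in production; this keeps the example dependency-free.
func pbkdf2Sha256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1), big-endian block index
	u := prf.Sum(nil)
	dk := append([]byte{}, u...)
	for n := 1; n < iter; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}

// Enroll creates the account and generates the device-bound key pair.
func Enroll(password string) (*Account, *ecdsa.PrivateKey, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, nil, err
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	acct := &Account{Salt: salt, Verifier: pbkdf2Sha256([]byte(password), salt, 10000),
		DevicePub: &devKey.PublicKey, pending: map[string]bool{}}
	return acct, devKey, nil
}

// Challenge issues a fresh random nonce that the enrolled device must sign.
func (a *Account) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	a.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// DeviceSign is what the app does after the biometric unlocks the key.
func DeviceSign(devKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, devKey, digest[:])
}

// Authenticate checks both factors. The challenge is consumed on first use, so
// a captured assertion cannot be replayed the way an intercepted SMS code can.
func (a *Account) Authenticate(password string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !a.pending[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(a.pending, key)
	v := pbkdf2Sha256([]byte(password), a.Salt, 10000)
	if subtle.ConstantTimeCompare(v, a.Verifier) != 1 {
		return errors.New("bad password")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(a.DevicePub, digest[:], sig) {
		return errors.New("assertion not signed by the enrolled device")
	}
	return nil
}

func main() {
	acct, devKey, err := Enroll("correct horse battery") // constructed sample credential
	if err != nil {
		panic(err)
	}
	ch, _ := acct.Challenge()
	sig, _ := DeviceSign(devKey, ch)
	fmt.Println("first use:", acct.Authenticate("correct horse battery", ch, sig))
	fmt.Println("replay:   ", acct.Authenticate("correct horse battery", ch, sig))
}
```

A SIM swap gives an attacker the SMS channel but not the enrolled device's private key, which is why the bound-device factor survives the attacks listed against option A.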
