Exam (elaborations)

Certified Information Systems Security Professional (CISSP) 2026/2027 Advanced Study Guide with Practice Exams and Detailed Explanation

Pages: 27
Grade: A+
Uploaded on: 23-05-2026
Written in: 2025/2026


Institution
CISSP - Certified Information Systems Security Professional
Course
CISSP - Certified Information Systems Security Professional

Content preview

Certified Information Systems Security Professional (CISSP) 2026/2027 Advanced Study Guide with Practice Exams and Detailed Explanations

1. Question:
What is a key principle of risk management programs?

A. Eliminate all risks at any cost
B. Accept all risks below regulatory limits
C. Transfer all risks to third parties
D. Do not spend more to protect an asset than it is worth

Correct Answer: D. Do not spend more to protect an asset than it is worth

Rationale: This principle ensures cost-effective security by balancing protection costs against asset value. Option A is incorrect because eliminating all risks is unrealistic. Option B is incorrect because not all risks should be automatically accepted. Option C is incorrect because not all risks can or should be transferred.


2. Question:
Adam is evaluating a web server and identifies a flaw allowing SQL injection. What term best describes this issue?

A. Incident
B. Threat
C. Vulnerability
D. Exploit

Correct Answer: C. Vulnerability

Rationale: A vulnerability is a weakness in a system that can be exploited. Option A is incorrect because an incident is an actual security event. Option B is incorrect because a threat is a potential danger. Option D is incorrect because an exploit is the method used to take advantage of a vulnerability.


3. Question:
Adam's company suffered a breach through SQL injection. What best describes this activity?

A. Vulnerability
B. Incident
C. Risk
D. Threat actor

Correct Answer: B. Incident

Rationale: An incident is a confirmed security breach or event. Option A is incorrect because a vulnerability is the weakness. Option C is incorrect because risk is the potential for loss. Option D is incorrect because a threat actor is the attacker.


4. Question:
Joe manages industrial control systems for a power plant. What environment is this?

A. Cloud computing environment
B. Enterprise LAN
C. SCADA environment
D. Virtualized environment

Correct Answer: C. SCADA environment

Rationale: SCADA systems control industrial processes. Option A is incorrect because cloud computing is unrelated. Option B is incorrect because a LAN is generic networking. Option D is incorrect because virtualization is not specific to industrial control.


5. Question:
Beth is assessing the reputational impact of a security incident. What risk assessment type is best?

A. Quantitative
B. Qualitative
C. Operational
D. Statistical

Correct Answer: B. Qualitative

Rationale: Qualitative assessment evaluates non-numeric impacts like reputation. Option A is incorrect because quantitative assessment uses numbers. Option C is incorrect because operational is not a risk assessment type. Option D is incorrect because statistical is not commonly used in this context.


6. Question:
What is the exposure factor if a $10 million asset suffers $2 million loss?

A. 10%
B. 20%
C. 25%
D. 30%

Correct Answer: B. 20%

Rationale: Exposure factor = loss ÷ asset value = 2M ÷ 10M = 20%. The other options are incorrect calculations.


7. Question:
In the same scenario (a $2 million loss), what is the Single Loss Expectancy (SLE)?

A. $10,000
B. $200,000
C. $2,000,000
D. $20,000

Correct Answer: C. $2,000,000

Rationale: SLE equals the expected loss from a single incident. The other options are values that do not match the loss.


8. Question:
What is the Annualized Loss Expectancy (ALE) if ARO is 1% and SLE is $2,000,000?

A. $200,000
B. $20,000
C. $2,000,000
D. $10,000

Correct Answer: B. $20,000

Rationale: ALE = SLE × ARO = 2,000,000 × 0.01 = 20,000. The other options are incorrect multiplications.


9. Question:
Purchasing insurance is an example of which risk strategy?

A. Avoid
B. Reduce
C. Transfer
D. Accept

Correct Answer: C. Transfer

Rationale: Insurance shifts financial risk to another party. The other options do not involve transferring liability.


10. Question:
Encrypting mobile devices after theft incidents is what risk response?
