Certified Information Systems Security
Professional (CISSP) 2026/2027 Advanced
Study Guide with Practice Exams and
Detailed Explanations
1. Question:
What is a key principle of risk management programs?
A. Eliminate all risks at any cost
B. Accept all risks below regulatory limits
C. Transfer all risks to third parties
D. Do not spend more to protect an asset than it is worth
Correct Answer: D. Do not spend more to protect an asset than it is worth
Rationale: This principle ensures cost-effective security by balancing protection costs
against asset value. Option A is incorrect because eliminating all risks is unrealistic.
Option B is incorrect because not all risks should be automatically accepted. Option C
is incorrect because not all risks can or should be transferred.
2. Question:
Adam is evaluating a web server and identifies a flaw allowing SQL injection. What
term best describes this issue?
A. Incident
B. Threat
C. Vulnerability
D. Exploit
Correct Answer: C. Vulnerability
Rationale: A vulnerability is a weakness in a system that can be exploited. Option A is
incorrect because an incident is an actual security event. Option B is incorrect because
a threat is a potential danger. Option D is incorrect because an exploit is the method
used to take advantage of a vulnerability.
3. Question:
Adam's company suffered a breach through SQL injection. What best describes this
activity?
A. Vulnerability
B. Incident
C. Risk
D. Threat actor
Correct Answer: B. Incident
Rationale: An incident is a confirmed security breach or event. Option A is incorrect
because a vulnerability is the weakness itself, not the event. Option C is incorrect because
risk is the potential for loss. Option D is incorrect because a threat actor is the attacker.
4. Question:
Joe manages industrial control systems for a power plant. What environment is this?
A. Cloud computing environment
B. Enterprise LAN
C. SCADA environment
D. Virtualized environment
Correct Answer: C. SCADA environment
Rationale: SCADA systems control industrial processes. Option A is incorrect
because cloud computing is unrelated. Option B is incorrect because LAN is generic
networking. Option D is incorrect because virtualization is not specific to industrial
control.
5. Question:
Beth is assessing the reputational impact of a security incident. Which risk assessment
type is best?
A. Quantitative
B. Qualitative
C. Operational
D. Statistical
Correct Answer: B. Qualitative
Rationale: Qualitative assessment evaluates non-numeric impacts like reputation.
Option A is incorrect because quantitative uses numbers. Option C is incorrect
because operational is not a risk type. Option D is incorrect because statistical is not
commonly used in this context.
6. Question:
What is the exposure factor if a $10 million asset suffers $2 million loss?
A. 10%
B. 20%
C. 25%
D. 30%
Correct Answer: B. 20%
Rationale: Exposure factor = loss ÷ asset value = 2M ÷ 10M = 20%. Other options are
incorrect calculations.
7. Question:
What is the Single Loss Expectancy (SLE) in this scenario, where a single incident causes $2 million in damage?
A. $10,000
B. $200,000
C. $2,000,000
D. $20,000
Correct Answer: C. $2,000,000
Rationale: SLE equals the expected loss from a single incident, which here is the stated
$2 million. The other options do not match the stated loss.
8. Question:
What is the Annualized Loss Expectancy (ALE) if ARO is 1% and SLE is $2,000,000?
A. $200,000
B. $20,000
C. $2,000,000
D. $10,000
Correct Answer: B. $20,000
Rationale: ALE = SLE × ARO = 2,000,000 × 0.01 = 20,000. Other options are
incorrect multiplications.
9. Question:
Purchasing insurance is an example of which risk strategy?
A. Avoid
B. Reduce
C. Transfer
D. Accept
Correct Answer: C. Transfer
Rationale: Insurance shifts financial risk to another party. Other options do not
involve transferring liability.
10. Question:
Encrypting mobile devices after theft incidents is what risk response?