CISMP EXAM QUESTIONS AND ANSWERS WITH COMPLETE
SOLUTIONS VERIFIED BY EXPERT 2024/2025
Confidentiality
Information not disclosed to unauthorised people, entities or processes
What should be included in an IA policy?
How IA would be managed, how it should be communicated to users, statement of
support from senior management, protection of IA assets and how they will comply with
legal and regulatory obligations, consequences of non compliance.
Integrity
Accuracy and completeness
Availability
Property of information being accessible to individuals with the authority
Non-repudiation
Assurance that information validity cannot be denied (having sent or created etc.). Proof
of origin and integrity of data
Cyber Security
The protection of privacy, integrity and accessibility of information
Asset
Anything of value to an organisation (information, physical or software)
How are assets valued and what five aspects are considered?
,This is done using a Business Impact Assessment that will consider:
1. Cost of loss/unavailability (time)
2. Cost of recovery (back to BAU)
3. Value to a competitor (how much they would pay to get this asset)
4. Impact on brand reputation and customer loyalty
5. Cost of damage to other operations
Threat
Cause of an unwanted incident that may result in harm (can be subjective)
Vulnerability
Weakness in an asset/control that can be exploited by a threat/Risk
Risks arise when a threat and vulnerability are present - they are the effect of
uncertainty on acheiving an objective.
Impact
Result of an incident caused by a threat - this drives the controls put into place
What is an information security policy and what should it contain?
This is a policy for information assets and should contain statements acknowledging risk
exists, it's seriousness and that it has been considered by persons of correct authority
What are controls? And what four types of controls are there?
,Controls are activities that manage risk.
1. Reduce: lesson the probability of occurrence or lower the impact (risk = likelihood X
impact)
2. Eliminate: completely avoid activity that results in risk
3. Transfer: make another organisation responsible through contracts or insurance (only
covers financial).
4. Accept: Tolerate when impacts/likelihood are too small to justify the cost of mitigation.
What is defence in a. depth and b. breadth?
Depth: interconnection so attacks need to consider more than one system when
targeting a single system.
Breadth: layers of security increasing in complexity with more critical assets
Identity
Information that distinguishes one entity (can be people or information assets) from
another in a given domain without ambiguity
What is the AAA Framework and what does it include?
Way to understand the access ability of individuals within an organisation.
1.Authentication: assurance of the claimed identity of the entity to a level of appropriate
, confidence (what they know, who they are, what they have)
2. Authorisation: correct permissions granted to a system entity for access to a
resource.
3. Accounting: usage monitoring using SIEM to understand what they are accessing or
attempting to access.
Accountability
Property of a process that ensures the actions of an entity can be traced back to a
unique identity. Every action in a system must have someone accountable.
Audit
Review of a party's capacity to meet approval agreements, check records that actions
have been carried out correctly, no misuse of the system and identify gaps in system
functionality.
Compliance
Meeting all application requirements outlined in a standard/published set of
requirements
Information security professionalism and ethics?
Trust is most highly valued as security professionals get access to very important
information
What is an Information Security Management System? (ISMS)
SOLUTIONS VERIFIED BY EXPERT 2024/2025
Confidentiality
Information not disclosed to unauthorised people, entities or processes
What should be included in an IA policy?
How IA would be managed, how it should be communicated to users, statement of
support from senior management, protection of IA assets and how they will comply with
legal and regulatory obligations, consequences of non compliance.
Integrity
Accuracy and completeness
Availability
Property of information being accessible to individuals with the authority
Non-repudiation
Assurance that information validity cannot be denied (having sent or created etc.). Proof
of origin and integrity of data
Cyber Security
The protection of privacy, integrity and accessibility of information
Asset
Anything of value to an organisation (information, physical or software)
How are assets valued and what five aspects are considered?
,This is done using a Business Impact Assessment that will consider:
1. Cost of loss/unavailability (time)
2. Cost of recovery (back to BAU)
3. Value to a competitor (how much they would pay to get this asset)
4. Impact on brand reputation and customer loyalty
5. Cost of damage to other operations
Threat
Cause of an unwanted incident that may result in harm (can be subjective)
Vulnerability
Weakness in an asset/control that can be exploited by a threat/Risk
Risks arise when a threat and vulnerability are present - they are the effect of
uncertainty on acheiving an objective.
Impact
Result of an incident caused by a threat - this drives the controls put into place
What is an information security policy and what should it contain?
This is a policy for information assets and should contain statements acknowledging risk
exists, it's seriousness and that it has been considered by persons of correct authority
What are controls? And what four types of controls are there?
,Controls are activities that manage risk.
1. Reduce: lesson the probability of occurrence or lower the impact (risk = likelihood X
impact)
2. Eliminate: completely avoid activity that results in risk
3. Transfer: make another organisation responsible through contracts or insurance (only
covers financial).
4. Accept: Tolerate when impacts/likelihood are too small to justify the cost of mitigation.
What is defence in a. depth and b. breadth?
Depth: interconnection so attacks need to consider more than one system when
targeting a single system.
Breadth: layers of security increasing in complexity with more critical assets
Identity
Information that distinguishes one entity (can be people or information assets) from
another in a given domain without ambiguity
What is the AAA Framework and what does it include?
Way to understand the access ability of individuals within an organisation.
1.Authentication: assurance of the claimed identity of the entity to a level of appropriate
, confidence (what they know, who they are, what they have)
2. Authorisation: correct permissions granted to a system entity for access to a
resource.
3. Accounting: usage monitoring using SIEM to understand what they are accessing or
attempting to access.
Accountability
Property of a process that ensures the actions of an entity can be traced back to a
unique identity. Every action in a system must have someone accountable.
Audit
Review of a party's capacity to meet approval agreements, check records that actions
have been carried out correctly, no misuse of the system and identify gaps in system
functionality.
Compliance
Meeting all application requirements outlined in a standard/published set of
requirements
Information security professionalism and ethics?
Trust is most highly valued as security professionals get access to very important
information
What is an Information Security Management System? (ISMS)
