BCS CISMP EXAM QUESTIONS AND ANSWERS
2025
Which of the following doesn't apply to risk?
a) Risk is the effect of uncertainty on objectives
b) When assessing risk you should take into account the
consequence and likelihood of security incidents
c) Risk is the possibility that a threat actor will exploit a
vulnerability to create a security incident
d) In order to assess risk you will need an understanding
of your organisation's assets and its vulnerabilities, as
well as the threats, both internal and external, that it
faces - ....ANSWER ....✔✔ C
Which of the following is true?
a) An unpatched web server is a threat
b) An unencrypted corporate wireless LAN is a threat
c) Both of the above
d) None of the above - ....ANSWER ....✔✔ D
Which of the following is not a vulnerability?
a) A misconfigured firewall
b) A script kiddie
c) Both of the above
d) None of the above - ....ANSWER ....✔✔ B
ISMS stands for...
a) Integrated Security Management System
b) Information System Managed Security
c) Information Security Management System
d) Integrated System for Managed Security -
....ANSWER ....✔✔ C
When accessing an IT system, the order of events is...
a) Authentication, Identification, Authorisation
b) Identification, Authorisation, Authentication
c) Authorisation, Identification, Authentication
d) None of the above - ....ANSWER ....✔✔ D
According to NIST definitions, which of the following is
not an essential characteristic of cloud computing?
a) Access through value-added networks using
proprietary protocols
b) Rapid elasticity
c) Location-independent resource pooling
d) On-demand self-service - ....ANSWER ....✔✔ A
A web service available to the public has been
compromised. The hackers were able to copy passwords
and modify them. Which information security principles
will have been violated by the breach?
a) Confidentiality and integrity only
b) Integrity and availability only
c) Availability and confidentiality only
d) Confidentiality, integrity and availability -
....ANSWER ....✔✔ D
When considering the deployment of a new information
system, which of the following is correct?
a) The system should be accredited before being
certified
b) Certification is a formal assessment of the information
system against information assurance requirements,
resulting in the acceptance of residual risk in the context
of business requirements and formal approval by
management
c) Accreditation is a comprehensive assessment of the
system's security controls to determine whether they meet
the security requirements of the system
d) The system should be certified before being
accredited - ....ANSWER ....✔✔ D
When valuing an asset, what should you take into
consideration? Select the best answer.
a) Its replacement cost
b) Lost revenue while the asset is unavailable
c) Lost business owing to reputational damage
d) All of the above - ....ANSWER ....✔✔ D
Which of the following is a tangible asset?