Free Sample Questions

CISSP Practice Questions — Free CAT-Style Sample

Six representative questions across 6 of the 8 CISSP domains, with full explanations. These reflect the difficulty and style of questions in the AdaptivePrep question bank — the same adaptive engine used in the real ISC2 CAT exam.

Domain 1 — Security & Risk Management (Difficulty 2 / 5)

Q1. A company is evaluating whether to purchase cyber liability insurance to cover the financial impact of a data breach. Which risk management strategy does this represent?

A. Risk avoidance
B. Risk acceptance
C. Risk transference ✓ Correct
D. Risk mitigation

Why C is correct: Purchasing insurance transfers the financial consequences of a risk to a third party (the insurer). Risk avoidance means eliminating the activity causing the risk. Risk acceptance means acknowledging and tolerating the risk. Risk mitigation means reducing the likelihood or impact through controls.

Domain 2 — Asset Security (Difficulty 2 / 5)

Q2. An organization is decommissioning hard drives that stored classified government data. The drives will be reused by another department within the same organization. Which data sanitization method is most appropriate?

A. Deletion using the operating system
B. Degaussing
C. Overwriting with a DoD-approved multi-pass algorithm ✓ Correct
D. Physical destruction

Why C is correct: Since the drives will be reused internally, physical destruction is unnecessary. Degaussing renders a drive unusable. Standard OS deletion is insufficient for classified data. Overwriting with a multi-pass algorithm (such as DoD 5220.22-M) sanitizes the media while keeping it functional for reuse.

Domain 3 — Security Architecture & Engineering (Difficulty 3 / 5)

Q3. A security architect is designing a system where users with a Top Secret clearance must never be able to write data to a file classified at the Secret level. Which security model enforces this requirement?

A. Biba integrity model
B. Clark-Wilson integrity model
C. Bell-LaPadula confidentiality model ✓ Correct
D. Brewer-Nash model

Why C is correct: The Bell-LaPadula model enforces confidentiality using two core rules: no read up (a subject cannot read data above their clearance) and no write down (a subject cannot write data to a classification level below theirs). This prevents a Top Secret user from writing to a Secret file, which could leak classified information downward.
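To make the two rules concrete, here is a small reference monitor that enforces them; this is an added illustration, not part of the original questions, and the classification lattice, subject and object names are constructed for the example.

```python
# Added example: a minimal Bell-LaPadula reference monitor enforcing the
# simple security property (no read up) and the *-property (no write down).
# The level ordering and the names below are constructed for illustration.
from dataclasses import dataclass

# Ordered classification lattice: higher number = more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


def can_read(subject: Subject, res: Resource) -> bool:
    """Simple security property: read only at or below your clearance (no read up)."""
    return LEVELS[subject.clearance] >= LEVELS[res.classification]


def can_write(subject: Subject, res: Resource) -> bool:
    """*-property: write only at or above your clearance (no write down).
    Writing upward is permitted by the basic model; it cannot leak data downward."""
    return LEVELS[subject.clearance] <= LEVELS[res.classification]


def authorize(subject: Subject, res: Resource, action: str) -> bool:
    """Reference-monitor decision for 'read' or 'write'; anything else is denied."""
    if action == "read":
        return can_read(subject, res)
    if action == "write":
        return can_write(subject, res)
    return False


if __name__ == "__main__":
    # The scenario from Q3: a Top Secret subject and a Secret file.
    alice = Subject("alice", "Top Secret")
    plan = Resource("plan.docx", "Secret")
    print("read  ->", authorize(alice, plan, "read"))   # allowed: reading down is fine
    print("write ->", authorize(alice, plan, "write"))  # denied: this is the write down
```

The same check, run with the roles swapped, shows the mirror case: a Secret-cleared subject may write up into a Top Secret file but may not read it.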

Domain 5 — Identity & Access Management (Difficulty 2 / 5)

Q4. A financial firm requires that no single employee can both initiate and approve a wire transfer. Which security principle does this control implement?

A. Least privilege
B. Separation of duties ✓ Correct
C. Job rotation
D. Need to know

Why B is correct: Separation of duties requires that a single person cannot complete a sensitive transaction alone, reducing the risk of fraud or error. Least privilege limits access to the minimum necessary. Job rotation moves employees between roles periodically. Need to know restricts access to information required for a specific task.

Domain 7 — Security Operations (Difficulty 3 / 5)

Q5. During incident response, a security analyst discovers malware on a workstation that is actively exfiltrating data. The workstation is connected to a network segment housing critical production systems. What should the analyst do FIRST?

A. Power off the workstation immediately to stop the exfiltration
B. Isolate the workstation from the network while preserving its running state ✓ Correct
C. Capture a full forensic image of the hard drive before taking any action
D. Notify law enforcement before touching the system

Why B is correct: Containment is the priority during an active incident. Isolating the workstation (e.g., removing it from the network or placing it in a quarantine VLAN) stops the exfiltration while preserving volatile memory and the running state for forensic analysis. Powering off destroys volatile evidence. Imaging before containment allows continued exfiltration. Law enforcement notification comes after containment and evidence preservation.

Domain 8 — Software Development Security (Difficulty 3 / 5)

Q6. A development team is building a web application that accepts user-supplied search terms and passes them directly to a database query. Which vulnerability does this practice most directly introduce, and what is the correct mitigation?

A. Cross-site scripting (XSS); mitigate with output encoding
B. SQL injection; mitigate with parameterized queries ✓ Correct
C. Buffer overflow; mitigate with input length validation
D. Cross-site request forgery (CSRF); mitigate with anti-CSRF tokens

Why B is correct: Passing unsanitized user input directly into a database query creates a SQL injection vulnerability, allowing attackers to manipulate the query structure and access or modify unauthorized data. Parameterized queries (prepared statements) separate code from data, preventing injection. XSS involves injecting scripts into web output. Buffer overflows involve writing beyond allocated memory. CSRF exploits authenticated sessions to make unauthorized requests.
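The search query from Q6 built both ways, against an in-memory SQLite table, shows why parameterization is the fix and input "sanitizing" is not; this is an added illustration, not code from the original page, and the table, rows and search terms are constructed for the example.

```python
# Added example: the same product search written with string concatenation
# (vulnerable) and with a bound parameter (safe). Data is constructed.
import sqlite3

# The 'public' flag models rows the search must never expose.
CONSTRUCTED_PRODUCTS = [("laptop", 1), ("lamp", 1), ("internal prototype", 0)]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", CONSTRUCTED_PRODUCTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Concatenates the user term into the SQL text, so the term can change
    the query's structure (this is the practice the question describes)."""
    sql = f"SELECT name FROM products WHERE public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Binds the user term as a parameter: the statement's structure is fixed
    before any user data is seen, so the term can only ever be matched as text."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    conn = setup_db()
    print(search_vulnerable(conn, "la"))       # ['laptop', 'lamp'] -- works as intended
    # A search term containing SQL syntax (constructed test input): in the
    # concatenated version it rewrites the WHERE clause and the non-public row leaks.
    crafted = "%' OR 1=1 --"
    print(search_vulnerable(conn, crafted))    # includes 'internal prototype'
    print(search_parameterized(conn, crafted)) # [] -- treated as a literal pattern
```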

Ready for the full adaptive experience?

The real CISSP is a CAT exam. AdaptivePrep is the only practice platform that trains you the same way — difficulty adjusts in real time based on every answer. 20 questions free, no credit card.


CISSP Exam FAQs

What is the CISSP CAT exam format?

The CISSP uses a Computer Adaptive Testing (CAT) format for English-language exams. The exam contains 125–175 questions (including 25 unscored pilot questions) with a 4-hour time limit. Questions adapt in difficulty based on your responses — correct answers lead to harder questions, wrong answers lead to easier ones. You need to demonstrate consistent competency across all 8 domains to pass.

How many questions are on the CISSP exam?

The CISSP CAT exam has between 125 and 175 questions. The exam ends when the system is statistically confident in your result — either a pass or fail — or when you reach the 175-question or 4-hour limit. Most candidates finish between 125 and 150 questions.

What are the 8 CISSP domains?

The 8 CISSP domains are: (1) Security and Risk Management, (2) Asset Security, (3) Security Architecture and Engineering, (4) Communication and Network Security, (5) Identity and Access Management, (6) Security Assessment and Testing, (7) Security Operations, and (8) Software Development Security.

How hard is the CISSP exam?

The CISSP has a pass rate estimated around 20–30% on the first attempt, making it one of the most challenging cybersecurity certifications. The exam tests not just knowledge recall but applied judgment — many questions require choosing the "most correct" answer among several defensible options. Consistent adaptive practice across all domains is the most effective preparation strategy.

How does adaptive (CAT) practice help CISSP prep?

The real CISSP is a CAT exam, meaning question difficulty adjusts based on your performance. Practicing with a CAT-style engine trains you for this experience directly. You spend more time on questions at the edge of your ability rather than repeatedly answering easy questions you already know — making your study time more efficient and exposing you to the same pressure you'll face on exam day.

AdaptivePrep is an independent study tool. Not affiliated with or endorsed by ISC2. CISSP® is a registered trademark of ISC2, Inc.