Professional CISSP Practice Exam 100

Class notes Jan 1, 2026 ★★★★☆ (4.0/5)
Certified Information Systems Security Professional (CISSP) Practice Exam 100 Questions And Correct Answers (Verified Answers) Plus Rationales 2026 Q&A | Instant Download Pdf

1. Which of the following best defines due care in information security management?

  • Implementing controls to protect against known risks
  • Taking reasonable measures to prevent foreseeable harm
  • Ensuring total elimination of risk
  • Accepting all risk as part of business operations

Rationale: Due care means taking reasonable precautions to prevent foreseeable harm. It demonstrates an organization’s responsibility in protecting assets.

2. What is the primary purpose of a risk assessment?

  • To eliminate all vulnerabilities
  • To identify, analyze, and prioritize risks
  • To ensure compliance with regulations
  • To reduce operational costs

Rationale: A risk assessment determines potential risks, their impact, and likelihood to prioritize mitigation efforts.

3. Which security principle ensures that no single individual has full control over a critical process?

  • Separation of use
  • Separation of duties
  • Least privilege
  • Dual control

Rationale: Separation of duties divides tasks among individuals to reduce the risk of fraud or error.

4. Which of the following is considered a deterrent control?

  • Encryption
  • Intrusion detection system
  • Warning banner
  • Audit trail

Rationale: Deterrent controls discourage violations by warning potential offenders (e.g., banners or signs).

5. In risk management, residual risk refers to:

  • The total risk before controls are applied
  • The risk remaining after controls are implemented
  • The risk accepted before assessment
  • The risk transferred to third parties

Rationale: Residual risk is what remains after mitigation efforts are in place.

6. Which type of law focuses on relationships between individuals and organizations?

  • Criminal law
  • Civil law
  • Regulatory law
  • Administrative law

Rationale: Civil law governs private rights and disputes between individuals or organizations.

7. The primary purpose of security classification is to:

  • Reduce operational costs
  • Indicate the level of protection required for information
  • Comply with privacy regulations
  • Assign accountability to users

Rationale: Classification defines how data should be protected based on its sensitivity.

8. Which security principle dictates granting users only the access needed to perform their duties?

  • Need to know
  • Least privilege
  • Separation of duties
  • Due diligence

Rationale: Least privilege restricts access to the minimum necessary for job functions.

9. A Business Impact Analysis (BIA) primarily identifies:

  • Root causes of incidents
  • Critical business functions and their dependencies
  • Legal compliance requirements
  • Backup scheduling needs

Rationale: A BIA identifies critical processes and the impact of disruptions to them.

User Reviews

★★★★☆ (4.0/5 based on 1 review)

Student
May 21, 2025
★★★★☆

With its comprehensive coverage, this document made learning easy. Definitely an impressive choice!
