Security and Risk Management — CISSP Practice Questions
Governance, risk assessment, compliance, and professional ethics. This domain is about 15% of the CISSP exam. Every question below is cross-checked by two AI models and grounded in public NIST sources.
12 free Security and Risk Management practice questions
Answer them right here — no signup. Pick an option and you'll see the correct answer and a full explanation instantly.
Question 1
beginner
An organization is conducting a risk assessment. What should be done FIRST to identify potential risks?
Why: Understand the importance of identifying assets and their values in risk assessment
Identifying assets and their values is the first step in conducting a risk assessment, as it helps to determine the potential impact of a security breach.
Question 2
beginner
What is the BEST way to ensure that security controls are effective in mitigating risks?
Why: Understand the importance of continuous monitoring in ensuring the effectiveness of security controls
Implementing a continuous monitoring program is the best way to ensure that security controls are effective, as it provides real-time visibility into the security posture of the organization.
Question 3
beginner
An organization is developing a new security policy. What should be done FIRST to ensure the policy is effective?
Why: Define the scope and objectives of a security policy
Defining the policy's scope and objectives is the first step in developing an effective security policy, as it provides a clear direction and focus for the policy.
Question 4
intermediate
An organization is planning to adopt a new cloud-based service. What should be done FIRST to ensure the security and compliance of this new service?
Why: Understand the importance of risk assessment in cloud adoption
Conducting a thorough risk assessment of the cloud service provider is the first step to ensure the security and compliance of the new service, as it helps identify potential risks and vulnerabilities.
Question 5
beginner
What should be included in a comprehensive security governance framework?
Why: Understand the components of a comprehensive security governance framework
A comprehensive security governance framework should include policies, procedures, and standards, as well as risk management and compliance, and security awareness training and incident response.
Question 6
intermediate
An organization is experiencing a significant increase in security incidents. What is the MOST important aspect of professional ethics that the security team should consider?
Why: Understand the importance of accountability in security incident response
Accountability for incident response actions is the most important aspect of professional ethics, as it ensures that the security team is responsible for their actions and decisions during incident response.
Question 7
intermediate
A security manager is tasked with ensuring compliance with a new regulation. What is the MOST important step to take FIRST?
Why: Understand the importance of gap analysis in compliance
Conducting a gap analysis is the most important step to take first, as it helps identify areas where the organization is not compliant and provides a roadmap for remediation.
Question 8
intermediate
A security manager discovers that their organization's compliance with a regulatory requirement is at risk due to inadequate controls. What should be done FIRST to address this issue?
Why: Prioritizing corrective action for compliance issues
Developing a corrective action plan to remediate the inadequate controls addresses the compliance issue directly and promptly, reducing the risk of non-compliance.
Question 9
advanced
A security manager discovers that their organization's new business partner has a significantly different security posture, which may impact the overall risk profile of the organization. What should be done FIRST?
Why: Understand the importance of risk assessment in third-party relationships
The correct answer is to conduct a thorough risk assessment of the business partner. This is because understanding the risk profile of the partner is crucial in determining the potential impact on the organization and identifying necessary mitigations.
Question 10
advanced
A security manager is tasked with ensuring that their organization's security policies are aligned with industry best practices. What is the MOST important step to take FIRST?
Why: Understand the importance of reviewing existing policies before adoption
The correct answer is to conduct a thorough review of existing security policies. This step is crucial because it allows the security manager to understand the current state of the organization's security policies before making changes or adopting new frameworks.
Question 11
advanced
A security manager is tasked with ensuring compliance with a new data protection regulation. What is the BEST approach to ensuring ongoing compliance?
Why: Understand the importance of a comprehensive data protection policy
The correct answer is to develop a comprehensive data protection policy. This approach ensures that the organization has a foundational document that outlines its commitment to data protection, including procedures for handling sensitive data and responding to breaches, which is essential for ongoing compliance.
Question 12
advanced
A security manager has identified a potential conflict of interest between their personal and professional responsibilities. What is the BEST course of action?
Why: Understand the importance of disclosing conflicts of interest
The correct answer is to disclose the potential conflict of interest to their supervisor. This is the best course of action because transparency and disclosure are essential in managing conflicts of interest, allowing the organization to take appropriate steps to mitigate any potential impact on professional judgment or decision-making.
Like this? There's a full CISSP bank behind it.
Create a free account to take a real adaptive CISSP exam, track every domain, and get a readiness score that tells you when you're ready.
How many CISSP Security and Risk Management practice questions does CramKit have?
CramKit's Security and Risk Management domain has verified CISSP practice questions, each blind re-answered by two independent AI models and grounded in public NIST sources before it goes live. This page shows 12 of them free; the full set is available after a free sign-up.
What percentage of the CISSP exam is Security and Risk Management?
Security and Risk Management accounts for about 15% of the CISSP exam blueprint, so CramKit weights its question bank to match that emphasis.
Are these Security and Risk Management questions verified?
Yes. Every question is independently re-answered by two different AI model families and only goes live if both agree it is correct and unambiguous, so you are not practicing on wrong-keyed questions.