ISC2 CCSP: Free Certified Cloud Security Professional practice test
10 real ISC2 CCSP practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 1,434 questions whenever you’re ready. The ISC2 CCSP passing score is 700 / 1000.
Answer key
All 10 ISC2 CCSP questions & answers
Prefer to just read the answers and explanations? Here’s the full key for this free ISC2 CCSP test.
Q1. An electronics manufacturer runs a hybrid cloud setup. After migrating a workload from their internal data center into a public cloud environment, the workload fails to run correctly. Engineers determine the failure is caused by differences in how configuration settings and software dependencies are handled between the two environments. Which functional cloud security property is the manufacturer failing to achieve?
Correct answer: B. Portability
Portability is the ability of a workload to function correctly after being relocated to a different environment. When a workload breaks due to environmental differences after migration, this is a portability failure. Vendor lock-out occurs when a vendor's service failure prevents access to data or systems. Interoperability ensures different systems can exchange and use information with each other. Vendor lock-in is excessive dependence on a single provider that makes switching difficult.
Q2. A cloud administrator must verify that all data has been fully purged from cloud servers following a data migration. The organization operates a NoSQL IaaS deployment on a public cloud. Which data sanitization approach is both practical and effective in this environment?
Correct answer: A. A contractual clause requiring the CSP to physically shred all drives holding customer data, combined with cryptographic erasure of the database encryption key
In public cloud environments, customers have no access to physical hardware, so the contract must specify how the CSP handles media sanitization. Physical shredding is preferable to multiple overwrite passes. Degaussing only works on magnetic HDDs, and there is no guarantee the drives are HDD rather than SSD. Even with IaaS, customer-performed overwrites are not feasible because cloud storage does not work the same way as direct disk writes — deleting data only removes pointers, not the underlying sectors. Cryptographic erasure of the encryption key is the recommended approach for rendering data irrecoverable in cloud contexts.
Q3. A cloud administrator needs to quickly distribute an application package across a large-scale cloud environment. Which of the following technologies is best suited for rapid deployment in this scenario?
Correct answer: D. Containers
Containers bundle an application together with all its required code, libraries, and configuration into a portable unit that can be deployed quickly and consistently across cloud environments. Virtual machines built on a hypervisor can run software, but they are heavier and slower to provision than containers. Key management systems are used to protect cryptographic keys, not to deploy applications. MDM solutions are used to manage and control mobile devices, which is unrelated to application deployment in a cloud.
Q4. An architect plans to replace all physical hardware — including networking gear and servers — with cloud-based equivalents. They want to retain control over the operating systems and applications installed on those virtual servers but hand off all physical hardware responsibilities. Which cloud service model best fits this requirement?
Correct answer: A. Infrastructure as a Service (IaaS)
IaaS provides virtualized equivalents of physical hardware — routers, switches, firewalls, and servers — while the customer retains responsibility for operating systems and software. PaaS provides a managed platform and may include server operating systems, but it does not typically include virtual network devices like routers and switches. DBaaS is limited to database functionality and does not extend to network infrastructure. SaaS hands full control of both hardware and software to the provider, leaving the customer only able to use the delivered application.
Q5. A cloud customer is decommissioning an old Hardware Security Module (HSM) before switching to a newer model. To ensure no keys can be recovered, they overwrite the wiped storage areas with a mix of random data and zeros. What is this process called?
Correct answer: D. Zeroization
Zeroization refers to the sanitization technique of overwriting stored data with random values and zeros to prevent any recovery of the original content. Cryptographic erasure destroys the encryption key rather than overwriting the underlying data, making the data unreadable without requiring physical access. Degaussing disrupts the magnetic orientation of HDD platters and renders the drive unusable, but it is not applicable to flash-based HSMs. Data hijacking describes an adversarial act such as ransomware where an attacker seizes control of another party's data.
Q6. A cloud security manager is developing an asset management policy. She is defining a method for labeling cloud resources so that access control rules can be applied, monitoring alerts can be triggered, and usage charges can be attributed. What concept makes this possible?
Correct answer: B. Tags
Tags are key-value pairs applied to cloud resources that enable organized access control, alerting, and cost tracking. Consistent tagging policies are essential in any cloud deployment. For example, a tag with key 'environment' and value 'production' can drive automation and billing reports. Tags are sometimes called labels in platforms like Kubernetes. Data types are classification schemas for data itself, not for resource management. Although tags are technically a form of identifier, 'identifier' is too broad to be the most accurate answer here.
Q7. A pharmaceutical company's security team is connected to a government health agency's shared research cloud, and also stores some of their own data in a public cloud in both database and data lake formats. Which term most accurately describes this overall cloud arrangement?
Correct answer: B. Hybrid cloud
A hybrid cloud combines two of the three primary deployment models: public, private, or community. In this case, the organization uses both a community cloud (the government health agency's shared environment) and a public cloud (for databases and data lakes), making it a hybrid deployment. Multi-cloud refers to using services from multiple cloud service providers, typically within the same deployment category. A public cloud hosts multiple tenants over the internet. A private cloud is dedicated to a single organization.
Q8. A cloud provider gathers all of its physical and virtual resources — routers, servers, switches, CPUs, memory, and storage — into a shared collection and then allocates portions of that collection to customers on demand. Which term best describes this activity?
Correct answer: D. Resource pooling
Resource pooling is the practice of combining all available physical and virtual infrastructure into a shared reserve that is dynamically allocated across multiple customers. This underpins multi-tenancy, where many customers draw from the same underlying pool. Portability refers to migrating data between providers without re-entry. On-demand self-service allows customers to provision resources themselves via a portal without provider involvement. Reversibility describes the ability to withdraw data and workloads from a provider.
Q9. A cloud provider wants to offer services to US federal agencies. Which program must they be assessed against before being authorized to sell those services to the US government?
Correct answer: D. Federal Risk and Authorization Management Program
FedRAMP is the US government program that standardizes the security assessment and authorization process for cloud service providers seeking to sell to federal agencies. The Family Educational Rights and Privacy Act protects student educational records and is not a cloud certification program. ISO/IEC 27017 provides guidance on implementing information security controls in cloud environments but is not a US government authorization framework. FIPS 140-3 validates the security of cryptographic modules, not the overall readiness of a CSP to serve government clients.
Q10. A cloud service provider has completed a Service Organization Controls (SOC) 2 audit and published the resulting report. What is the primary purpose of this report?
Correct answer: A. Auditability
A SOC 2 report provides third-party verification that a cloud provider's controls around security, availability, processing integrity, confidentiality, and privacy meet established standards. Its core function is auditability — enabling customers and stakeholders to independently verify the provider's compliance posture. Governance is the broader framework of policies and oversight, not the specific function of a SOC 2 report. Regulatory oversight relates to compliance with specific regulations like GDPR or PCI DSS, which a SOC 2 can support but is not equivalent to. Security is the general topic the report covers, but auditability is the precise purpose of publishing the report.
Exam facts and objectives sourced from the official ISC2 certification page. Last reviewed June 2026.