ISC2 CISSP: Free Certified Information Systems Security Professional practice test
10 real ISC2 CISSP practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 998 questions whenever you're ready. The ISC2 CISSP passing score is 700 / 1000.
Answer key
All 10 ISC2 CISSP questions & answers
Prefer to just read the answers and explanations? Here’s the full key for this free ISC2 CISSP test.
Q1. Which of the following activities falls OUTSIDE the typical scope of a business impact analysis (BIA)?
Correct answer: B. Projecting annual revenue figures
A BIA focuses on understanding how disruptions affect organizational operations. It is used to rank risks, assign value to systems, define recovery objectives such as MTD and RPO, and inform continuity strategies. Projecting annual revenue is a finance department function and is not part of a BIA's scope.
Q2. Which of the following activities would MOST LIKELY be a core component of a business impact analysis (BIA)?
Correct answer: B. Cataloging and evaluating organizational risks
A BIA is designed to catalog and evaluate risks that could disrupt operations. By identifying organizational risks, security teams can assign priority and value to systems and determine appropriate controls. Drafting a mission statement is a senior leadership governance function. A BIA typically feeds into an existing GRC program rather than establishing one. Revenue forecasting belongs to the finance department.
Q3. A company writes a white paper to generate leads but worries that rivals might reproduce it without permission. Which form of intellectual property protection is MOST appropriate?
Correct answer: A. Copyright
Copyright shields original authored works — such as written documents, videos, and music — from unauthorized reproduction or distribution. A trade secret protects confidential business information that gains value from being kept private. A patent covers novel inventions. A trademark distinguishes a brand's words, logos, or symbols. Since the white paper is an original written work, copyright is the correct protection.
Q4. An organization keeps finding that employees mislabel customer personal data under the wrong classification tier. When selecting a new label for this data category, what approach is BEST?
Correct answer: B. Choose a name that is intuitive and meaningful to the staff who handle the data
Persistent misclassification usually signals that the classification labels are unclear to the people using them. No law requires a private organization to use specific label names unless it operates under a government mandate — nothing in this scenario suggests that is the case. Choosing labels that resonate with the workforce and pairing them with thorough training is the most effective remedy. Governance frameworks may suggest names, but those are recommendations, not requirements.
Q5. An attacker spoofs a VoIP caller ID to impersonate a manager, then convinces an HR employee to hand over executive personal details, which are later used to drain funds from an executive's account. What is the MOST SPECIFIC term for this attack technique?
Correct answer: D. Vishing
Vishing is the most precise classification here. Social engineering is the broad umbrella, phishing is a specific subset of social engineering, and vishing is a specific subset of phishing that exploits voice communications. The attacker manipulated a victim using a spoofed VoIP call, which is the defining characteristic of vishing. Smishing uses SMS text messages rather than voice calls.
Q6. A bad actor deploys automated bots to flood a restaurant's review platforms with fake five-star ratings, artificially inflating its perceived popularity. Which category of social engineering attack does this represent?
Correct answer: D. Influence campaign
Deploying bots to shape public perception through fake ratings is an influence campaign — a social engineering technique that manipulates opinion through dishonest digital means, often using fake accounts, bots, or fabricated content. Clickjacking tricks users into clicking hidden UI elements. Vishing leverages phone-based deception. Baiting involves leaving compromised media (such as a USB drive) in a location where someone will find and use it.
Q7. A government contractor is building a Disaster Recovery Plan and needs to identify and rank the threats that plan must address. Which of the following BEST supports that goal?
Correct answer: B. Business Impact Analysis (BIA)
A BIA systematically examines how various disruptions — from cyberattacks to natural disasters — affect critical operations, and it produces prioritized recovery objectives (such as RTO and MTD) that guide disaster recovery planning. Quantitative and qualitative risk analyses are tools that feed into the BIA process. Threat modeling is a structured approach for uncovering attack paths in systems or applications, not specifically designed to prioritize DR-related risks.
Q8. A company's secret manufacturing formula — which gives it a competitive edge — is BEST classified as which risk management component?
Correct answer: A. Asset
An asset is anything of value to an organization. A proprietary formula that provides competitive advantage is a classic example. A threat is what can harm the asset. A vulnerability is a weakness that could be exploited. A control is a safeguard — such as encryption or access management — implemented to protect assets from threats.
Q9. When a user tries to visit a blocked website, a proxy redirects them to a warning page that describes the risk. The user can still proceed if they acknowledge the warning. Which type of operational control does this illustrate?
Correct answer: C. Deterrent control
A deterrent control attempts to discourage unwanted behavior without physically blocking it. Because the user can still choose to visit the restricted site after reading the warning, access is not prevented — it is discouraged. A preventive control would block the page entirely. A corrective control addresses an environment after an incident has already occurred. A recovery control restores systems to a fully normal state following an incident.
Q10. During malware analysis in a sandbox, a researcher observes that the malware only activates when three simultaneous conditions are true: the clock falls within a specific afternoon window on a weekday, network connectivity is present, and the current user has administrator rights. What type of malware is MOST LIKELY being examined?
Correct answer: A. Logic bomb
A logic bomb is malicious code that lies dormant until a defined set of conditions is satisfied, at which point it executes. The condition-dependent activation described here is the hallmark characteristic of a logic bomb. A worm self-replicates across a network without user action. A virus replicates only when a user triggers it. A bounds-checking attack relates to buffer overflow exploitation, not conditional execution.
Exam facts and objectives sourced from the official ISC2 certification page. Last reviewed June 2026.