Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Influencer II

Practice Questions



For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"


The answer is, none of them.


I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.


So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.


For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.


I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


Other posts:

This message may or may not be governed by the terms of or
328 Replies
Community Champion

@alekos wrote:
FYI Accountability and Accounting are interchangeable terms in the AAA 

Cite Please.  If you are referring to AAA as defined/used in the RADIUS protocol, plenty of references (the standard, Wikipedia and NIST) all make reference only to Accounting. 


With respect to the (Sybex) question at hand,  I have to agree that "A. Accountability" is the best answer. Identification, Authentication, Non-Repudiation, Authorization, Accounting, and Auditing are all steps towards holding someone accountable for their actions.  


It may help to think of non-repudiation as a "level" of authentication.  Non-repudiation is about using passwords, MFA, PKI, signatures, witnesses, collaborating evidence, etc. to demonstrate that the accused is the person that "committed the crime"  -- despite their own testimonial evidence.


That said, I concur with @dcontesti that the Sybex question leaves a bit to desired.  The problem being that there are multiple "ultimate goals" that have "identification" as their first step. Therefore, the question is in-a-sense, a form of a post-hoc fallacy.



Newcomer II

@denbesten I never cite Wikepedia  as it is not a credible source; it is not accepted academically or professionally (at least my employer). One great example of where you see Accountability as the last A in the AAA is in the CISSP Study Third Edition by Eric Conrad, Seth Misenar and Joshua Feldman. Specifically it is found on page 309. 


• Authentication: proving an identity claim
• Authorization: actions authenticated subjects are allowed to perform on a system
• Accountability: the ability to audit a system and demonstrate the actions of
subjects. (Conrad et al., 2016).


   In my opinion the question is "solid" because in the broad context it is presented the most correct answer is Accounting, and non repudiation is there to make you second guess yourself. Can the answer be non repudiation? Absolutely, but not in this broad context. 


Having sat for the exam recently and passing it on my first try, I can tell you that this question is nowhere near the level of difficulty of the questions I encountered on the CISSP exam. It was brutal trying to discern the correct answers on the exam as I found myself in multiple scenarios of "which came first the chicken or the egg?". Additionally, as you know, on the real exam typically there is not a perfect answer there is just a best answer and I feel this silly example question that we are analyzing portrays this concept and the situation you might find yourself in when you take the CISSP exam. 









Conrad, E., Misenar, S., Feldman, J., & Simon, B. (2016). Cissp study guide. Syngress.


Community Champion

I do find it interesting that all the commenters seem to be landing on "A", although perhaps via different paths.


@alekos, Thanks for the reference and especially including Conrad, et. al.'s definition for AAA.  Despite different wording, it is clear that their intent matches  -- record keeping.  The only unfortunate bit for Conrad is that the more common definition (1 2 3 4). for "Accountability"  means "responsible" so theirs really does need to include the definition. 


With respect to Wikipedia and Conrad, I would label them both "credible" (capable of being believed) but not "definitive" (best of its kind) -- which is as good as it gets for a compendium.  I concur that one would not cite either as a research reference, but they both make great "informal" references -- especially when referring to potentially obscure terms, such as "post-hoc fallacy" or "whac-a-mole".


Community Champion



As per your statement:


If this question has you all “blown up” I don’t see how you would ever pass the real exam. Simple question, clear answer, with the the detractor being non repudiation.


No one has blown up on this question.  I simply said that there are potentially four correct answers.  By your own admission you only recently became a CISSP....congrats but please DO NOT come here and belittle others.


We all know the exam can be grueling and if someone comes here asking for advice on a question that is published somewhere, it is highly inappropriate for you or anyone else to suggest that folks could or would not ever pass the real exam...especially on this forum.  This forum is meant to encourage folks and allow for healthy discussion.


In life you will learn the only bad question is the one that does not get asked.  @TheMax was asking for some clarification.


@TheMax as you continue to study for anything (in this case the CISSP), I encourage you to ask for clarifications like you did with this question.


@alekos Check out CISCO press ( especially Table 4.1


@amandavanceISC2 Can you flag this question in the study material and ask that the Education folk take a look at the question.  With thanks


In closing, please be kind.  Healthy discussion on an item is appropriate, but your statement is not.




P.S.:  Many of us passed the exam on the first try and many sat the exam when it was 250 question.


PPS: @themax, still nothing from Rob but if you would like to send all questions directly to me, we willl get you answers.

Newcomer II



Talk about belittling Mr. "veteran" CISSP and native English speaker.




Junior CISSP

Community Manager

Per our (ISC)² Community Usage guidelines, please keep discussions respectful. I will look into the practice question being discussed and send to Education for review. 


Thank you.

ISC2 Community Manager
Newcomer II

Good day! I’ve been lurking for a while and I’ve seen others chime into this thread with their own questions in the search for insight.

I came across this practice question that has me a bit perplexed and I was hoping for insight from the community on this one.

Widgets, Inc., wishes to protect its logo from unauthorized use. Which of the following will protect the logo and ensure that others cannot copy and use it?

A. Patent
B. Copyright
C. Trademark
D. Trade secret

What say y’all?

Integrity doesn't only apply to data.
Community Champion

Okay, I sent this to Great-grandpa Rob Slade and this is what he said:


> Widgets, Inc., wishes to protect its logo from unauthorized use. Which of the
> following will protect the logo and ensure that others cannot copy and use it?
> A. Patent
> B. Copyright
> C. Trademark
> D. Trade secret

OK, first off I'd say that the wording of this question is poor.  None of these will
"ensure" that people "cannot" copy and use it.  However, of the options given
(and, of course, that is always the way to approach exam questions), patent,
copyright, and trade secret will do nothing (well, copyright might do  *little*) in
this regard.  The one that does give you some legal protection is trademark.


Newcomer II

Appreciate the reply! I answered the same thing and the answer was returned incorrect. 

Reason given: "Copyrights protect pictorial, graphical works which the question specifically pointed out by mentioning desired protection of the logo."


Anyone have extra Advil?  


Integrity doesn't only apply to data.
Newcomer II

Here’s one more for everyone that had me scratching my head.

Which of the following factors determines the frequency of security audits?

A). Inherent Risk
B). Residual Risk
C). Management Discretion
D). The Threat Landscape

Integrity doesn't only apply to data.