For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
@Vigenere I believe this is the method they use so that we (that's the royal we) can notify them that a question may be flawed. They had a similar process when tests were pencil and paper.
From their submission form:
Basically, states that they will pass the question to the appropriate people for review and validation and potential correction.
Which type of access control allows users to specify who can access their files?
(Reference: Gasser, Morrie, Building a Secure Computer System, New York: Nostrand Reinhold, 1988, pg 55)
Answer a - Mandatory access control bases access on the preset labels of the sensitivity of objects and the clearance of subjects.
Answer b - The user (or creator) of an object grants authorization to support discretionary access control.
Answer c - Relational is not a type of access control.
Answer d - Administrative is not a type of access control.
Remember: just because you don't know it doesn't make it the right answer.
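To make the distinction between answers a and b concrete, here is a small decision engine (an added example, not part of rslade's post or any exam material) that checks the same file under both models. The file names, user names, sensitivity labels and the "no read up / no write down" comparison rule are all constructed for illustration; a real MAC policy would be defined by the system's labelling scheme, not by the file owner.

```python
"""Toy access-control decision engine contrasting discretionary and mandatory
access control. Added example for the thread above; all names, labels and
sample data are constructed, not taken from the original post."""

from dataclasses import dataclass, field

# Ordered sensitivity labels for MAC (constructed, Bell-LaPadula style).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class File:
    name: str
    owner: str
    label: str                               # sensitivity label, used only by MAC
    acl: dict = field(default_factory=dict)  # user -> set of permissions, used only by DAC


def dac_grant(file: File, grantor: str, grantee: str, perm: str) -> bool:
    """Under DAC the object's owner decides who may access it.
    Returns True if the grant was applied, False if the grantor isn't the owner."""
    if grantor != file.owner:
        return False
    file.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_allows(file: File, user: str, perm: str) -> bool:
    """DAC check: the owner always has access; everyone else needs an ACL entry."""
    return user == file.owner or perm in file.acl.get(user, set())


def mac_allows(file: File, clearance: str, perm: str) -> bool:
    """MAC check: the owner cannot override this. The system compares the
    subject's clearance with the object's preset label: read requires
    clearance >= label (no read up); write requires clearance <= label
    (no write down). Any other permission is refused."""
    subj, obj = LEVELS[clearance], LEVELS[file.label]
    if perm == "read":
        return subj >= obj
    if perm == "write":
        return subj <= obj
    return False


def demo() -> dict:
    """Run both models against the same file and return each decision."""
    f = File(name="plan.txt", owner="alice", label="confidential")
    results = {}
    # DAC: alice may share her file with bob; bob may not re-share it with carol.
    results["alice_grants_bob"] = dac_grant(f, "alice", "bob", "read")
    results["bob_grants_carol"] = dac_grant(f, "bob", "carol", "read")
    results["dac_bob_read"] = dac_allows(f, "bob", "read")
    results["dac_carol_read"] = dac_allows(f, "carol", "read")
    # MAC: alice's grant is irrelevant; only the reader's clearance vs the label counts.
    results["mac_bob_internal_read"] = mac_allows(f, "internal", "read")
    results["mac_bob_secret_read"] = mac_allows(f, "secret", "read")
    results["mac_bob_secret_write"] = mac_allows(f, "secret", "write")
    return results


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {allowed}")
```

The point the question is testing falls straight out of the two functions: `dac_grant` only succeeds for the owner, so the user controls who gets in, whereas `mac_allows` never consults the ACL at all and refuses a read from an "internal" clearance even though the owner granted it.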
Hello @rslade , serious question here (even though this may not sound like one). How are we supposed to recognize what "does exist" and "doesn't exist" in answer choices - when it seems many of the practice questions/answers in general, rather than using standard wording like we're used to seeing in our study materials, use words that appear to have been pulled out of a thesaurus?
You make mention that the references here (and I believe also the two sources used for content on the actual exam) don't come from "Study Guides", yet that is what we all have been using to study (such as Sybex/Wiley), and you go out of your way to use wording that doesn't appear in those books or any popular study material.
On another note, in the practice question right above this post, you have in the explanation:
" Administrative is not a type of access control."
Can you please explain this because everywhere I checked, it is a type of access control (Physical, Technical/Logical, Administrative/Directive, Preventative, Detective, Corrective, Deterrent, Recovery)
> Hello @rslade , serious question here (even though this may not sound like one).
> How are we supposed to recognize what "does exist" and "doesn't exist" in answer
OK, as to the first part, well, the exam exists to determine whether you know something about security, and part of knowing about something is knowing what does and doesn't exist. Don't try to "game" the exam by assuming that if you don't know it, it must be the right answer. Assume you do know about security, and answer on the basis of what you know.
> - when it seems many of the practice questions/answers in general,
> rather than using standard wording we're used to seeing in our study materials,
> appear to have been pulled out of a thesaurus?
As to wording, make sure you understand. If you understand, rather than simply having memorized a bunch of text, then you won't be thrown by a slightly altered (or modified, or edited, or amended, or ...) choice of words.
> You make mention that the
> references here (and I believe also the two sources used for content on the
> actual exam) don't come from "Study Guides", yet that is what we all have been
> using to study (such as Sybex/Wiley), and you go out of your way to use wording
> that doesn't appear in those books or any popular study material.
There are lots more sources for study. Look up some of the best at
There are lots more at
You can't pass the exam with a "brain dump" from a study guide. *Any* study guide.
Q: When you're designing a security system for Internet-delivered email, which of the following is least important?
- Nonrepudiation
- Availability
- Message Integrity
- Access restriction
In my opinion, as the question asks for the LEAST important, and also says Internet-delivered email:
Availability of the Internet is not in our control. It depends on the ISP, and the email goes off once we get Internet.
The other three are more important, and they are in our control.
Correct me if I'm wrong.
@rslade , thank you very much for your responses. This thread was a wake-up call.
I have a question about how you recommend we approach the exam questions. In doing practice tests I was experimenting with the technique of reading the answers FIRST (before even reading the question). I found it helped me get my head around each answer first before being possibly thrown off in the question itself.
However, after reading your sample questions here, I'm thinking now this might be a really bad idea. In the practice tests, the answers are all usually things that exist (even if they are distractors), but based on your examples it sounds like quite a few questions might have answer choices that aren't even a real thing in security...
Any advice on how to approach the questions? Should we stick with the traditional approach: read the question first, then the answers, then the question again and the answers again?