(ISC)2

Certified Information Systems Security Professional (CISSP) practice questions

Advanced security-practitioner certification covering all eight (ISC)2 CISSP domains, from security and risk management to software development security, with a worked explanation on every practice question.

New to CISSP? Read the how to pass Certified Information Systems Security Professional (CISSP) study guide for a domain breakdown, a study plan, and exam-day tips.

Revising? The CISSP cheat sheet puts the domain weightings, key facts, and easy-to-confuse traps on one printable page.

Questions: 100-150 (CAT)
Time allowed: 180 min
Pass mark: 700 / 1000
Exam cost (USD): $749
Practice questions: 298

Exam domains and weighting

The CISSP blueprint is split across 8 domains. See the official exam guide for the authoritative breakdown.

CISSP domains by share of the exam (each domain's weighting on the exam):

Domain                                        Weight
Security and Risk Management                  16%
Asset Security                                10%
Security Architecture and Engineering         13%
Communication and Network Security            13%
Identity and Access Management (IAM)          13%
Security Assessment and Testing               12%
Security Operations                           13%
Software Development Security                 10%

Free sample questions

No account needed. Every question has a worked explanation, just like the full bank.

Free sample | Security and Risk Management | easy

Which statement BEST describes the relationship between the ISC2 Code of Professional Ethics canons and an employer's internal code of conduct for a CISSP-certified employee?

  • A. The ISC2 canons apply to certified professionals at all times and complement, rather than replace, lawful employer codes of conduct. (Correct)
  • B. The employer's code of conduct overrides the ISC2 canons whenever the two appear to conflict in the workplace.
  • C. The ISC2 canons only apply when the CISSP is performing security work outside of normal employment duties.
  • D. Either code can be ignored provided the professional acts in line with applicable national law and contractual obligations.
Recognise that the ISC2 Code of Ethics binds the certified professional continuously and operates alongside, not in place of, lawful organisational codes. Holding the CISSP is a personal undertaking to abide by the ISC2 canons in every professional act, while an employer's code defines workplace duties owed to a principal. Both apply concurrently, and where a lawful employer rule and a canon point the same way the professional follows both; the canons set the floor and an organisational code can add stricter expectations on top.

Why A is correct: The canons bind the certificant personally and continuously, while a lawful employer code governs workplace duties; the two are designed to coexist, with the canons providing the professional baseline.

Why B is wrong: Tempting because employees normally follow employer policy, but a CISSP holder agreed to uphold the ISC2 canons as a condition of certification, so the canons are not displaced by internal policy.

Why C is wrong: Plausible to a candidate who thinks ethics codes only cover voluntary or external activity, but the canons attach to the certificant in every professional context, not only off-hours engagements.

Why D is wrong: Compliance with law is necessary but not sufficient; the ISC2 canons impose duties beyond legal minimums, and ignoring an employer's lawful code breaches duty owed to principals.

Free sample | Security and Risk Management | easy

A CISSP must resolve a conflict between two canons of the ISC2 Code of Professional Ethics. Which ordering of the canons reflects the precedence stated by ISC2 when canons appear to conflict?

  • A. Act honourably first, then advance the profession, then provide diligent service, then protect society.
  • B. Protect society and the common good first, then act honourably, then provide diligent service to principals, then advance the profession. (Correct)
  • C. Provide diligent and competent service to principals, then protect society, then act honourably, then advance the profession.
  • D. Advance and protect the profession first, then protect society, then provide diligent service, then act honourably.
Recall the order of the four ISC2 canons and that the order itself signals precedence when the canons appear to conflict. ISC2 publishes the canons in a deliberate sequence: protect society and the common good; act honourably, honestly, justly, responsibly and legally; provide diligent and competent service to principals; advance and protect the profession. The order is also a tie-breaker, so a CISSP weighing two canons resolves the conflict by favouring the earlier canon over the later one.

Why A is wrong: Tempting because personal honour feels foundational, but ISC2 lists protection of society and the common good as the first canon, ahead of personal honour.

Why B is correct: This matches the canon order published by ISC2, which is also the precedence used when canons conflict: society, honour, service to principals, then the profession.

Why C is wrong: Service to the employer or client feels primary day to day, yet ISC2 places duty to society above duty to principals when canons conflict.

Why D is wrong: Putting the profession first appears self-interested and is not the ISC2 ordering; the profession is the fourth canon, not the first.

Free sample | Security and Risk Management | easy

An organisation's information security policy requires staff to exercise due care. Which description BEST captures what due care means for a CISSP performing day-to-day duties?

  • A. Investigating threats and control options thoroughly before recommending or approving any safeguard for the organisation.
  • B. Documenting every control decision in a register that is reviewed by the audit committee before implementation.
  • C. Taking the reasonable and prudent actions a similarly qualified professional would take to protect organisational assets and stakeholders. (Correct)
  • D. Following written security procedures exactly as published, without exercising professional judgement in unusual situations.
Define due care as the reasonable, prudent actions of a competent professional and distinguish it from due diligence and procedural compliance. Due care is the standard of conduct of a reasonably prudent professional in the same role and circumstances. It captures the act of doing what a competent peer would do to protect assets and stakeholders given what was reasonably knowable. Due diligence, by contrast, is the investigative work that informs the decision, so the two are linked but distinct duties under the ISC2 canons.

Why A is wrong: Strong investigation before recommending controls is due diligence, the research that supports a decision, rather than due care, which is the prudent action that follows it.

Why B is wrong: Audit-ready documentation supports accountability and governance, but the substance of due care is the prudent act itself, not the existence of a register reviewed by a committee.

Why C is correct: Due care is the reasonable-person standard applied to a security professional, meaning the actions a competent peer in the same role would take given what was known at the time.

Why D is wrong: Procedural compliance is part of being diligent, but due care expects the professional to apply judgement when circumstances depart from the standard procedure, not to follow text rigidly.

Frequently asked questions

How many questions are on the CISSP exam?
The Certified Information Systems Security Professional (CISSP) exam has 100-150 questions (CAT) and runs for 180 minutes. The format is computerised adaptive testing (CAT) with multiple-choice and advanced item types, delivered at ISC2-authorised Pearson VUE testing centres (PPC and PVTC Select).
What score do I need to pass CISSP?
The pass mark is 700 / 1000. Examworthy gives you a per-domain readiness score so you can see which domains are holding you back before you book.
How much does the CISSP exam cost?
The exam costs 749 USD to sit. Practising on Examworthy is free to start, with a worked explanation on every question.
How does Examworthy help me prepare for CISSP?
Every practice question carries a worked explanation and a per-distractor rationale, mapped to the official blueprint domains. You learn why each answer is right or wrong, not just the letter.
Is Examworthy affiliated with (ISC)2?
No. Examworthy is not affiliated with or endorsed by (ISC)2. Our questions are original, blueprint-aligned practice material; we never reproduce live exam items.


Examworthy is not affiliated with or endorsed by (ISC)2. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. CISSP and related marks belong to their respective owners.