In my last article, I covered five questions similar to those on the official CISSP Exam. The new CISSP exam format was introduced in 2014 with “drag-and-drop” and “hotspot” questions.

This article will cover more new-format sample CISSP exam questions from the CISSP Common Body of Knowledge (CBK) domains. But before we dive into the sample questions, let’s review some of the test-taking strategies the first article explained.

CISSP Exam Strategies

Memorize Tables of Related Items

In my first article, my questions briefly introduced the CBK’s “CIA triad” (confidentiality, integrity and availability), “I-triple A” (the identification, authentication, authorization and accountability of access control), and several “ends in AC” access control frameworks. The CBK, like the questions I selected, groups similar concepts this way so that mere mortals can quickly learn the similarities and differences between related frameworks and technologies.

As you prepare for your own CISSP exam, I recommend that you build up a library of flash-card sized tables, each corresponding to a related concept. For example:

  • 4 Database “ACID” Tests (Atomicity, Consistency, Isolation and Durability)
  • 7 Access Control Categories (Preventative, Detective, Corrective, Directive, Deterrent, Recovery and Compensating)
  • 4 Electrical Power Faults (Loss of Power, Degradation, Interference and Grounding)
  • And so on…

Hit the Easy Questions First

If you studied well, your head will be full of tables of related technologies and concepts as you walk into your CISSP exam. Armed with that knowledge, you’ll find that there will be dozens of questions sprinkled throughout the test that beg for immediate attention. For example:

Gimme: What elements guarantee database transactions get processed reliably?

The CISSP exam won’t actually list “Something Else” as a possible element, but by the time you have the four elements of the database ACID test (and other tables) crammed in your head, dozens of questions will look just like this!

Since the CISSP exam allows you to skip around, be sure to hit questions like these first, then return to the ones that require you to read several paragraphs first. Let’s try a few of the new format questions now.

Five Sample Questions You May See On a CISSP Exam

#1: What types of memory are NOT directly available to the CPU?
Drag and drop the correct answers from left to right.

The types of memory directly available to a CPU are “RAM”, “ROM” and “Registry Memory”; the other two items are one step removed. Remember, this is a “NOT” question: the items that are directly available get excluded, and the two that are NOT directly available are the answer, so the final solution appears like this.

Ready for something a little harder? Let’s try a risk management question.

#2: Which of the following terms identifies the amount of money a business expects to lose to a given risk each year? Drag and drop the correct answers from left to right.

First, let’s expand those terms.

  • ARO - Annualized rate of occurrence
  • ALE - Annualized loss expectancy
  • RUM - Made up, a red herring. (Yes, those do appear on exams.)
  • SLE - Single loss expectancy
  • EF - Exposure factor

Actually, that’s the only step we need to do. Annualized loss expectancy (ALE) basically restates the question: “annualized” for “each year” and “loss expectancy” for “amount of money a business expects to lose.” Here’s what the completed answer would look like, and note that the number of correct answers is just one.
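To see how the terms in that list relate to each other, here is an added example that is not part of the original article. It uses the standard CBK relationships (SLE = asset value × EF and ALE = SLE × ARO), which the question itself does not spell out, and every asset value, exposure factor and rate in it is a constructed sample figure, not real data:

```python
"""Quantitative risk terms from question #2, tied together in code.

Added example, not from the article. The relationships used are the
standard CBK formulas SLE = AV x EF and ALE = SLE x ARO; all dollar
figures, exposure factors and rates below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset at risk, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: dollars lost each time the risk occurs."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: the 'money the business expects to lose
        to this risk each year' that question #2 asks about."""
        return self.sle() * self.aro


def rank_by_ale(risks):
    """Order risks by ALE, highest first: where an annual budget is best spent."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def safeguard_value(risk: Risk, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE before, minus ALE after, minus its yearly cost.
    A negative result means the control costs more than the loss it prevents."""
    return risk.ale() - ale_after - annual_cost


# Constructed sample risk register (made-up figures for illustration only).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2),
    Risk("Laptop theft", asset_value=2_500, exposure_factor=1.0, aro=4.0),
    Risk("Data-centre flood", asset_value=1_000_000, exposure_factor=0.8, aro=0.01),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:28s} SLE=${r.sle():>10,.0f}  ALE=${r.ale():>10,.0f}")
```

Note that the low-probability, high-impact flood ends up with the smallest ALE of the three, which is exactly the kind of counter-intuitive ordering the exam likes to test.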

Next, let’s look at a hotspot example.

#3: A user has just downloaded a PGP public key off the Internet and plans to use it to send a secure message to a remote business partner. Click the step where the public key should be used.

This question tries to confuse people who aren’t familiar with PKI with the “Zip” and “Unzip” steps. Would the average user use a “key from the Internet” to communicate securely? You know better. They certainly can use someone else’s public key, regardless of source. However, do you remember whether you use the public key to encrypt or decrypt?

If you need to think this through, just remember that the user starts with a cleartext message and that his or her business partner will be performing the decryption step. Got it now? (If you’re still stumped, remember that PKI users should NEVER exchange private keys.) Anyway, here is the correct answer.
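As an added example that is not part of the original article, the flow in question #3 traced in code: the sender zips the cleartext, encrypts it with the partner’s public key, and the partner decrypts with the private key and unzips. It uses textbook RSA with tiny made-up primes and no padding, so it only demonstrates which key belongs at which step and must never be used to protect real data; `zlib` stands in for the “Zip” and “Unzip” steps.

```python
"""Which step uses the downloaded public key (question #3), traced in code.

Added example, not from the article. Textbook RSA with tiny, made-up
primes and no padding: it shows the direction of the keys only and must
never be used for real data. zlib plays the "Zip"/"Unzip" steps.
"""
import zlib
from math import gcd


def generate_keypair(p=61, q=53, e=17):
    """Return ((e, n), (d, n)). The partner publishes (e, n) on the Internet
    and keeps (d, n) to themselves. p, q and e are toy constants."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e; needs Python 3.8+
    return (e, n), (d, n)


def sender_side(message: bytes, recipient_public_key):
    """Sender: write the cleartext, zip it, then ENCRYPT with the partner's
    PUBLIC key. The encrypt step is the hotspot the question asks for."""
    e, n = recipient_public_key
    zipped = zlib.compress(message)
    # One RSA operation per byte (toy); every byte is < 256 < n, so it round-trips.
    return [pow(b, e, n) for b in zipped]


def recipient_side(ciphertext, recipient_private_key) -> bytes:
    """Partner: DECRYPT with their own PRIVATE key, then unzip. The private
    key never left the partner's machine."""
    d, n = recipient_private_key
    zipped = bytes(pow(c, d, n) for c in ciphertext)
    return zlib.decompress(zipped)


def round_trip(message: bytes):
    """Run the whole exchange and return (ciphertext, recovered_message)."""
    public_key, private_key = generate_keypair()
    # Only public_key is "downloaded off the Internet" by the sender.
    ciphertext = sender_side(message, public_key)
    recovered = recipient_side(ciphertext, private_key)
    return ciphertext, recovered


if __name__ == "__main__":
    # Constructed sample message.
    ct, pt = round_trip(b"Quarterly figures attached, please keep confidential.")
    print("ciphertext (first 8 blocks):", ct[:8])
    print("recovered:", pt)
```

The only object that crosses the wire before the message is the `(e, n)` pair; `(d, n)` is created and used exclusively on the partner’s side, which is the "never exchange private keys" rule from the paragraph above made concrete.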

Does that make sense? Now, back to another drag-and-drop example about risk management.

#4: Which of the following are important elements in any job description? Drag and drop the correct answers from left to right.

“Job responsibilities” is obvious. And the last question only had one correct answer. Is “job responsibilities” it? Well, not quite.

This is really a question about designing MULTIPLE job descriptions to reduce a company’s overall risk, with a CISSP’s especially paranoid point of view (and without much regard to direct employment costs). With that in mind, you should develop descriptions that also enforce “separation of duties” and “job rotation.”

But what about “collusion” and “responsibility drift?” Unlike the other three, which address possible insider problems before they appear, collusion and responsibility drift are symptoms of bad job descriptions from the vantage of the question. The final answer is shown below.

While we’re at it, here’s the final CISSP sample question in this article. It’s a hotspot question, but I hope you’ll find it to be challenging enough.

#5: Which of the following alternative processing sites would take the longest to activate? (Click the site.)

As a multiple-choice question, this one is easy, especially since “Production Site” isn’t a possible answer.

  • Hot site: ready to go
  • Warm site: almost ready to go
  • Cold site: definitely not ready to go
  • Mobile site: requires benefit of the doubt, but probably not just another cold site

However, the tricky part of the question comes with the extra details only a diagram can add. First, there’s the unnecessary distance from the “Production Site” to the “Warm Site,” and then there is the useless fence around the “Hot Site.” However, by ignoring the extra information and treating the question like a simple multiple choice, you can quickly arrive at the correct answer, the “Cold Site.”


The CISSP exam’s new drag-and-drop and hotspot questions will challenge your CISSP candidate training in new ways. However, the new types of questions are nothing to be afraid of if you address them using the techniques described in my articles. Simply focus on answering the question first, then worry about clicking on the right elements, and you’ll soon be able to call yourself a CISSP, too!

