In my last article, I covered five questions similar to those on the official CISSP Exam. The new CISSP exam format was introduced in 2014 with “drag-and-drop” and “hotspot” questions.

This article will cover more new-format sample CISSP exam questions from the CISSP Common Body of Knowledge (CBK) domains. But before we dive into the sample questions, let’s cover some of the test-taking strategies the first article explained.

CISSP Exam Strategies

Memorize Tables of Related Items

In my first article, my questions briefly introduced the CBK’s “CIA triad” (confidentiality, integrity and availability), “I-triple A” (the identification, authentication, authorization and accountability of access control), and several “ends in AC” access control frameworks. Like the questions I selected, the CBK groups similar concepts like that to make it possible for mere mortals to quickly learn the similarities and differences between related frameworks and technologies.

As you prepare for your own CISSP exam, I recommend that you build up a library of flash-card sized tables, each corresponding to a related concept. For example:

  • 4 Database “ACID” Tests (Atomicity, Consistency, Isolation and Durability)
  • 7 Access Control Categories (Preventative, Detective, Corrective, Directive, Deterrent, Recovery and Compensating)
  • 4 Electrical Power Faults (Loss of Power, Degradation, Interference and Grounding)
  • And so on…

Hit the Easy Questions First

If you studied well, your head will be full of tables of related technologies and concepts as you walk into your CISSP exam. Armed with that knowledge, you’ll find that there will be dozens of questions sprinkled throughout the test that beg for immediate attention. For example:

Gimme: What elements guarantee database transactions get processed reliably?

The CISSP exam won’t actually list “Something Else” as a possible element, but by the time you have the four elements of the database ACID test (and other tables) crammed in your head, dozens of questions will look just like this!

Since the CISSP exam allows you to skip around, be sure to hit questions like these first, then return to the ones that require you to read several paragraphs first. Let’s try a few of the new format questions now.

Five Sample Questions You May See On a CISSP Exam

#1: What types of memory are NOT directly available to the CPU?
Drag and drop the correct answers from left to right.

The types of memory available to a CPU are “RAM”, “ROM” and “Registry Memory” – the other two items are one step removed. Remember, this is a “NOT” question where the correct solution excludes the correct answers, so the final solution appears like this.

Ready for something a little harder? Let’s try a risk management question.

#2: Which of the following terms identifies the amount of money a business expects to lose to a given risk each year? Drag and drop the correct answers from left to right.

First, let’s expand those terms.

  • ARO - Annualized rate of occurrence
  • ALE - Annualized risk expectancy
  • RUM - Made up, a red herring. (Yes, those do appear on exams.)
  • SLE - Single loss expectancy
  • EF - Exposure factor

Actually, that’s the only step we need to do. Annualized loss expectancy (ALE) basically restates the question: “annualized” for “each year” and “loss expectancy” for “amount of money a business expects to lose.” Here’s what the completed answer would look like, and note that the number of correct answers is just one.

Next, let’s look at a hotspot example.

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

#3: A user has just downloaded a PGP public key off the Internet and plans to use it to send a secure message to a remote business partner. Click the step where the public key should be used.

This question tries to confuse people who aren’t familiar with PKI, with the “Zip” and “Unzip” steps. Would the average user use a “key from the Internet” to communicate securely? You know better. They certainly can use someone else’s public key, regardless of source. However, do you remember whether you use the public key to encrypt or decrypt?

If you need to think this through, just remember that the user starts with a cleartext message and that his or her business partner will be performing the decryption step. Got it now? (If you’re still stumped, remember that PKI users should NEVER exchange private keys.) Anyway, here is the correct answer.

Does that make sense? Now, back to another drag-and-drop example about risk management.

#4: Which of the following are important elements in any job description? Drag and drop the correct answers from left to right.

“Job responsibilities” is obvious. And the last question only had one correct answer. Is “job responsibilities” it? Well, not quite.

This is really a question about designing MULTIPLE job descriptions to reduce a company’s overall risk, with a CISSP’s especially paranoid point of view (and without much regard to direct employment costs). With that in mind, you should develop descriptions that also enforce “separation of duties” and “job rotation.”

But what about “collusion” and “responsibility drift?” Unlike the other three that address possible insider problems before they appear, collusion and responsibility are symptoms of bad job descriptions from the vantage of the question. The final answer is shown below.

While we’re at it, here’s the final CISSP sample question in this article. It’s a hotspot question, but I hope you’ll find it to be challenging enough.

#5: Which of the following alternative processing sites would take the longest to activate? (Click the site.)

As a multiple choice question, this one is easy, especially since “Production Site” isn’t a possible answer.

  • Hot site: ready to go
  • Warm site: almost ready to go
  • Cold site: definitely not ready to go
  • Mobile site: requires benefit of the doubt, but probably not just another cold site

However, the tricky part of the question comes with the extra details only a diagram can add. First, there’s the unnecessary distance from the “Production Site” to the “Warm Site,” and then there is the useless fence around the “Hot Site.” However, by ignoring the extra information and treating the question like a simple multiple choice, you can quickly arrive at the correct answer, the “Cold Site.”


The CISSP exam’s new drag-and-drop and hotspot questions will challenge your CISSP candidate training in new ways. However, the new types of questions are nothing to be afraid of if you address them using the techniques described in my articles. Simply focus on answering the question first, then worry about clicking on the right elements, and you’ll soon be able to call yourself a CISSP, too!

For more information on how you can start earning your CISSP today, fill out the form below for information about our training options (self paced, online mentored & instructor lead) and pricing details on the course!