Free CISSP Practice Test: DOMAIN 6: Security Assessment and Testing + Anki Decks

Ref:📕The Official ISC2 CISSP CBK Reference 6th Edition

DOMAIN 6: Security Assessment and Testing

1 / 93

What is the goal of fingerprinting network endpoints in Phase 4 of Pen Testing?

A. To determine which endpoints are not valuable

B. To discover useful details like operating system and application software versions

C. To exhaust all identified possibilities

D. To see how long the tester can remain undetected

2 / 93

What is a potential drawback of using external auditors for security assessments and testing?

A. External auditors may overlook findings to protect the organization being audited.

B. External auditors may be more costly and lack knowledge about an organizations operations.

C. External auditors may have conflicts of interest that affect the audit process.

D. External auditors may not have specialized skills needed to perform the audit.

3 / 93

What is the difference between KPIs and metrics?

A. KPIs and metrics are the same thing.

B. KPIs provide context, whereas metrics are simply measurements.

C. Metrics are more important than KPIs.

D. KPIs are less specific than metrics.

4 / 93

What is a common issue that vulnerability scanners may cause?

A. Unauthorized data access

B. Excessive traffic and denial of service (DoS)

C. Social engineering attacks

D. Physical security breaches

5 / 93

What is the purpose of interface testing in security assessments?

A. To ensure that the user interface looks aesthetically pleasing.

B. To test the functionality and security of the systems various interfaces.

C. To test the ability of the system to handle unexpected situations.

D. To determine if the system meets the organizations data analytics goals.

6 / 93

Why are defined rules of behavior important to include in a pen testing engagement?

A. To provide testers with an opportunity to exploit any vulnerabilities found.

B. To ensure that the pen testing team fully tests the organizations response capabilities.

C. To provide guidelines and set ground rules for testers and ensure the safety of everyone involved during the testing process.

D. To document and report any critical security issues to the organization immediately.

7 / 93

What should physical pen testers be provided with in the event they are caught or detained?

A. A letter of apology

B. A reward for successfully gaining access

C. A get out of jail free card

D. A recommendation letter

8 / 93

What is an appropriate response to an increase in the number of phishing attempts detected or reported, as indicated by a KRI?

A. No action is required as phishing attempts are not a serious threat to the organization.

B. Deploy additional security tools to collect even more data on phishing attempts.

C. Implement multifactor authentication (MFA), increase user training, and deploy additional system monitoring.

D. Increase IT budget and resource allocation to upgrade firewalls.

9 / 93

What can logs be used for in a security program?

A. To prevent attacker access

B. To capture meaningless information

C. To provide evidence of technical controls

D. To replace the need for audits and assessments

10 / 93

Which of the following is the foundation for the Common Criteria certification and is a formal assessment process for technology products against a defined set of security functional requirements?

A. SSAE 18

B. ISO/IEC 15408-1:2009

C. ISO/IEC 18045:2008

D. ISO/IEC 27006:2015

11 / 93

What is the difference between white- and black-box testing in penetration testing?

A. White- or crystal-box testing provides zero knowledge to the attacker and instead relies on them to perform reconnaissance to gather details.

B. White- or crystal-box testing is total transparency, while black-box testing provides the pen testers with complete knowledge of the system or network to be tested.

C. White- or crystal-box testing combines elements of both white- and black-box methods.

D. Black-box testing is a hybrid method that combines elements of both white- and black-box methods.

12 / 93

Which compliance framework requires an annual audit by a third-party auditor and routine internal activities such as quarterly vulnerability scans?

A. ISO 27001

B. FedRAMP

C. HIPAA

D. SOC 2

13 / 93

Which of the following is an example of technical processes that detect incidents or deviations?

A. Network access controls like VPNs

B. Encryption of data and securing access to decryption keys

C. Host-based firewalls

D. EDR and SIEM

14 / 93

What method of testing combines elements of vulnerability scanning and automated penetration testing, and utilizes a continuously refreshed database of attack methods and newly discovered vulnerabilities?

A. Social engineering testing

B. Network traffic analysis

C. Breach and attack simulations

D. Physical security testing

15 / 93

What is a key process data to collect from account management processes?

A. Number of user accounts created per day

B. Average response time for access request tickets

C. Timely account management such as removal of access within specified timeframes after a user changes roles or leaves employment

D. Type of encryption keys used

16 / 93

What does black-box testing rely on?

A. The pen testers having complete knowledge of the system being tested.

B. The pen testers relying on the system to provide information about itself.

C. The pen testers being provided with some information about the system being tested.

D. The pen testers having limited knowledge about the system being tested.

17 / 93

What is something that can cause issues with reports or processes that expect valid data stored in the system during automated vulnerability scanning?

A. Filling in form fields on a web application

B. Testing against a staging environment

C. Ignoring certain types of fields like email address

D. Using recognized type of test data that can easily be ignored or cleaned up after the scan

18 / 93

What is a potential drawback of internal audits?

A. Internal auditors lack sufficient independence to perform an objective assessment.

B. Internal audits are often more expensive than external audits.

C. Internal auditors are unfamiliar with an organizations processes, tools, and personnel.

D. Internal auditors cannot identify issues due to their familiarity with an environment.

19 / 93

What is one purpose of employing synthetic transactions as a test mechanism?

A. To generate financial transactions between systems

B. To monitor heartbeat of systems that are offline

C. To record every user interaction with an application

D. To log into an application to verify if the service meets agreed level

20 / 93

What category of attack can be tested by a breach attack simulation tool using test messages?

A. Endpoint

B. Network

C. Email

D. Behavior-based

21 / 93

Which of the following can be used as a Key Risk Indicator (KRI) to indicate security program deficiencies that require additional attention or resources?

A. Number of successful firewall intrusions

B. Number of security incidents

C. Number of successful phishing attempts

D. Number of successful ransomware attacks

22 / 93

What is a key element of governance and risk management related to security, and covered in Chapter 1?

A. Continuous monitoring

B. Management review and approval processes

C. Certification and accreditation

D. Control objectives

23 / 93

Which of the following metrics could be useful to test and evaluate the effectiveness of a security training and awareness program?

A. The number of employees who attended a training session

B. Whether employees are able to identify a phishing email

C. The number of hours employees spent on training

D. The amount of money spent on cybersecurity training in the past year

24 / 93

What is the main goal of conducting or facilitating a security audit?

A. To identify vulnerabilities in the system

B. To compare some aspect of an organization against a standard

C. To hack into the system

D. To assess the readiness of the disaster recovery plan

25 / 93

What is the goal of the exploitation phase in pen testing?

A. Identify vulnerabilities

B. Analyze network traffic

C. Gain access to systems or data that should not be accessible

D. Test application security

26 / 93

Which of the following is a companion to ISO 15048 and provides standards for consistent criteria and evaluation methods?

A. SSAE 18

B. ISO/IEC 15408-1:2009

C. ISO/IEC 18045:2008

D. ISO/IEC 27006:2015

27 / 93

What specific review requirements does ISO 27001 control 9.3 have for management?

A. Management must certify and accredit all information systems used in the organization.

B. Management must establish performance measures and use relevant quality information to support internal control.

C. Management must review the information security program periodically for continued suitability, adequacy, and effectiveness.

D. Management must assess and authorize information systems for use and issue an authorization to operate (ATO).

28 / 93

Which framework requires management to establish performance measures and generate relevant, quality information to support the functioning of internal control?

A. ISO 27001

B. SOC 2

C. COBIT

D. NIST

29 / 93

What is the importance of generating reports for security evaluations?

A. Reports help reduce the number of security tools and evaluations needed.

B. Reports help summarize key details of testing and evaluation activities, including findings and recommended remedial steps.

C. Reports only need to be generated for security team members, not for outside users.

D. Reports are unnecessary since security evaluations are performed with automated tools that generate reports automatically.

30 / 93

What is the purpose of Key Risk Indicators (KRIs)?

A. To capture past risks to the organization

B. To provide a window into future risks and drive proactive mitigating action

C. To support short-term management decision-making

D. To measure the effectiveness of existing security controls

31 / 93

What does ISO 27001 control 9.3 specify in relation to management review?

A. Management must perform security assessments and authorizations for all information systems periodically.

B. Management must ensure that IT and cybersecurity frameworks are suited to the organizations needs.

C. Management must periodically review the information security program for continuing suitability, adequacy and effectiveness.

D. Management must establish performance measures and quality information to support the functioning of internal control.

32 / 93

Which of the following best describes a KPI?

A. A patch management metric like the number of patches applied to a computing environment

B. The number of endpoints in the environment

C. A performance indicator that uses metrics and provides context

D. The time required to resolve incidents

33 / 93

What is an architecture that places scanning agents inside network segments to allow the endpoints in that segment to be scanned and then consolidates the results to a central console?

A. Firewall rules

B. VLANs

C. Zero trust network architecture

D. Distributed scanning

34 / 93

What is the purpose of the reporting phase in pen testing?

A. To compile a list of all tested systems and their associated vulnerabilities.

B. To find and report vulnerabilities only to the technical staff responsible for system maintenance.

C. To gather information on weaknesses in the IT staff who were targeted during the testing process.

D. To capture all activities performed, vulnerabilities found, and access achieved, and to provide recommendations to remediate any identified vulnerabilities.

35 / 93

Which of the following metrics can be used to measure the implementation of an organizational policy barring personal social media use on organization-issued equipment?

A. The number of audit logs generated by technical controls

B. The number of incidents reported by security guards

C. The number of users who have read and acknowledged their understanding of the policy by signing it

D. The number of process artifacts collected during process execution

36 / 93

What is the purpose of synthetic transactions in SLA monitoring?

A. To capture sensitive data entered by users

B. To monitor system activity like DNS resolution

C. To ensure services meet agreed levels of service

D. To detect slow or unresponsive pages

37 / 93

What does branch coverage ensure in a program or system being tested?

A. Every Boolean expression in the code is validated for both true and false conditions

B. Every function in the program is called

C. Every branch in a control statement has been executed

D. The execution of every statement in the program is validated

38 / 93

Which type of breach attack simulation focuses on testing security controls monitoring for malicious network scans or complex interactions with applications that should be blocked by a web application firewall (WAF)?

A. Endpoint

B. Network

C. Email

D. Behavior-based

39 / 93

Which of the following is a crucial example of blended control types in account management?

A. Timely account management

B. Administrative process for requesting user access

C. Technical implementation of the system for submitting requests

D. Physical controls such as tokens and smartcards

40 / 93

What does the Mean time to detect (MTTD) metric measure?

A. The number of patches applied to a computing environment

B. The time required to resolve security incidents

C. The mean time required to detect a security incident or threat

D. The maturity of an organizations security efforts

41 / 93

What is the main goal of implementing a process for remediation in response to security testing findings?

A. It allows for easier management of the security program.

B. It identifies timelines and milestones for the next security audit.

C. It addresses any discovered security vulnerabilities.

D. It tracks the work through to completion.

42 / 93

Which of the following controls might be put in place to restrict and monitor access and must contain all required information like user role, justification for access, and necessary approvals?

A. Administrative process for requesting user access

B. Technical implementation of user access

C. Physical controls to enforce access control

D. Audit and other assurance activities over these processes and artifacts

43 / 93

When is it advisable or even required to use an external firm for assessments, testing, or audits, according to regulatory reasons?

A. Whenever the organization is unintentionally unaware of any issues it may have.

B. Whenever an organization is involved in legal or regulatory situations, such as maturity assessments against a maturity model or compliance purposes.

C. Whenever it requires specialized skills that are valuable but not needed full-time.

D. Whenever the organization is looking to save money on hiring full-time testers.

44 / 93

Which audit framework provides a formal assessment process for technology products against a defined set of security functional requirements?

A. SSAE 18

B. ISO/IEC 15408-1:2009

C. ISO/IEC 27006:2015

D. NIST Cybersecurity Framework (CSF)

45 / 93

What type of testing provides complete knowledge of the system or network to be tested, like IP addresses and system version numbers, and simulates an insider threat?

A. Black-box testing

B. White- or crystal-box testing

C. Gray-box testing

D. Out-of-scope testing

46 / 93

Which of the following techniques would pen testers use to identify active network hosts and services running on a network?

A. Vulnerability scanning

B. Exploitation toolkit

C. Network footprinting

D. Banner grabs

47 / 93

What is the difference between full disclosure and responsible disclosure in ethical disclosure of vulnerabilities?

A. Full disclosure requires immediate public disclosure of the vulnerability, while responsible disclosure requires reporting the vulnerability to the organization in a timely manner and giving them time to fix it before publicly disclosing it

B. Full disclosure requires reporting the vulnerability to the organization in a timely manner and giving them time to fix it before publicly disclosing it, while responsible disclosure requires immediate public disclosure of the vulnerability

C. Full disclosure requires reporting the vulnerability only to law enforcement or other authorities, while responsible disclosure requires reporting the vulnerability to the organization in a timely manner and giving them time to fix it before publicly disclosing it

D. Full disclosure and responsible disclosure refer to the same thing in terms of ethical disclosure of vulnerabilities

48 / 93

Which of the following is an example of a preventative technical control?

A. EDR

B. Host-based intrusion prevention system (IPS)

C. Encryption of data

D. SIEM

49 / 93

When choosing and configuring a vulnerability scanner, what is a major consideration for organizations with mixed IT environments?

A. The legal, contractual, or regulatory obligations that may specify the scope, coverage, or frequency of scanning.

B. The depth, scope, or coverage of the scanner, including the ability to perform advanced scanning by authenticating to targets being scanned with administrative credentials.

C. The platform support.

D. The ability to perform cloud-based scanning.

50 / 93

What are the key components of documenting an exception in the exception handling process?

A. Risk details, reason for having the risk, remediation plan, time frame for compliance

B. Risk details, reason for exception, compensating controls, exception approval, time

C. Risk details, reason for non-compliance, policy updates, management decision review

D. Risk details, reason for exception, exemption from security assessment, time frame for exemption

51 / 93

What is the importance of fostering a relationship across teams with regards to vulnerability assessment?

A. To ensure that vulnerabilities are not taken seriously and addressed by asset owners.

B. To prioritize the findings for remediation using CVSS scores.

C. To communicate the context of any findings to nonsecurity personnel.

D. To keep vulnerability scanners owned by the business management team.

52 / 93

Which of the following is an example of a physical control for enforcing access control in an information system?

A. A system for submitting access requests and performing reviews

B. Segregated VLAN or restrictive firewall rules

C. Usernames and passwords

D. Encryption keys

53 / 93

Which section of an audit report provides a high-level overview of testing activities and findings, typically taking up no more than one page?

A. Assumptions or constraints

B. Executive summary

C. Recommendations

D. Summary of activities

54 / 93

Which framework specifies that management must periodically review the information security program for continuing suitability, adequacy and effectiveness?

A. NIST and FedRAMP

B. SOC 2

C. COBIT

D. ISO 27001

55 / 93

What is a benefit of utilizing a standard audit and assessment methodology?

A. It ensures that all systems and processes are equally evaluated.

B. It reduces the cost of monitoring activities.

C. It makes testing results more comparable over time.

D. It eliminates the need for identifying and addressing risks.

56 / 93

Which compliance framework requires an ongoing annual assessment in order to maintain Authority to Operate (ATO) status?

A. PCI-DSS

B. ISO 27001

C. FedRAMP

D. SOC 2

57 / 93

What is the difference between an audit and an assessment?

A. There is no difference between an audit and an assessment

B. An assessment involves evaluating the likelihood of a specific risk, while an audit involves a systematic analysis against a defined standard to determine if the object meets a set of criteria

C. An audit involves evaluating the likelihood of a specific risk, while an assessment involves a systematic analysis against a defined standard to determine if the object meets a set of criteria

D. An audit involves gathering information, while an assessment involves testing security controls

58 / 93

What is responsible disclosure in terms of security research?

A. Reporting a vulnerability to law enforcement or other authorities may be mandatory.

B. Fully and transparently reported to the organization responsible for fixing it as soon as possible.

C. The discoverer should disclose the vulnerability in a timely manner and publicly disclose it immediately.

D. There may be contractual or legal obligations that prevent disclosure of a vulnerability.

59 / 93

What is the purpose of performing a test restore from backup media?

A. To verify the encryption of the backup data

B. To ensure that all required data is present and readable

C. To evaluate the performance of the backup system

D. To check the accessibility of the backup data

60 / 93

Which of the following is a guide to assessing the controls outlined in NIST SP 800-53?

A. ISO/IEC 27006:2015

B. NIST Special Publication (SP) 800-53A

C. ISO/IEC 15408-1:2009

D. ISO/IEC 18045:2008

61 / 93

Which framework requires management to periodically review the information security program for continuing suitability, adequacy, and effectiveness?

A. SOC 2

B. COBIT

C. ISO 27001 control 9.3

D. Certification and accreditation

62 / 93

Which of the following questions should a security practitioner seek to answer when conducting a third-party audit?

A. What is the third-partys revenue and market share?

B. What is the third-partys employee turnover rate?

C. What standards do they use for selecting controls and auditing their effectiveness?

D. What is the third-partys social media presence?

63 / 93

What is the primary purpose of performing discovery or reconnaissance during the pen testing phase of security assessment and testing?

A. To obtain hard copies of sensitive information

B. To emulate the behavior of the attackers

C. To collect information from the organizations monitoring devices

D. To use publicly available tools such as Shodan or Have I Been Pwned

64 / 93

What is full disclosure in ethical disclosure of vulnerability findings?

A. Not disclosing vulnerability findings to anyone

B. Disclosing the vulnerability findings only to those who are directly responsible for fixing it

C. Reporting a vulnerability transparently to the organization responsible for fixing it as soon as possible

D. Disclosing vulnerability findings to law enforcement or other authorities

65 / 93

What is an example of a valuable KRI that can indicate that more robust security tools or additional staff are needed?

A. Number of findings

B. Phishing attempts detected or reported

C. Number of security incidents

D. Malware infection and containment rates

66 / 93

What is the purpose of synthetic transactions?

A. To monitor financial transactions in a system

B. To test the uptime of a hosted or cloud-based service

C. To record every user interaction with an application or web page

D. To scan a system for vulnerabilities

67 / 93

Which of the following is a guide to assessing the controls outlined in NIST SP 800-53?

A. ISO/IEC 15408-1:2009

B. ISO/IEC 27006:2015

C. NIST Special Publication (SP) 800-53A

D. ISO/IEC 18045:2008

68 / 93

Compliance checks should be treated as a starting point rather than a security objective for an organizations risk management program. Which of the following statements regarding audits or assessments is true?

A. Scheduled audits or assessments are conducted on a defined schedule and are an effective way to monitor security risk.

B. Compliance audits like SOC 2 Type II and ISO 27001 only evaluate security over a period of performance if it is requested by the organization being audited.

C. Compliance frameworks recognize that audits at a single point in time are an effective way to monitor security risk.

D. Organizations undergoing a FedRAMP assessment are only required to perform continuous monitoring after the initial full security assessment to maintain Authority to Operate (ATO) status.

69 / 93

What is the final phase of a pen testing activity?

A. Attempt to exploit vulnerabilities

B. Gathering information

C. Documenting a report

D. Testing the organizations cyber defenses

70 / 93

Which of the following situations may require mandatory reporting of a discovered vulnerability?

A. Nondisclosure

B. Full disclosure

C. Responsible disclosure

D. Mandatory reporting

71 / 93

What is the difference between black-box testing and white-box testing?

A. Black-box testers have access to the source code, while white-box testers do not.

B. White-box testers model the perspective of an external attacker, while black-box testers have knowledge of internal elements of the application.

C. Black-box testing tests the actual running program, while white-box testing uses static code analysis tools.

D. White-box testing tests the actual running program, while black-box testing uses static code analysis tools.

72 / 93

What is a possible solution to reduce the volume of traffic generated by vulnerability scanners that can lead to DoS conditions?

A. Increase the number of requests the scanner generates in a given time period

B. Disable request throttling to allow the scanner to process more requests

C. Implement request throttling to limit the number of requests the scanner generates in a given time period

D. Conduct scans at times of high user activity

73 / 93

What is a key element required to design a security metrics program?

A. An understanding of the security program objectives and an exhaustive list of every possible security process data source.

B. An exhaustive list of every possible security process data source.

C. A collection of raw data from all security process data sources.

D. An understanding of the security program objectives and security controls that provide a method of measurement or quantification.

74 / 93

What is the purpose of synthetic transactions for data integrity monitoring?

A. To identify systems that are offline or unresponsive

B. To monitor dynamic rules for handling data and alert administrators if processing a set of test data does not result in the expected outcome

C. To measure the performance of a system or application

D. To monitor users in real time as they interact with an application or service

75 / 93

Which category of technical metrics measures the organizations effectiveness at implementing multilayered security by capturing metrics on preventative technical processes such as network access controls like virtual private networks (VPNs)?

A. Detect

B. Respond

C. Prevent

D. None of the above.

76 / 93

Why is identifying the organizations critical assets important before performing vulnerability assessments?

A. To choose appropriate scanning tools and prioritize scanning efforts

B. To determine what level of authorization is needed to scan each system

C. To determine the cost of performing a vulnerability assessment

D. To identify which assets should be scanned first based on their size

77 / 93

What is the purpose of sampling in the audit technique?

A. To increase the amount of work required

B. To reduce the amount of work required while maintaining assurance that deficiencies are identified

C. To add extra work to the audit task without any benefits

D. To decrease the quality of assurance that deficiencies are identified

78 / 93

When is it appropriate to conduct assessments from an internal perspective?

A. As part of an ongoing monitoring process

B. When the organization has no staff or resources for audits

C. When an objective outsider is required for the audit

D. When preparing for an external audit is not necessary

79 / 93

Which of the following is a common method of checking the status of controls in place to meet compliance objectives?

A. Routine internal activities

B. Continuous monitoring

C. Compliance auditors

D. Random security testing

80 / 93

What is MTTR and why is it important in measuring the effectiveness of a security program?

A. MTTR is the Mean Time to Detect a security incident and is not helpful in measuring the effectiveness of a security program.

B. MTTR is the Mean Time to Recover from a security incident and is used to measure the effectiveness of a security program in responding to and resolving incidents.

C. MTTR is the Mean Time to Remediate from a security incident and is used to measure the effectiveness of a security program in preventing incidents from reoccurring.

D. MTTR is not a useful KPI for measuring the effectiveness of a security program.

81 / 93

Why is management support and sponsorship of security initiatives crucial?

A. So that security practitioners can define and execute mission objectives

B. So that management can provide timely data to security practitioners

C. So that management can make informed decisions about identifying risks and mitigating actions

D. So that security practitioners can oversee the continuous monitoring program

82 / 93

Which of the following is a critical element to be considered while performing security assessment and testing related to disaster recovery and business continuity (BCDR) plan?

A. Does the organization rely on critical third parties or services?

B. Are new staff trained on key BCDR roles as part of onboarding?

C. Is the current version of the plan readily accessible and securely stored?

D. All of the above

83 / 93

Which of the following is an example of preventative technical processes in security assessment and testing, according to DOMAIN 6 of CISSP?

A. EDR and SIEM

B. Monitoring the status of hardware or software to detect unexpected outages

C. Endpoint controls like host-based firewalls

D. Network- and host-based intrusion prevention systems (IPSs)

84 / 93

What is responsible disclosure in relation to vulnerability disclosure?

A. Reporting a weakness to the responsible organization and giving them enough time to fix the vulnerability before publicly disclosing it

B. Reporting a weakness publicly as soon as it is discovered

C. Reporting a weakness only if mandatory reporting requirements are met

D. Reporting a weakness to law enforcement or other authorities

85 / 93

Which of the following is a key consideration for a sound third party audit strategy related to supply chain security?

A. Scoping the audit only to suppliers handling sensitive data

B. Performing audits only by organizational resources

C. Relying solely on SOC 2 Type I reports provided by suppliers

D. Including all third parties critical to the organizations operations

86 / 93

What is the advantage of a recurring audit schedule?

A. It provides a snapshot of the security program

B. It allows the program to be tracked over time and show improvements

C. It facilitates external audits

D. It is not needed for an effective audit program

87 / 93

What is the importance of marking port scans from a vulnerability scanners IP address as nonsuspicious?

A. It ensures that all vulnerability scanning activity is logged by the security team.

B. It prevents security alerts and incident response processes from being triggered by legitimate vulnerability scanning.

C. It identifies the vulnerability scanner as a trusted source and prevents it from being blocked by security measures.

D. It allows the security team to track the origin of vulnerability scanning activity and respond accordingly.

88 / 93

What are key performance indicators (KPIs) and key risk indicators (KRIs) used for in a governance, risk, and compliance (GRC) program?

A. To communicate the state of existing security controls and monitor potential future risks

B. To communicate potential future risks and monitor the state of existing security controls

C. To monitor the effectiveness of existing security controls and identify potential future risks

D. To monitor potential future risks and identify potential future security controls

89 / 93

What is the purpose of breach attack simulations (BAS) for an organization?

A. To test the organizations ability to withstand known attacks and vulnerabilities

B. To perform manual penetration testing rather than automated testing

C. To identify all potential vulnerabilities at once

D. To replace quarterly vulnerability scans and yearly penetration tests entirely

90 / 93

What is a KPI?

A. A measurement of a process or system without any indication of performance

B. A measurement of a process or system that provides context and an indication of performance

C. A measurement of a process or system that is only used to identify risks

D. A measurement of a process or system that is not used for decision making

91 / 93

What is a crucial factor to consider when choosing appropriate scanning tools and prioritizing scanning efforts in a vulnerability assessment?

A. The number of systems to be scanned

B. The size of the organization

C. The criticality of the systems to be scanned

D. The location of the systems to be scanned

92 / 93

What is the primary purpose of misuse case testing?

A. To identify expected behavior when an actor interacts with a system

B. To identify vulnerabilities that might be exploitable under unexpected circumstances

C. To simulate specific threat scenarios and model potential attacks

D. To identify security requirements by specifying the ways a system could be abused by a malicious actor

93 / 93

Which of the following is the official set of requirements and guidance for auditors performing certification audits against ISO 27001?

A. SSAE 18

B. ISO/IEC 15408-1:2009

C. ISO/IEC 27006:2015

D. NIST SP 800-53A

Your score is

Share the Post:

Download Your FREE CISSP Anki Deck!

Email issues? [ [email protected] ]

Share the Post:

Understanding Domain 6 CISSP Exam: Security Assessment and Testing

Key Aspects of Domain 6 CISSP Exam

Security Control Testing
- Learn methods to test security controls.
- Assess management, operational, and technical controls.
Vulnerability Assessment
- Identify system vulnerabilities.
- Use tools and techniques for vulnerability assessment.
Security Process Data Analysis
- Analyze data from security processes.
- Collect, review, and interpret data for decision-making.
Security Auditing
- Conduct audits to ensure compliance with policies.
- Understand audit strategies and methodologies.
Internal and Third-Party Audits
- Know the difference between internal and external audits.
- Learn their roles in improving security.

Benefits of Our CISSP Practice Exam

Detailed Answer Explanations: Understand the reasoning behind each answer.
Aligned with Exam Objectives: Covers all Domain 6 topics comprehensively.
Instant Feedback: Get immediate feedback to identify improvement areas.

Continuous Learning

Revisit Domain 5: Identity and Access Management
Start Studying Domain 7: Security Operations

Prepare with our “CISSP Practice Exam” to confidently tackle Domain 6 and advance your cybersecurity career.

For more information, refer to the official ISC2.

WGU Master’s Degree Rankings 2026 | I Asked 3 AIs 300 Times to Find the Best One
Table of Contents Which WGU Master’s Degree Is Actually Worth It? If you’re considering a master’s degree from WGU and can’t figure out which program to choose — cybersecurity, software engineering, AI/ML, data analytics — you’re not alone. The options are overwhelming, and most comparisons online are either outdated or purely opinion-based. So here’s a […]
How I Made $1.3 Million in Cybersecurity (With Exact Revenue Numbers)
Table of Contents If you’re stuck at $50K–$100K and wondering, “How the hell do people make seven figures?” this is for you.I’m Josh Madakor. In 2025, I made $1.3 million in cybersecurity. Not from a corporate job. Not from VC funding. And definitely not from selling a bullshit course.In this article, I’ll break down everything: […]
The Best Laptops for Cyber Security in 2026: Stop Over-Analyzing, Start Building
Table of Contents Let’s be real: most people think that to get into cyber security, you need to be a “super elite hacker” running 10 different virtual machines on a glowing, heavy-duty gaming laptop. Spoiler alert: That’s just not how the industry works. I’ve spent years in roles ranging from Senior Analyst to Security Engineer, […]

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.

Join Now!

Free CISSP Practice Test: DOMAIN 6: Security Assessment and Testing + Anki Decks

Download Your FREE CISSP Anki Deck!

Key Aspects of Domain 6 CISSP Exam

Benefits of Our CISSP Practice Exam

Continuous Learning

Related Posts

Hands-onCybersecurity Training in a LIVE SOCwith Enterprise Security ToolsInternships Available.

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.