Free ISC2 Certified in Cybersecurity CC Practice Questions: Security Governance
Practice 10 free ISC2 Certified in Cybersecurity (CC) questions on Security Governance, with answers, explanations, and the IT Mastery next step.
Try the IT Mastery web app for a richer interactive practice experience with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
Topic snapshot
| Field | Detail |
|---|---|
| Practice target | ISC2 Certified in Cybersecurity CC |
| Topic area | Security Governance |
| Blueprint weight | 17.3% |
| Page purpose | Focused sample questions before returning to mixed practice |
How to use this topic drill
Use this page to isolate Security Governance for ISC2 Certified in Cybersecurity CC. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 17.3% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
Sample questions
These are original IT Mastery practice questions aligned to this topic area. They are not official ISC2 questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with topic drills, mixed sets, and timed mocks in IT Mastery.
Question 1
Topic: Security Governance
A small company’s primary office is closed for several days after a water leak damages the building. The business continuity plan states that customer support must continue during facility outages, and staff can work remotely using approved laptops. What is the BEST action?
Options:
A. Wait until the office reopens before resuming support
B. Activate the continuity plan for remote support
C. Begin a full forensic investigation of the water leak
D. Disable all customer support accounts until repairs finish
Best answer: B
Explanation: Business continuity focuses on keeping critical processes available when a supplier, staff role, process, or facility is unavailable. In this scenario, the facility is unavailable, but the plan already identifies a continuity method: approved laptops and remote work for customer support. The best response is to activate that plan so the required service continues during the outage. Investigation, repair coordination, or facility recovery may still happen, but they do not satisfy the immediate continuity requirement to keep customer support operating.
- Waiting for repairs fails because it allows a critical service to stop despite an approved continuity option.
- Investigating the leak may be useful later, but it does not maintain customer support during the outage.
- Disabling accounts would reduce availability and conflicts with the stated need to continue support.
Question 2
Topic: Security Governance
A regional clinic loses access to its main scheduling system after a power failure. Its documented plan tells staff how to continue patient check-in, route urgent cases, and record appointments manually until normal systems return. Which concept does this description best illustrate?
Options:
A. Business continuity
B. Vulnerability management
C. Incident response
D. Disaster recovery
Best answer: A
Explanation: Business continuity is the planning and coordination used to keep critical operations running when a disruption affects normal systems, facilities, staffing, or suppliers. In this scenario, the clinic is not only fixing the failed system; it is preserving essential services such as patient check-in and urgent-case routing through temporary manual procedures. Disaster recovery is related, but it focuses more narrowly on restoring technology or facilities after an outage. The key takeaway is that business continuity protects the organization’s ability to operate at an acceptable level during the disruption.
- Disaster recovery is tempting because a system outage occurred, but the described activity is continuing clinic operations, not restoring the failed system.
- Incident response addresses detecting, containing, and handling security incidents, while the stem focuses on operational continuity.
- Vulnerability management identifies and remediates weaknesses before exploitation, not maintaining essential functions during an outage.
Question 3
Topic: Security Governance
A company launched phishing awareness training after several employees clicked fake login links. The security goal is to reduce risky user behavior and encourage employees to report suspicious messages. Management wants one metric to show whether the awareness activity is effective over time. Which metric is the BEST FIT?
Options:
A. Percentage of employees assigned the training
B. Number of awareness emails sent each month
C. Trend in simulated phishing click and report rates
D. Total number of spam messages blocked
Best answer: C
Explanation: Effective cybersecurity metrics should align with the stated control goal. In this scenario, the awareness activity is intended to change user behavior: fewer unsafe clicks and more reporting of suspicious messages. A trend in simulated phishing click rates and report rates measures that behavior directly over time, making it a better effectiveness metric than counts of communications or assignments. Activity measures can show that a program was delivered, but they do not prove the control improved behavior.
- Emails sent measures program activity, not whether employees changed behavior.
- Training assigned shows who was enrolled, but not completion, understanding, or safer behavior.
- Spam blocked may be useful for email security operations, but it does not measure awareness training effectiveness.
Question 4
Topic: Security Governance
A security governance dashboard flags a report item as red when the number of internet-facing systems with unresolved critical vulnerabilities exceeds the organization’s approved risk tolerance. The item is used to warn leadership that exposure is increasing.
Which cybersecurity reporting concept does this best describe?
Options:
A. Operational metric
B. Procedure
C. Key Risk Indicator (KRI)
D. Control inventory
Best answer: C
Explanation: A Key Risk Indicator (KRI) is a reporting measure tied to risk, risk tolerance, or risk appetite. In the scenario, the dashboard is not just counting work performed; it warns leadership when exposure from critical internet-facing vulnerabilities exceeds an approved tolerance. That makes it a risk indicator. An operational metric usually tracks activity or performance, such as tickets closed, scans completed, or average patch time. Operational metrics can support a KRI, but the KRI is the risk-focused signal used for governance decisions.
- Operational metric tracks security work or performance, but the stem emphasizes risk tolerance and leadership warning.
- Procedure describes step-by-step instructions, not a dashboard signal.
- Control inventory lists safeguards or assets, but it does not indicate whether risk exceeds tolerance.
Question 5
Topic: Security Governance
An employee receives an email that appears to be from the help desk. It says the employee’s account will be disabled in 30 minutes unless they click a link and enter their password. The link points to an unfamiliar external domain. Which control best addresses this phishing clue?
Options:
A. Increase the minimum password length
B. Encrypt stored employee payroll records
C. Train users to verify and report urgent credential requests
D. Require visitors to wear identification badges
Best answer: C
Explanation: Security awareness is the best fit when the main issue is user recognition of a phishing or social engineering attempt. The message uses urgency, asks for a password, and sends the user to an unfamiliar external domain. A good awareness control teaches users not to click the link, to verify the request through a known trusted channel, and to report the message using the approved process. Technical controls can help reduce phishing risk, but this scenario asks for the control that directly addresses the visible user-facing clue.
- Physical badges protect facility access, but they do not help a user recognize a suspicious email.
- Data encryption protects stored information, but it does not address the phishing behavior in the message.
- Password length can improve password strength, but it does not stop a user from submitting a password to a fake site.
Question 6
Topic: Security Governance
An employee receives a phone call from someone claiming to be from the help desk. The caller says the employee’s account will be locked unless the employee immediately provides a one-time MFA code. What is the best initial user action?
Options:
A. Provide the code only if the caller knows the employee’s name
B. Ask the caller to send an email link for verification
C. Share the code, then change the password afterward
D. End the call and report it through the approved security channel
Best answer: D
Explanation: The core concept is social engineering response. A request for an MFA code is a high-risk sign because legitimate support staff should not need a user’s one-time authentication code. The best initial action is to stop interacting with the suspicious caller and use the organization’s approved reporting process, such as a security mailbox, help desk ticket, or phishing-reporting tool. This preserves the account, alerts security, and avoids giving the attacker more information.
Verifying through the same caller or following a link supplied by the caller keeps the user inside the attacker’s channel. The key takeaway is to disengage and report using a trusted, independent process.
- Caller knowledge is weak verification because names, job titles, and phone numbers can be gathered or spoofed.
- Email link verification is risky because an attacker can send a convincing link to a phishing site.
- Post-disclosure password change fails because the MFA code could allow immediate unauthorized access before recovery steps occur.
Question 7
Topic: Security Governance
A small company backs up its customer database every night to an offsite location. During a recent outage, the IT team could not confirm how long restoration would take, and no one had practiced the recovery steps. Management wants assurance that the backup will support disaster recovery. What is the best action?
Options:
A. Increase the backup frequency to every hour
B. Move the backup files to encrypted storage
C. Perform a restoration test and document recovery procedures
D. Keep an additional copy with the database administrator
Best answer: C
Explanation: Backups are only one part of disaster recovery. The organization must know that backup data can be restored within the needed time and that staff can follow clear recovery procedures during an outage. A restoration test validates that the backup is usable, identifies missing steps, and gives management evidence that recovery is realistic. Increasing backup frequency may reduce data loss, and encryption may protect confidentiality, but neither proves the company can recover operations from the backup. The key takeaway is that an untested backup is not the same as a working recovery capability.
- Backup frequency may reduce potential data loss (a tighter recovery point objective), but it does not show that restoration will work or how long it takes.
- Encrypted storage protects backup confidentiality, but it does not validate recovery steps or timing.
- Extra copy may add redundancy, but it still leaves the restore process untested and undocumented.
Question 8
Topic: Security Governance
A security governance team tracks a key risk indicator (KRI): privileged accounts without quarterly access review must stay below 2%. The last three monthly reports show 2.5%, 4%, and 6%. The same business unit keeps requesting exceptions because managers are unavailable. What is the BEST action?
Options:
A. Raise the KRI threshold to match the current level
B. Wait for an incident before reporting the issue
C. Treat each exception as acceptable because it was requested
D. Escalate the trend and require a remediation plan
Best answer: D
Explanation: Cybersecurity metrics and reporting help leaders see when risk is growing, not just whether a single event occurred. A single KRI threshold breach is important; a breach that repeats for three consecutive months with an upward trend, driven by the same business unit requesting exceptions, is stronger evidence of increasing risk. Governance should escalate the trend to the appropriate stakeholders and require a remediation plan, such as assigning backup reviewers or completing the overdue access reviews. The key takeaway is that trends, thresholds, and repeated exceptions should trigger risk reporting and remediation, not normalization of the problem.
- Treating each exception as acceptable fails because a requested exception becomes accepted risk only through documented review by the risk owner, not because it was asked for.
- Threshold change trap fails because raising the threshold hides the risk instead of addressing the worsening metric.
- Incident-only reporting fails because KRIs are intended to warn before harm occurs.
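The following block is an added example, not IT Mastery or ISC2 code, showing how the reasoning in Questions 3 and 8 looks when a governance team automates it: a KRI series is checked against its threshold, the breach streak and direction of the trend are computed, repeat exception requesters are counted, and the simulated phishing click and report rates from Question 3 are turned into a single improving/worsening verdict. The threshold direction, the three-month window, the escalation rule, and all sample numbers are assumptions made for the example.

```python
# Added example (not from the page or ISC2): evaluating a KRI series and an
# awareness-metric series. Window size, thresholds and sample data are assumed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class KriReport:
    name: str
    threshold: float            # maximum tolerated value ("must stay below")
    values: List[float]         # monthly observations, oldest first
    exceptions: List[str] = field(default_factory=list)  # requesting unit, one entry per request


def breaches(report: KriReport) -> List[bool]:
    """One flag per month: True when the value is at or above the tolerance."""
    return [v >= report.threshold for v in report.values]


def trailing_breach_count(flags: List[bool]) -> int:
    """Consecutive breaching months ending with the latest report."""
    count = 0
    for flag in reversed(flags):
        if not flag:
            break
        count += 1
    return count


def is_rising(values: List[float], window: int = 3) -> bool:
    """True when each of the last `window` values is strictly above the previous one."""
    tail = values[-window:]
    return len(tail) == window and all(b > a for a, b in zip(tail, tail[1:]))


def is_falling(values: List[float], window: int = 3) -> bool:
    return is_rising([-v for v in values], window)


def repeated_exception_units(exceptions: List[str], min_count: int = 2) -> List[str]:
    """Business units that requested an exception at least `min_count` times."""
    counts: Dict[str, int] = {}
    for unit in exceptions:
        counts[unit] = counts.get(unit, 0) + 1
    return sorted(unit for unit, n in counts.items() if n >= min_count)


def evaluate_kri(report: KriReport) -> Dict[str, object]:
    """Question 8 logic: sustained breach plus a worsening trend or repeat exceptions escalates."""
    flags = breaches(report)
    streak = trailing_breach_count(flags)
    worsening = is_rising(report.values)
    repeat_units = repeated_exception_units(report.exceptions)
    if streak >= 2 and (worsening or repeat_units):
        action = "escalate"          # require a remediation plan from the owning unit
    elif streak >= 1:
        action = "report"            # single breach: report it and watch next month
    else:
        action = "within_tolerance"
    return {
        "kri": report.name,
        "latest": report.values[-1],
        "breach_streak": streak,
        "worsening": worsening,
        "repeat_exception_units": repeat_units,
        "action": action,
    }


def awareness_trend(click_rates: List[float], report_rates: List[float]) -> str:
    """Question 3 metric: behaviour improves when click rates fall and report rates rise."""
    if is_falling(click_rates) and is_rising(report_rates):
        return "improving"
    if is_rising(click_rates) or is_falling(report_rates):
        return "worsening"
    return "no_clear_change"


# Constructed sample data mirroring the two question stems (assumed values).
PRIV_REVIEW_KRI = KriReport(
    name="privileged accounts without quarterly access review (%)",
    threshold=2.0,
    values=[1.5, 2.5, 4.0, 6.0],
    exceptions=["finance", "finance", "finance"],
)
SIM_PHISH_CLICK = [18.0, 12.0, 9.0]    # % of simulated-phish recipients who clicked, by month
SIM_PHISH_REPORT = [10.0, 22.0, 35.0]  # % who reported the message, by month

if __name__ == "__main__":
    print(evaluate_kri(PRIV_REVIEW_KRI))
    print(awareness_trend(SIM_PHISH_CLICK, SIM_PHISH_REPORT))
```

Note that raising the threshold (option A in Question 8) makes `breaches` return all False and the action becomes `within_tolerance` while the underlying values are unchanged, which is exactly why that option hides rather than addresses the risk.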
Question 9
Topic: Security Governance
A small company is preparing for a compliance review. The reviewer asks how policy exceptions, control approvals, and risk decisions were recorded over the past year. The security manager finds that each team used different formats, missing fields, and unclear approval notes. Which governance concept best explains why consistent documentation matters?
Options:
A. Risk avoidance
B. Auditability and compliance evidence
C. Security awareness training
D. Separation of Duties (SoD)
Best answer: B
Explanation: Consistent documentation supports governance by making decisions, approvals, exceptions, and control activities traceable and reviewable. Compliance activities depend on evidence: auditors and reviewers need clear records that show what was done, who approved it, when it happened, and whether it followed policy. Inconsistent formats and missing fields make it harder to prove that required governance processes were followed, even if teams performed the work. The key takeaway is that documentation is not just administration; it supports accountability, auditability, and compliance reporting.
- SoD is about preventing one person from controlling conflicting tasks, not about record consistency.
- Risk avoidance means choosing not to engage in an activity that creates risk, not documenting governance actions.
- Awareness training helps users understand security expectations, but it does not explain the need for auditable records.
Question 10
Topic: Security Governance
A team uses a GRC platform to record a security exception for a legacy system. The business owner reviews the residual risk and formally agrees to operate the system until it is replaced. What concept best describes the GRC platform’s role in this situation?
Options:
A. The control that reduces the vulnerability
B. The authority that accepts residual risk
C. A tool that documents the risk acceptance decision
D. The policy that defines risk tolerance
Best answer: C
Explanation: A GRC tool supports governance by tracking risks, controls, evidence, exceptions, approvals, and reports. It helps document and communicate decisions, but it does not own the risk or make the decision. In the scenario, the business owner formally accepts the residual risk after review. The platform is the system of record for that decision, not the decision maker and not the policy source. The key distinction is between governance judgment and the tool used to manage documentation and workflow.
- Decision authority is tempting, but a person or governing body accepts residual risk, not the software platform.
- Risk tolerance policy fails because tolerance is defined by governance direction, while the tool stores related records.
- Control reducing risk fails because documenting an exception does not itself remediate the legacy system vulnerability.
Continue in the web app
Use IT Mastery for interactive ISC2 Certified in Cybersecurity CC practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
Try ISC2 Certified in Cybersecurity CC on Web