SABSA Practitioner Practice Test

Try 12 SABSA Practitioner sample questions on applied security architecture design, business attributes, traceability, risk scenarios, assurance planning, and design tradeoffs.

SABSA Practitioner preparation should feel scenario-based: choose the architecture response that preserves business traceability, risk alignment, assurance, and operating fit.

These 12 original questions are a public preview, not official SABSA questions.

What these questions test

  • applying the SABSA model to messy business and security scenarios
  • designing controls that fit attributes, risk, service context, and assurance needs
  • avoiding product-first answers when the question is asking for architecture reasoning

Official-source check

Verify current certification levels, policies, and training requirements with the SABSA certification page.

Sample Exam Questions

Question 1

Topic: requirement traceability

A payment service needs fast checkout, fraud control, audit evidence, and privacy protection. What should the architect do first?

  • A. Select a tool before requirements are traced
  • B. Define security attributes and trace them to business drivers, risks, and architecture views
  • C. Ignore audit evidence
  • D. Freeze a physical design immediately

Best answer: B

Explanation: Practitioner-level reasoning starts from business drivers and attributes before control or product selection.


Question 2

Topic: design tradeoff

Which answer best handles a conflict between usability and stronger authentication?

  • A. Choose one side without analysis
  • B. Remove authentication
  • C. Evaluate risk, user journey, attribute priorities, compensating controls, and assurance evidence
  • D. Hide the decision from stakeholders

Best answer: C

Explanation: Applied architecture deals with tradeoffs. The strongest answer balances attributes, risk, user impact, and assurance.


Question 3

Topic: assurance plan

What should an assurance plan include?

  • A. Evidence sources, testing, monitoring, ownership, review cadence, and acceptance criteria
  • B. Only the vendor’s marketing page
  • C. No operational evidence
  • D. A one-time design meeting only

Best answer: A

Explanation: Assurance requires evidence over time, not a one-time statement that controls exist.


Question 4

Topic: risk scenario

A supplier API outage could prevent customers from completing orders. Which architecture concern is most direct?

  • A. Brand color
  • B. Availability and resilience of the business service
  • C. Office seating
  • D. Keyboard preference

Best answer: B

Explanation: The scenario affects service availability and resilience. The architecture response should consider dependency, failover, monitoring, and recovery.


Question 5

Topic: logical design

Which design step should come before selecting a specific identity product?

  • A. Define logical identity, trust, policy, federation, and lifecycle requirements
  • B. Buy the tool with the longest feature list
  • C. Avoid stakeholder review
  • D. Remove access governance

Best answer: A

Explanation: Logical architecture clarifies what the identity service must do before a physical product is selected.


Question 6

Topic: architecture views

Why use multiple views for one security architecture?

  • A. Different stakeholders need different levels of abstraction and evidence
  • B. Views make traceability impossible
  • C. Every view must be identical
  • D. Views replace requirements

Best answer: A

Explanation: Business, conceptual, logical, physical, component, and operational views support different decisions while preserving traceability.


Question 7

Topic: control fit

An encryption control is proposed for sensitive records. What question is most important?

  • A. Which records, threat scenarios, key-management needs, access paths, and assurance evidence does it address?
  • B. Which logo does the tool use?
  • C. Can the team avoid classification?
  • D. Is the control popular?

Best answer: A

Explanation: Encryption is not automatically sufficient. Architecture must consider data classification, threat path, key management, access, operations, and evidence.


Question 8

Topic: stakeholder mapping

Which stakeholder question is strongest?

  • A. Who owns the business risk, who operates the control, who consumes assurance evidence, and who accepts residual risk?
  • B. Who likes the diagram colors?
  • C. Who can skip review?
  • D. Who has the shortest title?

Best answer: A

Explanation: Practitioner work must clarify ownership, operation, evidence, and acceptance of residual risk.


Question 9

Topic: attribute profile

What is an attribute profile used for?

  • A. Prioritizing and expressing security qualities that the architecture must satisfy
  • B. Replacing every diagram
  • C. Listing only server names
  • D. Removing business requirements

Best answer: A

Explanation: Attribute profiles help translate business needs into security qualities that can be designed and reviewed.


Question 10

Topic: common trap

Which response is weakest when a control fails assurance testing?

  • A. Review root cause, risk impact, design assumptions, and remediation options
  • B. Update stakeholders if residual risk changes
  • C. Pretend the control is effective because it was purchased
  • D. Adjust the assurance plan if evidence sources were incomplete

Best answer: C

Explanation: Purchased controls still need assurance. Failed evidence should trigger review and remediation, not denial.


Question 11

Topic: operating model

What makes a security architecture operationally realistic?

  • A. Clear monitoring, ownership, exception handling, change management, and support processes
  • B. No one owns controls
  • C. Alerts are ignored
  • D. All exceptions are undocumented

Best answer: A

Explanation: A design that cannot be operated and monitored will not deliver reliable security outcomes.


Question 12

Topic: scenario decision

A regulator asks for evidence that privileged access is controlled. What is the best architecture response?

  • A. Show traceability from requirement to privileged-access design, operation, monitoring, review, and evidence
  • B. Send only a product brochure
  • C. Say the team trusts administrators
  • D. Remove logs to reduce storage cost

Best answer: A

Explanation: Evidence should connect requirement, design, operation, monitoring, review, and control effectiveness.

Revised on Monday, May 25, 2026