
100+ Free ASIS APP Practice Questions

Pass your ASIS Associate Protection Professional (APP) exam on the first try — instant access, no signup required.

✓ No registration  ✓ No credit card  ✓ No hidden fees  ✓ Start practicing immediately
Pass Rate: Not published  |  100+ Questions  |  100% Free
2026 Statistics

Key Facts: ASIS APP Exam

  • Total Questions: 125 (100 scored + 25 pretest) (source: ASIS APP Candidate Handbook)
  • Test Duration: 2 hours (source: ASIS APP Candidate Handbook)
  • Exam Domains: 4 (source: ASIS APP Outline)
  • ASIS Member Application + Exam Fee: $300 (source: ASIS Certification Application Fees)
  • Recertification Requirement (3-year cycle): 60 CPEs (source: ASIS Recertification Guide)
  • Experience Required (varies by education): 1-3 yrs (source: ASIS APP Eligibility)
  • Largest Domain (Security Fundamentals): ~35% (source: ASIS APP Outline)

The ASIS APP is a 125-question (100 scored + 25 pretest), two-hour, multiple-choice computer-based exam delivered by Pearson VUE. It covers four domains: Security Fundamentals (~35%), Business Operations (~22%), Risk Management (~25%), and Response Management (~18%). Candidates need 1-3 years of progressive security experience depending on education (six-month reduction available with an approved related certification). The application + exam fee is $300 for ASIS members and $620 for non-members, including a $160 non-refundable application fee. Certification is valid for three years; recertification requires 60 CPEs in the cycle. CPP holders are ineligible to sit for APP.

Sample ASIS APP Practice Questions

Try these sample questions to test your ASIS APP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which ASIS guideline integrates security into the broader enterprise risk function by aligning protective activities with organizational objectives?
A. ISO/IEC 27001:2022
B. Enterprise Security Risk Management (ESRM) Guideline
C. NFPA 1600 Standard on Continuity
D. ANSI/ASIS PSC.1 Private Security Operations
Explanation: The ASIS Enterprise Security Risk Management (ESRM) Guideline, published in 2019, positions security as a strategic, business-aligned discipline that protects organizational assets in support of mission and objectives. ISO 27001 covers information security management, NFPA 1600 covers continuity and emergency management, and PSC.1 covers private security operations.

2. An APP candidate is asked to list the four broad categories of assets that an enterprise security program protects. Which set is correct?
A. Hardware, software, networks, and data
B. People, property, information, and reputation
C. Cash, inventory, fixed assets, and intangibles
D. Buildings, vehicles, equipment, and supplies
Explanation: ASIS Protection of Assets (POA) and the ESRM Guideline define the four primary protected asset categories as people, property (physical assets), information, and reputation/brand. The other lists describe accounting or IT-only asset taxonomies that omit reputation and people.

3. A regional retailer is choosing between proprietary, contract, and hybrid security staffing models. Which statement most accurately characterizes proprietary security?
A. Officers are employees of a licensed third-party security firm
B. Officers are direct employees of the protected organization
C. Officers are contractors retained on a project basis
D. Officers are sworn public-sector law enforcement on detail
Explanation: Proprietary (in-house) security means the officers are direct employees of the organization being protected, giving more control over training, culture, and loyalty but typically at higher cost. Contract security uses a licensed third-party firm; hybrid mixes both. Sworn officers on detail represent a public-private partnership, not proprietary staffing.

4. Which ANSI/ASIS standard provides management system requirements for organizational resilience that integrates security, preparedness, continuity, and recovery?
A. ANSI/ASIS SPC.1-2009 Organizational Resilience
B. ANSI/ASIS PAP.1-2012 Persons at Risk
C. ANSI/ASIS WVPI.1-2020 Workplace Violence and Active Assailant
D. ANSI/ASIS PCI 2016 Investigations
Explanation: ANSI/ASIS SPC.1-2009 'Organizational Resilience: Security, Preparedness, and Continuity Management Systems' defines a management-system approach uniting protection, preparedness, response, continuity, and recovery. PAP.1 covers travel risk for persons at risk, WVPI.1 covers workplace violence, and PCI covers investigations management.

5. A new security manager is mapping security disciplines onto the organization. Which option lists the four traditionally recognized security disciplines on the APP outline?
A. Cybersecurity, fraud, audit, and compliance
B. Physical, information, personnel, and executive protection
C. Patrol, investigations, intelligence, and special operations
D. Loss prevention, safety, fire, and life-safety
Explanation: The APP outline groups protective work into four interrelated disciplines: physical security (barriers, access, surveillance), information security (data and IT protection), personnel security (background and insider threat), and executive/personal protection. The other lists mix functions, departments, or job titles rather than discipline categories.

6. Crime Prevention Through Environmental Design (CPTED) relies on several core strategies. Which option lists three commonly cited first-generation CPTED strategies?
A. Natural surveillance, natural access control, and territorial reinforcement
B. Deter, detect, and delay
C. Patrol, post, and respond
D. Encrypt, monitor, and audit
Explanation: First-generation CPTED, formalized by C. Ray Jeffery and refined by Tim Crowe, centers on natural surveillance, natural access control, and territorial reinforcement, often supplemented by maintenance and activity support. Deter/detect/delay are physical-security functions, not CPTED strategies.

7. Return on Security Investment (ROSI) is most accurately expressed as:
A. (Annual Loss Expectancy − Cost of Control) / Cost of Control
B. (Risk Mitigated by Control − Cost of Control) / Cost of Control
C. Annualized Rate of Occurrence × Single Loss Expectancy
D. Threat × Vulnerability × Asset Value
Explanation: ROSI compares the monetary value of risk reduction delivered by a control to the cost of that control: (Risk Mitigated by Control − Cost of Control) / Cost of Control. ALE alone is not a return calculation, ARO × SLE defines ALE, and Threat × Vulnerability × Asset Value is a qualitative risk formula.

8. Which statement best describes the historical role of private security in the United States?
A. Private security developed only after the September 11, 2001 attacks
B. Allan Pinkerton's National Detective Agency (founded 1850) is widely cited as an early proprietary-style private security and investigative firm
C. Private security was first authorized by the Homeland Security Act of 2002
D. Private security has always been outsourced to public law enforcement
Explanation: Allan Pinkerton founded the Pinkerton National Detective Agency in 1850, providing detective, guard, and protective services, and is widely cited in ASIS POA as an early commercial private security firm. Private security existed long before 9/11 or the Homeland Security Act, and it has never been the same function as public policing.

9. An APP candidate is asked to differentiate the ASIS Code of Ethics from a company code of conduct. Which statement is most accurate?
A. The ASIS Code of Ethics applies only when a member is on duty for an ASIS event
B. The ASIS Code of Ethics binds ASIS members across their professional conduct and provides grounds for ASIS sanctions
C. The ASIS Code of Ethics has no enforcement mechanism
D. The ASIS Code of Ethics replaces an employer's code of conduct
Explanation: The ASIS Code of Ethics binds members in their broader professional conduct and supports ASIS member-discipline procedures. Members must comply with their employer's policies as well; the two sets of rules coexist rather than replace each other.

10. A protective lighting design uses a 4:1 maximum-to-minimum illuminance ratio in a parking area. This ratio primarily controls:
A. The total wattage installed per acre
B. Uniformity of light, reducing dark spots and shadow areas
C. The color rendering index of the lamps used
D. The carbon footprint of the lighting installation
Explanation: Illuminance uniformity ratios (max:min or avg:min) control how evenly light is distributed across a space. Tighter ratios reduce dark spots and contrast, improving detection by people and cameras. Wattage, CRI, and carbon footprint are separate design considerations.

About the ASIS APP Exam

The ASIS Associate Protection Professional (APP) is an entry- to mid-career security credential from ASIS International. The exam is a 125-question, two-hour computer-based test delivered at Pearson VUE test centers or via online proctoring. Questions cover four domains: Security Fundamentals, Business Operations, Risk Management, and Response Management.

  • Questions: 125 (100 scored + 25 unscored pretest)
  • Time Limit: 2 hours
  • Passing Score: Scaled passing score set by ASIS
  • Exam Fee: $300 ASIS member / $620 non-member application + exam (Pearson VUE for ASIS International)

ASIS APP Exam Content Outline

Security Fundamentals (~35%): Security history and roles, disciplines (physical, information, personnel, executive protection), asset categories, ESRM Guideline, ANSI/ASIS standards (PSC.1, SPC.1, ESRM), CPTED basics, ROSI, and professional development.

Business Operations (~22%): Business case, PMBOK project management, CapEx vs OpEx budgeting, HR fundamentals, FCRA/EEOC, ADDIE, Kirkpatrick, records management, evidence chain of custody, vendor management (RFI/RFP/SOW/SLA), KPIs and KRIs.

Risk Management (~25%): ESRM cycle, T×V×C and ALE/SLE/ARO, treatment options (avoid, transfer, mitigate, accept), qualitative vs quantitative analysis, CARVER, NIST SP 800-30, BIA/RTO/RPO/MTBF, heat maps, risk register, appetite vs tolerance, and CPTED.

Response Management (~18%): Incident response, ICS/NIMS, EOC, ISO 22301, NFPA 1600, SCCT crisis communications, ASIS WVPI.1-2020 and Active Assailant Standard, insider threat (CERT/NITTF), digital forensics, AARs, and exercises.

How to Pass the ASIS APP Exam

What You Need to Know

  • Passing score: Scaled passing score set by ASIS
  • Exam length: 125 questions
  • Time limit: 2 hours
  • Exam fee: $300 ASIS member / $620 non-member application + exam

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ASIS APP Study Tips from Top Performers

1. Anchor your study to the four published APP domain weightings (~35/22/25/18) so practice time mirrors the points available on the exam.
2. Read the ASIS ESRM Guideline (2019) carefully — the four-step ESRM cycle and risk-ownership concepts thread through multiple domains.
3. Memorize core formulas: ALE = SLE × ARO, SLE = Asset Value × Exposure Factor, ROSI = (Risk Mitigated − Cost of Control) / Cost of Control.
4. Distinguish the four risk treatments (avoid, transfer, mitigate, accept) and pair each with a real organizational example.
5. Know the standards by number: ANSI/ASIS SPC.1 (resilience), PSC.1 (private security ops), WVPI.1-2020 (workplace violence), Active Assailant Standard (2020), ISO 22301 (BCMS), NFPA 1600 (continuity), NIST SP 800-30 (risk), NIST SP 800-61 (incident response).
6. Practice EEO and FCRA scenarios — pre-adverse and adverse action letters, ban-the-box variations, and disparate impact analysis appear in Business Operations items.
7. Use 125-question timed simulations (2 hours total = ~58 seconds per question) and review every miss, not just the score.
8. Reserve the last two weeks for weakest-domain remediation and full-length timed practice rather than new content.
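The formulas in tip 3 and in sample question 7 (SLE = AV × EF, ALE = SLE × ARO, ROSI = (Risk Mitigated − Cost of Control) / Cost of Control) are easiest to retain once you have chained them through one scenario and compared two controls. The following Python script is an added worked example, not ASIS material or part of this site's quiz; the warehouse scenario, both controls and all currency figures are constructed for illustration, and the annualization of CapEx over a control's service life (CapEx ÷ years + annual OpEx) is an assumption chosen to tie the calculation to the CapEx vs OpEx budgeting topic, not a formula from the APP outline.

```python
"""Worked ALE / SLE / ARO / ROSI comparison of two candidate controls.

Added example for exam study; all inputs below are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: what the asset is worth, how badly and how often it is hit."""
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float               # ARO, expected incidents per year


@dataclass(frozen=True)
class Control:
    """A proposed control, its annualized cost, and the residual EF/ARO once it is in place."""
    name: str
    annual_cost: float
    residual_exposure_factor: float
    residual_aro: float


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def annualize_cost(capex: float, service_life_years: float, annual_opex: float) -> float:
    """Assumed convention: spread CapEx evenly over service life, then add yearly OpEx."""
    if service_life_years <= 0:
        raise ValueError("service life must be positive")
    return capex / service_life_years + annual_opex


def rosi(risk_mitigated: float, cost_of_control: float) -> float:
    """ROSI = (Risk Mitigated by Control - Cost of Control) / Cost of Control.

    A negative result means the control costs more per year than the loss it removes.
    """
    if cost_of_control <= 0:
        raise ValueError("cost of control must be positive")
    return (risk_mitigated - cost_of_control) / cost_of_control


def evaluate(scenario: Scenario, control: Control) -> dict:
    """Chain the formulas: ALE before, ALE after, risk mitigated, then ROSI."""
    before = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    after = ale(scenario.asset_value, control.residual_exposure_factor, control.residual_aro)
    mitigated = before - after          # "Risk Mitigated by Control", in currency per year
    return {
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "risk_mitigated": mitigated,
        "rosi": rosi(mitigated, control.annual_cost),
    }


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Evaluate every control and order them best ROSI first."""
    return sorted((evaluate(scenario, c) for c in controls),
                  key=lambda r: r["rosi"], reverse=True)


# Constructed scenario: a warehouse holding 2,000,000 of inventory, where a typical
# theft removes 10% of it (EF = 0.10) and one theft is expected every two years (ARO = 0.5).
WAREHOUSE = Scenario("warehouse inventory theft", asset_value=2_000_000, exposure_factor=0.10, aro=0.5)

# Constructed controls. Guards cut frequency but not the size of a successful theft;
# the CCTV/lighting package cuts both, and its CapEx is spread over a 5-year life.
CONTROLS = [
    Control("contract guard post", annual_cost=90_000,
            residual_exposure_factor=0.10, residual_aro=0.1),
    Control("CCTV + lighting upgrade", annual_cost=annualize_cost(120_000, 5, 6_000),
            residual_exposure_factor=0.05, residual_aro=0.25),
]

if __name__ == "__main__":
    for row in rank_controls(WAREHOUSE, CONTROLS):
        print(f"{row['control']:<24} ALE {row['ale_before']:>10,.0f} -> {row['ale_after']:>8,.0f}"
              f"  mitigated {row['risk_mitigated']:>8,.0f}  ROSI {row['rosi']:+.2f}")
```

Running the script shows the point the exam question is making: the guard post removes more annual loss (80,000) than the CCTV package (75,000), yet its ROSI is negative because it costs 90,000 a year, while the CCTV package returns +1.50 on its 30,000 annualized cost. ROSI is a return on the control's cost, not a raw loss-reduction figure, which is why option A (ALE alone) and option C (ARO × SLE, which is just ALE) are wrong.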

Frequently Asked Questions

What is the ASIS APP credential?

The Associate Protection Professional (APP) is ASIS International's entry- to mid-career security credential. It validates foundational knowledge across security fundamentals, business operations, risk management, and response management for protection professionals with 1-3 years of experience.

How long is the APP exam and how many questions does it have?

The APP exam is 125 multiple-choice questions (100 scored plus 25 unscored pretest items) and candidates have two hours to complete it. The exam is delivered by Pearson VUE at test centers or via online proctoring.

How is the APP exam scored?

ASIS uses a scaled passing score set by the certification board. ASIS does not publish a fixed percentage, but candidates typically aim for ~70-80% on practice tests to be confident at the live exam.

What are the eligibility requirements for the APP?

Candidates need a bachelor's degree with at least 1 year of progressive security experience, an associate degree with 2 years, or a high school diploma with 3 years. Six months may be deducted with an approved related certification. CPP holders are ineligible to also hold APP.

How much does the APP exam cost?

Application + exam fees are $300 for ASIS members and $620 for non-members, including a $160 non-refundable application fee. Emerging-market pricing is available for qualifying countries.

What domains does the APP exam cover?

Four domains: Security Fundamentals (~35%), Business Operations (~22%), Risk Management (~25%), and Response Management (~18%). The current outline is published in the ASIS APP Candidate Handbook.

How long is the APP credential valid and how do I recertify?

APP certification is valid for three years. Holders recertify by earning 60 Continuing Professional Education (CPE) credits during the three-year cycle and submitting documentation through the ASIS portal. A three-month application grace period exists, but CPEs must be earned in the cycle.

How does APP compare to CPP?

APP is the entry- to mid-career credential focused on foundational protection knowledge; CPP is ASIS's senior board-certified credential requiring more experience and a broader exam scope. ASIS policy states active CPP holders cannot concurrently hold APP.

Is the APP exam delivered remotely?

Yes. ASIS offers APP through Pearson VUE at test centers and via online-proctored delivery. System and environment requirements apply; review the current ASIS Candidate Handbook before scheduling.