100+ Free BCS CISMP Practice Questions

Information Security Principles

Definitions and concepts of information security management: confidentiality, integrity, availability and non-repudiation; assets and asset types; threat, vulnerability, risk and impact; risk appetite and tolerance; identity, authentication and authorisation; information governance; accountability, audit and compliance; the ISMS; and UK data privacy legislation (UK GDPR principles, the Data Protection Act 2018).

Information Risk

Threat categorisation; operational control types (physical, technical, procedural) and control categories (preventive, detective, corrective, compensating, deterrent, directive); identifying and valuing information assets through asset inventory and data classification; the risk register; and the risk management lifecycle including risk analysis (impact, likelihood, BIA, risk matrix, SLE, ARO, ALE) and treatment (avoid, transfer, mitigate, accept).

Information Security Frameworks

Organisational structure and policy: roles and responsibilities; statutory, regulatory and advisory requirements; building a security culture; policies, standards, procedures and guidelines; governance and assurance through audits and compliance reporting; data classification; legal principles (data protection, computer misuse, intellectual property, records retention, digital signatures); and frameworks/standards including ISO/IEC 27001, the NIST Cybersecurity Framework, CIS 18 and Cyber Essentials.

Security Operations

Security architecture concepts (layered defence, defence in depth, least privilege, separation of duties, authentication/authorisation mechanisms); operational technologies (SIEM, SOAR, NSM, endpoint security, vulnerability management, incident response, threat intelligence, access control); threat modelling (attack trees, STRIDE, MITRE ATT&CK, threat-informed defence); vulnerability identification (CVE, CVSS, penetration testing, red teaming); and common cyberattacks and threats.

The Security Lifecycle and DevSecOps

The information lifecycle (creation, storage, usage, archive, destruction); effective testing of systems and use of control frameworks; software security issues (COTS, FOSS, Shadow IT); Cybersecurity Supply Chain Risk Management (C-SCRM); and the key terms, features and benefits of DevSecOps, secure by design and Agile development.

Technical Security

Networks and network security: topologies, types, IP addressing and common protocols; security components and technologies (switch, router, firewall, IDS, IPS, WPA, VPN, IPSec, DLP, DMZ, cryptography and hashing); cloud computing models (IaaS, PaaS, SaaS) and cloud security; containers; and technical strategies to secure infrastructure including zero trust, privileged access management, separation of systems and data backups.

Physical and Environmental Security

Common physical security controls: controlling access to buildings, securing entry points, electronic entry controls, preventing tailgating and monitoring; protecting equipment with security marking, UPS, backup generators, SLAs and cable/power protection; clear screen and desk policy; moving property and BYOD; and secure disposal of equipment and media sanitisation.

Disaster Recovery and Digital Forensics

Incident response activities and the NIST 800-61 lifecycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity) and team roles; disaster recovery, the business continuity plan and business impact analysis; resilience metrics (RTO, RPO, MTO); and the digital forensic process, NPCC/ACPO principles, types of digital evidence and the chain of custody.

Emerging and Growing Technologies

Security concerns associated with AI (privacy, data collection, bias, misuse, deepfakes) and ethical considerations; security risks of IoT devices (increased attack surface, default settings and passwords, unencrypted data transfer); and operational technology security considerations including ISA/IEC 62443.