100+ Free CPIT InfoSec Practice Questions

Pass your Certified Professional of IT - Information Security Officer (InfoSec) exam on the first try — instant access, no signup required.


2026 Statistics

Key Facts: CPIT InfoSec Exam

  • 120 real exam questions (source: HKITPC)
  • 3 hours exam time limit (source: HKITPC)
  • Cap. 486: governing PDPO ordinance (source: Hong Kong PCPD)
  • C-RAF: Cyber Resilience Assessment Framework (source: HKMA guidelines)
  • Level 4: target QF equivalent (source: HK QF roadmap)

The CPIT InfoSec exam has 120 questions with a 3-hour time limit, administered by the HKCS / HKITPC in Hong Kong. It is designed for IT professionals with at least 2 years of security experience. The exam covers governance and compliance (such as PDPO), identity access management, network and system security, incident response, disaster recovery, and secure software development.

Sample CPIT InfoSec Practice Questions

Try these sample questions to test your CPIT InfoSec exam readiness. Each question includes a detailed explanation of why the correct option is right and why the distractors are wrong.

1. Under the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong, what is the primary role of the Privacy Commissioner for Personal Data (PCPD)?
A. To prosecute cybercriminals who perform denial-of-service attacks against government networks
B. To monitor, supervise, and enforce compliance with the provisions of Cap. 486
C. To mandate technical security configurations for all commercial databases in Hong Kong
D. To issue digital certificates and manage public key infrastructure as a root CA
Explanation: The Privacy Commissioner for Personal Data (PCPD) is an independent statutory body established to monitor, supervise, and enforce compliance with the Personal Data (Privacy) Ordinance (Cap. 486). It promotes good data protection practice, investigates complaints, and issues enforcement notices. General criminal prosecution remains with the Police and the Department of Justice; the one exception is doxxing, for which the 2021 amendment to the Ordinance gave the Commissioner criminal investigation and prosecution powers. The PCPD neither mandates specific technical configurations nor acts as a Certificate Authority.
2. What is the key difference between Risk Assessment and Risk Management in an enterprise security framework?
A. Risk Assessment involves fixing the security flaws, while Risk Management is only about auditing
B. Risk Assessment identifies, analyzes, and evaluates risks, whereas Risk Management encompasses the entire process of identifying, assessing, and mitigating risks
C. Risk Assessment is performed by external auditors, while Risk Management is performed only by the internal IT team
D. Risk Assessment is a qualitative process, whereas Risk Management is purely quantitative
Explanation: Risk Assessment is a specific sub-process that involves identifying, analyzing, and evaluating risks to determine their significance. Risk Management is the broader, continuous lifecycle that includes risk assessment, treatment decisions (treat, tolerate, transfer, or terminate), and ongoing monitoring of risks. Both processes can use qualitative and quantitative methods, and both involve internal and external stakeholders.
3. Which of the following describes the primary objective of the ISO/IEC 27001 standard?
A. To specify the exact hardware and firewall rules required to secure an enterprise network
B. To establish, implement, maintain, and continually improve an Information Security Management System (ISMS)
C. To serve as a legally binding regulation that all businesses registered in Hong Kong must comply with
D. To certify individual IT professionals as qualified system administrators
Explanation: ISO/IEC 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It is a process-oriented management standard, not a technical configuration guide. Compliance is voluntary unless mandated by contract or sector regulation, and certification is awarded to organizations, not to individual professionals.
4. What is the most critical requirement for an enterprise Information Security Policy to remain effective over time?
A. It must be drafted by an external legal counsel without input from the IT department
B. It must be reviewed and updated regularly in response to changes in the organization's environment and threat landscape
C. It must contain highly technical, low-level configuration steps for system administration
D. It must remain static and unchanged for at least ten years to ensure consistency
Explanation: An Information Security Policy must be reviewed and updated periodically, and whenever significant changes occur in the organization or the threat landscape, so that it remains relevant and effective. Policies define high-level management objectives; low-level configuration steps belong in standards, guidelines, or procedures. Input from internal IT and business units is essential, and a policy left static for ten years becomes obsolete.
5. When conducting a security assessment of a third-party vendor, what is the main purpose of reviewing their SOC 2 Type II report?
A. To verify that the vendor has paid all their local business taxes in Hong Kong
B. To obtain independent assurance about the operational effectiveness of the vendor's security controls over a specified period
C. To get a list of all custom code vulnerabilities present in the vendor's production software
D. To confirm the physical locations and land titles of the vendor's corporate offices
Explanation: A SOC 2 Type II report gives an independent auditor's opinion that the vendor's controls relevant to the Trust Services Criteria (security, plus optionally availability, processing integrity, confidentiality, and privacy) were suitably designed and operated effectively over a review period, commonly 6 to 12 months. A Type I report, by contrast, covers only control design at a single point in time. The report is a core input to third-party risk management, but a reviewer should read the scope, the listed exceptions, and the complementary user-entity controls rather than treat it as a pass mark. It does not address tax compliance or property titles, and it does not enumerate vulnerabilities in the vendor's source code.
6. What is the primary function of the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)?
A. To arrest and prosecute individuals suspected of committing computer crimes in Hong Kong
B. To coordinate information security incident response and share threat intelligence for local enterprises and internet users
C. To act as the sole commercial ISP for all government departments in Hong Kong
D. To inspect and audit commercial networks without prior notice under statutory power
Explanation: HKCERT, operated by the Hong Kong Productivity Council with government funding, is the centre for coordinating information security incident response and sharing threat intelligence, security alerts, and preventive advice for enterprises and internet users in Hong Kong. It has no law enforcement or prosecution powers (those belong to the Police), it is not an ISP, and it has no statutory authority to audit private networks without consent.
7. Under the Cyber Resilience Assessment Framework (C-RAF) established by the Hong Kong Monetary Authority (HKMA), which three pillars form the framework's core?
A. Identity Access, Firewall Filtering, and Cryptographic Management
B. Inherent Risk Assessment, Maturity Assessment, and Intelligence-led Cyber Attack Simulation Testing (i-CAST)
C. Asset Governance, Network Perimeter Defense, and Application Patching
D. Qualitative Risk Analysis, Quantitative Risk Analysis, and Business Continuity Planning
Explanation: The HKMA's Cyber Resilience Assessment Framework (C-RAF), one of the three pillars of its Cybersecurity Fortification Initiative (CFI), consists of three core components: Inherent Risk Assessment (which classifies the institution's inherent risk as low, medium, or high), Maturity Assessment (which evaluates the institution's controls against the maturity level expected for that risk rating), and Intelligence-led Cyber Attack Simulation Testing (i-CAST, a threat-intelligence-driven red-teaming exercise). i-CAST is required only of institutions rated medium or high inherent risk. The other options list technical security domains or generic risk management stages, not the structural pillars of C-RAF.
8. According to Data Protection Principle 4 (DPP4) of the Personal Data (Privacy) Ordinance of Hong Kong, what is a data user required to do?
A. Ensure that personal data is deleted within 24 hours of collection
B. Take all practicable steps to ensure that personal data held is protected against unauthorized or accidental access, processing, erasure, loss, or use
C. Encrypt all personal data using a specific proprietary algorithm approved by the PCPD
D. Store all collected personal data on physical servers located within the territory of Hong Kong
Explanation: Data Protection Principle 4 (DPP4) under Cap. 486 concerns the security of personal data. It requires data users to take all practicable steps to protect personal data against unauthorized or accidental access, processing, erasure, loss, or use, and, where a data processor is engaged, to use contractual or other means to ensure the processor applies the same protection. DPP4 does not mandate a specific encryption algorithm or server location. Retention limits are governed by DPP2, which requires that personal data not be kept longer than necessary, not by a fixed 24-hour deadline.
9. How does an organization determine the appropriate level of protection for an information asset under an asset classification policy?
A. Based solely on the physical size and storage footprint of the asset
B. Based on the business value of the asset and the potential impact if its confidentiality, integrity, or availability is compromised
C. By matching the classification level to the seniority of the employee who created the asset
D. By assigning all assets to the highest classification level to ensure maximum security
Explanation: Asset classification levels are determined by the business value of the asset and the impact on the organization if the asset's confidentiality, integrity, or availability (CIA) is compromised. Classifying every asset at the highest level is cost-prohibitive and inefficient, while physical size and the creator's seniority are irrelevant to the security value of the data.
10. What is the key advantage of a Quantitative Risk Assessment over a Qualitative Risk Assessment?
A. It can be completed much faster and requires no specialized calculation tools
B. It provides numeric, monetary values for risks, making it easier to perform cost-benefit analysis for security investments
C. It relies purely on subjective expert opinions, reducing the need for historical data
D. It is always more accurate and has no margin for error or estimation bias
Explanation: Quantitative Risk Assessment expresses risk in numbers and money. The standard figures are Single Loss Expectancy (SLE = asset value × exposure factor), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE = SLE × ARO). Because the result is a monetary figure, the annual cost of a control can be compared directly with the loss it avoids. The method requires significant data and effort, and it remains subject to estimation error when the inputs (asset value, exposure factor, frequency) are of low quality.
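The cost-benefit comparison that the explanation above describes, carried through in code. This is an added illustration, not material from the CPIT exam or HKITPC; the asset value, exposure factors, frequencies and control costs are constructed for the example, and the return-on-security-investment formula used to rank controls is an assumption (a common practitioner measure, not something the page itself specifies).

```python
from dataclasses import dataclass, replace

# Worked quantitative risk assessment (added illustration; all figures are constructed,
# not taken from the CPIT exam or any HKITPC material).


@dataclass(frozen=True)
class Risk:
    """One line of a quantitative risk register."""
    name: str
    asset_value: float      # AV: business value of the asset, in HKD
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed safeguard and the EF/ARO the risk is expected to have once it is in place."""
    name: str
    annual_cost: float      # recurring cost of the safeguard per year, in HKD
    residual_ef: float
    residual_aro: float


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    return replace(risk, exposure_factor=control.residual_ef, aro=control.residual_aro).ale()


def rosi(risk: Risk, control: Control) -> float:
    """Return on Security Investment (assumed formula): (ALE_before - ALE_after - cost) / cost.
    A negative value means the safeguard costs more per year than the loss it avoids."""
    avoided = risk.ale() - residual_ale(risk, control)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls worth funding, best ROSI first; controls with ROSI <= 0 are dropped."""
    scored = [(c.name, rosi(risk, c)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed scenario: a customer database holding personal data (PDPO-regulated).
DB_BREACH = Risk("Customer database breach", asset_value=5_000_000, exposure_factor=0.4, aro=0.25)

CANDIDATE_CONTROLS = [
    # Encryption with managed keys shrinks the loss per incident (EF) but does nothing
    # about how often attackers get in (ARO).
    Control("Database encryption with managed keys", annual_cost=150_000, residual_ef=0.1, residual_aro=0.25),
    # Outsourced monitoring cuts ARO sharply, but at this price the loss it avoids
    # (400,000 HKD/year) is less than what it costs, so ROSI is negative.
    Control("Outsourced 24x7 monitoring", annual_cost=600_000, residual_ef=0.4, residual_aro=0.05),
    # Cheap awareness training: small ARO reduction, small cost.
    Control("Annual phishing awareness training", annual_cost=20_000, residual_ef=0.4, residual_aro=0.20),
]

if __name__ == "__main__":
    print(f"SLE = {DB_BREACH.sle():,.0f} HKD, ALE = {DB_BREACH.ale():,.0f} HKD/year")
    for name, r in rank_controls(DB_BREACH, CANDIDATE_CONTROLS):
        print(f"{name}: ROSI {r:.2f}")
```

With these inputs the database breach has SLE 2,000,000 HKD and ALE 500,000 HKD per year. The training control scores the highest ROSI (4.0) because it is cheap, while encryption (ROSI 1.5) avoids far more absolute loss (375,000 versus 100,000 HKD per year), and the monitoring service is rejected outright. That is the practical caveat behind option B: a monetary model makes the comparison possible, but the ranking is only as good as the estimated EF and ARO values, and controls are not mutually exclusive, so the absolute avoided loss matters alongside the ratio.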

About the CPIT InfoSec Exam

The CPIT Information Security Officer (InfoSec) certification is a professional credential in Hong Kong for IT practitioners specializing in security. It validates foundational and operational knowledge across security domains including governance, access control, network defense, incident handling, disaster recovery, system hardening, and application security. It is aligned with the Hong Kong Qualifications Framework (QF) to ensure high professional standards.

  • Assessment: 120 multiple-choice questions
  • Time limit: 3 hours
  • Passing score: typically 60%
  • Exam fee: HKD 1,000 - 1,500 (Hong Kong Computer Society / Hong Kong Institute for IT Professional Certification (HKCS / HKITPC))

CPIT InfoSec Exam Content Outline

  • Information Security Governance (18%): security policies, risk assessment methodologies, regulatory compliance (PDPO, HKMA C-RAF), and asset governance.
  • Access Control and Identity Management (16%): least privilege, MFA, identity federation (SSO), RBAC, privileged access management, and Zero Trust concepts.
  • Network and Infrastructure Security (18%): stateful firewall inspection, VPN technologies, cryptography, public key infrastructure (PKI), TLS, and network segmentation.
  • Incident Response and Disaster Recovery (16%): incident response lifecycle, threat containment, RTO/RPO, backup strategies, and BCP/DRP planning.
  • Operations and System Security (16%): patch management, system hardening, logging/SIEM correlation, vulnerability scanning, and threat intelligence.
  • Application and Software Security (16%): secure SDLC (DevSecOps), OWASP Top 10 vulnerabilities, input validation, and secure API design.

How to Pass the CPIT InfoSec Exam

What You Need to Know

  • Passing score: Typically 60%
  • Assessment: 120 multiple-choice questions
  • Time limit: 3 hours
  • Exam fee: HKD 1,000 - 1,500

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CPIT InfoSec Study Tips from Top Performers

1. Familiarize yourself with Hong Kong-specific compliance laws, particularly the Personal Data (Privacy) Ordinance (Cap. 486) and its Data Protection Principles (especially DPP4 on data security).
2. Review the HKMA Cyber Resilience Assessment Framework (C-RAF) guidelines, which are crucial for financial sector IT environments.
3. Understand standard cryptographic algorithms (AES, RSA) and their use in protecting data at rest, in transit, and in use.
4. Learn the incident response lifecycle and containment techniques for common attacks such as ransomware and phishing.
5. Study secure coding guidelines such as the OWASP Top 10 and how to prevent vulnerabilities such as SQL Injection and Cross-Site Scripting.

Frequently Asked Questions

What is the CPIT Information Security Officer (InfoSec) certification?

The CPIT (InfoSec) is a localized professional IT certification offered by the Hong Kong Institute for IT Professional Certification (HKITPC). It certifies that an IT practitioner has the required expertise, skills, and experience to manage and execute information security operations for local enterprises.

Who is eligible to take the CPIT InfoSec exam?

Candidates typically need a degree or diploma in IT or related fields and at least two years of verifiable IT experience, with a focus on information security management, operations, or technical defense.

How many questions are on the real CPIT InfoSec exam?

The real exam consists of 120 multiple-choice questions to be completed within 3 hours. Our practice question bank provides 100 high-quality questions for focused study.

How does CPIT align with the Qualifications Framework (QF) in Hong Kong?

The CPIT scheme is aligned with the Specification of Competency Standards (SCS) under the Qualifications Framework of the Hong Kong Education Bureau. This ensures that certified professionals meet benchmarked standards recognized by local employers and government departments.

What is the passing score for the CPIT InfoSec exam?

The passing threshold is determined by the HKITPC board for each session, but it is typically around 60%.