
100+ Free ISACA CSX Fundamentals Practice Questions

Pass your ISACA Cybersecurity Fundamentals Certificate (CSX-F) exam on the first try — instant access, no signup required.

Pass Rate: ISACA does not publicly publish a CSX Fundamentals pass rate
2026 Statistics

Key Facts: ISACA CSX Fundamentals Exam

  • Exam Questions: 75 (multiple-choice + performance-based)
  • Time Limit: 2 hr (online proctored by PSI)
  • Passing Score: 65% (ISACA CSX-F)
  • Member Fee: $120 ($150 non-member)
  • Domains: 4 (weighted 27/18/35/20)
  • Renewal: No CPE (certificate of completion)

The ISACA Cybersecurity Fundamentals Certificate (CSX-F) is an entry-level cybersecurity credential delivered online by PSI in a 2-hour, 75-question proctored exam with a 65% passing score. The exam costs $120 for ISACA members and $150 for non-members and has no prerequisites. Content covers four domains: Information Security Fundamentals (27%), Threat Landscape (18%), Securing Assets (35%), and Security Operations and Response (20%), aligned with NIST CSF 2.0 and core ISACA frameworks. CSX-F is a strong foundation before pursuing CompTIA Security+, ISACA CISA, or CISM.

Sample ISACA CSX Fundamentals Practice Questions

Try these sample questions to test your ISACA CSX Fundamentals exam readiness. Each question includes a detailed explanation.

1. Which three properties make up the CIA triad in information security?
A. Confidentiality, Integrity, Availability
B. Control, Identification, Authentication
C. Compliance, Integrity, Auditing
D. Confidentiality, Identification, Authorization
Explanation: The CIA triad — Confidentiality, Integrity, and Availability — is the foundational model of information security. Confidentiality protects data from unauthorized disclosure, Integrity protects it from unauthorized modification, and Availability ensures authorized users can access it when needed.

2. Encrypting a database column that holds Social Security numbers primarily protects which property of the CIA triad?
A. Availability
B. Integrity
C. Confidentiality
D. Non-repudiation
Explanation: Encryption is the canonical control for confidentiality — it ensures that only parties with the proper key can read the data. While encryption can also support integrity through authenticated modes, its primary purpose for sensitive PII is preventing unauthorized disclosure.

3. An attacker silently changes a wire-transfer amount in transit from $1,000 to $10,000. Which CIA property has been violated?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
Explanation: Integrity protects data from unauthorized modification. Changing a value in transit, even without disclosing it, is the textbook definition of an integrity violation. Hashing, digital signatures, and message authentication codes (MACs) protect integrity.

4. A ransomware attack encrypts critical production files so users cannot open them. Which CIA property is most directly affected?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability
Explanation: Ransomware that encrypts files without exfiltrating them denies legitimate users access to their data, which is an availability violation. Modern ransomware often combines confidentiality (data theft) with availability impact (encryption), but the encryption itself is an availability concern.

5. What does the second 'A' in the AAA framework stand for?
A. Auditing
B. Authorization
C. Accounting
D. Availability
Explanation: AAA stands for Authentication, Authorization, and Accounting. Authentication proves identity, Authorization decides what an authenticated user can do, and Accounting (sometimes called auditing) records what they did.

6. A user successfully proves their identity with a password and a hardware token. Which AAA function has just been performed?
A. Authentication
B. Authorization
C. Accounting
D. Auditing
Explanation: Proving who you are with credentials (password + token) is authentication. Authorization is the subsequent step that decides what you are allowed to do, and accounting records the activity.

7. Which property prevents a sender from later denying that they sent a message?
A. Confidentiality
B. Authentication
C. Non-repudiation
D. Availability
Explanation: Non-repudiation provides assurance that an action — typically signing or sending a message — cannot later be denied. It is most commonly delivered by digital signatures, which bind the signer's private key to the data.

8. An organization uses a firewall, an IDS, host-based antivirus, and least-privilege accounts together. Which strategy does this represent?
A. Defense in depth
B. Security through obscurity
C. Single point of failure
D. Trust but verify
Explanation: Defense in depth layers multiple, independent controls so that the failure of any one control does not result in compromise. The example combines network, detection, endpoint, and identity controls — classic layered defense.

9. In the security policy hierarchy, which document is the highest-level statement of management intent?
A. Procedure
B. Standard
C. Guideline
D. Policy
Explanation: A policy is a high-level, management-approved statement of intent that drives the rest of the hierarchy. Standards specify mandatory implementation choices, procedures provide step-by-step instructions, and guidelines offer recommended (non-mandatory) practice.

10. Which security policy artifact is mandatory for compliance and specifies the exact technology or configuration that must be used?
A. Guideline
B. Standard
C. Baseline
D. Procedure
Explanation: A standard is a mandatory specification that supports a policy by dictating the exact technology, configuration, or behavior required (for example, 'TLS 1.2 or higher must be used for all external HTTPS traffic'). Guidelines are optional, baselines define minimum configurations, and procedures are step-by-step instructions.

About the ISACA CSX Fundamentals Exam

The ISACA Cybersecurity Fundamentals Certificate (CSX-F) is a foundational, entry-level credential from ISACA that validates core knowledge of cybersecurity. Candidates are tested across four domains — Information Security Fundamentals, Threat Landscape, Securing Assets, and Security Operations and Response — and must answer multiple-choice as well as performance-based virtual lab questions in a 2-hour, online-proctored PSI exam. There are no prerequisites, making CSX-F a strong starting point for students, career changers, and IT staff moving into cybersecurity before pursuing CompTIA Security+, ISACA CISA, or CISM.

  • Assessment: 75 questions delivered online by PSI, mixing multiple-choice and performance-based virtual lab items across four domains: Information Security Fundamentals (27%), Threat Landscape (18%), Securing Assets (35%), and Security Operations and Response (20%)
  • Time Limit: 2 hours
  • Passing Score: 65%
  • Exam Fee: $120 member / $150 non-member (ISACA / PSI)

ISACA CSX Fundamentals Exam Content Outline

  • Information Security Fundamentals (27%): CIA triad, AAA, non-repudiation, defense in depth, security goals vs objectives, policy/standard/procedure/guideline hierarchy, least privilege, need-to-know, separation of duties, control types and functions, risk management (SLE/ALE, treatment), and frameworks (NIST CSF 2.0 with the new Govern function, ISO/IEC 27001/27002, COBIT 2019)
  • Threat Landscape (18%): Threat actors (script kiddies, hacktivists, organized crime, nation-state APTs, insiders) and motivations; attack types (DDoS, ransomware, phishing/spear/whaling, BEC, watering hole, supply chain, zero-day); MITRE ATT&CK tactics/techniques; threat intel with TLP 2.0, IoCs/IoAs, STIX/TAXII, OSINT; trends (RaaS, AI-powered attacks, supply chain — SolarWinds, Log4j, MOVEit)
  • Securing Assets (35%): Network security (stateful firewalls, NGFW, IDS/IPS, IPsec/TLS VPN, segmentation, DMZ, zero trust per NIST 800-207); endpoint (antivirus, EDR, hardening, patching, allowlisting, USB control, BitLocker/FileVault); IAM (RBAC/ABAC/MAC/DAC, MFA, SSO, SAML, OAuth 2.0, OIDC, NIST 800-63B password guidance, FIDO2/passkeys); cryptography (AES, RSA/ECC, SHA-256, signatures, PKI, X.509, TLS 1.3); data protection (DLP, encryption at rest/in transit/in use, classification, secure disposal, cryptographic erase)
  • Security Operations and Response (20%): SOC tiering (T1/T2/T3, MSSP, MDR); SIEM concepts and platforms (Splunk, QRadar, Sentinel, ELK); SOAR; incident response per NIST SP 800-61 Rev. 2 (Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident); evidence handling, RFC 3227 order of volatility, chain of custody; BCP/DR (RTO, RPO, MTPD/MAO); backup types and hot/warm/cold sites

How to Pass the ISACA CSX Fundamentals Exam

What You Need to Know

  • Passing score: 65%
  • Assessment: 75 questions delivered online by PSI, mixing multiple-choice and performance-based virtual lab items across four domains: Information Security Fundamentals (27%), Threat Landscape (18%), Securing Assets (35%), and Security Operations and Response (20%)
  • Time limit: 2 hours
  • Exam fee: $120 member / $150 non-member

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ISACA CSX Fundamentals Study Tips from Top Performers

1. Memorize CSF 2.0's six functions (Govern, Identify, Protect, Detect, Respond, Recover) — Govern was added in February 2024 and is heavily emphasized in 2026 study materials
2. Practice mapping concrete attacks to CIA properties — ransomware encryption is availability, wire-transfer tampering is integrity, data theft is confidentiality
3. Distinguish authentication factors carefully: password + PIN is single-factor (both 'something you know'); password + hardware token is true MFA
4. Know the NIST SP 800-61 incident response order: Preparation comes first, Containment comes before Eradication, and Lessons Learned closes the loop
5. For data states, pair the right control: encryption-at-rest (BitLocker/FileVault), encryption-in-transit (TLS 1.3), and encryption-in-use (confidential computing/TEEs)
6. Use the ISACA glossary for definitions — exam wording often matches it precisely (for example, 'risk = threat x vulnerability x impact')

Frequently Asked Questions

What is the ISACA Cybersecurity Fundamentals Certificate (CSX-F)?

CSX-F is ISACA's entry-level cybersecurity certificate. It validates foundational knowledge of information security principles, threats, defensive controls, and operations and response, and is intended for students, career changers, and IT staff moving into cybersecurity. The exam mixes multiple-choice and performance-based virtual lab questions and is delivered online by PSI.

How many questions are on the CSX-F exam and what is the passing score?

The CSX-F exam has 75 questions delivered in 2 hours with a 65% passing score. Questions are weighted by domain — Information Security Fundamentals 27%, Threat Landscape 18%, Securing Assets 35%, and Security Operations and Response 20% — and combine multiple-choice with performance-based virtual lab items.

How much does the CSX-F exam cost?

The CSX Fundamentals exam costs $120 for ISACA members and $150 for non-members. The exam is delivered online through PSI; candidates need a quiet, private space and a valid government-issued photo ID to take the proctored exam.

Are there prerequisites for the CSX Fundamentals certificate?

No. CSX-F has no formal prerequisites and is designed as an entry-level credential. ISACA recommends, but does not require, that candidates have basic IT exposure or have completed an introductory cybersecurity course or self-study program before sitting the exam.

Does CSX-F require continuing professional education (CPE)?

No. CSX Fundamentals is a certificate of completion rather than a CPE-maintained certification. Once you pass, the certificate does not expire and does not require ongoing CPE — unlike ISACA's flagship credentials such as CISA, CISM, CRISC, and CGEIT, which do require annual CPE.

How does CSX-F compare to CompTIA Security+?

Both are entry-level cybersecurity credentials, but CSX-F is more concept-focused and delivered with a few performance-based virtual lab items, while CompTIA Security+ is broader, longer (90 minutes, ~90 questions), DoD 8570-approved, and explicitly used as a job-role validation credential. Many candidates use CSX-F as a foundation and then pursue Security+ or move directly into ISACA's audit/management track via CISA or CISM.

How should I prepare for the CSX Fundamentals exam?

Focus on the four weighted domains, with the largest share of study time on Securing Assets (35%) and Information Security Fundamentals (27%). Read the NIST Cybersecurity Framework 2.0 (with the new Govern function), review NIST SP 800-61 incident response phases, work through MITRE ATT&CK tactics, and practice configuring basic controls in a lab. Take full-length practice exams to time yourself against the 2-hour limit before the real attempt.