Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 5.5 (Explain types and purposes of audits and assessments) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Click the button below to start today’s practice exam. To view answers and explanations for today’s questions, expand the Answers accordion.


#1. Your organization is onboarding a payments processor. Procurement asks security which contractual clause ensures you can review the vendor’s security controls and evidence at any point during the agreement term. What should you require?


#2. A security administrator at a healthcare startup needs to demonstrate to a potential customer—without granting them direct access to the company’s environment—that the organization’s security controls have been independently evaluated against established standards. Which type of document would best provide this assurance?


#3. An analyst in a SOC observes that the red team and blue team are collaborating in real time during an exercise to improve detection and response. Which test type is being performed?


#4. An attacker is attempting to tailgate into your HQ. Your security team asks for a test that evaluates badge controls, guards, and door sensors without touching production systems. Which assessment is most appropriate?


#5. Your organization is scheduled for a visit from a government agency that will review operations to ensure compliance with industry-specific regulations. What type of audit is this?


#6. A security administrator at a mid-sized company wants a recurring internal activity that compares implemented controls to policy, and documents gaps for management. Which approach best fits?


#7. Your vendor risk team requests “evidence of internal audits” from a cloud provider during due diligence. What is the primary purpose of this request?


#8. An analyst in a SOC observes a scheduled third-party engagement where testers are given network diagrams and a subset of credentials to speed scenario coverage. Which test type is this?


#9. Your organization is finalizing rules of engagement (RoE) for a pen test. Which item most directly protects business operations while preserving test value?


#10. Your company is asked to complete a detailed security questionnaire by a potential enterprise customer. What is the primary purpose of such questionnaires in the audit/assessment process?


Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.


Answers

#1. Answer: C

Your organization is onboarding a payments processor. Procurement asks security which contractual clause ensures you can review the vendor’s security controls and evidence at any point during the agreement term. What should you require?

A. Confidentiality clause (NDA) (Incorrect): A confidentiality clause, or NDA, is designed to protect sensitive information shared between the two parties. It does not grant the right to inspect or audit the vendor’s security controls.

B. Service-level agreement (SLA) (Incorrect): An SLA defines performance metrics, such as uptime and response times, and specifies penalties if the vendor fails to meet them. It does not provide the right to audit their security practices.

C. Right-to-audit clause (Correct): A right-to-audit clause is a specific contractual provision that grants your organization the legal right to review the vendor’s security controls, records, and evidence at any point during the term of the agreement. This is the most direct and effective way to ensure ongoing due diligence and security validation.

D. Business partners agreement (BPA) (Incorrect): A BPA is a broad, overarching legal agreement that establishes the terms of a business partnership. While a right-to-audit clause would be included within a BPA, the clause itself is the specific element that addresses the requirement, not the entire agreement.
#2. Answer: B

A security administrator at a healthcare startup needs to demonstrate to a potential customer—without granting them direct access to the company’s environment—that the organization’s security controls have been independently evaluated against established standards. Which type of document would best provide this assurance?

A. Internal self-assessment checklist (Incorrect): A self-assessment is performed by the organization itself. It lacks the objectivity and independence that a potential customer would require to trust the results, as it is not a third-party evaluation.

B. External attestation report (Correct): An external attestation report (such as a SOC 2 report) is a document created by an independent, third-party auditor. It provides a formal, trustworthy, and verifiable statement that your organization’s controls have been evaluated against a specific set of criteria without giving the customer direct access to your environment.

C. Penetration test rules of engagement (Incorrect): The rules of engagement document defines the scope, legal permissions, and boundaries for a penetration test. It does not provide a summary of the test’s findings or an overall attestation of the company’s controls.

D. Memorandum of understanding (MOU) (Incorrect): An MOU is a non-binding document that outlines a general understanding between two parties. It is not a security artifact and provides no evidence of a control evaluation.
#3. Answer: C

An analyst in a SOC observes that the red team and blue team are collaborating in real time during an exercise to improve detection and response. Which test type is being performed?

A. Offensive test (Incorrect): An offensive test is a red team activity focused on simulating an attack to find vulnerabilities, without real-time collaboration with the defensive team.

B. Defensive test (Incorrect): A defensive test is a blue team activity focused on fortifying defenses, without real-time collaboration with the red team.

C. Integrated test (Correct): An integrated test, also known as a purple team exercise, is a security test where the red team (attackers) and the blue team (defenders) collaborate in real time. The red team performs attacks while the blue team adjusts its defenses and detection capabilities, allowing both sides to improve their skills and security posture simultaneously.

D. Regulatory examination (Incorrect): A regulatory examination is a formal audit performed by a government body or regulator to ensure compliance. It is not a security test involving red and blue teams.
#4. Answer: A

An attacker is attempting to tailgate into your HQ. Your security team asks for a test that evaluates badge controls, guards, and door sensors without touching production systems. Which assessment is most appropriate?

A. Physical penetration test (Correct): A physical penetration test is a security assessment designed to test an organization’s physical security controls. The scenario of attempting to tailgate, bypassing guards, and testing door sensors is a classic example of a physical penetration test. It is conducted without affecting the company’s production IT systems.

B. Defensive test (Incorrect): A defensive test is a “blue team” exercise focused on improving the defensive posture of a network, such as threat detection and incident response. It is an internal, IT-focused activity.

C. Independent third-party audit (Incorrect): An audit is a formal examination of controls and records against a standard or policy. It is a passive, document-based review and not a hands-on, live attempt to breach physical security.

D. Self-assessment (Incorrect): A self-assessment is an internal activity where an organization evaluates its own security posture. While it might include a checklist of physical controls, it is not a hands-on, simulated attack like the one described.
#5. Answer: D

Your organization is scheduled for a visit from a government agency that will review operations to ensure compliance with industry-specific regulations. What type of audit is this?

A. Independent third-party audit (Incorrect): This type of audit is performed by a private, non-governmental firm (e.g., an accounting or consulting firm) to assess controls, often for a certification like SOC 2.

B. Attestation (Incorrect): An attestation is a formal report or statement issued as the result of an audit. It is the output of the process, not the process itself.

C. Internal audit (Incorrect): An internal audit is performed by an organization’s own employees to assess internal controls and compliance. The audit described is being performed by an external government agency.

D. Regulatory examination (Correct): A regulatory examination is a formal audit conducted by a government agency or a regulator to ensure that an organization is in compliance with specific laws and industry regulations. This directly matches the scenario of a government agency visiting an organization to review its operations for compliance.
#6. Answer: A

A security administrator at a mid-sized company wants a recurring internal activity that compares implemented controls to policy, and documents gaps for management. Which approach best fits?

A. Internal audit (Correct): An internal audit is a proactive, recurring internal activity performed by an organization’s own personnel. Its primary purpose is to systematically evaluate and compare implemented controls against internal policies and procedures and then formally document the findings for management and the board.

B. Penetration test (Incorrect): A penetration test is a simulated attack used to test system security defenses. Its purpose is to find exploitable vulnerabilities, not to formally compare all security controls against a policy.

C. Rules of engagement (ROE) document (Incorrect): The ROE is a one-time document that defines the legal and procedural boundaries for an authorized security test. It is not a recurring activity or an audit.

D. Work order (WO) (Incorrect): A work order is a document that authorizes and defines a specific task or project. It is not a recurring activity for compliance verification.
#7. Answer: B

Your vendor risk team requests “evidence of internal audits” from a cloud provider during due diligence. What is the primary purpose of this request?

A. To confirm the provider’s incident response plan (Incorrect): While an internal audit might touch on the incident response plan, its scope is much broader. A more direct way to confirm the plan would be to request the plan’s document or evidence of incident response drills.

B. To verify the provider regularly evaluates and documents its own controls (Correct): The primary purpose of requesting evidence of internal audits is to confirm that the cloud provider has a formal, ongoing process for self-governance. It shows that they are proactive in evaluating their own security controls, identifying deficiencies, and documenting their adherence to internal policies. This provides assurance that they are managing their risks responsibly.

C. To require an external regulator’s sign-off (Incorrect): An internal audit is conducted by the provider’s own internal audit team. It is not an external audit conducted by a regulator.

D. To define uptime commitments (Incorrect): Uptime commitments are defined in a Service-Level Agreement (SLA). They are unrelated to the findings or purpose of an internal audit.
#8. Answer: C

An analyst in a SOC observes a scheduled third-party engagement where testers are given network diagrams and a subset of credentials to speed scenario coverage. Which test type is this?

A. Known environment (Incorrect): A known environment (white box) test gives testers full knowledge of the system’s internals, including source code and full credentials. The scenario describes only a subset of information.

B. Unknown environment (Incorrect): An unknown environment (black box) test provides testers with no prior knowledge of the system, simulating a completely external attacker. This contradicts the scenario where the testers are given network diagrams and credentials.

C. Partially known environment (Correct): This is a partially known environment, also called a gray box test. In this type of assessment, the testers are given some internal knowledge, such as network diagrams, a subset of credentials, or a limited understanding of the application’s logic. This approach is often used to simulate an attack by an insider or to accelerate the testing process by allowing the testers to bypass initial reconnaissance steps.

D. Defensive test (Incorrect): A defensive test is an internal activity performed by a “blue team” to improve their detection and response capabilities. It describes the role of the defenders, not the level of information provided to the testers.
#9. Answer: D

Your organization is finalizing rules of engagement (RoE) for a pen test. Which item most directly protects business operations while preserving test value?

A. Mandating active reconnaissance only (Incorrect): This is too restrictive and would severely reduce the value of the test by preventing testers from performing any form of exploitation, which is the primary goal of a penetration test.

B. Prohibiting social engineering entirely (Incorrect): Prohibiting social engineering limits the test’s scope and realism, as it is a common attack vector. While it protects against a specific threat, it doesn’t directly address the protection of business systems from technical disruption.

C. Requiring testers to share all zero-day findings after the test completes (Incorrect): This is a standard reporting requirement for a penetration test. It addresses the post-test documentation, not the protection of business operations during the active testing phase.

D. Excluding production-critical systems from disruptive techniques (Correct): This item directly protects the organization’s most important assets and ensures business continuity by prohibiting potentially harmful or destructive actions on live systems. By allowing disruptive techniques on non-critical systems, the test’s value is preserved, as testers can still demonstrate the full impact of a successful attack without risking business operations.
#10. Answer: B

Your company is asked to complete a detailed security questionnaire by a potential enterprise customer. What is the primary purpose of such questionnaires in the audit/assessment process?

A. To replace the need for any third-party assessments (Incorrect): Questionnaires are typically used as an initial step. They complement, but do not replace, independent third-party assessments, which provide a more objective evaluation.

B. To gather structured evidence of control design and operation prior to deeper review (Correct): The primary purpose of a security questionnaire is for due diligence. It allows a customer to efficiently collect standardized, structured information about a vendor’s security controls and practices. This initial evidence helps them make a preliminary risk assessment and decide if a deeper, more costly review (e.g., a third-party audit or penetration test report) is necessary.

C. To serve as a binding legal agreement on security practices (Incorrect): A security questionnaire is an informational document. Binding security practices are defined in legal documents like the Master Service Agreement (MSA) and Service-Level Agreement (SLA).

D. To authorize penetration testing without further documentation (Incorrect): Authorizing a penetration test requires a formal legal document, such as a Rules of Engagement (RoE) document, to define the scope, timeline, and legal protections for both parties.