Top 10 CISSP interview questions and how to answer them in 2026

The 10 questions

1. Qualitative vs quantitative risk analysis — when do you use each?

Quantitative assigns dollar values: SLE × ARO = ALE (single loss expectancy × annualized rate of occurrence = annualized loss expectancy). That ALE figure justifies the control budget — spend less than ALE on the control and you are net-positive. Qualitative uses ordinal scales (high/medium/low or 1–5 heat maps) when reliable frequency or loss data does not exist. Real programs run qualitative across the whole register to triage, then quantitative on the top 10 risks where the spend decision is contested. Saying “quantitative is more accurate” is the rookie answer — it is more precise, but only as accurate as the input data, which is almost always estimated.

2. Walk me through how you would build a security program from scratch.

Start with asset inventory and data classification — you cannot protect what you have not enumerated, and the protections differ by classification (public, internal, confidential, restricted). Pick a framework as the control catalog: NIST CSF 2.0 for risk-based programs, ISO 27001 Annex A for certifiable management systems, or a regulated baseline (HIPAA, PCI DSS v4, NIS2). Run a gap assessment, build a risk register, and present a prioritized roadmap to leadership with budget and timeline. Sequence: quick-win controls first (MFA on all admin and external surfaces, EDR, immutable backups, patch SLAs), then governance (policies, awareness training, vendor risk), then audit-grade evidence collection. Tooling comes last — choosing a SIEM before you know your detection requirements is the most common failure.

3. BCP vs DRP vs incident response — explain the difference.

Business continuity (BCP) keeps critical business processes running during a disruption — people, alternate sites, supply chain, communications. Disaster recovery (DRP) restores IT systems and data after an outage — RTO (recovery time objective), RPO (recovery point objective), backup restore order, failover. Incident response (IR) handles security events — detection, containment, eradication, recovery, lessons learned (NIST 800-61r2). BCP is the umbrella; DRP and IR are subordinate plans with different triggers, different owners, and different tabletops. Confusing BCP with DRP is the textbook giveaway that a candidate has not actually run a tabletop.

4. What is the difference between a policy, a standard, a procedure, and a guideline?

Policy — high-level management intent, board-approved, slow to change (“all production data must be encrypted at rest”). Standard — mandatory technical specifics that satisfy the policy (“AES-256 with KMS-managed keys”). Procedure — the exact step-by-step that executes the standard (“run `terraform apply` from the locked CI role…”). Guideline — recommended, non-mandatory good practice. The disqualifying answer treats them as synonyms. The interviewer wants to hear the hierarchy and that policy violation is a disciplinary issue, while procedure deviation is a process-improvement issue.

5. What is defense in depth, and give a concrete example?

Layered controls so that the failure of any single control does not lead to compromise. Concrete example for a public web app: WAF at the edge, TLS 1.3, identity-aware reverse proxy with MFA, least-privileged IAM role on the service, secrets in a vault (not env vars), runtime EDR on the host, immutable infrastructure, encrypted database with row-level security, audit logs to an append-only store, and a SIEM detection on anomalous query volume. Each layer would let an attacker through alone — together they buy detection time. Answering “firewalls and antivirus” is the 1998 answer and signals you stopped reading after the textbook.

6. Explain the principle of least privilege and separation of duties.

Least privilege — every identity (user, service account, role) gets the minimum permissions required to perform its job, and they are removed when no longer needed. Separation of duties — no single identity can complete a sensitive end-to-end transaction unilaterally (the developer who writes the change cannot also approve and deploy it to production; the AP clerk who creates the vendor cannot also approve the payment). Implementation: RBAC tied to job function, just-in-time elevation (Azure PIM, AWS IAM Identity Center), peer review on production change, four-eyes on financial transactions, quarterly access reviews. Mentioning JIT and the “four-eyes” control signals real operational experience beyond the glossary.

7. What are the major data privacy regulations a CISSP needs to know in 2026?

GDPR (EU) — lawful basis required for processing, 72-hour breach notification to the supervisory authority, data subject rights (access, erasure, portability), DPIA for high-risk processing, fines up to 4% of global turnover. CCPA/CPRA (California) — opt-out of sale, deletion, correction, sensitive personal information category, enforced by the CPPA. HIPAA (US healthcare) — PHI safeguards, business associate agreements, breach notification rule. PCI DSS v4.0 (payment cards) — mandatory from March 2025, expanded MFA, customised approach option. NIS2 (EU critical-infrastructure cyber, transposed October 2024). Naming GDPR alone in 2026 is incomplete — the interviewer expects awareness of NIS2 and PCI DSS v4 because they hit operations directly.

8. How do you justify a security budget to a CFO who does not believe in “FUD”?

You stop selling fear and start selling risk-adjusted return. Convert the top risks to ALE figures (quantitative). Pair each control with the ALE it reduces, the control cost, and the net benefit. Tie controls to revenue protection (uptime, contract clauses), cost avoidance (regulatory fine exposure under GDPR/CCPA, breach response cost from the IBM Cost of a Data Breach report), and revenue enablement (SOC 2 / ISO 27001 unblocks enterprise sales). Show the cyber-insurance premium delta you have already earned. The CFO answer is a one-page table: risk, ALE, proposed control, control cost, residual ALE, payback period. The wrong answer mentions Verizon DBIR statistics with no dollar figure attached.

9. What is the OSI model and why does a CISSP need to know it?

Seven layers: Physical, Data Link, Network, Transport, Session, Presentation, Application (“Please Do Not Throw Sausage Pizza Away”). A CISSP needs it because controls and attacks both live at specific layers — ARP spoofing at L2, IP spoofing at L3, TCP session hijacking at L4, TLS at L5/L6, web injection at L7. The right answer pairs the layer with the control: L2 = port security and DHCP snooping, L3 = firewall ACLs and segmentation, L4 = stateful inspection, L7 = WAF and CASB. Cloud reshapes this — security groups span L3/L4, service mesh adds L7 identity — but the layering still drives where you put each control.

10. Walk me through the change management process for a production firewall rule.

Request raised in the ticketing system with business justification, source/destination/port/protocol, requested duration, and data classification of what the rule will expose. Risk review — security engineer validates that the rule does not expose restricted data to a less-trusted zone and that it follows least-privilege (no any/any). Change Advisory Board approval (or standard-change template if pre-approved). Peer-reviewed implementation in IaC (Terraform), with the change ticket referenced in the commit. Deploy through CI with four-eyes on apply. Post-implementation review: automated test that the rule does what it claims and nothing more. Quarterly recertification — if the business owner cannot re-attest, the rule is removed. Mentioning IaC, four-eyes, and recertification proves you have actually run change in a regulated environment.

What these questions test

Every question above has a “technician answer” and a “manager answer.” CISSP panels are screening for the manager answer — the one that starts with the asset and the risk, names the framework, justifies the control with ALE or compliance, sequences quick wins before tooling, and references real artifacts (risk register, CAB, IaC commit, access review). Passing CISSP proves you can recall the eight-domain CBK. Answering these correctly proves you can run the program.

Frequently asked questions