Compliance and Regulations MCQ 60 Tests With Answers (2026)

Compliance and Regulations MCQ practice questions are essential for preparing for competitive exams, GRC audits, and professional certifications (CISA, CISM, CRISC, CISSP). This comprehensive MCQ platform provides 60 carefully curated practice questions covering industry standards (PCI-DSS), federal laws (HIPAA, SOX), international certifications (ISO 27001), cloud standards (FedRAMP, SOC 2), and data privacy regulations.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering framework definitions, primary compliance standards, and fundamental audit requirements), Concepts (covering PCI-DSS v4.0 controls, HIPAA Safeguards, ISO 27001 Annex A, and NIST CSF 2.0 functions), and Advanced (covering scenario-based audit readiness, FedRAMP authorizations, SOC 2 Type II operations, and multi-framework alignment). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate real-world GRC audit or certification exam conditions. The interactive engine tracks your progress and identifies knowledge gaps across compliance frameworks, regulatory requirements, and risk management strategies.
Contents
- 1. Basics (20 Questions): PCI-DSS · HIPAA Safeguards · SOX Financial Controls
- 2. Concepts (20 Questions): ISO 27001 ISMS · NIST CSF Functions · FedRAMP Authorization Levels
- 3. Advanced (20 Questions): scenario-based · complex mechanics
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Compliance & Regulations - Basics
1. What is the fundamental definition of "Regulatory Compliance" in cybersecurity?
Correct answer: B) Adhering to mandated rules, laws, and industry frameworks designed to secure digital assets and protect data
Regulatory compliance in cybersecurity refers to the process of adhering to externally mandated laws, regulations, and industry standards designed to protect data, secure systems, and ensure accountability. It is not voluntary: violations carry legal and financial penalties.
2. Which specific framework explicitly governs the secure processing, transmission, and storage of credit card data?
Correct answer: D) Payment Card Industry Data Security Standard (PCI-DSS)
PCI-DSS (Payment Card Industry Data Security Standard) is the industry-mandated framework created by the major card brands (Visa, Mastercard, Amex, Discover, JCB) that governs the secure storage, processing, and transmission of cardholder data. It applies to any entity that accepts, processes, or transmits credit card information.
3. What is the primary objective of the HIPAA Security Rule?
Correct answer: C) To establish national standards for the protection of individuals' electronic personal health information (ePHI)
The HIPAA Security Rule (45 CFR Part 164) establishes national standards to protect individuals' electronic protected health information (ePHI). It requires covered entities and business associates to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
4. What does the Sarbanes-Oxley Act (SOX) primarily address in relation to IT systems?
Correct answer: A) The accuracy, transparency, and security of corporate financial disclosures and the IT systems hosting them
SOX (Sarbanes-Oxley Act, 2002) was enacted after major accounting scandals to restore investor confidence. In IT, it mandates that the systems used to generate, store, and manage financial data must have strong internal controls (IT General Controls, or ITGCs) covering access management, change management, and audit logging to ensure the accuracy and integrity of financial reporting.
5. Which international standard provides the formal requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS)?
Correct answer: D) ISO/IEC 27001
ISO/IEC 27001 is the internationally recognised standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS. It is the foundation of ISO's 27000 family of standards and is the basis upon which organisations can achieve third-party certification of their information security management practices.
6. What is the fundamental difference between a "Regulation" and a "Framework"?
Correct answer: A) A regulation is a legally binding law enforced by a government entity, while a framework is a set of best practices that may be voluntarily adopted or mandated
A regulation (e.g., GDPR, HIPAA) is a legally enforceable rule issued by a government or regulatory body; non-compliance results in fines, penalties, or legal action. A framework (e.g., NIST CSF, ISO 27001) is a structured set of guidelines and best practices that an organization follows to manage risk; some frameworks are voluntary while others are contractually mandated (e.g., PCI-DSS).
7. What are the five core functions of the NIST Cybersecurity Framework (CSF)?
Correct answer: B) Identify, Protect, Detect, Respond, Recover
The NIST Cybersecurity Framework (CSF 1.1) organises security activities into five concurrent and continuous core functions: Identify (understand the environment), Protect (implement safeguards), Detect (discover anomalies), Respond (take action on detected events), and Recover (restore capabilities). CSF 2.0 added a sixth function: Govern.
8. In corporate governance, who holds the ultimate fiduciary responsibility for ensuring an organization remains compliant with relevant cybersecurity laws?
Correct answer: B) The organization's executive management and board of directors
While IT teams implement controls and auditors verify them, the ultimate fiduciary and legal responsibility for organizational compliance rests with executive management and the board of directors. Under laws like SOX Section 302, the CEO and CFO personally certify the accuracy of financial controls. The board sets the risk appetite and is accountable to shareholders and regulators.
9. What is an IT Compliance Audit?
Correct answer: C) A formal, independent review and assessment of an organization's adherence to regulatory guidelines and internal security policies
An IT compliance audit is a structured, formal examination conducted by an independent internal or external auditor to verify that an organization's IT systems, processes, and controls meet specified regulatory requirements and internal policies. Auditors review documentation, test controls, and interview personnel to produce a findings report.
10. Which comprehensive European Union regulation governs data protection and privacy for individuals within the EU and the European Economic Area (EEA)?
Correct answer: A) General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR, Regulation 2016/679) is the EU's comprehensive data protection law that came into force on 25 May 2018. It applies to any organisation processing the personal data of EU/EEA residents, regardless of where the organisation is located, and enforces strict rules on consent, data subject rights, breach notification, and international data transfers.
11. In the United States, what does FISMA stand for?
Correct answer: D) Federal Information Security Management Act
FISMA stands for the Federal Information Security Management Act (2002, modernised in 2014 as FISMA Reform). It requires all US federal agencies and their contractors to develop, document, and implement information security programs to protect federal information and information systems. Agencies must follow NIST standards (e.g., SP 800-53) and report annually to Congress.
12. In compliance frameworks, what is a "Compensating Control"?
Correct answer: C) An alternative security measure implemented when an organization cannot meet a specific framework requirement due to legitimate technical or business constraints
A compensating control is an alternative safeguard used when implementing the exact specified control is not feasible due to legitimate technical, operational, or business constraints. The compensating control must provide a comparable level of security. In PCI-DSS, for example, organisations must document the constraint and the original requirement, and demonstrate that the compensating control sufficiently mitigates the risk.
13. What does the principle of "Separation of Duties" (SoD) achieve in a compliance environment?
Correct answer: B) It prevents a single individual from having enough privileges to execute and conceal a fraudulent or malicious action independently
Separation of Duties (SoD) is a foundational internal control principle that divides critical tasks and privileges among multiple individuals so that no single person can independently execute and conceal a fraudulent or malicious action. For example, the employee who authorises a payment should not also be the one who processes it. SoD is a key requirement in SOX, PCI-DSS, and ISO 27001.
14. What is the primary purpose of a SOC 2 (System and Organization Controls 2) report?
Correct answer: D) To provide independent assurance to clients regarding a service organization's security, availability, processing integrity, confidentiality, and privacy controls
A SOC 2 report (developed by the AICPA) provides independent CPA assurance that a service organisation's controls related to the Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) are suitably designed (Type I) or operating effectively (Type II). It is widely used by cloud providers and SaaS companies to demonstrate security posture to enterprise clients.
15. What does the Gramm-Leach-Bliley Act (GLBA) specifically mandate for financial institutions?
Correct answer: B) They must proactively explain their information-sharing practices to customers and safeguard sensitive data
The Gramm-Leach-Bliley Act (GLBA, 1999) applies to US financial institutions and has two key rules: the Financial Privacy Rule (requires institutions to provide privacy notices explaining how they collect and share customer financial information) and the Safeguards Rule (requires them to implement a written information security plan with administrative, technical, and physical safeguards to protect customer data).
16. What is a "Gap Analysis" in the context of IT compliance?
Correct answer: B) An assessment comparing an organization's current security posture against the specific requirements of a target compliance framework to identify deficiencies
A compliance gap analysis is a structured assessment that compares an organisation's existing security controls and processes against the requirements of a specific framework or regulation (e.g., ISO 27001, PCI-DSS, HIPAA) to identify areas of non-conformance or weakness (the "gaps"). The output drives the remediation roadmap needed to achieve compliance.
17. Under HIPAA, what constitutes Protected Health Information (PHI)?
Correct answer: C) Any demographic information, medical histories, test results, or insurance data that can be used to identify a specific patient
PHI under HIPAA is any individually identifiable health information transmitted or maintained in any form (electronic, paper, or oral) that relates to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. HIPAA defines 18 specific identifiers (name, SSN, dates, phone numbers, etc.) that, if linked to health data, constitute PHI.
18. What defines "Continuous Compliance"?
Correct answer: D) The ongoing, automated monitoring of IT systems to ensure they remain strictly aligned with regulatory requirements between formal audit periods
Continuous compliance is a proactive approach that uses automation and real-time monitoring to ensure systems remain aligned with regulatory requirements at all times, not just during annual audits. Tools like CSPM (Cloud Security Posture Management) and SIEM continuously check configurations, policies, and controls against compliance benchmarks and alert on drift immediately.
19. Which entity is directly responsible for enforcing PCI-DSS compliance and penalizing non-compliance?
Correct answer: A) The major credit card brands (e.g., Visa, Mastercard, Discover, American Express)
Unlike GDPR or HIPAA, PCI-DSS is not a government law; it is enforced contractually by the card brands (Visa, Mastercard, Discover, American Express, JCB) through their merchant agreements. The PCI Security Standards Council (PCI SSC) manages the standards, but enforcement, fines, and penalties (including increased transaction fees or card acceptance revocation) are levied by the card brands themselves.
20. What is the purpose of an Acceptable Use Policy (AUP) in a compliance program?
Correct answer: C) To legally document the rules, constraints, and practices that employees must agree to before accessing the corporate network and data
An Acceptable Use Policy (AUP) is a documented set of rules governing how employees may use corporate IT assets, networks, and data. It establishes boundaries for internet use, software installation, data handling, and device usage. Employees typically sign the AUP as part of onboarding. It is a foundational administrative control required by frameworks like ISO 27001 and NIST CSF.
Compliance & Regulations - Concepts
1. What fundamentally distinguishes a SOC 2 Type I report from a SOC 2 Type II report?
Correct answer: B) Type I assesses the design of controls at a specific point in time; Type II evaluates the operating effectiveness of those controls over a sustained period (typically 6 to 12 months)
A SOC 2 Type I report provides an auditor's opinion on whether the controls are suitably designed at a single point in time. A Type II report covers a period (usually 6 to 12 months) and assesses whether those controls were not only designed correctly but also operated effectively throughout that review period. Type II is significantly more valuable to enterprise clients as it demonstrates sustained performance.
2. Under PCI-DSS, what is a Self-Assessment Questionnaire (SAQ)?
Correct answer: C) A validation tool intended to assist eligible merchants and service providers in self-evaluating their compliance with PCI-DSS requirements
The PCI-DSS SAQ is a reporting tool used by merchants and service providers below Level 1 thresholds to self-assess their compliance. There are multiple SAQ variants (SAQ A, B, C, D, etc.) depending on how an organisation processes card payments. For example, SAQ A applies to card-not-present merchants that have fully outsourced cardholder data functions, while SAQ D is the most comprehensive for merchants storing cardholder data.
3. What is the primary focus of the ISO/IEC 27701 standard?
Correct answer: B) It extends the ISO 27001 framework to explicitly include requirements and guidance for establishing a Privacy Information Management System (PIMS)
ISO/IEC 27701:2019 is a privacy extension to ISO 27001 and ISO 27002. It extends the ISMS to include a Privacy Information Management System (PIMS), providing specific controls for Personally Identifiable Information (PII) processing. It maps closely to GDPR requirements, allowing organisations to align their ISO 27001 certification with GDPR compliance efforts for Controllers and Processors.
4. How does the GDPR define a "Data Processor"?
Correct answer: D) An entity that processes personal data exclusively on behalf of, and following the instructions of, the Data Controller
Under GDPR Article 4(8), a Data Processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller. The Processor acts under the Controller's instructions and may not process data for its own purposes. A cloud hosting provider that stores customer data is a classic example of a Processor, while the company using that cloud host is the Controller.
5. What major regulatory enforcement mechanism did the California Privacy Rights Act (CPRA) establish that the original CCPA did not have?
Correct answer: C) The creation of a dedicated privacy regulatory agency known as the California Privacy Protection Agency (CPPA)
The CPRA (effective January 1, 2023) significantly amended and expanded the CCPA. Its most notable structural addition was the creation of the California Privacy Protection Agency (CPPA), the first dedicated state-level privacy enforcement agency in the US. The CPPA has independent rulemaking authority and enforcement powers, addressing a major criticism of the CCPA, which was enforced solely by the California Attorney General.
6. In the NIST Cybersecurity Framework (CSF), which Core Function explicitly covers identity management, access control, awareness training, and data security?
Correct answer: A) Protect
The "Protect" function in NIST CSF covers the safeguards needed to ensure delivery of critical infrastructure services. Its categories include Identity Management and Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), and Protective Technology (PR.PT). The "Identify" function focuses on asset management and risk assessment, not protection.
7. What is the primary difference between ISO 27001 and ISO 27002?
Correct answer: C) ISO 27001 defines the mandatory requirements for an ISMS against which a company is certified; ISO 27002 provides a supplementary code of practice and guidance for implementing those controls
ISO/IEC 27001 is the certifiable standard specifying the requirements (using "shall") for establishing an ISMS; organisations are audited and certified against it. ISO/IEC 27002 (updated to 93 controls in 2022) is a reference guideline providing implementation guidance ("should") for the Annex A controls referenced in ISO 27001. You can be certified against 27001 but not 27002; the two are designed to be used together.
8What does the legal concept of "Data Residency" dictate?
CorrectD: The requirement that certain digital data must be physically stored and processed within the borders of a specific country
Data residency is a legal and regulatory requirement mandating that data about a country's residents must be collected, processed, and/or stored within that country's borders. Countries like Russia (Federal Law No. 242-FZ), China (PIPL), and India (PDPB) have data localisation requirements. This creates compliance complexity for multinational organisations using centralised cloud environments.
9What is the primary function of the HITRUST Common Security Framework (CSF)?
CorrectC: To provide a certifiable, prescriptive framework that unifies multiple existing regulations (HIPAA, NIST, ISO) specifically tailored for the healthcare industry
HITRUST CSF is a healthcare-focused certifiable framework that harmonises requirements from over 40 regulations and standards including HIPAA, NIST, ISO 27001, PCI-DSS, and HITECH. It provides a prescriptive, risk-based control catalogue that scales based on an organisation's size, risk profile, and the type of data processed. HITRUST certification is widely recognised as a gold standard for demonstrating security in the healthcare and health-tech sectors.
10In third-party vendor compliance terminology, what does "Right to Audit" mean?
CorrectB: A contractual clause that grants a client or regulatory body the explicit authority to formally examine a vendor's internal security controls and records
A "Right to Audit" clause in a vendor contract grants the client (or a regulatory body on the client's behalf) the authority to conduct or commission a formal review of the vendor's security practices, controls, and records. This clause is critical for organisations that outsource processing of sensitive regulated data (e.g., PHI under HIPAA, cardholder data under PCI-DSS) and need to verify vendor compliance independently.
11What is the Payment Card Industry Software Security Framework (PCI SSF) primarily designed to replace?
CorrectC: The legacy Payment Application Data Security Standard (PA-DSS)
The PCI Software Security Framework (SSF), introduced in 2019, replaced the PA-DSS (Payment Application Data Security Standard), which was retired in October 2022. PA-DSS was a framework for ensuring commercially available payment applications do not store prohibited data and support compliance. The SSF modernised this with the Secure Software Standard (for general software security) and the Secure Software Lifecycle (SLC) Standard (for development vendor maturity).
12What is the primary goal of the Sarbanes-Oxley Act (SOX) Section 404?
CorrectB: To require management and the external auditor to explicitly report on the adequacy of the company's internal controls over financial reporting
SOX Section 404 requires that the annual report of publicly traded companies include an internal control report assessing the effectiveness of internal controls over financial reporting (ICFR). For large accelerated filers, the external auditor must also independently attest to management's assessment. IT General Controls (ITGCs), covering access, change management, operations, and development, are a major audit focus because financial systems rely entirely on IT infrastructure.
13What defines a "Control Owner" during an IT audit?
CorrectD: The designated individual or role within an organization ultimately responsible for ensuring a particular security measure is effectively designed, implemented, and operating
A Control Owner is the designated person (e.g., a manager, system administrator, or process owner) accountable for ensuring a specific internal control is properly designed, consistently implemented, and functioning as intended. During audits, control owners are interviewed and asked to provide evidence (logs, screenshots, policies) that their assigned controls are operating effectively. Clear control ownership is required by SOX, ISO 27001, and SOC 2.
14How does the NIS2 Directive expand upon the original NIS Directive in the European Union?
CorrectA: It significantly expands the scope of critical sectors covered, introduces stricter incident reporting timelines, and enforces direct accountability for senior management
NIS2 (Directive 2022/2555), effective October 2024, substantially expands the original 2016 NIS Directive. It extends coverage to 18 critical sectors (vs. the original 7), introduces a 24-hour early warning and 72-hour detailed incident reporting requirement, mandates supply chain risk management, imposes direct personal liability on senior management for non-compliance, and sets a minimum fine of €10 million or 2% of global turnover.
15Which of the following is a mandatory requirement for achieving PCI-DSS Level 1 compliance (processing over 6 million transactions annually)?
CorrectA: Completing an annual on-site assessment conducted by a certified Qualified Security Assessor (QSA) and submitting a Report on Compliance (RoC)
PCI-DSS Level 1 merchants (processing over 6 million Visa or Mastercard transactions per year, or any merchant that has suffered a breach) must undergo an annual on-site security assessment performed by a PCI SSC-certified Qualified Security Assessor (QSA). The QSA produces a detailed Report on Compliance (RoC). Level 1 organisations also require a quarterly network scan by an Approved Scanning Vendor (ASV).
16What is the significance of the FIPS 140 standard in US federal compliance?
CorrectB: It establishes the mandatory benchmark for evaluating and validating the effectiveness of cryptographic hardware and software modules used by government agencies
FIPS 140 (Federal Information Processing Standard 140) is published by NIST and mandated by the US federal government for validating cryptographic modules used to protect sensitive but unclassified information. FIPS 140-2 defines four security levels; FIPS 140-3 (aligned with ISO/IEC 19790:2012) superseded it in 2019. Any encryption module used in a federal system or FedRAMP environment must be FIPS 140 validated.
17Under HIPAA, what is a Business Associate Agreement (BAA)?
CorrectC: A legally binding contract mandating that third-party vendors properly safeguard PHI when providing services to a covered entity
A Business Associate Agreement (BAA) is a mandatory HIPAA contract (45 CFR §164.308(b)) between a HIPAA Covered Entity (e.g., hospital, insurer) and a Business Associate (any third-party vendor that creates, receives, maintains, or transmits PHI on their behalf). The BAA legally obligates the vendor to implement appropriate safeguards for PHI, report breaches, and comply with HIPAA's Security and Privacy Rules. Cloud providers like AWS, Google, and Azure offer HIPAA BAAs.
18What is the purpose of a "Statement of Applicability" (SoA) in an ISO 27001 implementation?
CorrectD: To formally document which of the Annex A controls have been implemented, which have been excluded, and the business justification for those decisions
The Statement of Applicability (SoA) is a mandatory document in ISO 27001 (Clause 6.1.3). It lists all 93 Annex A controls (ISO 27001:2022), states whether each is applicable or excluded, provides the justification for exclusions (e.g., a software company may exclude physical media controls if irrelevant), and references the policies or procedures implementing each included control. The SoA is a core audit artefact and must be approved by senior management.
19What characterizes the "Maturity Model" approach in frameworks like the Cybersecurity Maturity Model Certification (CMMC)?
CorrectB: It requires organizations to progress through sequential tiers of security practices, proving that advanced processes are not just documented but institutionalized and measured
The maturity model concept (originating from CMMI) acknowledges that security capability matures over time in progressive stages. CMMC 2.0 has three levels: Level 1 (Foundational: 17 basic practices, annual self-assessment), Level 2 (Advanced: 110 practices aligned with NIST SP 800-171, third-party assessment), and Level 3 (Expert: 110+ practices from NIST SP 800-172, government-led assessment). Higher levels require practices to be institutionalized, measured, and continuously improved, not just documented.
20Which privacy law firmly established the concept and necessity of conducting formal "Data Protection Impact Assessments" (DPIAs) for high-risk processing?
CorrectD: The General Data Protection Regulation (GDPR)
GDPR Article 35 formally mandated Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals' rights and freedoms, particularly for large-scale processing of special category data, systematic monitoring of public spaces, or novel technologies. DPIAs must be conducted before processing begins and must describe the processing, assess necessity and proportionality, and identify the measures to address identified risks.
Compliance & Regulations: Advanced
1What does the Digital Operational Resilience Act (DORA) strictly mandate for entities in the EU?
CorrectB: It requires financial organizations and their critical ICT third-party providers to establish comprehensive capabilities to withstand, respond to, and recover from all types of ICT-related disruptions and threats
DORA (Regulation 2022/2554), applicable from January 2025, establishes a uniform EU-wide ICT risk management framework for financial entities (banks, insurers, investment firms, crypto-asset service providers) and their critical ICT third-party providers (CTPPs). Key pillars include ICT risk management, incident classification and reporting, digital operational resilience testing (including threat-led penetration testing for significant entities), and ICT third-party risk management through a Register of Information and oversight of CTPPs.
2In the context of US Department of Defense compliance, what does CMMC Level 3 specifically require that lower levels do not?
CorrectC: It mandates the implementation of advanced proactive threat hunting capabilities and the strict management of Advanced Persistent Threats (APTs) outlined in NIST SP 800-172
CMMC 2.0 Level 3 (Expert) is designed for contractors handling the most sensitive Controlled Unclassified Information (CUI) and aligns with NIST SP 800-172 "Enhanced Security Requirements for Protecting CUI." It adds ~24 advanced requirements on top of Level 2's 110 NIST SP 800-171 practices, specifically designed to counter Advanced Persistent Threats (APTs) with enhanced threat hunting, incident response, and configuration management capabilities. Assessments are conducted by the Defense Contract Management Agency (DCMA).
3How does the "Schrems II" court ruling critically impact global compliance for US-based multinational companies?
CorrectD: It invalidated the EU-US Privacy Shield, placing the burden on companies to conduct Transfer Impact Assessments (TIAs) and rely heavily on Standard Contractual Clauses (SCCs) for transatlantic data flows
In Data Protection Commissioner v. Facebook Ireland (C-311/18, July 2020), the Court of Justice of the EU (CJEU) invalidated the EU-US Privacy Shield adequacy decision because US surveillance laws (FISA Section 702, EO 12333) do not provide equivalent EU privacy protections. Companies must now rely on Standard Contractual Clauses (SCCs) supplemented by Transfer Impact Assessments (TIAs) to justify international data transfers. The EU-US Data Privacy Framework (DPF, 2023) is the current adequacy mechanism, though subject to ongoing legal challenge.
4What is the precise role of "Cross-Walking" (or a Common Controls Hub) in enterprise compliance architectures?
CorrectA: Consolidating and mathematically mapping overlapping requirements from multiple regulations (e.g., NIST, ISO, HIPAA) into a single, unified control set to eliminate redundant audit efforts
Compliance cross-walking (or control mapping) is the process of identifying and mapping equivalent or overlapping requirements across multiple regulatory frameworks into a unified control library. For example, NIST SP 800-53 AC-2 (Account Management) maps to ISO 27001 Annex A 8.2, PCI-DSS Requirement 7, and HIPAA §164.312(a)(1). By implementing one strong control that satisfies multiple frameworks simultaneously, organisations dramatically reduce audit preparation time, cost, and duplication, which is the core value of GRC platforms and OSCAL.
5Under the SEC Cybersecurity Disclosure Rules adopted in 2023, what is the specific timeframe mandated for public companies to report a material cyber incident?
CorrectC: Within four business days of the company determining that the cybersecurity incident is material
The SEC's Cybersecurity Disclosure Rules (effective December 2023) require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is "material", meaning a reasonable investor would consider it important. Critically, the clock starts at the materiality determination, not the incident discovery. The rules also require annual disclosure of cybersecurity risk management, strategy, and governance on Form 10-K.
6What technically distinguishes a "FedRAMP High" baseline system from a "FedRAMP Moderate" system?
CorrectD: FedRAMP High applies to systems where the loss of confidentiality, integrity, or availability would result in severe or catastrophic adverse effects on organizational operations, assets, or individuals (incorporating ~421 NIST controls)
FedRAMP is tiered based on FIPS 199 impact levels. FedRAMP Moderate (~325 controls) covers systems where a breach would have serious adverse effects. FedRAMP High (~421 controls) is required for systems handling government law enforcement, emergency services, healthcare, financial data, and other areas where a breach would cause severe or catastrophic harm. Only a handful of cloud providers have achieved FedRAMP High authorization, including AWS GovCloud and Microsoft Azure Government. All must use FIPS 140-validated cryptography.
7In PCI-DSS v4.0, what significant, structural shift was introduced regarding how organizations can implement required controls?
CorrectB: The introduction of the "Customized Approach," allowing organizations to meet the objective of a requirement using alternative, innovative methods without filing a formal Compensating Control Worksheet
PCI-DSS v4.0 (released March 2022, mandatory from March 2025) introduced the "Customized Approach" as an alternative to the traditional "Defined Approach." Under the Customized Approach, a mature organisation can design and implement its own security controls to meet the stated objective of a requirement, rather than following the prescriptive defined controls. This requires extensive documentation in a Customized Approach Objective, detailed testing procedures approved by a QSA, and is intended for organisations with sophisticated risk management capabilities.
8What is the fundamental requirement of "Contextual Integrity" in advanced privacy compliance frameworks?
CorrectC: The principle that data collection and sharing must strictly conform to the expected norms and boundaries of the specific environment in which it was originally collected
Contextual integrity, a concept introduced by philosopher Helen Nissenbaum, holds that privacy is violated not simply by sharing data, but by sharing data in a way that violates the contextual norms under which it was originally disclosed. For example, sharing a patient's diagnosis with their treating physician is appropriate; sharing it with a marketing firm is not, regardless of whether technical consent was obtained. This concept increasingly informs advanced GDPR enforcement decisions and Privacy by Design methodologies.
9How does the HIPAA Omnibus Rule modify the breach notification requirements for covered entities?
CorrectD: It replaces the previous "harm threshold" with a strict presumption that a breach has occurred unless the covered entity can definitively demonstrate a low probability that the PHI has been compromised
The HIPAA Omnibus Rule (2013) significantly strengthened breach notification under the HITECH Act. It replaced the previous "risk of harm" threshold (which had allowed organisations to avoid reporting by arguing no harm would result) with a strict "probability of compromise" standard. Under this standard, any impermissible use or disclosure of PHI is presumed to be a breach requiring notification unless the covered entity can demonstrate, through a four-factor risk assessment, that there is a low probability the PHI has been compromised.
10Which cryptographic requirement is strictly mandated by FIPS 140-3 Level 3 that is NOT required in Level 2?
CorrectA: The module must possess physical tamper-response mechanisms that automatically zeroize plaintext cryptographic keys upon detecting physical intrusion
FIPS 140-3 (ISO/IEC 19790) Security Level 3 requires physical tamper-response and zeroization mechanisms: the module must actively detect physical intrusion attempts (e.g., probing, drilling) and automatically zeroize (erase to zero) all plaintext cryptographic keys and critical security parameters upon detection. Level 2 only requires evidence of tampering (tamper-evident seals) without the active zeroization response. Hardware Security Modules (HSMs) used in banking, PKI, and government environments commonly achieve Level 3 or higher.
11. Under the EU AI Act, what compliance obligation is heavily imposed on "High-Risk" Artificial Intelligence systems?
Correct answer B: They must undergo a rigorous conformity assessment, establish robust risk management systems, and ensure high-quality training data to mitigate algorithmic bias before market deployment
The EU AI Act (2024/1689, applicable from August 2026 for high-risk systems) classifies AI into four risk tiers. High-risk AI (e.g., systems used in critical infrastructure, education, employment, credit scoring, law enforcement) must comply with obligations including: technical documentation, conformity assessment (self or third-party), CE marking, registration in the EU database, a risk management system throughout the lifecycle, data governance and quality measures for training datasets, human oversight capabilities, and accuracy and robustness standards.
12. What is the primary function of the Open Security Controls Assessment Language (OSCAL)?
Correct answer C: To provide a standardized, machine-readable data format (XML, JSON, YAML) for representing security controls, baselines, and system security plans to automate compliance assessments
OSCAL (Open Security Controls Assessment Language) is a NIST-developed standard that enables the machine-readable representation of security control frameworks (catalogues), control baselines, system security plans (SSPs), assessment plans, and assessment results. By digitising compliance artefacts (previously stored in unstructured Word/Excel documents), OSCAL enables automation of FedRAMP package generation, continuous monitoring, and multi-framework control mapping using tools that consume XML, JSON, and YAML formats.
13. When an enterprise utilizes an overarching "Unified Compliance Framework" (UCF), what inherent risk must the GRC team actively manage?
Correct answer D: The risk that generalized, mapped controls fail to satisfy the highly specific, nuanced technical mandates of a stringent, individual regulation like PCI-DSS
A Unified Compliance Framework (UCF) maps common controls across multiple regulations, reducing redundancy and audit fatigue. However, a critical risk is "control dilution" or "false equivalence": the UCF's generalised mapping of a control may satisfy the spirit of multiple standards but fail to meet the highly prescriptive, technically specific requirements of a demanding individual regulation. For example, a generic UCF encryption control may not specify the exact FIPS 140-validated algorithm required by PCI-DSS Requirement 3.5 or FedRAMP. GRC teams must perform supplemental control gap analyses for each stringent regulation.
14. Under the ISO 27001:2022 update, what major structural change occurred in the Annex A reference controls?
Correct answer A: The number of controls was reduced from 114 to 93, and they were reorganized into four broader themes (Organizational, People, Physical, Technological) rather than 14 specific domains
ISO/IEC 27001:2022 (replacing the 2013 version) restructured Annex A controls: the count was reduced from 114 controls across 14 domains to 93 controls organized into 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). While some controls were merged, 11 new controls were added covering areas including threat intelligence, cloud security, ICT readiness for business continuity, data masking, web filtering, and secure coding. The Statement of Applicability (SoA) remains mandatory.
15. What is the primary objective of the SWIFT Customer Security Controls Framework (CSCF)?
Correct answer B: To establish a mandatory security baseline for financial institutions specifically to secure their local infrastructure connecting to the global SWIFT financial messaging network
Following the 2016 Bangladesh Bank heist ($81M stolen via fraudulent SWIFT messages), SWIFT launched the Customer Security Programme (CSP) with the CSCF. The framework defines mandatory and advisory security controls for members' SWIFT local infrastructure (Swift Secure Zone), including network segmentation, malware protection, credential management, and application hardening. Members must annually self-attest (or provide an independent assessment) against the current CSCF version, with SWIFT increasingly mandating third-party attestations for higher-risk members.
16. In advanced SOC 2 auditing, how are "Carve-out" and "Inclusive" methods utilized regarding subservice organizations (like an AWS data center)?
Correct answer C: The "Carve-out" method excludes the subservice organization's controls from the audit scope, while the "Inclusive" method tests and includes the subservice organization's controls directly in the report
When a SOC 2 service organisation relies on a subservice organisation (e.g., AWS for hosting), the SOC 2 audit must address those dependencies. The "Carve-out" method excludes the subservice org's controls from the scope, leaving clients to obtain the subservice org's own SOC report for assurance. The "Inclusive" method includes the subservice org's relevant controls within the primary SOC 2 report scope, requiring the auditor to test those controls directly; this is a more rigorous but logistically complex approach.
17. What specific legal and compliance challenge is uniquely introduced by the implementation of "Immutable Ledgers" or Blockchain technology?
Correct answer D: It fundamentally conflicts with the GDPR's "Right to be Forgotten," as the cryptographic structure of a blockchain makes it practically impossible to delete or alter historical personal data
GDPR Article 17 grants data subjects the "Right to Erasure" (Right to be Forgotten), requiring organisations to delete personal data upon request under certain conditions. Blockchain's fundamental immutability (blocks are cryptographically chained in an append-only ledger) makes it practically impossible to delete specific historical records without breaking the chain's integrity. Current legal workarounds include storing only hashed or encrypted references on-chain (with keys stored off-chain and deletable), or using permissioned blockchains with access controls, though none fully resolve the tension.
18. Which U.S. federal regulation strictly governs the export of unclassified technical data, defense articles, and services with dual-use military potential?
Correct answer A: The International Traffic in Arms Regulations (ITAR)
ITAR (International Traffic in Arms Regulations), administered by the US Department of State under the Arms Export Control Act, controls the export and import of defense-related articles, services, and technical data listed on the US Munitions List (USML). Violations carry severe criminal penalties (up to 20 years in federal prison, $1M per violation). ITAR compliance is critical for aerospace, defence, and tech companies: even storing ITAR-controlled technical data on a foreign national's workstation may constitute an "export." ITAR complements the EAR (Export Administration Regulations), which covers dual-use items.
19. What is the primary objective of a "Type 1" SSAE 18 report compared to a "Type 2" report?
Correct answer B: To provide an auditor's opinion on the fair presentation and suitability of the design of controls at a specific point in time, without testing their operational effectiveness over a period
SSAE 18 (Statement on Standards for Attestation Engagements No. 18), published by the AICPA, governs service organisation reporting (replacing SSAE 16/SAS 70). An SSAE 18 Type 1 report (AT-C 205 or AT-C 320) provides an auditor's opinion on whether the service organisation's system description is fairly presented and whether controls were suitably designed at a specific date, with no testing of operational effectiveness. Type 2 covers a period and includes testing. SOC 1, SOC 2, and SOC 3 reports are all issued under SSAE 18 / ISAE 3402 frameworks.
20. In the context of cloud compliance, what does the "Shared Responsibility Model" dictate regarding the underlying infrastructure of a Platform as a Service (PaaS) environment?
Correct answer C: The cloud provider retains full responsibility for securing the physical infrastructure, hypervisor, and operating system, while the customer is responsible for the application logic and data
In a PaaS model (e.g., AWS Elastic Beanstalk, Google App Engine, Azure App Service), the cloud provider secures everything from the physical data centre up to and including the operating system and runtime environment: data centre security, hardware, hypervisor, and OS patching. The customer is responsible for the application code, application-level configurations, identity and access management for their app, and the data stored within it. This contrasts with IaaS (where the customer also manages the OS) and SaaS (where the provider manages almost everything).
Key Takeaways: Compliance & Regulations
- PCI-DSS v4.0: 12 requirements apply to ALL organisations that store, process, or transmit cardholder data; Level 1 merchants (6M+ transactions/year) require an annual on-site QSA audit.
- ISO 27001 vs NIST CSF: ISO 27001 is certifiable (third-party audit, 93 Annex A controls) and process-prescriptive; NIST CSF is voluntary, outcome-based, and not certifiable. Many orgs use both.
- HIPAA Safeguards: three types: Administrative (policies, risk analysis), Physical (facility access, device controls), Technical (access controls, audit logs, encryption). Some specifications are "required"; others are "addressable".
- SOX Section 404: management must assess ICFR effectiveness; external auditor attests for large accelerated filers. IT General Controls (access, change management, operations) are the primary audit focus.
- FedRAMP Impact Levels: Low (125 controls), Moderate (325 controls, 80% of federal data), High (421 controls, law enforcement/healthcare/emergency). Authorization requires a 3PAO audit + JAB/Agency ATO.
- SOC 2 Type I vs Type II: Type I = point-in-time design assessment; Type II = 6 to 12 month operational effectiveness test. Enterprise customers typically require Type II from SaaS vendors.
- NIST CSF 2.0: added "Govern" as a new sixth function (2024) to emphasise cybersecurity risk management as an enterprise-level responsibility, not just a technical one.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions above.
| Framework | Type | Scope | Key Control / Structure |
|---|---|---|---|
| PCI-DSS v4.0 | Industry Standard | Cardholder data environments (all card brands) | 12 requirements, 6 control objectives; QSA audit for Level 1 |
| HIPAA Security Rule | US Federal Law | ePHI in healthcare (covered entities + BAs) | Administrative, Physical, Technical safeguards; annual risk analysis |
| SOX §404 | US Federal Law | US-listed public companies (financial reporting) | ICFR management assessment; external auditor attestation; IT GCs |
| ISO 27001:2022 | International Standard | Any organisation (certifiable ISMS) | PDCA cycle; 93 Annex A controls; 3rd-party certification audit |
| NIST CSF 2.0 | US Gov Guidance | Any organisation (voluntary, non-certifiable) | 6 functions: Govern, Identify, Protect, Detect, Respond, Recover |
| FedRAMP | US Federal Program | Cloud services used by US federal agencies | Low / Moderate / High impact levels; 3PAO audit; JAB or Agency ATO |
| SOC 2 | AICPA Standard | Service organisations (SaaS, cloud, data centres) | 5 Trust Service Criteria; Type I (design) vs Type II (operating effectiveness) |
Frequently Asked Questions
Q. What are the 12 requirements of PCI-DSS and which organisations must comply?
Q. What is the difference between ISO 27001 and the NIST Cybersecurity Framework (CSF)?
Q. What is SOX Section 404 and who must comply?
Q. What are the three types of HIPAA safeguards and what do they require?
Q. What is FedRAMP and what are its three authorization impact levels?
Q. What is the difference between SOC 2 Type I and Type II?
Conclusion: Mastering Compliance & Regulations
Compliance frameworks are not bureaucratic checkbox exercises; they encode decades of risk management experience into auditable controls. Whether you are implementing PCI-DSS for cardholder data environments, managing HIPAA safeguards for electronic PHI, documenting SOX Section 404 IT General Controls, or pursuing ISO 27001 certification, a solid understanding of what each framework requires, and why, is essential for security architects, GRC professionals, and audit leads.
The questions in this test map directly to domains assessed in certifications like CISM, CISSP, CISA, CGEIT, and CRISC. Understanding the difference between ISO 27001 and NIST CSF, what makes FedRAMP Moderate vs. High, and the practical implications of SOC 2 Type II over Type I will sharpen your ability to advise on security programme design.
Revisit questions you missed, study their detailed explanations, and pair this practice test with the full Compliance & Regulations Theory Guide and the Cyber Laws & Ethics MCQs for comprehensive exam and audit preparation.