CASP+ Study Guide 2026
Everything you need to pass the CASP+ exam in one place: the exam format, every topic to study, real practice questions with explanations, flashcards, and full-length practice tests. Free, no sign-up needed.
📋 CASP+ Exam Format at a Glance
📚 CASP+ Topics to Study (21)
✍️ Sample CASP+ Questions & Answers
1. Your business spent three months at its hot site following a natural disaster before moving back to the main location. Which processes at the main site ought to be reinstated first?
When describing the sequence of restoration between the hot site and the primary site in the context of business recovery from a natural disaster, it is inaccurate to argue that any part of the business is "least significant." Based on the importance and dependencies of various business operations and processes, the restoration priorities should be set. The restoration process often entails evaluating the effect of the natural disaster on various business aspects and allocating restoration activities according to priority. Although the primary site is crucial, it might not necessarily be restored first if other vital operations need to be attended to.
2. A CASP+ architect must design a zero-trust network for a financial institution. Which control is MOST critical to enforce zero-trust principles?
Zero trust requires continuous verification of identity and device health for every access request, regardless of network location.
3. An organization requires a security architecture review of a new data warehouse. Which framework MOST comprehensively addresses data security requirements?
NIST SP 800-53 provides a comprehensive catalog of security and privacy controls applicable to federal and enterprise information systems, including data warehouses.
4. Which employs the necessary keys and examines the trust paths and revocation status before enabling the certificate to be utilized when a browser views a website?
Vendors will build a PKI standard to enable the exchange of keys via certificates, which is a need for an application to use a digital certificate. Before enabling the application to utilize the certificate, the browser uses the necessary keys and verifies the trust paths and revocation status. The certificate is provided by the web server to the browser for verification. The PKI certificate's root of trust is the Root CA (certificate authority). Requests for digital certificates are verified by the RA (registration authority).
5. An organization encrypts cloud storage with customer-managed keys (CMK). Which action allows the cloud provider to render the data inaccessible without deleting it?
Disabling or scheduling deletion of the CMK prevents the cloud provider's encryption service from decrypting data; the ciphertext remains but is cryptographically inaccessible without the key.
6. A CASP+ analyst needs to detect credential dumping on Windows endpoints. Which security control provides the MOST direct protection?
Credential Guard uses VBS to store NTLM hashes and Kerberos tickets in an isolated environment inaccessible to the OS, preventing tools like Mimikatz from dumping credentials from LSASS.