CompTIA Security+ · SY0-701
Objective 5.1: Summarize elements of effective security governance
Practice questions for Security+ objective 5.1, “Summarize elements of effective security governance.” Every question is original, written to the SY0-701 exam objectives, and comes with a full explanation — answer them below to see instant grading.
This objective sits in Domain 5.0: Security Program Management and Oversight, which is about 20% of the exam — so mastering it moves your readiness score meaningfully.
1.A multinational corporation's security team must navigate both ISO 27001 certification requirements and local data sovereignty laws. Which combination of external considerations is involved?
2.A large enterprise has a dedicated security team that develops security policies, defines standards, and performs risk assessments. Each business unit also has an appointed individual who serves as the primary point of contact for security matters within their unit, communicates security requirements to unit staff, and reports security incidents to the central team. These individuals do not work for the security team — they report to their respective business unit leaders. Which governance model does this structure represent, and what is its primary advantage over a fully centralized security governance model?
3.A newly appointed CISO is reviewing the organization's security documentation and finds a document that defines the organization's overall approach to protecting information assets, assigns accountability to specific roles, and has been signed by the CEO. A separate document specifies the exact technical configurations required for hardening Windows workstations. Which classification correctly identifies these two documents?
4.An organization's security policy requires that all employees complete annual security awareness training. The IT department is responsible for tracking completion and the HR department is responsible for enforcing consequences for non-completion. Three months after the training deadline, 35% of employees have not completed the training and no action has been taken. A policy review reveals the requirement exists but no process defines how completion data is shared between IT and HR, no escalation timeline is specified, and no individual is named as ultimately accountable for enforcement outcomes. Which governance element is most directly responsible for the policy's failure to achieve compliance?
5.A multinational organization has a corporate security policy requiring that all employee endpoints have full-disk encryption enabled. The organization's European subsidiary operates under local labor laws that restrict employer monitoring of employee devices, and the subsidiary's legal counsel has advised that enforcing the corporate encryption policy as written may conflict with local data protection regulations regarding employee privacy. The subsidiary's IT director wants to implement a modified version of the policy that satisfies the spirit of the requirement through an alternative technical control. Which governance mechanism most appropriately resolves this conflict while maintaining organizational accountability?
Practice every objective, adaptively
CertBench tracks your score on 5.1 and every other objective, then builds a daily plan that targets your weakest spots. Start with the free diagnostic.
Take the free diagnostic