CompTIA ⭐ Premium ⭐ Featured

CompTIA SecurityX (CAS-005)

By Webmaster Certland English 📝 340 questions ❤️ 0 likes

Practice exam for the CompTIA SecurityX CAS-005 certification. Covers all 4 official exam domains: Governance, Risk, and Compliance; Security Architecture; Security Engineering; and Security Operations. Designed for advanced security practitioners and architects with 10+ years of IT security experience.

⭐ Premium Updated Mar 2026

Unlock all 340 CompTIA SecurityX (CAS-005) questions

Full simulation · Detailed explanations · Unlimited attempts

340 questions — ~5 full-length simulations
Detailed explanations — why each answer is right or wrong
Unlimited attempts — retake as many times as needed
Smart Practice + Focus Mode + no ads

340

Questions

All certifications

from $4.90/mo

⭐ Get Premium — $4.90/mo ▶ Try 5 questions free

Sample Questions — CompTIA SecurityX (CAS-005)

5 free sample questions from this practice exam. Correct answers are highlighted.

1. A CISO at a multinational financial services company is redesigning the security governance framework. The board has requested a model that clearly separates governance objectives from management activities, aligns IT goals with enterprise goals, and provides a set of enablers that can be measured. Which framework best satisfies these requirements?

A COBIT 2019, because it provides a goals cascade from enterprise goals to IT goals to enabler goals, with a clear governance/management separation ✓ Correct

B ISO 27001, because it provides an ISMS with Annex A controls that can be mapped to business objectives and measured via KPIs

C NIST CSF 2.0, because the new Govern function provides board-level oversight and the five remaining functions cover all management activities

D ITIL 4, because the Service Value System integrates governance, management, and continual improvement into a single measurable model

2. A security architect is building a policy hierarchy for a large healthcare organization. The board has approved a high-level mandate that PHI must be protected in accordance with applicable regulations. The architect needs to define the relationship between the top-level document and the lower-level documents that specify how to configure encryption on endpoint devices. Which document order correctly represents the policy hierarchy from most authoritative to most prescriptive?

A Standard → Policy → Procedure → Guideline

B Policy → Standard → Procedure → Guideline ✓ Correct

C Policy → Guideline → Standard → Procedure

D Policy → Procedure → Standard → Guideline

3. A CISO is implementing NIST CSF 2.0 across a critical infrastructure organization. The organization has strong detection and response capabilities but has never formally established risk governance processes, security roles and responsibilities, or a supply chain risk management program. According to NIST CSF 2.0, which function should the CISO prioritize to address these gaps?

A Govern, because it specifically addresses organizational context, risk management strategy, roles and responsibilities, and supply chain risk management ✓ Correct

B Identify, because it covers asset management and risk assessment activities that must precede all other functions

C Protect, because implementing safeguards requires defined roles and a supply chain vetting process

D Respond, because governance gaps become most visible during incident response when authority is unclear

4. A security program manager needs to present security performance to the board of directors. The board wants to understand both the organization's current security posture and early warning indicators of emerging risks. Which combination of metrics best satisfies the board's requirements?

A Total vulnerability counts by severity and monthly patch compliance percentages

B Mean time to detect (MTTD), mean time to respond (MTTR), and total incident counts by quarter

C Key Performance Indicators (KPIs) for security posture and Key Risk Indicators (KRIs) for emerging risk signals ✓ Correct

D CVSS score distributions and threat intelligence feed subscription coverage rates

5. A CISO at a financial institution is standing up a new security operations function. The organization wants to clearly define which teams make decisions, which teams are consulted before decisions, which teams must be informed of decisions, and which team owns the actual execution. Which tool should the CISO use to document these relationships?

A A security charter that documents the authority, scope, and organizational boundaries of the security function

B A governance framework such as COBIT 2019 that maps governance objectives to management processes

C A policy hierarchy that delegates authority from board policy down to operational procedures

D A RACI matrix that assigns Responsible, Accountable, Consulted, and Informed roles for each security activity ✓ Correct

Want to test yourself for real?

Create a free account and run our exam simulation engine.

Free No credit card

Simulation engine
Up to 10 questions per attempt
Score & basic stats

Create free account Already have an account? Sign in

Best

Premium Premium

All 340 questions
Detailed explanations
Smart Practice + Focus Mode

⭐ Get Premium

Information

Questions 340

Time 2h 45min

Difficulty Hard

Minimum Score 75.00%

▶ Try 5 questions — no account needed ⭐ Unlock all questions — Premium 🤍 Like

Study Guides & Articles

Free

How to Pass CompTIA SecurityX (CAS-005) in 2026: Complete Study Guide

CompTIA SecurityX (formerly CASP+) is the expert-level security certification for architects and senior engineers — it tests enterprise security design, not just security operations. This guide covers all 4 domains, how SecurityX differs from Security+ and CySA+, and a 10-week study plan.

⭐ Premium

SecurityX Deep Dive: Security Architecture, Zero Trust Design, and Enterprise Engineering

Security Architecture (30%) and Security Engineering (30%) make up 60% of the SecurityX exam. This guide covers zero trust architecture design, hybrid cloud security models, cryptographic protocol selection, software-defined security, and supply chain risk management — the advanced topics that define expert-level security thinking.

⭐ Premium