Memberships

CISSP Study Group

1.3k members • Free

6 contributions to CISSP Study Group
95 Questions only.
So I wrote my exam on Tuesday in NZ and thought I had failed, as I only answered 95 questions. Then I received my notice to say I passed. This was a great relief as, based on what I understood, if you answer fewer than 100 questions it indicates you failed. So if anyone else does not get to 100 questions, do not panic until you have received your confirmation 😁.
1 like • 13d
@Claudie Aldridge The group is great and I feel underutilised
Practice Question
You are reviewing the results of a vulnerability scan of your organization's network. The scan has identified several high-risk vulnerabilities. Due to limited resources, you cannot immediately remediate all of the vulnerabilities. What is the MOST appropriate approach to prioritize remediation efforts?
A. Remediate the vulnerabilities that are easiest to fix first, regardless of their potential impact.
B. Remediate the vulnerabilities that are most commonly exploited by attackers, based on threat intelligence and vulnerability statistics.
C. Remediate the vulnerabilities that pose the greatest risk to the organization's critical assets and business operations.
D. Remediate the vulnerabilities that were discovered most recently, as these are likely to be the most current threats.
1 like • Feb 6
I believe the answer is B based on a risk matrix. C could be the most critical but could have the lowest probability. B, highest probability and medium risk, makes it higher in the matrix. A & D are eliminated as they would be the lowest on the matrix.
Practice Question
Your organization is implementing a new cloud-based Security Information and Event Management (SIEM) system. You need to ensure that the SIEM effectively detects and alerts on security incidents. Which of the following is the MOST important step in this process?
A. Configuring the SIEM to collect logs from all available sources, including network devices, servers, and applications.
B. Developing and implementing use cases that are tailored to the organization's specific threat landscape and business requirements.
C. Training the security team on how to use the SIEM system to investigate and respond to security incidents.
D. Regularly testing and tuning the SIEM system to ensure that it is effectively detecting and alerting on real security incidents.
0 likes • Feb 6
I would say C, as you can have the best system in the world and if no one knows how to use it then it will sit on the shelf and do nothing. Secondly, a well-trained team will be able to set up the SIEM correctly from scratch, knowing fully why they are getting the logs in the first place.
Practice Question
You are leading a penetration test against a web application that handles sensitive customer data. During the assessment, the penetration testers discover a SQL injection vulnerability that could allow an attacker to gain access to the entire database. The development team is aware of the vulnerability but has not yet implemented a fix due to other project priorities. The application is considered business critical. What is the BEST course of action?
A. Immediately shut down the web application to protect the sensitive customer data.
B. Inform the development team and business stakeholders of the vulnerability and its potential impact, and recommend immediate remediation, even if it requires delaying other projects.
C. Document the vulnerability in the penetration test report and recommend that the development team address it in the next scheduled maintenance window.
D. Implement a web application firewall (WAF) as a temporary mitigation measure and schedule a follow-up penetration test after the development team has implemented a fix.
0 likes • Feb 6
D
Metric vs Imperial Questions
So while studying using the official ISC2 adaptive learning I came across this question.
The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) Standard 90.4-2019 recommends setting the temperature ranges for maximum uptime and hardware life as between which of the following?
A - 50° and 81° F
B - 64° and 70° F
C - 50° and 70° F
D - 64° and 81° F
When I read this in the study notes I noted in my head the 18 to 27 degrees Celsius. I did not memorise the 64 to 81 F as I do not understand Fahrenheit. So do I need to learn to convert Imperial to Metric in my head, as I will not have access to a calculator in the exam? Or will the actual questions in the exam have both Imperial and Metric?
Shane Symons
@shane-symons-5543
Based in Auckland and passed my CISSP in April 2025

Active 8d ago
Joined Jan 13, 2025
Auckland