CompTIA Security+ Compliance Practice Questions 2026
Compliance, governance, and regulatory frameworks form a critical knowledge domain on the CompTIA Security+ exam. As organizations navigate an increasingly complex landscape of data protection laws, industry standards, and security frameworks, security professionals must understand how to implement and maintain compliance programs. This practice guide covers the regulations, frameworks, and governance concepts you'll encounter on the exam and in professional security roles.
What Is Compliance on the Security+ Exam?
Compliance in the context of the Security+ exam refers to the body of knowledge surrounding regulatory requirements, security frameworks, governance structures, and organizational policies that guide how organizations protect sensitive data and manage security programs. This isn't just about memorizing regulation names — the exam tests your ability to apply compliance concepts to real-world scenarios.
The Security+ exam covers three interconnected compliance areas. First, regulatory compliance — understanding laws like GDPR, HIPAA, PCI-DSS, and SOX that mandate specific security controls and carry penalties for violations. Second, security frameworks — voluntary but widely adopted standards like NIST CSF, ISO 27001, and CIS Controls that provide structured approaches to security management. Third, organizational governance — the internal policies, roles, processes, and procedures that translate compliance requirements into operational reality.
What makes compliance challenging on the exam is that questions often present scenarios requiring you to identify which regulation applies, recommend the appropriate framework, or determine the correct organizational response. You need to understand not just what each regulation requires, but who it applies to, what data it protects, and what happens when organizations fail to comply.
Why Compliance Matters for Security+
Domain 5 (Security Program Management and Oversight) carries 20% of the exam weight, making compliance knowledge directly responsible for roughly 18 of your 90 scored questions. More importantly, compliance concepts appear indirectly in other domains — risk management decisions, access control implementations, and incident response procedures are all shaped by regulatory requirements.
In the workplace, compliance is not optional. Organizations that process payment cards must comply with PCI-DSS or face fines and lose processing privileges. Healthcare providers must comply with HIPAA or face penalties up to $1.9 million per violation category per year. Companies handling EU citizen data must comply with GDPR or face fines up to 4% of global annual revenue. Security professionals who understand compliance are invaluable because they bridge the gap between legal requirements and technical implementation.
The Security+ exam reflects the reality that modern security work is as much about governance, risk, and compliance (GRC) as it is about technical controls. Knowing how to build security policies, conduct risk assessments, manage vendor relationships, and maintain audit trails is an essential skill set, and compliance knowledge is what provides it.
Key Compliance Concepts to Master
Regulatory Frameworks
GDPR (EU data protection, 4% revenue fines), HIPAA (US healthcare PHI), PCI-DSS (payment card data), SOX (financial reporting controls), GLBA (financial institution privacy), FERPA (student education records), CCPA/CPRA (California consumer rights). Know scope, protected data types, and penalty structures for each.
Security Frameworks
NIST CSF (Identify→Protect→Detect→Respond→Recover), NIST 800-53 (comprehensive control catalog), ISO 27001 (ISMS certification), ISO 27002 (control implementation guidance), CIS Controls (prioritized top 18 actions), COBIT (IT governance), SOC 2 (service organization trust criteria). Know purpose and when to apply each.
Data Classification
Government: Unclassified → Confidential → Secret → Top Secret. Commercial: Public → Internal → Confidential → Restricted. Data classification determines security controls: encryption requirements, access restrictions, handling procedures, and retention/destruction policies. Classification must align with regulatory requirements.
Security Policies
Acceptable Use Policy (AUP), data handling policy, password policy, remote access policy, BYOD policy, incident response policy, change management policy, data retention and destruction policy. Policies define organizational security expectations and provide the basis for enforcement and audit.
Organizational Roles
CISO (Chief Information Security Officer — program leadership), DPO (Data Protection Officer — GDPR mandate), Data Owner (classifies and authorizes access), Data Custodian (implements controls), Data Steward (ensures quality), Privacy Officer (privacy compliance), and Security Analyst (operational monitoring).
Third-Party Risk Management
Vendor risk assessments, supply chain security, right-to-audit clauses, service level agreements (SLAs), business associate agreements (BAAs for HIPAA), data processing agreements (DPAs for GDPR), and SOC 2 report review. Third-party breaches account for a significant portion of security incidents.
Regulatory Compliance Quick Reference
| Regulation | Scope | Protected Data | Key Requirements | Penalties |
|---|---|---|---|---|
| GDPR | EU citizen data (global reach) | Personal data, PII | Consent, right to erasure, DPO, 72-hour breach notification | Up to 4% global revenue |
| HIPAA | US healthcare entities | PHI (Protected Health Information) | Privacy Rule, Security Rule, BAAs, encryption | $100-$1.9M per category/year |
| PCI-DSS | Payment card processors | Cardholder data (CHD) | 12 requirements, quarterly scans, annual assessment | Fines, loss of processing |
| SOX | US public companies | Financial data | Internal controls, audit trails, CEO/CFO certification | Criminal penalties, prison |
| GLBA | US financial institutions | Customer financial info | Privacy notices, safeguards rule, pretexting protection | $100K per violation |
| FERPA | US educational institutions | Student education records | Parent/student consent, directory information limits | Loss of federal funding |
| CCPA/CPRA | California consumers | Personal information | Opt-out rights, data deletion, privacy notices | $2,500-$7,500 per violation |
Sample Compliance Questions
Question 1: Regulation Identification
A US hospital discovers that a laptop containing unencrypted patient records was stolen from a physician's car. Which regulation PRIMARILY governs the response to this incident?
A) GDPR B) PCI-DSS C) HIPAA D) SOX
Answer: C) HIPAA — The scenario involves a US healthcare organization and patient records (PHI). HIPAA's Breach Notification Rule requires notifying affected individuals within 60 days and also reporting the breach to HHS. Because the data was unencrypted, the incident cannot be excluded from breach status under the encryption safe harbor provision.
Question 2: Framework Selection
A mid-size company wants to implement a structured cybersecurity program using a framework developed by the US federal government that organizes activities into Identify, Protect, Detect, Respond, and Recover functions. Which framework should they adopt?
A) ISO 27001 B) NIST CSF C) CIS Controls D) COBIT
Answer: B) NIST CSF — The NIST Cybersecurity Framework is the only framework organized around the five functions: Identify, Protect, Detect, Respond, and Recover. It was developed by NIST (US government) and is widely adopted by organizations of all sizes for structuring cybersecurity programs.
Question 3: Data Classification
A company's marketing department publishes a blog post on the corporate website. Under a typical data classification scheme, how should this content be classified?
A) Restricted B) Confidential C) Internal D) Public
Answer: D) Public — Content published on a public website is intended for external consumption and should be classified as Public. No access restrictions or special handling for confidentiality are required. Internal, Confidential, and Restricted classifications apply to progressively more sensitive information that requires access controls.
Common Mistakes to Avoid
- Confusing regulations (legally mandatory) with frameworks (voluntary best practices) — HIPAA is a law; NIST CSF is a framework
- Assuming GDPR only applies to EU companies — it applies to ANY organization that processes EU citizen data, regardless of location
- Mixing up Data Owner and Data Custodian — the Owner classifies data and decides who gets access; the Custodian implements technical controls per the Owner's decisions
- Thinking PCI-DSS is a government regulation — it's an industry standard created by card brands (Visa, Mastercard, etc.), enforced through contractual obligations
- Overlooking breach notification timelines — GDPR requires 72-hour notification to supervisory authorities; HIPAA requires 60-day notification to individuals; timelines vary by regulation
Study Checklist for Compliance
- ☑ List all major regulations with scope, protected data, and penalty structures
- ☑ Compare NIST CSF five functions with practical organizational examples
- ☑ Differentiate ISO 27001 (certification standard) from ISO 27002 (control guidance)
- ☑ Explain data classification levels for both government and commercial contexts
- ☑ Define all organizational security roles and their responsibilities
- ☑ Describe third-party risk management processes and required agreements
- ☑ Know breach notification requirements for GDPR, HIPAA, and state laws
- ☑ Understand change management and configuration management processes
- ☑ Review business continuity and disaster recovery planning requirements
- ☑ Practice matching scenarios to the correct regulation or framework
Frequently Asked Questions
How many compliance questions are on the Security+ exam?
Compliance and governance topics fall under Domain 5 (Security Program Management and Oversight), which represents approximately 20% of the Security+ exam. You can expect 12-15 questions covering regulatory frameworks, security policies, risk management processes, and governance structures.
Which regulations should I know for the Security+ exam?
Key regulations include GDPR (EU data protection), HIPAA (US healthcare), PCI-DSS (payment card industry), SOX (financial reporting), GLBA (financial privacy), FERPA (education records), and CCPA/CPRA (California consumer privacy). Know what each regulation protects, who it applies to, and the penalties for non-compliance.
What is the difference between a regulation and a framework?
Regulations are legally mandated requirements with penalties for non-compliance (GDPR, HIPAA, SOX). Frameworks are voluntary best-practice guidelines that organizations adopt to improve security posture (NIST CSF, ISO 27001, CIS Controls, COBIT). Some frameworks can become mandatory through contractual obligations (PCI-DSS) or industry standards.
What security frameworks are tested on Security+?
NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), NIST 800-53 (security controls catalog), ISO 27001/27002 (information security management), CIS Controls (prioritized security actions), COBIT (IT governance), and SOC 2 (service organization controls). Know the purpose and scope of each framework.
What governance concepts appear on the Security+ exam?
Security governance topics include security policies (AUP, password policies, data classification), organizational roles (CISO, DPO, data owner, data custodian), change management processes, business continuity and disaster recovery planning, incident response procedures, and third-party risk management through vendor assessments and supply chain security.
How does data classification relate to compliance?
Data classification categorizes information by sensitivity level (public, internal, confidential, restricted/top secret) to determine appropriate security controls. Regulations require specific protections based on data type: HIPAA protects PHI, PCI-DSS protects cardholder data, GDPR protects personal data of EU residents. Classification ensures the right controls are applied to the right data.
Practice Compliance Questions Now
Our Smart Practice practice tests generate unlimited compliance questions tailored to the CompTIA Security+ exam objectives. Get instant feedback with detailed explanations for every answer.