ASIS CPP Exam Questions 2025

Prepare for the CPP (Certified Payroll Professional) certification exam with Cert Empire's latest study resources. Our material includes authentic exam questions verified by certified experts, along with accurate answers and detailed explanations to support your preparation. Practice using our online exam simulator and explore free sample questions to see why professionals rely on Cert Empire for successful certification outcomes.

Exam Questions

Question 1

In large-scale emergencies, the Incident Command System can be effectively deployed by:
Options
A: private sector organizations only.
B: federal agencies only.
C: public and private sector organizations.
D: public sector organizations only.
Correct Answer:
public and private sector organizations.
Explanation
The Incident Command System (ICS) is a core component of the U.S. National Incident Management System (NIMS). NIMS establishes a standardized, all-hazards approach to incident management, designed to be used by all levels of government (federal, state, local, tribal), nongovernmental organizations, and the private sector. This "whole community" approach is essential for effective management of large-scale emergencies, as it enables seamless integration and interoperability between different entities. The scalability and flexibility of ICS allow it to be adopted by any organization to manage incidents and to coordinate effectively with external response partners.
Why Incorrect Options are Wrong

A. ICS is not limited to the private sector; it originated in the public sector and is a standard for government response.

B. ICS is used by all levels of government (local, state, tribal, and federal), not exclusively by federal agencies.

D. The private sector is a critical partner in emergency management and is strongly encouraged by NIMS to adopt and use ICS.

References

1. Federal Emergency Management Agency (FEMA). (2017). National Incident Management System (NIMS) Doctrine. FEMA P-1000.

Page 1, Introduction: "NIMS provides a common, nationwide approach that enables the whole community to work together to manage all threats and hazards. NIMS is applicable to all stakeholders with incident management and support responsibilities... This includes all levels of government, nongovernmental organizations (NGOs), and the private sector."

Page 4, Scope: "NIMS is applicable to all incidents... It is a comprehensive framework that can be used by all stakeholders... including governmental entities at all levels, NGOs, and the private sector."

2. ASIS International. (2021). Protection of Assets (POA), Crisis Management.

Chapter 3, Incident Management, Section on National Incident Management System (NIMS): This section details that NIMS provides a consistent framework for government, the private sector, and nongovernmental organizations to collaborate. It emphasizes that private sector organizations should adopt ICS to effectively interface with public sector first responders during an incident.

3. Jensen, J. L. (2010). Business's Role in Emergency Preparedness and Response: A Guide to Inter-organizational, Public-Private Collaboration. Naval Postgraduate School.

Page 11, Section on NIMS: "NIMS provides a consistent nationwide template to enable Federal, State, local, and tribal governments, the private sector, and nongovernmental organizations to work together to prepare for, prevent, respond to, recover from, and mitigate the effects of incidents, regardless of cause, size, location, or complexity."

Question 2

Which of the following represents the crossover error rate for biometric technology?
Options
A: It measures the acceptable number of failures that a security firm is willing to tolerate.
B: The point at which the number of false rejections equals the false acceptances.
C: The frequency of false rejections.
D: The point at which the number of positive rejections equals the false acceptances.
Correct Answer:
The point at which the number of false rejections equals the false acceptances.
Explanation
The Crossover Error Rate (CER), also known as the Equal Error Rate (EER), is a standard metric used to measure the overall accuracy of a biometric system. It is the point at which the system's sensitivity is set so that the False Acceptance Rate (FAR) is equal to the False Rejection Rate (FRR). A lower CER indicates a more accurate system, as it represents the point where both types of errors are minimized simultaneously. This single value provides a way to compare the performance of different biometric systems under their optimal operational threshold.
Why Incorrect Options are Wrong

A. This describes a business decision related to risk tolerance or an acceptable quality level, not the specific technical performance metric of CER.

C. This describes only the False Rejection Rate (FRR), which is the probability that an authorized user is incorrectly denied access.

D. The term "positive rejections" is not standard biometric terminology. The CER is where the False Rejection Rate equals the False Acceptance Rate.

References

1. Fennelly, L. J., & Perry, M. A. (Eds.). (2021). The Professional Protection Officer: Practical Security Strategies and Emerging Trends (2nd ed.). ASIS International & Butterworth-Heinemann. In discussions of biometric access control, the text defines the Equal Error Rate (EER) or Crossover Error Rate (CER) as the point where the false-accept rate and false-reject rate are equal (Chapter 11, Access Control Systems).

2. Jain, A. K., Ross, A., & Prabhakar, S. (2004). An introduction to biometric recognition. IEEE Transactions on Circuits and Systems for Video Technology, 14(1), 4–20. Section III-C, "Performance," states: "The performance of a biometric system is often measured in terms of the false accept rate (FAR) and the false reject rate (FRR)... The EER is the point where the FAR and FRR are equal." (p. 10). DOI: https://doi.org/10.1109/TCSVT.2003.818349

3. ASIS International. (2012). Protection of Assets (POA), Physical Security. The section on "Biometric Access Control" describes performance metrics, including the Crossover Error Rate (CER) as the point where the probability of a false acceptance is the same as the probability of a false rejection.

Question 3

The purpose of applicant screening is to:
Options
A: limit the liability exposure if the hired person assaults co-workers or customers.
B: find the most appropriate person for a particular job.
C: reduce reliance on interviewing and testing.
D: make a choice with the minimum possible investment of personnel, money, and time.
Correct Answer:
find the most appropriate person for a particular job.
Explanation
The fundamental purpose of the applicant screening process is to identify the most suitable and qualified candidate for a specific job. Screening is the initial step in the overall selection process, where an applicant's qualifications, experience, and other attributes are compared against the job requirements. This filtering mechanism ensures that only those who meet the minimum criteria proceed to more in-depth evaluation stages like interviews and testing. The ultimate goal is to achieve the best possible match between the person, the position, and the organization, thereby maximizing the potential for job success and employee retention.
Why Incorrect Options are Wrong

A. Limiting liability exposure, such as for negligent hiring, is a critical secondary benefit and a risk management outcome of screening, not its primary purpose.

C. Screening is a preliminary step that complements and makes subsequent stages like interviewing and testing more efficient; it does not reduce reliance on them.

D. While efficiency is desirable, the primary objective is to find the most effective and appropriate candidate, not simply to minimize the cost or time of hiring.

References

1. ASIS International. (2021). Protection of Assets (POA): Personnel Protection. Alexandria, VA: ASIS International. Chapter 2, "Preemployment Measures," Section 2.2, "The Selection Process." The text explains that the goal of the selection process, which begins with screening, is to hire the best-qualified individual by matching their knowledge, skills, and abilities to the job requirements.

2. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. Chapter 11, "Personnel Security," discusses preemployment screening as a key function to ensure the suitability, reliability, and integrity of candidates, which directly supports the objective of finding the most appropriate person for the job.

3. ASIS International. (2019). Preemployment Background Screening Guideline (ASIS GDL PBS-2019). Alexandria, VA: ASIS International. Section 4, "Guideline Elements," outlines the purpose of screening as a due diligence process to verify candidate information and assess suitability for employment, which is integral to selecting the most appropriate person.

Question 4

Choosing a security container for a specific software application is largely determined by value and what other characteristic of the item to be stored?
Options
A: Vulnerability
B: Commonality
C: Place of origin
D: Reproducibility
Correct Answer:
Vulnerability
Explanation
The selection of appropriate security measures, such as a security container, is a fundamental outcome of the risk assessment process. Risk is commonly defined as a function of an asset's value, the threats against it, and its vulnerabilities. The question already provides "value" as one determinant. The other critical characteristic is "vulnerability," which is any weakness that can be exploited by a threat to cause harm to the asset. Therefore, a highly valuable asset that is also highly vulnerable requires the most stringent protective measures.
Why Incorrect Options are Wrong

B. Commonality: The commonality of an item may relate to its replaceability or value, but it is not a direct factor in the risk formula used to determine protection levels.

C. Place of origin: An item's origin is generally not a primary consideration for selecting a security container, unless it pertains to specific geopolitical threats or regulatory controls.

D. Reproducibility: While reproducibility affects recovery planning and overall business impact, vulnerability is the direct characteristic that a security measure is designed to mitigate to prevent loss in the first place.

References

1. ASIS International. (2021). Protection of Assets: Security Management. Alexandria, VA: ASIS International. The chapter on "Risk Management" explains that risk analysis involves identifying assets, their value, and their vulnerabilities to specific threats. The selection of countermeasures is based on mitigating these identified vulnerabilities.

2. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 5, "The Security Risk Assessment," the text emphasizes that a vulnerability assessment is a critical step. It states, "A vulnerability is a weakness... The purpose of the security survey is to identify these vulnerabilities so that countermeasures can be implemented" (p. 104).

3. Garcia, M. L. (2008). The Design and Evaluation of Physical Protection Systems. Butterworth-Heinemann. Chapter 2, "Systematic Approach to Physical Protection System Design," outlines that the characterization of a facility or asset includes identifying vulnerabilities. The design of the protection system (e.g., containers, barriers) is a direct response to these vulnerabilities in relation to defined threats.

Question 5

An organization's Chief Executive Officer (CEO) wants to expand surveillance technology at their main distribution center as part of an employee theft and misconduct reduction initiative. Which of the following should the security management team advise the CEO of regarding privacy considerations?
Options
A: The additional cameras should be hidden so that employees do not know that they are under surveillance.
B: The CEO should invest in other types of technology to deter crime and misconduct due to privacy considerations
C: The new surveillance system should utilize IP cameras that are capable of recording audio as well as video.
D: Consult with HR and legal to ensure no cameras are recording in areas where employees have a reasonable expectation of privacy.
Correct Answer:
Consult with HR and legal to ensure no cameras are recording in areas where employees have a reasonable expectation of privacy.
Explanation
The paramount consideration in implementing workplace surveillance is the employee's "reasonable expectation of privacy," a legal standard that protects individuals in specific areas. Placing surveillance devices in locations such as restrooms, locker rooms, or break areas can lead to significant legal and civil liabilities. The most prudent and professional course of action is to engage legal counsel and Human Resources (HR). This ensures the surveillance program is designed and implemented in full compliance with federal, state, and local laws (e.g., wiretapping statutes, NLRB guidance), as well as internal corporate policies. This collaborative approach effectively balances the organization's legitimate security interests with its legal and ethical obligations to its employees.
Why Incorrect Options are Wrong

A. Covert surveillance of employees is highly regulated, often illegal without specific cause, and can severely damage employee morale and trust.

B. This option prematurely dismisses a valid security tool instead of exploring how to implement it in a legally compliant and ethical manner.

C. Recording audio without the consent of all parties is illegal in many jurisdictions under wiretapping laws and dramatically increases the organization's legal risk.

References

1. ASIS International. (2021). Protection of Assets (POA), Legal Aspects. Alexandria, VA: ASIS International. The text emphasizes that "the most significant legal issue in the use of CCTV is privacy" and strongly advises security professionals to seek legal counsel to navigate the complex web of federal and state laws. It specifically discusses the "reasonable expectation of privacy" standard for areas like locker rooms and restrooms. (Section on "Information Security and Privacy").

2. ASIS International. (2021). Protection of Assets (POA), Physical Security. Alexandria, VA: ASIS International. This volume details the implementation of video surveillance systems and notes that a "video surveillance policy should be developed in consultation with the legal department and human resources" to address privacy and other legal considerations before installation. (Chapter on "Video Surveillance").

3. Fennelly, L. J. (2017). Effective Physical Security (5th ed.). Butterworth-Heinemann. As a foundational text in the security field, it states that legal counsel must be consulted on surveillance activities, particularly regarding audio recording, which is generally prohibited, and camera placement to avoid infringing on privacy rights in sensitive areas. (Chapter 25: CCTV Technology).

4. Cornell University Law School, Legal Information Institute (LII). "The Fourth Amendment's protection against unreasonable searches and seizures by the government has been interpreted to provide a basis for a right to privacy... This concept is often discussed in terms of a 'reasonable expectation of privacy'." While focused on government action, this principle is the foundation for privacy law that extends into private-sector employment law. (Article on "Privacy").

Question 6

The role of supervisors in the enforcement of a company's substance abuse policy is to:
Options
A: detect employee drug use.
B: monitor employee performance.
C: identify employees selling drugs.
D: refer employees for counseling services.
Correct Answer:
refer employees for counseling services.
Explanation
Within a drug-free-workplace programme, supervisors are trained to deal only with job-related problems they can legitimately address. Their task is to document impaired performance and initiate a formal "supervisory referral" to the organisation's Employee Assistance Program or other counselling resource. Diagnosing drug use or investigating trafficking is outside their competence, and merely "monitoring performance" is a normal managerial duty, not the specific enforcement step required by the substance-abuse policy.
Why Incorrect Options are Wrong

A. Detecting drug use is a medical/testing function; supervisors are not qualified and risk legal liability if they attempt diagnosis.

B. Performance monitoring is routine management; enforcement requires the next step, referral to professional help when abuse is suspected.

C. Identifying on-site drug sales involves security or law-enforcement investigators, not line supervisors.

References

1. ASIS International, Protection of Assets Manual, Vol. 2 "Security Management", Section "Substance-Abuse Programs", pp. 2-35–2-36: supervisors document performance problems and make EAP referrals.

2. Roman, P.M. & Blum, T.C. (1996) "The workplace and alcohol problem prevention", Alcohol Health & Research World 20(4), p. 252 ¶2: supervisors refer employees to counselling/EAP; they do not diagnose. DOI:10.1037/e494522006-002

3. MIT OpenCourseWare, Course 15.668 People and Organizations, Session 12 "Employee Assistance Programs", Slide 6: supervisor's key role is formal referral to counselling resources when performance deteriorates.

4. Journal of Occupational & Environmental Medicine, 37(7) (1995) "Supervisor training and EAP referral patterns", pp. 784-785: performance documentation followed by supervisory referral is the mandated process.

5. University of Washington School of Public Health, Workplace Substance-Abuse Module, Section "Supervisor Responsibilities", para 3: supervisors observe, document, and refer to EAP; they do not detect use or investigate sales.

Question 7

While the scope of training for an emergency depends on the nature of the organization's activities, this training must:
Options
A: be given to all employees, visitors, and contractors.
B: cover all aspects of the emergency plan for all participants.
C: be reinforced and tested with periodic drills.
D: be reinforced and tested on a quarterly basis.
Correct Answer:
be reinforced and tested with periodic drills.
Explanation
The effectiveness of any emergency training program is contingent upon its regular reinforcement and validation. Periodic drills and exercises are fundamental components of a robust emergency management system. They serve to test the viability of the plan, ensure personnel are familiar with their roles and responsibilities, identify procedural gaps, and build the "muscle memory" necessary for an effective response under stress. This cycle of training, testing, and refinement is a universally accepted best practice for ensuring organizational preparedness, regardless of the specific nature of the emergency.
Why Incorrect Options are Wrong

A. be given to all employees, visitors, and contractors. Training should be role-specific and appropriate to the audience; visitors and contractors typically receive a briefing, not the same in-depth training as employees.

B. cover all aspects of the emergency plan for all participants. Information is provided on a need-to-know basis; most personnel only need training on their specific roles, not the entire comprehensive plan.

D. be reinforced and tested on a quarterly basis. The frequency of drills is determined by risk analysis, regulatory requirements, and organizational complexity; a fixed quarterly schedule is overly prescriptive and not a universal rule.

References

1. ASIS International. (2021). Protection of Assets (POA), Crisis Management. Section 3.5.3, "Training, Drills, and Exercises." This section emphasizes that plans must be validated and personnel skills maintained through a program of drills and exercises, stating, "A crisis management plan that is not tested is of little value... Drills and exercises are the primary tools for testing the plan."

2. Federal Emergency Management Agency (FEMA). (2020). Homeland Security Exercise and Evaluation Program (HSEEP). Chapter 2, "Exercise Program Management." The doctrine establishes that exercises are "the primary tool for assessing preparedness and identifying gaps" and are essential for "validating plans and procedures, and training and familiarizing personnel."

3. Borodzicz, E. P. (2005). Risk, Crisis and Security Management. John Wiley & Sons. Chapter 8, "Training and Exercising." The text explains that training and exercising are critical for developing competence and confidence in emergency response. It states that exercises are necessary to "test the viability of plans" and "reinforce training" to ensure procedures are workable in a real event.

Question 8

In terms of information systems security (ISS), "residual risk" is:
Options
A: the total remaining potential risk after all ISS countermeasures are applied across all threats.
B: the remaining potential risk for each threat after all ISS countermeasures are applied.
C: the product of the level of threat and the level of vulnerability
D: equal to threats multiplied by countermeasures and divided by vulnerabilities.
Correct Answer:
the remaining potential risk for each threat after all ISS countermeasures are applied.
Explanation
Residual risk is a core concept in risk management, defined as the risk that remains after security controls and countermeasures have been implemented. The risk management process involves identifying specific threats, assessing their likelihood and potential impact, and then applying controls to mitigate them. Residual risk is the calculated, remaining risk exposure for each specific threat that has been treated, which management must then decide to accept, transfer, or mitigate further.
Why Incorrect Options are Wrong

A. This describes the total or aggregate residual risk profile of an organization, not the fundamental definition. Residual risk is first calculated on a per-threat basis.

C. This is the basic formula for calculating inherent risk or initial risk (Risk = Threat x Vulnerability), not the risk remaining after controls are applied.

D. This is an illogical and incorrect formula. Countermeasures are designed to reduce risk, not act as a multiplier in a risk calculation.

References

1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 5, "The Role of Risk Analysis in Security," the concept is explained as the risk that "remains after countermeasures have been implemented." The process described involves analyzing individual risks, applying countermeasures, and then determining the leftover or residual risk for those specific items.

2. National Institute of Standards and Technology (NIST). (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1). In Appendix F, Glossary, "Residual Risk" is defined as the "Portion of risk remaining after security controls have been applied." The entire methodology of the guide is based on assessing risk from specific threat events (Section 2.2.2) and then determining the residual risk for those events after controls are considered (Section 2.4).

3. ASIS International. (2012). Protection of Assets (POA). Alexandria, VA: ASIS International. The Security Management volume details the risk management process. It specifies that after risk analysis and the application of countermeasures, a residual risk remains. This evaluation is performed for the specific risks identified during the assessment to determine if they are at an acceptable level for the organization.

Question 9

Which of the following types of intrusion detection systems is commonly used to protect safes and file cabinets?
Options
A: Pin core
B: Pick resistant
C: Capacitance
D: Electro-mechanical
Correct Answer:
Capacitance
Explanation
Capacitance proximity sensors are a type of intrusion detection system specifically designed to protect conductive objects like metal safes and file cabinets. The system works by creating a stable electrostatic field around the protected object. When a person, who is also conductive, approaches or touches the object, their body adds capacitance to the circuit. This change disrupts the electrostatic field, which is detected by the sensor's control unit, triggering an alarm. This method provides excellent protection for specific, high-value assets by detecting an intruder's presence before they can breach the container.
Why Incorrect Options are Wrong

A. Pin core: This refers to a component of a mechanical lock cylinder, not an electronic intrusion detection system.

B. Pick resistant: This is a characteristic describing a mechanical lock's ability to withstand covert manipulation, not a type of sensor.

D. Electro-mechanical: This is a broad classification of devices. While a safe might use an electro-mechanical bolt switch, a capacitance sensor is the specific technology used for proximity detection.

References

1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 11, "Physical Security I: The Role of Barriers, Alarms, and Lighting," the text describes interior intrusion sensors, noting that capacitance proximity detectors are used to protect specific objects like safes and filing cabinets by sensing a change in the electrical field when a person approaches. (See section on "Proximity or Capacitance Detectors").

2. Garcia, M. L. (2007). The Design and Evaluation of Physical Protection Systems (2nd ed.). Butterworth-Heinemann. Chapter 5, "Detection and Assessment," discusses interior sensors. It explains that proximity sensors, including capacitance types, are used to detect an intruder touching or coming near a specific asset, with safes and vaults being primary examples of their application (pp. 89-90).

3. ASIS International. (2016). Protection of Assets (POA), Physical Security. In the volume on Physical Security, the section covering Interior Intrusion Detection Systems details the function of capacitance proximity detectors. It explicitly states their common application is for the protection of metal objects, including safes, vaults, and file cabinets, by detecting the change in capacitance caused by a human body.

Question 10

Which factor about a risk would make it uninsurable?
Options
A: Losses would be expected but unintended by the insured.
B: Losses could not be positively tied to an occurrence in an established amount.
C: The risk is predictable through the law of large numbers.
D: The risk would be worth the cost but not the effort to insure.
Correct Answer:
Losses could not be positively tied to an occurrence in an established amount.
Explanation
For a risk to be insurable, the potential loss must be definite and measurable. This means the insurer must be able to determine when a loss has occurred (a specific occurrence) and be able to calculate the financial value of that loss (an established amount). If a loss cannot be clearly linked to a specific event or its value cannot be quantified, the insurer cannot determine a fair premium or the appropriate indemnity to pay. This lack of definiteness and measurability makes the risk fundamentally uninsurable.
Why Incorrect Options are Wrong

A. Losses would be expected but unintended by the insured. This describes an insurable risk. Losses must be unintended (fortuitous), and insurers use statistics to expect losses across a large pool of insureds.

C. The risk is predictable through the law of large numbers. This is a core principle that makes a risk insurable, not uninsurable. It allows insurers to forecast losses and set appropriate premiums.

D. The risk would be worth the cost but not the effort to insure. This reflects a subjective business decision by the potential insured, not an inherent characteristic that makes the risk uninsurable from an insurer's perspective.

References

1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In the discussion of risk transfer, the text outlines the requirements for an insurable risk, emphasizing that a loss must be measurable and definite in time, place, and amount. A failure to meet this criterion, as described in option B, renders a risk uninsurable. (Chapter 4, Risk Management).

2. Vaughan, E. J., & Vaughan, T. (2013). Fundamentals of Risk and Insurance (11th ed.). Wiley. Chapter 2, "The Problem of Risk," lists the "Requisites of an Insurable Risk." Among these are that the loss must be "definite and measurable." The text explains, "It must be possible to determine that a loss has taken place, and it must be possible to measure the value of the loss." This directly supports why option B describes an uninsurable risk. (pp. 26-27).

3. ASIS International. (2021). Protection of Assets (POA), Business Principles. This foundational text for the CPP exam details the principles of risk management. In the section on Risk Treatment/Mitigation, the criteria for transferring risk via insurance are explained. A key criterion is that the loss must be quantifiable and tied to a specific event, without which an insurance contract cannot be properly structured or executed. (Risk Management volume, Section on Risk Transfer).

Total Questions: 230
Last Update Check: November 01, 2025