ASIS-PSP ASIS Physical Security Professional (PSP) Exam Free Practice Exam Questions (2026 Updated)

Encryption is a method of converting readable data into an encoded format using algorithms. Only those with the appropriate decryption key can convert the data back into its original, usable form. It is a primary method for protecting data confidentiality in storage and transmission.

Distraction (A), Disgruntling (B), and Falsification (C) are unrelated to data protection techniques.

Security awareness training ensures that all employees understand security policies, recognize threats, and know how to respond appropriately. It is critical for creating a proactive security culture and ensuring that all layers of defense—including human factors—are effective.

A, B, and D refer to specific training content areas, but security awareness encompasses overall employee engagement and is critical for program success.

Credit reports not only reflect a person ' s financial condition (debts, credit utilization, bankruptcies), but also provide useful data such as past addresses and the names of previous employers. This auxiliary information is essential during background investigations and helps validate the accuracy of job applications.

Legal and compliance considerations apply; employers must follow fair credit reporting laws and obtain consent.

High-pressure sodium (HPS) lamps are ideal for parking lots and large outdoor areas because they offer long service life, energy efficiency, and good visibility, even in adverse weather. Their slightly yellowish hue is acceptable for general surveillance and area illumination.

A (Metal halide) has better color rendering but shorter life.

B (Low-pressure sodium) has poor color rendering.

C (Halogen) is less efficient and has a shorter lifespan.

Security consultants are often retained to provide strategic input on staffing needs, policy design, and technology integration. Their advice helps organizations make informed decisions regarding the deployment of personnel, the structure of policies, and the selection of physical and electronic security systems.

The pre-bid conference is held to clarify specifications, answer bidder questions, and ensure all prospective contractors understand the requirements. It supports transparency and consistency across all bids.

A is incorrect—bids are not anonymous.

C misrepresents the purpose of the meeting.

D (Disclosing project cost) may or may not occur, and it ' s not the primary goal.

In a competitive pre-bid conference, the most important information to record in the meeting minutes is the project questions raised and the answers provided during the conference. From an organizational and Human Resource management perspective, accurate documentation supports fairness, transparency, and equal access to information for all participants. If all bidders receive the same clarifications, the process remains ethical and professionally managed. Recording only attendance or walk-through details does not fully protect the integrity of the bidding process. The questions and answers are critical because they may affect how contractors interpret requirements, prepare pricing, and understand project expectations. Proper records also reduce misunderstandings, disputes, and claims of favoritism. Therefore, option D is the correct answer because it best supports a fair and well-documented procurement process.

The critical detection point in a Physical Protection System (PPS) occurs when the remaining distance or time an adversary must cover before reaching the target exceeds the security response time. This ensures that detection happens early enough for responders to act and intervene before the attacker reaches the asset.

B and C refer to detection and interruption probabilities, which are important metrics but not the defining threshold for the critical detection point.

D (Remaining delay time) factors into the protection layers but does not define the detection threshold.

Business continuity involves two core stages:

Business Recovery – restoring critical business functions quickly after a disruption.

Business Resumption – full restoration of all business operations to normal levels over the long term.

This sequence ensures operational stability in the short term and complete restoration in the long term.

The value of an asset to an organization is most appropriately characterized by its replacement value, which represents the cost required to replace or restore the asset if it is lost, damaged, or compromised. In Human Resource and organizational management contexts, understanding asset value is essential for prioritizing protection measures, budgeting, and risk management planning. Replacement value provides a practical and measurable basis for decision-making, especially when allocating resources for security, insurance, and contingency planning. While surveys or industry publications may provide general insights, they do not reflect the specific operational importance of an asset within a particular organization. Cumulative value is not a standard method used in risk assessment. Therefore, option B is correct because replacement value offers a clear, objective, and widely accepted way to determine an asset’s importance.

When a bomb threat targets a specific floor, safety protocols typically mandate evacuation of the identified floor and the floors immediately above and below. This accounts for the potential blast radius and structural impact, ensuring personnel safety in adjacent vulnerable areas.

A is too vague.

C and D (all floors above or below) may be excessive unless threat specifics demand it.

Post-implementation evaluation testing should be performed at least annually to assess whether the security system continues to meet operational requirements. It also ensures that performance standards are upheld, and helps identify any necessary updates or improvements.

A, B, and C are more frequent than typical industry best practice unless special conditions apply.

Annual Loss Expectancy (ALE) is a key financial metric used in risk management to estimate the potential dollar loss per year due to a specific risk. It is calculated as:

ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO).

This helps quantify the financial impact of a threat, allowing better prioritization and budgeting for mitigation efforts.

B (Probability) is part of the ALE calculation but not a dollar-value measure.

C (Criticality) relates to function importance but not direct financial impact.

D (Risk) is broader and includes impact and likelihood, but ALE specifically quantifies impact in dollars.

Contingency planning traditionally focuses on:

Infrastructure (A)

People (B)

Processes (C)

While reputation is a concern in broader risk management and public relations, it is not considered a direct category of contingency planning programs, which deal more with operational continuity than brand management.

Private security refers to individuals or organizations that offer security-related services for compensation. This includes both self-employed individuals (such as independent security consultants or contractors) and funded business entities (such as security companies or firms) that provide services to private clients for a fee. These services may include guarding, patrolling, risk assessments, investigations, alarm monitoring, or other protective activities.

Strict liability applies when a manufacturer or service provider is held legally responsible for damages or injuries caused by a defective product or service, regardless of fault or intent. This type of liability is often associated with consumer protection laws, where the focus is on the danger posed to the user rather than negligence on the part of the provider.

Plaintiff (B) is the party bringing the suit.

Defendant (C) is the party being sued.

" None of the above " (D) is incorrect since " Strict liability " is the correct legal principle.

A virus is a type of malicious software that attaches itself to legitimate files and spreads when those files are executed.

A worm is a standalone malware program that replicates itself to spread to other computers without needing to attach to a host file.

A bug refers to an error or flaw in software, but in the context of this question (malicious instructions causing effects), it can contribute to vulnerabilities exploited by malware.

Since all these can involve sets of unwanted instructions leading to harmful effects, “All of the above” is the most accurate answer.

Risk management is the continuous and proactive process of identifying areas where a business may suffer losses, assessing the likelihood and potential impact of those losses, and implementing security countermeasures to minimize or eliminate them. This function ensures that organizational assets—people, property, and information—are protected against threats such as theft, sabotage, natural disasters, and operational failures.

References from PSP: ASIS POA – Risk Management; PSP Study Guide – Physical Security Assessment Domain

The correct answer is A. Humans.

In the ASIS PSP Body of Knowledge, asset identification is part of Domain One: Physical Security Assessment, where the security professional must identify assets to determine their value, criticality, and loss impact. The PSP Body of Knowledge specifically includes knowledge of the nature and types of assets, including tangible and intangible assets.

A tangible asset is an asset that has a physical form or physical presence. Humans/people are tangible because they physically exist and can be directly protected through physical security measures such as access control, emergency response, life safety systems, barriers, screening, and security staffing.

The other choices are not the best examples of tangible assets:

B. Information is generally treated as an intangible asset, although it may be stored on physical media.

C. Reputation is an intangible organizational asset.

D. Trademarks are intellectual property and are intangible assets.

ASIS also describes the PSP credential as related to protecting an organization’s assets, including people, property, and information, which supports the classification of people/humans as a core asset in physical security.

Therefore, the correct answer is A. Humans.