40 exam-style questions covering all 6 chapters of the ISTQB Certified Tester Foundation Level v4.0 syllabus. Click an answer to reveal whether it’s correct and why. Use this to identify which chapters need more study.
Which of the following BEST describes the first principle of testing in ISTQB CTFL v4.0?
The first ISTQB testing principle states that testing shows the presence of defects, not their absence. Even a full green test run does not prove no bugs exist — it only proves the tested scenarios passed. This is why risk-based testing matters.
Question 2
A tester at a Wellington-based government agency argues that they should test every possible combination of inputs before releasing a new citizens’ portal. Their test lead points out this approach violates which testing principle?
Exhaustive testing (testing every possible input and path) is impossible for non-trivial systems. Risk analysis and test design techniques such as equivalence partitioning and boundary value analysis must be used to select the most valuable subset of tests.
Question 3
Which of the following is an objective of testing according to ISTQB CTFL v4.0?
Testing objectives include finding defects, building confidence in quality, providing information for decisions, and preventing defects through early review. Fixing defects is the responsibility of developers, not testers. Proving absence of defects is not possible.
Question 4
Which statement BEST distinguishes testing from debugging?
Testing is the activity that triggers failures (observable incorrect behaviour). Debugging is the development activity that traces a failure back to the defect in the code and corrects it. They are complementary but distinct activities, often performed by different people.
Question 5
An Auckland fintech startup ships a payments app that passes all tests but fails to help users understand their balance due to confusing UX. Which ISTQB principle does this situation illustrate?
The “absence of errors” fallacy states that finding and fixing all defects is useless if the system still fails to meet user needs or business goals. A technically bug-free product that confuses its users is still a poor-quality product.
Question 6
A test team repeatedly runs the same regression suite for six months and finds no new defects. Their manager concludes testing is no longer necessary. Which principle explains why this conclusion is incorrect?
The pesticide paradox (tests wear out) states that if the same tests are run repeatedly, they stop finding new defects. The system may still have untested defects. The fix is to regularly review and update test cases, and use new testing techniques to explore different areas.
Question 7
Which role is PRIMARILY responsible for test planning, monitoring, and controlling during a project?
ISTQB CTFL v4.0 defines two primary roles: the test manager (responsible for planning, monitoring, controlling, and completing testing) and the tester (responsible for analysis, design, implementation, and execution of tests). The test lead takes the management role in smaller teams.
Chapter 2 — Testing Throughout the Software Development Lifecycle
7 questions — V-model, Agile testing, shift-left, test levels, test types
Question 8
In the V-model, which test level corresponds to system design specifications?
In the V-model, system testing corresponds to the system design phase on the left-hand side. Component (unit) testing corresponds to component specifications, integration testing to high-level design, and acceptance testing to business/user requirements.
Question 9
Which of the following BEST describes the “shift-left” approach to testing?
Shift-left means starting testing activities earlier (reviewing requirements, doing static analysis, writing tests before code). Defects found earlier in the lifecycle are significantly cheaper to fix than those found in system test or production.
Question 10
In an Agile team, which statement about testing is MOST accurate according to ISTQB CTFL v4.0?
ISTQB CTFL v4.0 emphasises that in Agile, testing is continuous and integrated — testers collaborate with developers and product owners throughout each sprint, not in a separate phase. Lightweight but sufficient documentation is still expected.
Question 11
A Christchurch retailer’s development team writes unit tests alongside their code using a Test-Driven Development approach. Which type of testing does this PRIMARILY represent?
TDD involves writing unit (component) tests before the production code. This is a form of component testing. Regression testing would be re-running these tests after a change, but the primary test level in TDD is component (unit) testing.
Question 12
Which of the following is an example of non-functional testing?
Non-functional testing evaluates characteristics such as performance, security, usability, and reliability — the “how well” rather than “what” the system does. Measuring load time under concurrent users is a performance (non-functional) test.
Question 13
Acceptance testing conducted by real users before a new Te Whatu Ora patient portal goes live is BEST classified as which type of acceptance testing?
UAT is performed by intended end users (in this case, hospital staff and clinicians) to verify the system is fit for purpose. Alpha testing is conducted at the developer’s site with representative users. OAT checks operational readiness (backup, recovery, maintenance).
Question 14
Which of the following BEST describes regression testing?
Regression testing confirms that modifications (bug fixes, new features, refactoring) have not broken existing functionality. It re-runs a relevant subset of previously passing tests. It is distinct from confirmation testing, which re-tests the specific fixed defect.
Which of the following is a characteristic of static testing that differentiates it from dynamic testing?
Static testing involves examining work products (requirements, design documents, code, test plans) without running the software. Dynamic testing executes the code with inputs and observes outputs. Static testing can find defects earlier and in a wider range of artefacts.
Question 16
In which review type does the author lead a session where colleagues ask questions and make suggestions, without a formal defect log or entry/exit criteria?
A walkthrough is led by the author. The author guides reviewers through the work product. It is less formal than an inspection or technical review — there are no mandatory entry/exit criteria or formal defect logging, though notes may be taken.
Question 17
Which review type is MOST formal and typically uses a defined process with entry criteria, checklists, roles, and a formal defect log?
An inspection is the most formal review type. It has defined roles (moderator, author, reviewers, scribe), entry and exit criteria, preparation requirements, checklists, and a formal defect log with follow-up. It is used on high-risk or critical work products.
Question 18
A static analysis tool flags a section of code as having a potential null-pointer dereference that no test has yet triggered. This is an example of:
Static analysis tools examine code without running it and can find defects (such as null-pointer dereferences, security vulnerabilities, or coding standard violations) that dynamic testing might never trigger, especially in rarely-exercised code paths.
Question 19
Which of the following artefacts can benefit from static testing? Select the MOST complete answer.
Static testing applies to any work product that can be examined without execution: requirements specifications, design documents, user stories, source code, test plans, test cases, and more. This is one of its greatest strengths — defects can be caught before any code is written.
Question 20
During a requirements review for a Ministry of Social Development portal, a reviewer notes that a requirement uses the word “should” where “shall” (mandatory) was intended, making the requirement ambiguous. This is BEST described as:
Ambiguous language in requirements is a classic defect type found through static review. Catching this in the requirements phase is far cheaper than discovering it during system test or after release, when multiple teams have already built code based on a misunderstanding.
Question 21
What is the PRIMARY benefit of conducting reviews early in the SDLC?
A defect in a requirement that is caught during a requirements review costs a fraction of the same defect discovered during system test or production. Early reviews prevent the error from propagating into design, code, and test assets, all of which would then need rework.
A NZ online tax form accepts income values from $0 to $180,000. Using equivalence partitioning, which set of test values covers the MINIMUM number of partitions?
Equivalence partitioning divides inputs into partitions where all values behave the same. Here there are three partitions: below-valid (e.g. −1), valid (e.g. $90,000), and above-valid (e.g. $180,001). One representative from each partition is sufficient. BVA would additionally test the boundary values themselves.
Question 23
Using 2-value Boundary Value Analysis on a field that accepts ages from 18 to 65, which test values are required?
2-value BVA tests the boundary and the value just outside it on each side: 17 (just below minimum — invalid), 18 (minimum — valid), 65 (maximum — valid), 66 (just above maximum — invalid). This gives four test values for a two-boundary range.
Question 24
A tester is designing tests for a discount rule: customers who are members AND have a purchase over $100 get 10% off. Non-members or purchases under $100 get no discount. Which technique is MOST appropriate?
Decision table testing is ideal for rules with multiple conditions (member status, purchase amount) that combine to produce different outputs (discount or no discount). It ensures all meaningful combinations of conditions are tested and prevents logic errors in business rule implementation.
Question 25
A tester is verifying the behaviour of an ATM card: a card can be Active, Blocked, or Expired. An expired card cannot be unblocked; an active card can be blocked; a blocked card can be unblocked. Which test design technique is MOST appropriate?
State transition testing models a system as a set of states, transitions triggered by events, and resulting actions. It is the ideal technique when the system’s response depends on its current state — as with the ATM card lifecycle.
Question 26
Statement coverage measures:
Statement coverage (a white-box metric) measures the percentage of executable source-code statements exercised by the test suite. 100% statement coverage does not guarantee all branches are tested. Branch coverage is a stronger criterion that also requires each decision outcome (true/false) to be exercised.
Question 27
Which of the following is an example of experience-based testing?
Experience-based techniques (error guessing, exploratory testing, checklist-based testing) leverage the tester’s knowledge, intuition, and domain expertise rather than a systematic derivation from a specification. They complement formal techniques and are particularly valuable for finding defects that structured techniques miss.
Question 28
During an exploratory testing session on a new Kiwi Bank mobile feature, the tester simultaneously designs, executes, and learns. This session is BEST managed using:
Exploratory testing is session-based and guided by a test charter. The charter defines what to explore (scope), the mission (goal), and is time-boxed. Notes and findings are captured in a session sheet. This structure preserves the flexibility and learning value of exploratory testing while maintaining accountability.
Which of the following is a PRIMARY purpose of a test plan?
A test plan is a management document that describes the scope, objectives, approach, resources, schedule, risks, and mitigation strategies for a testing effort. It guides the team and communicates testing intent to stakeholders. It does not record individual results (that is the test log) or defects (the defect report).
Question 30
A test team uses product risk analysis to prioritise which test cases to run first. A high-probability, high-impact risk is identified in the payment module of an NZ e-commerce site. What should happen to testing of this module?
Risk-based testing allocates more testing effort to areas with higher risk (likelihood × impact). A high-probability, high-impact risk in the payment module warrants prioritised, thorough testing. This approach ensures that if time is short, the most critical areas have been tested first.
Question 31
Entry criteria for a system test phase typically include which of the following?
Entry criteria define conditions that must be met before a test phase begins. For system testing this typically includes: a stable build delivered to the test environment, integration tests passed, test data prepared, and the test basis (requirements, design) available. Exit criteria define conditions for completing the phase.
Question 32
A test manager uses metrics including test case pass rate, defect density, and defect discovery trend to assess whether testing is on track. This is an example of:
Test monitoring and control involves collecting data about the testing effort (metrics), comparing against the plan, and taking corrective action when needed. Test monitoring answers “where are we?”; test control answers “what do we do about it?”
Question 33
Which of the following information should a well-written defect report include? Select the MOST complete answer.
A good defect report enables a developer to reproduce and understand the defect without contacting the reporter. It needs: a clear title, severity/priority, steps to reproduce, actual vs expected result, environment/build info, and attachments (logs, screenshots). Dictating the fix is not the tester’s role.
Question 34
During test planning, the test manager estimates effort using a combination of historical data from similar projects and expert judgement. Which estimation technique is this?
Metric-based estimation uses historical data (defect rates, test cycle durations from past projects) to predict future effort. When combined with expert judgement to adjust for project-specific differences, it is one of the most reliable estimation approaches. Wideband Delphi and planning poker are consensus-based team techniques.
Which of the following is a potential RISK of introducing test automation to a project?
Test automation requires significant upfront investment (tooling, scripting, infrastructure) and ongoing maintenance as the application evolves. Brittle tests that break with every UI change are a common failure mode. Automation is best applied to stable, high-frequency regression scenarios rather than exploratory or one-off tests.
Question 36
A tool that automatically checks source code against coding standards and flags security vulnerabilities without executing the code is BEST classified as:
Static analysis tools examine code without running it and can identify coding standard violations, security vulnerabilities, complexity metrics, and potential runtime errors. They are a key part of shift-left testing and CI/CD pipelines. Examples include SonarQube, ESLint, and Checkstyle.
Question 37
Which of the following is a BENEFIT of test automation?
A key benefit of test automation is repeatability: the same tests can be run overnight, on every commit, or on every build without additional human effort. This enables rapid regression feedback. Automation does not replace human judgement or cover defects outside its scripted scope.
Question 38
When selecting a test management tool for a medium-sized NZ software house, which factor is MOST important to consider first?
Tool selection should be driven by fit to process, integration capability (with the CI/CD pipeline, issue tracker, source control), licence cost, learning curve, and vendor support. A tool with many features that does not integrate with your workflow creates overhead rather than value.
Question 39
A test team introduces a CI/CD pipeline that runs the automated regression suite on every commit. This approach is MOST aligned with which concept?
Continuous testing integrates automated tests into the delivery pipeline so feedback is rapid and continuous. ISTQB CTFL v4.0 covers how test activities fit DevOps and CI/CD pipelines, emphasising fast feedback loops that enable teams to detect regression quickly without slowing delivery.
Question 40
Which of the following BEST describes the concept of a “test oracle”?
A test oracle is the mechanism or source that allows a tester to determine the expected result for a test case. It can be a specification, a reference system, a previous version of the software, domain expert knowledge, or a mathematical formula. Without an oracle, a tester cannot judge whether the actual output is correct.
Your Result
Answer all 40 questions to see your final score.
The ISTQB CTFL v4.0 exam passes at approximately 65% (26 out of 40). Use the chapter breakdown above to target your revision.