(ISC)² Certified in Cybersecurity (CC) Study Guide
The (ISC)² Certified in Cybersecurity (CC) is an entry-level credential that validates foundational knowledge across security principles, business continuity and incident response, access control, network security, and security operations. It is aimed at newcomers, career changers, and IT professionals seeking to enter the cybersecurity field with no prior work experience required. The exam is 100 multiple-choice questions over 120 minutes, scored on a 1000-point scale with 700 to pass.
Domain 1: Security Principles
- The CIA triad is the core model: Confidentiality (no unauthorized disclosure), Integrity (no unauthorized or undetected alteration), and Availability (authorized users can access systems and data when needed).
- Multi-factor authentication (MFA) requires factors from at least two DIFFERENT categories: something you know (password/PIN), something you have (token/phone), and something you are (biometric). Two passwords are NOT MFA.
- A threat is a potential event or action that could cause harm; a vulnerability is a weakness that a threat could exploit; risk is the likelihood and impact of a threat exploiting a vulnerability. A threat actor is the person or group that carries out the threat.
- Least privilege grants users and processes only the minimum access needed for their job, reducing the blast radius if an account is compromised.
- Defense in depth layers multiple, varied controls so no single failure leads to compromise.
- AAA stands for Authentication (proving identity), Authorization (granting permissions), and Accounting (logging actions for accountability).
- Single Loss Expectancy (SLE) = Asset Value x Exposure Factor. Annualized Loss Expectancy (ALE) = SLE x Annualized Rate of Occurrence (ARO).
- Risk responses are: Avoid (stop the activity), Mitigate (reduce with controls), Transfer (e.g., insurance), and Accept (when residual risk is within tolerance).
- Risk acceptance is appropriate when the cost of the control exceeds the expected loss and residual risk is within the organization's tolerance.
- A compensating control provides comparable risk reduction when the primary control is impractical or too costly to implement.
- The (ISC)² Code of Ethics has four canons, applied in order of priority: protect society/common good; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; advance and protect the profession.
- Privacy concerns the appropriate handling of personal data (PII), governed by regulations such as GDPR and HIPAA; it is distinct from confidentiality but related.
- Encryption protects confidentiality at rest (on storage) and in transit (over networks); protecting data in use requires additional techniques such as memory protection.
- Non-repudiation ensures a party cannot deny having performed an action, commonly achieved through digital signatures and logging.
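The SLE/ALE formulas and the risk-response choice above, worked through in code. This is an added example, not part of the study guide; the asset values, exposure factors, rates and control costs are constructed for illustration, and the decision rule in `recommend` is one reading of the guide's "cost of control vs. expected loss, within tolerance" test.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    asset_value: float      # AV: what the asset is worth
    exposure_factor: float  # EF: fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # ARO: expected events per year

def sle(s: Scenario) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return s.asset_value * s.exposure_factor

def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x Annualized Rate of Occurrence."""
    return sle(s) * s.aro

def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net yearly benefit of a control: ALE reduction minus the control's yearly cost."""
    return ale(before) - ale(after) - annual_control_cost

def recommend(before: Scenario, after: Scenario, annual_control_cost: float,
              tolerance: float) -> str:
    """Pick a risk response (Mitigate / Accept / Transfer or Avoid).

    Mitigate when the control pays for itself and leaves residual ALE within tolerance.
    Accept when the control costs more than the expected loss and the untreated ALE is
    already within tolerance (the guide's acceptance criterion). Otherwise the risk is
    too large to carry and too costly to fix, so it must be transferred or avoided.
    """
    loss_before = ale(before)
    if control_value(before, after, annual_control_cost) > 0 and ale(after) <= tolerance:
        return "Mitigate"
    if annual_control_cost > loss_before and loss_before <= tolerance:
        return "Accept"
    return "Transfer or Avoid"

# Constructed scenario 1: file server hit by ransomware; offline backups as the control.
SERVER = Scenario(asset_value=200_000, exposure_factor=0.25, aro=0.5)
SERVER_WITH_BACKUPS = Scenario(asset_value=200_000, exposure_factor=0.05, aro=0.5)

# Constructed scenario 2: a single laptop; a pricey tracking service as the control.
LAPTOP = Scenario(asset_value=2_000, exposure_factor=1.0, aro=0.1)
LAPTOP_TRACKED = Scenario(asset_value=2_000, exposure_factor=0.5, aro=0.1)

if __name__ == "__main__":
    print("server SLE", sle(SERVER), "ALE", ale(SERVER))
    print("server:", recommend(SERVER, SERVER_WITH_BACKUPS, 8_000, tolerance=10_000))
    print("laptop:", recommend(LAPTOP, LAPTOP_TRACKED, 500, tolerance=1_000))
```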
Domain 2: Business Continuity, DR, and Incident Response
- Recovery Time Objective (RTO) is the maximum acceptable time to restore a service after a disruption; it drives how fast recovery solutions must be.
- Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured as a point in time; it drives backup and replication frequency (e.g., a 4-hour RPO requires backups at least every 4 hours).
- The NIST incident response lifecycle has four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.
- Containment limits the scope and spread of an incident to prevent further damage; eradication removes the threat; recovery restores affected systems from known-good sources.
- A Business Continuity Plan (BCP) keeps the whole business operating during a disruption; a Disaster Recovery Plan (DRP) focuses on restoring IT systems and data after an incident.
- A Business Impact Analysis (BIA) identifies critical business functions and the impact/timeframes of disruption, and it is what informs RTO and RPO values.
- The 3-2-1 backup rule: keep 3 copies of data, on 2 different media types, with 1 copy offsite or offline; the offline copy protects against ransomware.
- Backups must be periodically tested by performing actual restores, because untested backups may fail during a real disaster.
- Recovery site options range by cost and speed: hot site (fully replicated and running, fastest), warm site (partially configured), and cold site (space and power only, slowest and cheapest).
- Synchronous replication to a secondary site gives near-zero RPO but adds latency; asynchronous replication is cheaper but allows some data loss.
- Geographic separation and multiple availability zones/regions protect against site-wide and regional disasters.
- A longer (more lenient) RTO allows cheaper recovery methods such as backup-and-restore instead of costly always-on hot standby.
- Backup types: full (everything), incremental (changes since last backup, fast to back up but slow to restore), and differential (changes since last full, grows over time but restores from full plus one differential).
- During an incident, accurate and prompt communication informs stakeholders, leadership, and regulators, and may be legally required by breach-notification laws.
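The RPO, restore-testing and backup-type points above, as an added example that is not from the study guide: given a backup catalogue, it works out which backups must be applied in order to restore to a point in time (latest full, then the latest differential after it, then every incremental after that), and checks the worst-case data loss against an RPO. The catalogue dates are constructed, and incrementals are assumed to capture changes since the previous backup of any type.

```python
from datetime import datetime, timedelta

# Constructed catalogue: (completion time, backup type), not from any real system.
CATALOG = [
    (datetime(2024, 6, 2, 1, 0), "full"),
    (datetime(2024, 6, 3, 1, 0), "incremental"),
    (datetime(2024, 6, 4, 1, 0), "incremental"),
    (datetime(2024, 6, 5, 1, 0), "differential"),  # changes since the June 2 full
    (datetime(2024, 6, 6, 1, 0), "incremental"),   # changes since the June 5 differential
    (datetime(2024, 6, 9, 1, 0), "full"),
]

def restore_chain(catalog, recovery_time):
    """Backups to apply, in order, to reach the newest recoverable point <= recovery_time."""
    usable = sorted(b for b in catalog if b[0] <= recovery_time)
    fulls = [b for b in usable if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup exists before the requested recovery time")
    full = fulls[-1]                                   # a restore always starts from a full
    after_full = [b for b in usable if b[0] > full[0]]
    chain, base_time = [full], full[0]
    diffs = [b for b in after_full if b[1] == "differential"]
    if diffs:                                          # one differential replaces earlier ones
        chain.append(diffs[-1])
        base_time = diffs[-1][0]
    # every incremental since the full (or since the differential) is needed, in order
    chain += [b for b in after_full if b[1] == "incremental" and b[0] > base_time]
    return chain

def data_loss(catalog, failure_time):
    """Worst-case data loss for a failure at failure_time: age of the last completed backup."""
    last = max(ts for ts, _ in catalog if ts <= failure_time)
    return failure_time - last

def meets_rpo(catalog, failure_time, rpo):
    """True when the backup schedule keeps the loss for this failure within the RPO."""
    return data_loss(catalog, failure_time) <= rpo

if __name__ == "__main__":
    crash = datetime(2024, 6, 6, 13, 0)
    for ts, kind in restore_chain(CATALOG, crash):
        print(ts, kind)
    print("loss:", data_loss(CATALOG, crash), "meets 4h RPO:",
          meets_rpo(CATALOG, crash, timedelta(hours=4)))
```

Running it shows that the June 6 failure needs three restores (full, differential, incremental) and loses 12 hours of data, which satisfies a 24-hour RPO but not a 4-hour one.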
Domain 3: Access Control Concepts
- Role-Based Access Control (RBAC) assigns permissions to roles tied to job functions; users inherit permissions by role membership, so permissions are managed once per role.
- Mandatory Access Control (MAC) enforces access via system-wide sensitivity labels and a central policy that users cannot override; it is used in government/military and highly classified environments.
- Discretionary Access Control (DAC) lets the resource owner grant access at their own discretion (e.g., file permissions set by the file's owner).
- Attribute-Based Access Control (ABAC) makes decisions based on attributes of the user, resource, action, and environment (e.g., department, time of day, location).
- Separation of duties (SoD) splits critical tasks among multiple people so no single person can commit and conceal fraud; it requires collusion to bypass.
- Need to know limits access to specific information to those who genuinely require it for their job, even if they hold sufficient clearance; it complements least privilege.
- The three control types by function: preventive (stop an action, e.g., a locked door), detective (identify an event, e.g., logs/CCTV), and corrective (fix after the fact, e.g., restoring from backup).
- Control categories by nature: physical (fences, badge readers, mantraps), technical/logical (firewalls, encryption, MFA), and administrative (policies, training, procedures).
- Physical access controls include badge readers, locked doors, mantraps/access control vestibules (prevent tailgating), turnstiles, and biometric scanners.
- Single Sign-On (SSO) lets a user authenticate once to gain access to multiple systems, reducing password fatigue and help-desk reset volume.
- Federated identity uses standards like SAML and OpenID Connect (OIDC) to let users authenticate across organizations with one identity provider.
- Privileged Access Management (PAM) tightly controls, monitors, and limits administrative accounts; Just-in-Time (JIT) elevation grants privileged access only for a limited, approved window.
- Periodic access reviews and recertification remove stale entitlements and orphaned accounts to combat privilege creep.
- Prompt deprovisioning when an employee leaves revokes access (reducing insider risk) and reclaims licenses to avoid paying for unused accounts.
Domain 4: Network Security
- A firewall filters traffic by allowing or denying packets based on rules (source/destination IP, port, protocol); stateful firewalls track connection state, while stateless firewalls evaluate each packet independently.
- An IDS passively detects and alerts on suspicious activity; an IPS is deployed inline and can actively block malicious traffic.
- A VPN creates an encrypted tunnel over untrusted networks (e.g., public Wi-Fi), protecting confidentiality and integrity of data in transit using protocols like IPsec or TLS.
- A DMZ (screened subnet) hosts internet-facing servers isolated from the internal network by firewalls, so a compromise there does not directly expose internal systems.
- Network segmentation limits broadcast domains, contains traffic, and restricts lateral (east-west) movement by an attacker.
- A Denial-of-Service (DoS) attack targets availability by overwhelming a service; a DDoS uses many distributed sources, and a CDN can absorb/cache traffic to mitigate it.
- Common malware types: a virus needs a host file and user action, a worm self-propagates across networks without user interaction, a Trojan hides in legitimate-looking software, and ransomware encrypts data and demands payment.
- Zero Trust assumes no implicit trust: verify every request explicitly, enforce least privilege, and apply micro-segmentation between workloads.
- A Web Application Firewall (WAF) filters application-layer (Layer 7) attacks such as SQL injection and cross-site scripting before they reach the application.
- The OSI model has 7 layers (Physical, Data Link, Network, Transport, Session, Presentation, Application); TCP/IP and port-based filtering operate at the Transport layer and below.
- Key ports to know: HTTP 80, HTTPS 443, SSH 22, RDP 3389, DNS 53, FTP 20/21, SMTP 25, Telnet 23 (insecure, should be disabled).
- Wi-Fi security should use WPA3 (or WPA2 at minimum); WEP is obsolete and easily broken.
- Common social-engineering attacks include phishing, spear phishing, vishing (voice), smishing (SMS), pretexting, and tailgating into a secure area.
- Deep packet inspection (DPI) improves threat visibility by examining packet contents but adds processing latency, so devices must be sized appropriately.
Domain 5: Security Operations
- Symmetric encryption (e.g., AES, 3DES) uses one shared secret key for both encryption and decryption; it is fast but has a key-distribution challenge.
- Asymmetric encryption (e.g., RSA, ECC) uses a public/private key pair: encrypt with the recipient's public key, decrypt with their private key; sign with the private key, verify with the public key.
- Hashing (e.g., SHA-256) produces a fixed-length one-way digest used to verify integrity; any change to the input changes the hash, and it cannot be reversed.
- Data classification assigns labels (public, internal, confidential, restricted) based on sensitivity, driving proportional controls so confidential data gets stronger protection.
- Data states require different protection: at rest (encryption on storage), in transit (TLS/VPN), and in use (memory and access protections).
- Patch and vulnerability management remediates known vulnerabilities before attackers exploit them; patches should be tested in staging and deployed in maintenance windows with a rollback plan.
- A SIEM aggregates and correlates log and event data from across the environment to enable detection, alerting, and investigation.
- Change management requires reviewing, approving, documenting, and providing rollback for changes to reduce the risk of outages and security gaps.
- Logging and monitoring provide accountability, anomaly detection, and evidence for investigations; logs should be protected from tampering and retained per policy.
- Security awareness training is an administrative control that reduces human-factor risk such as falling for phishing and social engineering.
- Data lifecycle management applies retention policies that automatically tier or delete data; tiered retention keeps recent logs hot/searchable and archives older logs to cheaper cold storage.
- Data minimization reduces both storage cost and breach exposure: less data stored means a smaller, less attractive target.
- Secure data disposal methods include overwriting/wiping, degaussing magnetic media, and physical destruction (shredding); reliable deletion is required when data is no longer needed.
- Acceptable Use Policy (AUP), privacy policy, and password policy are common administrative documents that define expected behavior and configuration standards.
(ISC)² Certified in Cybersecurity (CC) exam tips
- Memorize the exact frameworks and their order: the CIA triad, AAA, the four (ISC)² Code of Ethics canons (in priority order), the four-phase NIST incident response lifecycle, and the risk-response options (Avoid, Mitigate, Transfer, Accept).
- Distinguish lookalike pairs cleanly: threat vs. vulnerability vs. risk, RTO vs. RPO, IDS vs. IPS, BCP vs. DRP, MAC vs. DAC vs. RBAC, and symmetric vs. asymmetric vs. hashing.
- Watch the wording on MFA questions: factors must come from DIFFERENT categories (know/have/are). Two passwords or two security questions are single-factor.
- When a question asks for the BEST or FIRST action, think in terms of priority: protect life and safety first, then contain before eradicate, and apply least privilege and need-to-know as the default answer.
- The exam is concept-focused, not vendor-specific. Pace yourself at roughly one minute per question, flag uncertain ones, and answer every question since there is no penalty for guessing.
Study guide FAQ
How many questions are on the CC exam and what score do I need to pass?
The exam has 100 multiple-choice questions to be completed in 120 minutes. It is scored on a scale of 1 to 1000, and you need a 700 to pass.
Do I need work experience to earn the CC certification?
No. CC is designed as an entry-level credential and requires no prior work experience, making it ideal for students, career changers, and newcomers to cybersecurity. After passing, you complete the (ISC)² endorsement process and agree to the Code of Ethics.
Which domain carries the most weight on the exam?
Security Operations (Domain 5) is the largest at roughly 22%, followed closely by Security Principles, Access Control Concepts, and Network Security. Business Continuity, DR, and Incident Response (Domain 2) is the smallest at about 10%. Study all five, but expect the most questions from operations and principles.
Is the CC exam heavily technical or command-line focused?
No. CC tests foundational concepts, terminology, and security principles rather than hands-on configuration. You do not need to memorize commands; focus on understanding what controls and concepts do, when to use them, and how they relate to confidentiality, integrity, and availability.