This free ISC2 CC study guide walks through every content domain the Certified in Cybersecurity (CC) exam tests, organized to the current ISC2 exam outline (effective October 1, 2025).[1]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
CC is ISC2’s entry-level certification — no work experience is required to sit it — and it tests five official domains. We teach all five as five study modules, and we lead with the heaviest-weighted content.
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security textbook.
ISC2 CC is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.
ISC2 CC Exam Snapshot
| Detail | Certified in Cybersecurity (CC) |
|---|---|
| Questions | 100–125 items (Computerized Adaptive Testing) |
| Format | Multiple choice + advanced item types |
| Time | 2 hours |
| Passing score | 700 out of 1000 points |
| Administered by | ISC2, delivered at Pearson VUE (or online proctored) |
| Certifying body | ISC2 (formerly (ISC)²) |
| Eligibility | None — entry-level; no work experience required |
| Cost | About $50 USD |
| Recertification | Every 3 years — 45 CPE credits + $50 Annual Maintenance Fee |
| Outline version | Effective October 1, 2025 |
The CC covers five domains, and the weights are uneven — Security Principles is the largest at 26%, and it frames everything else, so it is where to invest first. Network Security (24%) and Access Controls (22%) are close behind and together with Security Principles make up nearly three-quarters of the exam.[1] Study by weight:
| Domain | Weight |
|---|---|
| Security Principles | 26% of the exam |
| Business Continuity, Disaster Recovery & Incident Response Concepts | 10% of the exam |
| Access Controls Concepts | 22% of the exam |
| Network Security | 24% of the exam |
| Security Operations | 18% of the exam |
Module 1 · Security Principles
26% of the exam — the largest domain. Security Principles is the foundation of the whole CC: the goals of security, how an organization understands and treats risk, the kinds of controls it uses, and the governance and ethics a security professional must uphold. Master it and the rest of the exam makes sense.
1.1 CIA Triad & Assurance Concepts
Everything starts with the CIA triad. Confidentiality prevents unauthorized disclosure (encryption, access control); integrity prevents unauthorized change (hashing, checksums); and availability keeps systems reachable for authorized users (redundancy, backups). The opposite of CIA is sometimes called DAD (Disclosure, Alteration, Destruction), naming the threat to each goal.
- Confidentiality: Prevent unauthorized disclosure of data (encryption, access control).
- Integrity: Keep data accurate and unaltered except by authorized parties (hashing, checksums).
- Availability: Authorized users get timely, reliable access (redundancy, backups, DDoS defense).
- Authentication: Proving a claimed identity with a credential.
- Non-repudiation: A party cannot deny having performed an action.
- Privacy: Appropriate handling of personal information.
CC extends the triad with three more information assurance concepts: authentication (proving a claimed identity), non-repudiation (a party can’t deny an action they took), and privacy (the appropriate handling of personal information). These appear throughout the exam and underpin access control and operations.[6]
| Concept | What it ensures | Typical control |
|---|---|---|
| Confidentiality | Data is not disclosed to unauthorized parties | Encryption, access controls |
| Integrity | Data is accurate and unaltered | Hashing, checksums, change control |
| Availability | Authorized users get timely access | Redundancy, backups, DDoS defense |
| Authentication | An identity claim is verified | Passwords, MFA, biometrics |
| Non-repudiation | An action can't be denied later | Digital signatures, logging |
| Privacy | Personal data is handled appropriately | Data classification, consent, minimization |
1.2 Risk Management & Controls
Risk is the chance that a threat exploits a vulnerability to harm an asset. You need all three for meaningful risk: a threat, a matching vulnerability, and something of value. Risk is a function of likelihood (how probable) and impact (how bad). The risk management process is a continuous loop: identify, assess, treat, implement, and monitor.
1. Identify assets, threats & vulnerabilities: Inventory what you protect, then list threats (potential causes of harm) and vulnerabilities (weaknesses they could exploit).
2. Assess & prioritize risk: Estimate the likelihood and impact of each threat exploiting a vulnerability; rank the risks so the biggest get attention first.
3. Choose a risk treatment: Avoid (stop the activity), Mitigate (reduce with controls), Transfer (insurance / third party), or Accept (tolerate with sign-off).
4. Implement controls: Deploy administrative, technical, and physical controls cost-effectively; a control should not cost more than the asset it protects.
5. Monitor & review: Residual risk remains after controls, and senior management accepts it. Reassess as assets, threats, and the business change.
Once a risk is assessed, you choose a treatment: avoid (stop the activity), mitigate (add controls), transfer (insurance or a third party), or accept (tolerate it with documented management sign-off). Whatever you do, residual risk remains; risk can be reduced but never eliminated.[4]
| Treatment | What you do | Example |
|---|---|---|
| Avoid | Stop the activity that creates the risk | Discontinue a risky feature entirely |
| Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover |
| Transfer | Shift the financial impact to a third party | Buy cyber-insurance |
| Accept | Formally tolerate the residual risk | Management signs off on a low-impact risk |
Risk is reduced with controls, and CC tests two ways of categorizing them. By type (how they’re implemented): technical (technology like firewalls and encryption), administrative (policies and training), and physical (locks, guards, CCTV). By function (what they do): preventive, detective, and corrective (plus deterrent and compensating). A single control has both a type and a function: a firewall rule is a technical, preventive control, and a CCTV camera is a physical, detective one.
By type (how it’s implemented):
- Technical (logical): Technology that enforces security: firewalls, encryption, antivirus, MFA, access control lists.
- Administrative (managerial): Policies, procedures, standards, and training that direct how people behave.
- Physical: Tangible barriers that protect facilities and hardware: locks, fences, guards, badges, CCTV.
By function (what it does):
- Preventive: Stop an incident before it happens (a lock, a firewall rule).
- Detective: Identify an incident in progress or after the fact (CCTV, IDS, logs).
- Corrective: Restore systems after an incident (backups, patches, antivirus removal).
- Deterrent: Discourage an attacker (warning signs, visible guards).
1.3 Governance & the Code of Ethics
Security must be governed from the top. Senior management owns risk and sets the tone; the security professional translates business goals into rules.
Know the governance hierarchy: policies (high-level intent) → standards (mandatory specifics) → procedures (step-by-step) → guidelines (recommended, optional). Above all of these sit laws and regulations, which the organization must obey.
| Document | What it is | Mandatory? |
|---|---|---|
| Regulation / law | A rule imposed by a government or authority | Yes (by law) |
| Policy | High-level management statement of intent and goals | Yes |
| Standard | Specific mandatory requirements (e.g., 'use AES-256') | Yes |
| Procedure | Detailed step-by-step instructions | Yes |
| Guideline | Recommended, discretionary best practice | No |
Every ISC2 member must follow the ISC2 Code of Ethics. Its four canons are applied in order: (1) protect society, the common good, and the infrastructure; (2) act honorably, honestly, justly, responsibly, and legally; (3) provide diligent and competent service to principals; and (4) advance and protect the profession. When two canons conflict, the earlier one takes precedence.[3]
Checkpoint · Security Principles
Which three properties make up the CIA triad, the foundational model of information security?
Module 2 · BC, DR & Incident Response
10% of the exam — the smallest domain, but high-value. This domain is about keeping the organization running and recovering when something goes wrong: business continuity, disaster recovery, and responding to security incidents. The three are related but distinct, and CC loves to test the differences.
2.1 Business Continuity & the BIA
Business continuity (BC) keeps critical business functions running during and after a disruption; it is the broad, organization-wide plan. The business continuity plan (BCP) centers on the business impact analysis (BIA), which identifies the organization’s critical functions and sets the recovery targets every other decision serves.
Three recovery metrics come out of the BIA and must be known cold. Maximum Tolerable Downtime (MTD) is the outer limit a function can be down before unacceptable harm. Recovery Time Objective (RTO) is the target time to restore it (RTO must be shorter than MTD). Recovery Point Objective (RPO) is the maximum acceptable data loss, measured backward in time from the disruption, which dictates how often you back up.[5]
| Metric | Meaning | Drives |
|---|---|---|
| MTD | Maximum Tolerable Downtime — the absolute limit | Sets the ceiling for the RTO |
| RTO | Recovery Time Objective — target time to restore | Recovery strategy and site choice |
| RPO | Recovery Point Objective — acceptable data loss | Backup frequency |
2.2 Disaster Recovery
Disaster recovery (DR) is the IT-focused subset of continuity: restoring systems, data, and infrastructure after a disruptive event. Where BC keeps the business running, DR gets the technology back. DR relies on backups and on recovery sites, which trade cost against speed.
| Site | What it provides | Trade-off |
|---|---|---|
| Hot site | Fully equipped, near-real-time failover | Fastest recovery, most expensive |
| Warm site | Hardware and connectivity; data restored on demand | Moderate cost and speed |
| Cold site | Empty space with power and cooling only | Cheapest, slowest to bring online |
Backups themselves come in types — full (everything), incremental (changes since the last backup of any kind; fast to back up, slow to restore), and differential (changes since the last full backup; slower to back up, faster to restore). The classic guidance is the 3-2-1 rule: keep three copies, on two different media types, with one copy off-site.
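The restore-time trade-off between the three backup types is easiest to see by simulating a week of backups. The following Python is an added example, not code from this guide or from ISC2: the list of files, the daily change sets, and the version counters are constructed sample data, and each backup set is modelled as the files it captured plus their version at that moment. It goes slightly beyond the paragraph by also counting how much each scheme writes over the week, which is the other side of the trade-off.

```python
"""Restore chains for full, incremental and differential backups.

Added example (not from the ISC2 outline or this guide). The daily change sets
are constructed sample data: day 0 is the full backup, days 1..6 are daily runs.
"""
from typing import Dict, List, Set

ALL_FILES: Set[str] = {"orders.db", "config.yml", "logs/app.log", "users.db", "static.png"}

# Constructed: which files changed on each day after the day-0 full backup.
CHANGES: Dict[int, Set[str]] = {
    1: {"orders.db"},
    2: {"orders.db", "config.yml"},
    3: {"logs/app.log"},
    4: {"orders.db"},
    5: {"users.db"},
    6: {"config.yml", "logs/app.log"},
}


def state_at(day: int, changes: Dict[int, Set[str]] = CHANGES) -> Dict[str, int]:
    """True state of every file on `day`: version = number of changes up to that day."""
    return {f: sum(1 for d in changes if d <= day and f in changes[d]) for f in ALL_FILES}


def backup_sets(scheme: str, changes: Dict[int, Set[str]] = CHANGES) -> Dict[int, Dict[str, int]]:
    """What each day's backup captures (file -> version) under the given scheme.

    full:         every run copies every file
    incremental:  each run copies only files changed since the previous run (of any kind)
    differential: each run copies everything changed since the last full (day 0)
    """
    sets: Dict[int, Dict[str, int]] = {0: state_at(0, changes)}
    since_full: Set[str] = set()
    for day in sorted(changes):
        since_full |= changes[day]
        if scheme == "full":
            captured = ALL_FILES
        elif scheme == "incremental":
            captured = changes[day]
        elif scheme == "differential":
            captured = since_full
        else:
            raise ValueError(f"unknown scheme: {scheme}")
        versions = state_at(day, changes)
        sets[day] = {f: versions[f] for f in captured}
    return sets


def restore_chain(scheme: str, target_day: int) -> List[int]:
    """Which backup sets must be applied, in order, to restore the state as of target_day."""
    if scheme == "full":
        return [target_day]                                  # one set, always
    if scheme == "differential":
        return [0] if target_day == 0 else [0, target_day]   # last full + latest differential
    if scheme == "incremental":
        return list(range(target_day + 1))                   # last full + every incremental since
    raise ValueError(f"unknown scheme: {scheme}")


def restore(scheme: str, target_day: int, changes: Dict[int, Set[str]] = CHANGES) -> Dict[str, int]:
    """Apply the chain oldest-to-newest; later sets overwrite earlier versions."""
    sets = backup_sets(scheme, changes)
    restored: Dict[str, int] = {}
    for day in restore_chain(scheme, target_day):
        restored.update(sets[day])
    return restored


def files_copied(scheme: str, changes: Dict[int, Set[str]] = CHANGES) -> int:
    """Total file copies written over the week: the backup-time cost of each scheme."""
    return sum(len(s) for s in backup_sets(scheme, changes).values())


if __name__ == "__main__":
    for scheme in ("full", "incremental", "differential"):
        ok = restore(scheme, 6) == state_at(6)
        print(f"{scheme:12} chain to day 6 = {restore_chain(scheme, 6)}  "
              f"copies written = {files_copied(scheme):2}  restore correct = {ok}")
```

The incremental chain to day 6 needs all seven sets applied in order, and losing any one of them breaks the restore; the differential chain needs only the full plus the latest set, at the price of copying more each night. That dependency is also why the 3-2-1 rule matters: a chain is only as recoverable as its weakest copy.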
2.3 Incident Response
First, a precise distinction: an event is any observable occurrence, while an incident is an event that actually or potentially harms security. Every incident is an event, but only some events are incidents. Incident response (IR) is the structured process for handling them, run by a designated team following a documented plan.
1. Preparation: Build the IR plan and team, set up tools and communications, and train staff, all before anything happens.
2. Detection & Analysis: Recognize that an event is actually an incident, confirm it, determine scope, and prioritize.
3. Containment, Eradication & Recovery: Stop the spread (contain), remove the cause (eradicate), and restore systems to normal operation (recover).
4. Post-Incident Activity: Hold a lessons-learned review, document what happened, and improve the plan and controls.
CC uses the four-phase NIST SP 800-61 lifecycle: Preparation (build the plan, team, and tools), Detection & Analysis (confirm and scope the incident), Containment, Eradication & Recovery (stop the spread, remove the cause, restore service), and Post-Incident Activity (lessons learned). Containment always comes before eradication — you stop the bleeding first.[7]
Checkpoint · BC, DR & Incident Response
What is the primary purpose of a Business Continuity Plan (BCP)?
Module 3 · Access Controls Concepts
22% of the exam. Access controls decide who — and what — can reach resources, and how. This domain splits into physical controls (protecting facilities and hardware) and logical controls (protecting systems and data), tied together by the AAA model: authentication, authorization, and accountability.
3.1 Physical Access Controls
Physical access controls protect the tangible world: facilities, equipment, and the people in them. They include perimeter barriers (fences, bollards, gates), entry controls (locks, badges, biometric readers, turnstiles, and mantraps, a two-door airlock that stops tailgating), guards, and monitoring (CCTV, motion sensors, alarms).
| Control | Purpose | Function |
|---|---|---|
| Locks & badges | Restrict entry to authorized people | Preventive |
| Mantrap (access control vestibule) | Stop tailgating — one person per authentication | Preventive |
| Security guard | Human judgment, response, deterrence | Preventive + deterrent |
| CCTV cameras | Record and monitor activity | Detective + deterrent |
| Fences, bollards, lighting | Define and protect the perimeter | Preventive + deterrent |
3.2 Logical Access Controls & AAA
Logical (technical) access control follows a four-step sequence: identification (claim an identity, e.g., a username) → authentication (prove it) → authorization (what you may do) → accountability (log it). The last three are the AAA model. Strong authentication means multi-factor authentication (MFA): combining factors from different categories, something you know (password), have (token), and are (biometric). Two passwords are not MFA, because both come from the same category.[8]
| Factor | Type | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, passphrase |
| Something you have | Possession | Smart card, hardware token, phone |
| Something you are | Inherence (biometric) | Fingerprint, iris, face |
Two principles govern who gets what: least privilege (only the minimum access needed) and segregation of duties (no one person controls a sensitive task end to end). Authorization is then enforced through access control models.
- DAC (Discretionary Access Control): The data owner decides who gets access (e.g., file permissions). Flexible but error-prone.
- MAC (Mandatory Access Control): The system enforces access from labels and clearances (e.g., classified data). Rigid, highest security.
- RBAC (Role-Based Access Control): Access is granted by job role, not the individual. Scales well in organizations.
In short: DAC lets the owner decide; MAC is enforced by the system from labels and clearances (most restrictive); and RBAC grants access by job role, which scales best in organizations.
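The three models are easiest to tell apart when the same request is put to each of them. The Python below is an added example, not code from this guide or from ISC2: the users, file, labels, roles and the role-conflict table are constructed sample data, and the MAC write rule (no write down) follows the Bell-LaPadula star property, which is an assumption beyond what the guide states. It also adds a segregation-of-duties check, since that principle is enforced through the same role data.

```python
"""One access request decided under DAC, MAC and RBAC, plus a separation-of-duties check.

Added example (not from the ISC2 outline or this guide). Users, files, labels,
roles and the role-conflict table are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# MAC: ordered sensitivity levels, least to most sensitive.
LEVELS: List[str] = ["public", "internal", "confidential", "secret"]

# RBAC: role -> set of (resource, permission) the role carries.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("report.pdf", "read")},
    "admin": {("report.pdf", "read"), ("report.pdf", "write")},
    "payment_requester": {("payments", "submit")},
    "payment_approver": {("payments", "approve")},
}

# Segregation of duties: role pairs one person must never hold together (constructed).
CONFLICTING_ROLES: Set[frozenset] = {frozenset({"payment_requester", "payment_approver"})}


@dataclass
class Subject:
    name: str
    clearance: str                                  # MAC
    roles: Set[str] = field(default_factory=set)    # RBAC


@dataclass
class Resource:
    name: str
    owner: str                                      # DAC
    label: str                                      # MAC
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: user -> perms the owner granted


def dac_allows(s: Subject, r: Resource, perm: str) -> bool:
    """Discretionary: the owner decides. Owner always has access; others need an ACL entry."""
    return s.name == r.owner or perm in r.acl.get(s.name, set())


def mac_allows(s: Subject, r: Resource, perm: str) -> bool:
    """Mandatory: the system compares clearance to label; ownership is irrelevant.

    Read requires clearance >= label (no read up). Write requires clearance <= label
    (no write down; Bell-LaPadula star property, an assumption beyond the guide's text).
    """
    clearance, label = LEVELS.index(s.clearance), LEVELS.index(r.label)
    if perm == "read":
        return clearance >= label
    if perm == "write":
        return clearance <= label
    return False


def rbac_allows(s: Subject, r: Resource, perm: str) -> bool:
    """Role-based: access comes from the roles held, never from the individual."""
    return any((r.name, perm) in ROLE_PERMISSIONS.get(role, set()) for role in s.roles)


def decide(s: Subject, r: Resource, perm: str) -> Dict[str, bool]:
    """One request, three verdicts: shows where the models disagree."""
    return {"DAC": dac_allows(s, r, perm), "MAC": mac_allows(s, r, perm), "RBAC": rbac_allows(s, r, perm)}


def sod_violations(s: Subject) -> List[Set[str]]:
    """Role combinations this subject holds that break segregation of duties."""
    return [set(pair) for pair in CONFLICTING_ROLES if pair <= s.roles]


# Constructed sample data.
REPORT = Resource("report.pdf", owner="alice", label="confidential", acl={"carol": {"read"}})
ALICE = Subject("alice", clearance="internal", roles={"analyst"})   # owns the file, but under-cleared
BOB = Subject("bob", clearance="secret", roles={"admin"})           # cleared, not on the ACL
CAROL = Subject("carol", clearance="public", roles=set())           # on the ACL, no clearance, no role
DAVE = Subject("dave", clearance="internal", roles={"payment_requester", "payment_approver"})

if __name__ == "__main__":
    for who, perm in ((ALICE, "read"), (BOB, "read"), (BOB, "write"), (CAROL, "read")):
        print(f"{who.name:6} {perm:5} report.pdf -> {decide(who, REPORT, perm)}")
    print("dave SoD violations:", sod_violations(DAVE))
```

Alice owns the file, so DAC lets her read it, but her clearance is below its label, so MAC refuses; Bob is cleared to read it under MAC, yet MAC blocks his write because a secret-cleared subject must not write to a lower label; Carol gets in only because the owner put her on the ACL. The exam question "which model is most restrictive" is exactly the MAC column.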
Checkpoint · Access Controls Concepts
What does authorization determine?
Module 4 · Network Security
24% of the exam — the second-largest domain. This is the most technical part of CC: how networks work, the threats they face, and the infrastructure used to defend them. Don’t panic — CC tests concepts and terminology, not configuration.
4.1 Networking Fundamentals
The backbone here is the OSI model, seven layers from Physical up to Application. CC maps devices, protocols, and attacks to layers: switches at Layer 2, routers at Layer 3. The simpler TCP/IP model collapses these into four layers. At the transport layer, TCP is connection-oriented and reliable, while UDP is connectionless and fast.
| Layer | Name | What lives there |
|---|---|---|
| 7 | Application | HTTP, DNS, SMTP; the data the user sees |
| 6 | Presentation | Encryption, encoding, formatting (TLS sits near 6/7) |
| 5 | Session | Setting up, managing, and tearing down sessions |
| 4 | Transport | TCP (reliable) and UDP (fast); port numbers |
| 3 | Network | IP addressing and routing; routers; IPsec |
| 2 | Data Link | MAC addresses; switches; frames |
| 1 | Physical | Cables, signals, and hardware; hubs |
Know the basics of addressing and protocols: IPv4 uses 32-bit addresses (running out), and IPv6 uses 128-bit addresses (vastly more). Traffic reaches the right service via port numbers — for example, HTTP on 80, HTTPS on 443, SSH on 22, DNS on 53. Wireless (WiFi) should use modern WPA3 encryption, never legacy WEP.
| Port | Protocol | Use |
|---|---|---|
| 22 | SSH | Secure remote administration |
| 53 | DNS | Domain name resolution |
| 80 | HTTP | Unencrypted web traffic |
| 443 | HTTPS (TLS) | Encrypted web traffic |
| 3389 | RDP | Remote Desktop |
4.2 Threats & Attacks
CC expects you to recognize the common network threats. Malware is an umbrella term: viruses (need a host file and user action), worms (self-replicate across networks), trojans (disguised as legitimate software), ransomware (encrypts data for extortion), and spyware. Availability attacks include the denial-of-service (DoS) attack (one source floods a target) and the more powerful distributed denial-of-service (DDoS) attack (many compromised machines flood it at once).
Other key attacks: an on-path (man-in-the-middle) attack intercepts traffic between two parties; a side-channel attack leaks information through physical signals such as timing or power use; and social engineering, especially phishing, targets people rather than technology and is the most common initial attack vector.
| Threat | What it does | CIA goal attacked |
|---|---|---|
| Virus | Attaches to a file and spreads on user action | Integrity / availability |
| Worm | Self-replicates across the network with no user action | Availability |
| Ransomware | Encrypts data and demands payment | Availability / confidentiality |
| DoS / DDoS | Floods a system to exhaust resources | Availability |
| On-path (MITM) | Intercepts traffic between two parties | Confidentiality / integrity |
| Phishing | Tricks a user into revealing credentials | Confidentiality |
4.3 Network Security Infrastructure
Networks are defended in layers (defense in depth). At the boundary and internally: firewalls filter traffic by rules; an IDS (intrusion detection system) detects and alerts, while an IPS (intrusion prevention system) detects and blocks. VLANs and subnets segment the network; a DMZ (screened subnet) isolates public-facing servers; and a VPN encrypts traffic across untrusted networks. The modern overarching philosophy is zero trust: never trust, always verify.
| Control | What it does | Function |
|---|---|---|
| Firewall | Allows/blocks traffic by ruleset | Preventive |
| IDS | Monitors and alerts on suspicious traffic | Detective |
| IPS | Detects and actively blocks malicious traffic | Preventive |
| VLAN / segmentation | Isolates traffic into logical groups | Preventive |
| DMZ | Screened subnet for public-facing services | Preventive |
| VPN | Encrypts traffic across an untrusted network | Preventive |
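What "filters traffic by rules" means in practice is an ordered list where the first match wins and anything unmatched is dropped. The Python below is an added example, not code from this guide or from ISC2: the internal and DMZ subnets, the rules and the test packets are constructed sample data (the address ranges are the RFC 5737 documentation ranges). It goes a step beyond the paragraph by also finding rules that can never fire because an earlier rule covers them, the most common mistake in a hand-written ruleset.

```python
"""Ordered firewall ruleset: first match wins, implicit default deny, shadowed-rule check.

Added example (not from the ISC2 outline or this guide). Subnets use documentation
address ranges; the rules and packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR the packet's source must fall in
    dst: str               # CIDR the packet's destination must fall in
    dport: Optional[int]   # destination port, None = any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"      # constructed corporate LAN
DMZ = "192.0.2.0/24"         # constructed screened subnet (TEST-NET-1)

RULES: List[Rule] = [
    Rule("allow", "tcp", ANY, DMZ, 443, "Internet -> DMZ web tier over HTTPS"),
    Rule("allow", "tcp", INTERNAL, DMZ, 22, "admins manage DMZ hosts over SSH"),
    Rule("deny", "tcp", DMZ, INTERNAL, None, "DMZ must never initiate into the LAN"),
    Rule("allow", "udp", INTERNAL, ANY, 53, "internal hosts may resolve DNS"),
    Rule("deny", "tcp", "203.0.113.0/24", DMZ, 443, "block a noisy scanner (never reached: rule 0 covers it)"),
    # Everything not matched above is dropped by the implicit default deny in evaluate().
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this packet fall inside the rule's protocol, source, destination and port?"""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; no match means deny (default deny, never default allow)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, f"rule {i}: {rule.comment}"
    return "deny", "implicit default deny"


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet b would match, a matches too (so a placed earlier hides b)."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    port_ok = a.dport is None or a.dport == b.dport
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.7", "192.0.2.10", 443),   # the "blocked" scanner still gets in
        Packet("tcp", "192.0.2.10", "10.1.2.3", 445),      # DMZ host probing the LAN
        Packet("tcp", "10.1.2.3", "192.0.2.10", 22),       # admin SSH into the DMZ
        Packet("tcp", "10.1.2.3", "198.51.100.5", 80),     # unmatched: default deny
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed rules:", shadowed_rules(RULES))
```

Rule 4 was meant to block a scanner, but rule 0 already allows any source to reach the DMZ on 443, so the scanner's packet is accepted and rule 4 never runs; the deny would have to move above rule 0 to take effect. A stateful firewall would also track connections so replies to allowed sessions pass without their own rule, which this stateless filter does not model.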
CC also introduces cloud concepts: the service models SaaS (software), PaaS (platform), and IaaS (infrastructure), and the shared responsibility model — the provider secures the cloud itself, while the customer secures what they put in it (their data, access, and configuration).
Checkpoint · Network Security
What does the OSI model layer 3 (Network layer) primarily handle?
Module 5 · Security Operations
18% of the exam. Security operations is where security runs day to day: protecting data, hardening systems, controlling change, enforcing policy, and training people. It ties the other four domains into routine practice.
5.1 Data Security & Encryption
Data must be protected throughout its lifecycle and in each of its states: data at rest (encrypt the disk or database), data in transit (TLS, IPsec, or a VPN), and data in use (the hardest to protect, since it’s decrypted in memory). The tool for confidentiality is encryption.
Symmetric encryption uses one shared key (AES); it is fast, but that key must be distributed securely to every party. Asymmetric encryption uses a public/private key pair (RSA); it is slower, but it solves key exchange and enables digital signatures. For integrity, hashing produces a one-way, fixed-length digest (SHA-256). A hash alone shows that data is unchanged; a digital signature over that hash also proves who produced it, which is what gives non-repudiation.[6]
| State | Example | Protection |
|---|---|---|
| At rest | Files on a disk, rows in a database | Full-disk / database encryption |
| In transit | Traffic moving across a network | TLS, IPsec, VPN |
| In use | Data decrypted in memory while processing | Access controls, secure enclaves (hardest) |
Data is governed by data classification: labeling it by sensitivity (public, internal, confidential, restricted) so the right protection, handling, and retention apply. Logging and monitoring (often centralized in a SIEM) provide the visibility needed to detect and investigate problems.
5.2 Hardening & Change Management
System hardening reduces a system’s attack surface (removing unnecessary services, closing unused ports, disabling default accounts, and applying patches), measured against a secure baseline. Configuration management keeps systems in that known-good state by recording and controlling their settings, and change management ensures every change is evaluated, tested, approved, and documented so a fix doesn’t introduce a new vulnerability.
| Discipline | What it does |
|---|---|
| System hardening | Reduces attack surface: remove services, close ports, patch, disable defaults |
| Baseline | Defines the minimum secure configuration to harden toward |
| Configuration management | Records and controls system settings to keep a known-good state |
| Change management | Evaluates, tests, approves, and documents every change |
| Patch management | Applies vendor updates promptly to close known vulnerabilities |
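Hashing for integrity (5.1) and holding a system to a known-good baseline (5.2) meet in one everyday tool: a digest manifest taken after hardening, rechecked later to find what drifted. The Python below is an added example, not code from this guide or from ISC2, and uses only the standard library; the "filesystem" is an in-memory dict of path to bytes constructed for the demo, and the seal key is a constructed demo secret. It also adds the caveat a practitioner wants: a plain hash list stored beside the files can be rewritten by whoever changed the files, so the manifest itself is sealed with a keyed MAC.

```python
"""Hash-based integrity baseline with a keyed seal on the manifest.

Added example (not from the ISC2 outline or this guide); standard library only.
The "filesystem" is an in-memory dict of path -> bytes, constructed for the demo,
so the block runs without touching real files.
"""
import hashlib
import hmac
from typing import Dict, List, Mapping

# Constructed golden image captured right after hardening.
GOLDEN: Mapping[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/bin/sudo": b"\x7fELF(constructed stand-in for a binary)",
}

# Constructed later snapshot: sshd reconfigured, sudo gone, a cron job planted.
CURRENT_STATE: Mapping[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/cron.d/backdoor": b"* * * * * root /tmp/.x\n",
}

# Constructed demo secret; in production the key lives off the host being checked.
SEAL_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Mapping[str, bytes]) -> Dict[str, str]:
    """path -> SHA-256 digest, in sorted order so the manifest is canonical."""
    return {path: sha256_hex(files[path]) for path in sorted(files)}


def verify(baseline: Mapping[str, str], files: Mapping[str, bytes]) -> Dict[str, List[str]]:
    """Compare a live snapshot against the baseline and sort drift into categories."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        if path not in files:
            report["missing"].append(path)
        elif hmac.compare_digest(sha256_hex(files[path]), expected):
            report["ok"].append(path)
        else:
            report["modified"].append(path)
    report["unexpected"] = sorted(p for p in files if p not in baseline)
    return report


def manifest_bytes(baseline: Mapping[str, str]) -> bytes:
    """Canonical text form of the manifest (same layout as sha256sum output)."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(baseline.items())).encode()


def seal(baseline: Mapping[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the manifest. Without the key, an attacker who alters files
    cannot produce a matching seal for a rewritten manifest."""
    return hmac.new(key, manifest_bytes(baseline), hashlib.sha256).hexdigest()


def seal_valid(baseline: Mapping[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(baseline, key), tag)


if __name__ == "__main__":
    base = build_baseline(GOLDEN)
    tag = seal(base, SEAL_KEY)
    print(verify(base, CURRENT_STATE))
    # Attacker rewrites the manifest entry for the file they changed.
    forged = {**base, "/etc/ssh/sshd_config": sha256_hex(CURRENT_STATE["/etc/ssh/sshd_config"])}
    print("original manifest seal valid:", seal_valid(base, SEAL_KEY, tag))
    print("forged manifest seal valid:  ", seal_valid(forged, SEAL_KEY, tag))
```

The verify report is the configuration-management view (what changed, what vanished, what appeared); the seal is what stops the report from being quietly neutralised. Note that an HMAC proves only that someone holding the shared key produced the manifest, so it gives authenticity but not non-repudiation; for that the guide's answer is a digital signature, which uses the asymmetric key pair described in 5.1.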
5.3 Policies & Security Awareness
Operations is governed by everyday security policies: an acceptable use policy (AUP) (how systems may be used), data handling and classification policies, privacy policies, password policies, and bring-your-own-device (BYOD) rules. Policies only work if people follow them, which is why security awareness training is part of operations.
The biggest operational risk is the human one. Social engineering manipulates people into breaking security, and phishing (fraudulent emails or messages) is its most common form. Training teaches users to recognize phishing, use strong unique passwords (and a password manager), lock their screens, and report anything suspicious.
Checkpoint · Security Operations
What is the main purpose of patch management?
How to Use This ISC2 CC Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. Lead with Security Principles (26%), then Network Security (24%) and Access Controls (22%); BC/DR and Incident Response (10%) is smallest but quick to learn.
- Memorize the distinctions. CC loves comparison questions — control type vs. function, DAC/MAC/RBAC, IDS vs. IPS, RTO vs. RPO, event vs. incident. Nail these and you nail the exam.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until your score climbs comfortably above 700.
ISC2 CC Concept Questions
Common ISC2 CC concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
ISC2 CC Glossary
The high-yield ISC2 CC terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Acceptable use policy (AUP)
- A policy defining how employees may use organizational systems and data.
- Accountability
- Tying actions back to a specific identity through logging and monitoring.
- Administrative control
- A managerial control — policies, procedures, standards, and training that direct people.
- Asset
- Anything of value to the organization that needs protection — data, hardware, software, or people.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA); solves key exchange and enables signatures.
- Authentication
- Proving a claimed identity with a credential (something you know, have, or are).
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Availability
- Ensuring authorized users have timely, reliable access to systems and data; protected by redundancy, backups, and fault tolerance.
- Baseline
- A minimum required level of secure configuration for a system.
- Business continuity plan (BCP)
- A plan to keep critical business functions operating during and after a disruption.
- Business Impact Analysis (BIA)
- An analysis that identifies critical business functions and sets recovery objectives (MTD, RTO, RPO).
- Change management
- A controlled process for evaluating, approving, and documenting changes to systems.
- CIA triad
- The three core goals of information security: Confidentiality (no unauthorized disclosure), Integrity (no unauthorized modification), and Availability (timely, reliable access for authorized users).
- Confidentiality
- Preventing the unauthorized disclosure of data; protected primarily by encryption and access controls.
- Configuration management
- The disciplined process of recording, controlling, and approving changes to system settings.
- Corrective control
- A control that restores systems after an incident (backups, patches).
- Data at rest
- Data stored on a disk or in a database; protected with full-disk or database encryption.
- Data classification
- Labeling data by sensitivity (e.g., public, confidential) so the right protection is applied.
- Data in transit
- Data moving across a network; protected with TLS, IPsec, or a VPN.
- DDoS attack
- A Distributed Denial-of-Service attack launched from many compromised machines at once.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Detective control
- A control that identifies an incident in progress or after the fact (CCTV, IDS, logs).
- Disaster recovery (DR)
- The processes and procedures to restore IT systems and operations after a disruptive event.
- Discretionary access control (DAC)
- Access decided by the data owner (e.g., file permissions, ACLs).
- DMZ
- A demilitarized zone — a screened subnet that exposes public-facing services while shielding the internal network.
- DoS attack
- A Denial-of-Service attack that floods a system from one source to make it unavailable.
- Event
- Any observable occurrence on a system or network.
- Firewall
- A control that filters network traffic, allowing or blocking it based on a defined ruleset.
- Guideline
- Recommended, discretionary best practice; not mandatory.
- Hashing
- A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256).
- Identification
- A subject claiming an identity (e.g., a username) — the first step of access control.
- IDS
- Intrusion Detection System — monitors traffic and alerts on suspicious activity but does not block it.
- Impact
- The magnitude of harm if a risk event occurs.
- Incident
- An event that actually or potentially harms the confidentiality, integrity, or availability of information.
- Incident response (IR)
- The structured process to prepare for, detect, contain, eradicate, recover from, and learn from a security incident.
- Integrity
- Ensuring data is accurate and unaltered except by authorized parties; protected by hashing, checksums, and change control.
- IPS
- Intrusion Prevention System — detects and actively blocks malicious traffic.
- ISC2 Code of Ethics
- Four canons every ISC2 member must follow, applied in order: protect society and the infrastructure; act honorably; provide diligent service to principals; advance and protect the profession.
- Least privilege
- Granting users and processes only the minimum access needed to do their job, and nothing more.
- Likelihood
- The probability that a given threat will exploit a given vulnerability.
- Malware
- Malicious software such as viruses, worms, trojans, ransomware, and spyware.
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; rigid and high-security.
- Maximum Tolerable Downtime (MTD)
- The longest time a business function can be unavailable before the organization suffers unacceptable harm.
- Multi-factor authentication (MFA)
- Using two or more factors from different categories — something you know, have, and are.
- Non-repudiation
- Assurance that a party cannot deny having performed an action, achieved through digital signatures and logging.
- OSI model
- A seven-layer reference model for networking: Physical, Data Link, Network, Transport, Session, Presentation, Application.
- Phishing
- A social-engineering attack using fraudulent messages to trick users into revealing credentials or installing malware.
- Physical control
- A tangible control that protects facilities and hardware (locks, fences, guards, CCTV).
- Policy
- A high-level management statement of intent and goals; mandatory.
- Preventive control
- A control that stops an incident before it happens (a lock, a firewall rule).
- Privacy
- The appropriate collection, use, and protection of personal information.
- Procedure
- Detailed step-by-step instructions for completing a task; mandatory.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
- Recovery Time Objective (RTO)
- The targeted time to restore a system or function after a disruption; must be shorter than the MTD.
- Regulation
- A rule imposed by a government or authority that an organization must comply with by law.
- Residual risk
- The risk that remains after controls are applied; senior management formally accepts it.
- Risk
- The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
- Risk acceptance
- A documented, management-approved decision to tolerate a risk and its potential impact.
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk mitigation
- Reducing risk to an acceptable level by implementing controls.
- Risk transference
- Shifting the financial impact of a risk to a third party, such as through insurance.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales well in organizations.
- Security awareness training
- Educating users to recognize and avoid threats such as phishing and social engineering.
- Segregation of duties
- Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
- SIEM
- Security Information and Event Management — a system that aggregates and correlates logs for detection and analysis.
- Social engineering
- Manipulating people into divulging information or performing actions that compromise security (e.g., phishing).
- Standard
- A specific mandatory requirement that supports a policy (e.g., 'use AES-256').
- Symmetric encryption
- Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast.
- System hardening
- Reducing a system's attack surface by removing unnecessary services, closing ports, and patching.
- TCP
- Transmission Control Protocol — a connection-oriented Layer 4 protocol providing reliable, ordered delivery.
- TCP/IP model
- A four-layer practical networking model: Network Access, Internet, Transport, and Application.
- Technical control
- A control implemented with technology (firewalls, encryption, MFA); also called a logical control.
- Threat
- Any potential event or actor that could cause harm to an asset by exploiting a vulnerability.
- UDP
- User Datagram Protocol — a connectionless Layer 4 protocol that is fast but unreliable.
- VLAN
- Virtual LAN — logically segments a network to isolate traffic and limit broadcast domains.
- VPN
- Virtual Private Network — an encrypted tunnel that secures traffic across an untrusted network.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Zero trust
- A model that trusts no user or device by default and continuously verifies every access request.
ISC2 CC Study Guide FAQ
The current ISC2 CC exam (outline effective October 1, 2025) uses Computerized Adaptive Testing with 100 to 125 items, and you have 2 hours to complete it. It includes multiple-choice questions and advanced item types. The exam is offered in English, Chinese, Japanese, German, and Spanish.
From the current outline: Security Principles (26%), Business Continuity, Disaster Recovery and Incident Response Concepts (10%), Access Controls Concepts (22%), Network Security (24%), and Security Operations (18%). Security Principles is the largest domain, with Network Security and Access Controls close behind.
You need a scaled score of 700 out of 1000 points to pass. Because the exam is adaptive, item difficulty adjusts to your ability, so a raw question count does not translate directly to a percentage; the 700 threshold reflects a consistent ability standard.
There are no work-experience prerequisites: CC is an entry-level certification designed for newcomers to cybersecurity. Anyone can register and sit the exam. After passing, you agree to the ISC2 Code of Ethics and pay the Annual Maintenance Fee to become certified.
Study by weight. Start with Security Principles (26%), then Network Security (24%) and Access Controls (22%), followed by Security Operations (18%) and finally BC/DR and Incident Response (10%). Read each module, take the checkpoint, then drill gaps with our free practice test and flashcards.
The CC exam fee is about $50 USD. After certifying, you maintain it on a three-year cycle by earning 45 Continuing Professional Education (CPE) credits and paying a $50 Annual Maintenance Fee (AMF).
CC is an entry-level exam and is widely considered approachable: the questions are mostly definitional and conceptual rather than deeply technical, and most candidates who study the full outline pass. Its breadth — five domains spanning principles, continuity, access, networking, and operations — is the main challenge, so organized review across all five matters.
The Certified in Cybersecurity (CC) is issued by ISC2 and delivered at Pearson VUE test centers or via online proctoring. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
1. ISC2. “Certified in Cybersecurity (CC) Exam Outline (effective October 1, 2025).” isc2.org.
2. ISC2. “CC — Certified in Cybersecurity.” isc2.org.
3. ISC2. “ISC2 Code of Ethics.” isc2.org.
4. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
5. National Institute of Standards and Technology. “SP 800-34 Rev. 1: Contingency Planning Guide.” csrc.nist.gov.
6. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
7. National Institute of Standards and Technology. “SP 800-61 Rev. 2: Computer Security Incident Handling Guide.” csrc.nist.gov.
8. National Institute of Standards and Technology. “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov.
9. National Institute of Standards and Technology. “Cybersecurity Framework (CSF) 2.0.” nist.gov.

Career Employer
Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.
