Career Employer

FREE ISC2 CC Study Guide 2026: All 5 Domains

The most important things the ISC2 CC tests — an interactive study guide with built-in quizzes and flashcards, organized by all 5 official domains.

This free ISC2 CC study guide walks through every content domain the Certified in Cybersecurity (CC) exam tests, organized to the current ISC2 exam outline (effective October 1, 2025).[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

CC is ISC2’s entry-level certification — no work experience is required to sit it — and it tests five official domains. We teach all five as five study modules, and we lead with the heaviest-weighted content.

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security textbook.

ISC2 CC is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.

ISC2 CC Exam Snapshot

ISC2 CC exam at a glance
Exam: Certified in Cybersecurity (CC)
Questions: 100–125 items (Computerized Adaptive Testing)
Format: Multiple choice + advanced item types
Time: 2 hours
Passing score: 700 out of 1000 points
Administered by: ISC2, delivered at Pearson VUE (or online proctored)
Certifying body: ISC2 (formerly (ISC)²)
Eligibility: None; entry-level, no work experience required
Cost: About $50 USD
Recertification: Every 3 years; 45 CPE credits + $50 Annual Maintenance Fee
Outline version: Effective October 1, 2025

The CC covers five domains, and the weights are uneven — Security Principles is the largest at 26%, and it frames everything else, so it is where to invest first. Network Security (24%) and Access Controls (22%) are close behind and together with Security Principles make up nearly three-quarters of the exam.[1] Study by weight:

ISC2 CC weighting by domain (exam outline, effective Oct 1, 2025)
Domain 1 · Security Principles: 26%
Domain 4 · Network Security: 24%
Domain 3 · Access Controls Concepts: 22%
Domain 5 · Security Operations: 18%
Domain 2 · Business Continuity, Disaster Recovery & Incident Response: 10%

Module 1 · Security Principles

26% of the exam — the largest domain. Security Principles is the foundation of the whole CC: the goals of security, how an organization understands and treats risk, the kinds of controls it uses, and the governance and ethics a security professional must uphold. Master it and the rest of the exam makes sense.

1.1 CIA Triad & Assurance Concepts

Everything starts with the CIA triad. Confidentiality prevents unauthorized disclosure (encryption, access control); integrity prevents unauthorized change (hashing, checksums); and availability keeps systems reachable for authorized users (redundancy, backups). The opposite of CIA is sometimes called DAD (Disclosure, Alteration, Destruction), naming the threat to each goal.

CC extends the triad with three more information assurance concepts: authentication (proving a claimed identity), non-repudiation (a party can't deny an action they took), and privacy (the appropriate handling of personal information). These appear throughout the exam and underpin access control and operations.[6]

The information assurance concepts (CC Domain 1)
Concept | What it ensures | Typical control
Confidentiality | Data is not disclosed to unauthorized parties | Encryption, access controls
Integrity | Data is accurate and unaltered | Hashing, checksums, change control
Availability | Authorized users get timely access | Redundancy, backups, DDoS defense
Authentication | An identity claim is verified | Passwords, MFA, biometrics
Non-repudiation | An action can't be denied later | Digital signatures, logging
Privacy | Personal data is handled appropriately | Data classification, consent, minimization

1.2 Risk Management & Controls

Risk is the chance that a threat exploits a vulnerability to harm an asset. You need all three for meaningful risk: a threat, a matching vulnerability, and something of value. Risk is a function of likelihood (how probable) and impact (how bad). The risk management process is a continuous loop: identify, assess, treat, implement, and monitor.

Once a risk is assessed, you choose a treatment: avoid (stop the activity), mitigate (add controls), transfer (insurance or a third party), or accept (tolerate it with documented management sign-off). Whatever you do, residual risk remains: risk can be reduced but never eliminated.[4]

The four risk treatment options
Treatment | What you do | Example
Avoid | Stop the activity that creates the risk | Discontinue a risky feature entirely
Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover
Transfer | Shift the financial impact to a third party | Buy cyber-insurance
Accept | Formally tolerate the residual risk | Management signs off on a low-impact risk

Risk is reduced with controls, and CC tests two ways of categorizing them. By type (how they're implemented): technical (technology like firewalls and encryption), administrative (policies and training), and physical (locks, guards, CCTV). By function (what they do): preventive, detective, and corrective (plus deterrent and compensating). A single control has both a type and a function: a firewall rule is a technical, preventive control, while a CCTV camera is a physical, detective control.

1.3 Governance & the Code of Ethics

Security must be governed from the top. Senior management owns risk and sets the tone; the security professional translates business goals into rules.

Know the governance hierarchy: policies (high-level intent) → standards (mandatory specifics) → procedures (step-by-step) → guidelines (recommended, optional). Above all of these sit laws and regulations, which the organization must obey.

The governance document hierarchy
Document | What it is | Mandatory?
Regulation / law | A rule imposed by a government or authority | Yes (by law)
Policy | High-level management statement of intent and goals | Yes
Standard | Specific mandatory requirements (e.g., 'use AES-256') | Yes
Procedure | Detailed step-by-step instructions | Yes
Guideline | Recommended, discretionary best practice | No

Every ISC2 member must follow the ISC2 Code of Ethics. Its four canons are applied in order: (1) protect society, the common good, and the infrastructure; (2) act honorably, honestly, justly, responsibly, and legally; (3) provide diligent and competent service to principals; and (4) advance and protect the profession. When two canons conflict, the earlier one wins.[3]

Module 2 · BC, DR & Incident Response

10% of the exam — the smallest domain, but high-value. This domain is about keeping the organization running and recovering when something goes wrong: business continuity, disaster recovery, and responding to security incidents. The three are related but distinct, and CC loves to test the differences.

2.1 Business Continuity & the BIA

Business continuity (BC) keeps critical business functions running during and after a disruption; it is the broad, organization-wide plan. The business continuity plan (BCP) centers on the business impact analysis (BIA), which identifies the organization's critical functions and sets the recovery targets every other decision serves.

Three recovery metrics come out of the BIA and must be known cold. Maximum Tolerable Downtime (MTD) is the outer limit a function can be down before unacceptable harm. Recovery Time Objective (RTO) is the target time to restore it (RTO must be shorter than MTD). Recovery Point Objective (RPO) is the maximum acceptable data loss, which dictates how often you back up.[5]

The three recovery objectives
Metric | Meaning | Drives
MTD | Maximum Tolerable Downtime, the absolute limit | Sets the ceiling for the RTO
RTO | Recovery Time Objective, target time to restore | Recovery strategy and site choice
RPO | Recovery Point Objective, acceptable data loss | Backup frequency

2.2 Disaster Recovery

Disaster recovery (DR) is the IT-focused subset of continuity: restoring systems, data, and infrastructure after a disruptive event. Where BC keeps the business running, DR gets the technology back. DR relies on backups and on recovery sites, which trade cost against speed.

Recovery sites by cost and speed
Site | What it provides | Trade-off
Hot site | Fully equipped, near-real-time failover | Fastest recovery, most expensive
Warm site | Hardware and connectivity; data restored on demand | Moderate cost and speed
Cold site | Empty space with power and cooling only | Cheapest, slowest to bring online

Backups themselves come in types — full (everything), incremental (changes since the last backup of any kind; fast to back up, slow to restore), and differential (changes since the last full backup; slower to back up, faster to restore). The classic guidance is the 3-2-1 rule: keep three copies, on two different media types, with one copy off-site.
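
A worked example of the backup-type trade-off, added here and not part of the original guide. It simulates a week in which a full backup runs on day 0 and either incrementals or differentials run on days 1 to 6, then works out which backups a restore must apply and what happens when one day's media is unreadable. The day numbering, the `Backup` type and the `restore_plan` helper are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int    # day in the schedule; day 0 is the full backup (constructed numbering)
    kind: str   # "full", "incremental" or "differential"


def weekly_schedule(daily_kind: str) -> list[Backup]:
    """Full backup on day 0, then the chosen backup type every day for the rest of the week."""
    if daily_kind not in ("incremental", "differential"):
        raise ValueError("daily_kind must be 'incremental' or 'differential'")
    return [Backup(0, "full")] + [Backup(day, daily_kind) for day in range(1, 7)]


def restore_plan(schedule: list[Backup], target_day: int,
                 unreadable: frozenset[int] = frozenset()) -> tuple[int | None, list[Backup]]:
    """Work out what a restore can actually reach.

    Returns (latest restorable day, backups to apply in order). `unreadable` holds the
    days whose backup media failed, which is where the two strategies differ: an
    incremental chain breaks at the first missing link, while a differential restore
    only needs the newest readable differential.
    """
    usable = [b for b in schedule if b.day <= target_day]
    fulls = [b for b in usable if b.kind == "full" and b.day not in unreadable]
    if not fulls:
        return None, []                      # no readable full backup: nothing to restore from
    full = fulls[-1]
    later = [b for b in usable if b.day > full.day]

    if any(b.kind == "incremental" for b in later):
        chain = [full]
        for b in later:                      # every incremental since the full is required
            if b.day in unreadable:
                break                        # chain broken; later incrementals are useless
            chain.append(b)
        return chain[-1].day, chain

    diffs = [b for b in later if b.kind == "differential" and b.day not in unreadable]
    if diffs:
        newest = diffs[-1]                   # each differential already contains the older ones
        return newest.day, [full, newest]
    return full.day, [full]


def backups_to_apply(schedule: list[Backup], target_day: int,
                     unreadable: frozenset[int] = frozenset()) -> int:
    """Number of backup sets the restore must read: the restore-speed trade-off in the text."""
    return len(restore_plan(schedule, target_day, unreadable)[1])


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sched = weekly_schedule(kind)
        day, plan = restore_plan(sched, 5)
        print(f"{kind}: restore to day {day} applies {[b.day for b in plan]}")
        day, plan = restore_plan(sched, 5, frozenset({3}))
        print(f"{kind}, day 3 unreadable: restore reaches day {day} via {[b.day for b in plan]}")
```

Incrementals minimize backup time and storage, but a restore is only as good as the weakest link in the chain; a differential restore needs just two sets and survives a lost middle day. That fragility is one practical reason the 3-2-1 rule insists on more than one copy.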

2.3 Incident Response

First, a precise distinction: an event is any observable occurrence, while an incident is an event that actually or potentially harms security. Every incident is an event, but only some events are incidents. Incident response (IR) is the structured process for handling them, run by a designated team following a documented plan.

CC uses the four-phase NIST SP 800-61 lifecycle: Preparation (build the plan, team, and tools), Detection & Analysis (confirm and scope the incident), Containment, Eradication & Recovery (stop the spread, remove the cause, restore service), and Post-Incident Activity (lessons learned). Containment always comes before eradication — you stop the bleeding first.[7]

Module 3 · Access Controls Concepts

22% of the exam. Access controls decide who — and what — can reach resources, and how. This domain splits into physical controls (protecting facilities and hardware) and logical controls (protecting systems and data), tied together by the AAA model: authentication, authorization, and accountability.

3.1 Physical Access Controls

Physical access controls protect the tangible world: facilities, equipment, and the people in them. They include perimeter barriers (fences, bollards, gates), entry controls (locks, badges, biometric readers, turnstiles, and mantraps, a two-door airlock that stops tailgating), guards, and monitoring (CCTV, motion sensors, alarms).

Common physical access controls
Control | Purpose | Function
Locks & badges | Restrict entry to authorized people | Preventive
Mantrap (access control vestibule) | Stop tailgating: one person per authentication | Preventive
Security guard | Human judgment, response, deterrence | Preventive + deterrent
CCTV cameras | Record and monitor activity | Detective + deterrent
Fences, bollards, lighting | Define and protect the perimeter | Preventive + deterrent

3.2 Logical Access Controls & AAA

Logical (technical) access control follows a four-step sequence: identification (claim an identity, e.g., a username) → authentication (prove it) → authorization (what you may do) → accountability (log it). The last three are the AAA model. Strong authentication means multi-factor authentication (MFA): combining factors from different categories, something you know (password), have (token), and are (biometric).[8]

The three authentication factor categories
Factor | Type | Examples
Something you know | Knowledge | Password, PIN, passphrase
Something you have | Possession | Smart card, hardware token, phone
Something you are | Inherence (biometric) | Fingerprint, iris, face
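
The possession factor in practice, as an added example that is not part of the guide: an authenticator app and a server share a secret at enrolment, and the app proves possession by producing a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) that the server recomputes. The code uses only the Python standard library; the demo secret is the RFC test-vector seed and is constructed for the example, as are the `verify_totp` name and its drift and replay handling.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 / RFC 6238 test-vector seed). A real enrolment
# generates a random secret per user; this one exists so the outputs can be checked.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is the number of steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, used_counters: set[int],
                step: int = STEP_SECONDS, digits: int = 6, drift_steps: int = 1) -> bool:
    """Server-side check of a submitted code.

    Accepts the current time step plus or minus `drift_steps` to tolerate clock skew,
    compares in constant time, and refuses to accept the same counter twice so that a
    code captured by phishing cannot be replayed inside its validity window.
    """
    if len(code) != digits or not code.isdigit():
        return False
    current = unix_time // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if counter in used_counters:
                return False                                   # replay: already spent
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    spent: set[int] = set()
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code)                                # 287082 per RFC 6238
    print("first use accepted:", verify_totp(DEMO_SECRET, code, 59, spent))
    print("replay accepted:", verify_totp(DEMO_SECRET, code, 59, spent))
```

The possession proof is only as strong as the secrecy of the shared seed, which is why the server must store it as carefully as a password hash, and why the replay check matters: an attacker who phishes a code has about one time step to use it.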

Two principles govern who gets what: least privilege (only the minimum access needed) and segregation of duties (no one person controls a sensitive task end to end). Authorization is then enforced through access control models.

Discretionary access control (DAC) lets the owner decide; mandatory access control (MAC) is enforced by the system from labels and clearances (most restrictive); and role-based access control (RBAC) grants access by job role, which scales best in organizations.
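
The three models side by side, as an added example that is not from the guide: the same request is decided under DAC (owner-managed access lists), MAC (system-enforced comparison of a clearance against a label) and RBAC (permissions attached to roles). The users, files, levels and roles are constructed, and the MAC rule used here, access only when the clearance dominates the label, is the simplest form of what the text describes.

```python
from __future__ import annotations

# --- DAC: the object's owner manages its access list -----------------------------------
DAC_ACLS: dict[str, dict] = {
    "payroll.xlsx": {"owner": "alice", "read": {"alice", "bob"}, "write": {"alice"}},
    "press-release.txt": {"owner": "carol", "read": {"alice", "bob", "carol"}, "write": {"carol"}},
}


def dac_allows(subject: str, obj: str, action: str) -> bool:
    acl = DAC_ACLS[obj]
    return subject == acl["owner"] or subject in acl.get(action, set())


def dac_grant(granting_user: str, obj: str, subject: str, action: str) -> bool:
    """Only the owner may change the ACL; anyone else's attempt is refused."""
    acl = DAC_ACLS[obj]
    if granting_user != acl["owner"]:
        return False
    acl.setdefault(action, set()).add(subject)
    return True


# --- MAC: the system compares labels and clearances; owners cannot override -------------
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CLEARANCES = {"alice": "confidential", "bob": "internal", "carol": "restricted"}
LABELS = {"payroll.xlsx": "confidential", "press-release.txt": "public"}


def mac_allows(subject: str, obj: str, action: str) -> bool:
    """Access only when the subject's clearance is at least the object's label."""
    return LEVELS[CLEARANCES[subject]] >= LEVELS[LABELS[obj]]


# --- RBAC: permissions attach to roles, users attach to roles ---------------------------
ROLE_PERMS = {
    "payroll-clerk": {("payroll.xlsx", "read")},
    "payroll-manager": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "comms": {("press-release.txt", "read"), ("press-release.txt", "write")},
}
USER_ROLES = {"alice": {"payroll-manager"}, "bob": {"payroll-clerk"}, "carol": {"comms"}}


def rbac_allows(subject: str, obj: str, action: str) -> bool:
    return any((obj, action) in ROLE_PERMS[role] for role in USER_ROLES.get(subject, set()))


def assign_role(user: str, role: str) -> None:
    """Onboarding under RBAC is one role assignment, not a per-file grant."""
    USER_ROLES.setdefault(user, set()).add(role)


def decide_all(subject: str, obj: str, action: str) -> dict[str, bool]:
    """The same request under each model, so the differences are visible side by side."""
    return {
        "DAC": dac_allows(subject, obj, action),
        "MAC": mac_allows(subject, obj, action),
        "RBAC": rbac_allows(subject, obj, action),
    }


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, "read payroll.xlsx:", decide_all(who, "payroll.xlsx", "read"))
```

Notice that bob can read the payroll file under DAC because its owner chose to let him, is refused under MAC because his clearance is below the label, and is allowed under RBAC because his role carries that permission: the deciding party is different in each model.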

Module 4 · Network Security

24% of the exam — the second-largest domain. This is the most technical part of CC: how networks work, the threats they face, and the infrastructure used to defend them. Don’t panic — CC tests concepts and terminology, not configuration.

4.1 Networking Fundamentals

The backbone here is the OSI model: seven layers from Physical up to Application. CC maps devices, protocols, and attacks to layers: switches at Layer 2, routers at Layer 3. The simpler TCP/IP model collapses these into four layers. At the transport layer, TCP is connection-oriented and reliable, while UDP is connectionless and fast.

Know the basics of addressing and protocols: IPv4 uses 32-bit addresses (running out), and IPv6 uses 128-bit addresses (vastly more). Traffic reaches the right service via port numbers — for example, HTTP on 80, HTTPS on 443, SSH on 22, DNS on 53. Wireless (WiFi) should use modern WPA3 encryption, never legacy WEP.

Common ports and protocols to know
Port | Protocol | Use
22 | SSH | Secure remote administration
53 | DNS | Domain name resolution
80 | HTTP | Unencrypted web traffic
443 | HTTPS (TLS) | Encrypted web traffic
3389 | RDP | Remote Desktop

4.2 Threats & Attacks

CC expects you to recognize the common network threats. Malware is an umbrella term covering viruses (need a host file and user action), worms (self-replicate across networks), trojans (disguised as legitimate software), ransomware (encrypts data for extortion), and spyware. Availability attacks include the denial-of-service (DoS) attack (one source floods a target) and the more powerful distributed denial-of-service (DDoS) attack (many compromised machines flood it at once).

Other key attacks: an on-path (man-in-the-middle) attack intercepts traffic between two parties; a side-channel attack leaks information through physical signals; and social engineering, especially phishing, targets people rather than technology and is the most common initial attack vector.

Common network threats at a glance
Threat | What it does | CIA goal attacked
Virus | Attaches to a file and spreads on user action | Integrity / availability
Worm | Self-replicates across the network with no user action | Availability
Ransomware | Encrypts data and demands payment | Availability / confidentiality
DoS / DDoS | Floods a system to exhaust resources | Availability
On-path (MITM) | Intercepts traffic between two parties | Confidentiality / integrity
Phishing | Tricks a user into revealing credentials | Confidentiality

4.3 Network Security Infrastructure

Networks are defended in layers (defense in depth). At the boundary and internally: firewalls filter traffic by rules; an intrusion detection system (IDS) detects and alerts, while an intrusion prevention system (IPS) detects and blocks. VLANs and subnets segment the network; a DMZ (screened subnet) isolates public-facing servers; and a VPN encrypts traffic across untrusted networks. The modern overarching philosophy is zero trust: never trust, always verify.

Network defenses and what they do
Control | What it does | Function
Firewall | Allows/blocks traffic by ruleset | Preventive
IDS | Monitors and alerts on suspicious traffic | Detective
IPS | Detects and actively blocks malicious traffic | Preventive
VLAN / segmentation | Isolates traffic into logical groups | Preventive
DMZ | Screened subnet for public-facing services | Preventive
VPN | Encrypts traffic across an untrusted network | Preventive
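
The IDS-versus-IPS distinction run over traffic, as an added example that is not from the guide: the same rate-based rule (too many connections from one source inside a sliding window, the signature of a single-source DoS) is applied once out of band and once inline. The connection log, the threshold and the window are constructed for the example; the `RateTracker`, `ids` and `ips` names are assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque

# Constructed connection log: (timestamp in ms, source IP, destination port). One ordinary
# client makes four requests over nine seconds; one source opens 30 connections in three.
LEGIT = [(t, "198.51.100.7", 443) for t in (0, 3000, 6000, 9000)]
FLOOD = [(1000 + i * 100, "203.0.113.9", 443) for i in range(30)]
SAMPLE_LOG = sorted(LEGIT + FLOOD, key=lambda e: e[0])

THRESHOLD = 20        # connections per source allowed ...
WINDOW_MS = 10_000    # ... inside this sliding window (assumed tuning values)


class RateTracker:
    """Counts connections per source inside a sliding time window."""

    def __init__(self, window_ms: int = WINDOW_MS) -> None:
        self.window_ms = window_ms
        self.recent: dict[str, deque[int]] = defaultdict(deque)

    def observe(self, ts_ms: int, src: str) -> int:
        q = self.recent[src]
        q.append(ts_ms)
        while q and q[0] <= ts_ms - self.window_ms:   # expire timestamps outside the window
            q.popleft()
        return len(q)


def ids(events, threshold: int = THRESHOLD) -> dict:
    """Detective control: sits off the path, so every connection is forwarded; it only alerts."""
    tracker, alerts = RateTracker(), {}
    for ts, src, _port in events:
        if tracker.observe(ts, src) > threshold and src not in alerts:
            alerts[src] = ts                           # first moment the source crossed the line
    return {"forwarded": len(events), "alerts": alerts}


def ips(events, threshold: int = THRESHOLD) -> dict:
    """Preventive control: sits inline, so once a source trips the rule its traffic is dropped."""
    tracker, blocked, forwarded, dropped = RateTracker(), set(), [], 0
    for ts, src, port in events:
        if src in blocked or tracker.observe(ts, src) > threshold:
            blocked.add(src)
            dropped += 1
            continue
        forwarded.append((ts, src, port))
    return {"forwarded": len(forwarded), "dropped": dropped, "blocked": sorted(blocked)}


if __name__ == "__main__":
    print("IDS:", ids(SAMPLE_LOG))   # everything forwarded, one alert at t=3000 ms
    print("IPS:", ips(SAMPLE_LOG))   # 24 forwarded, 10 dropped, flood source blocked
```

The IDS sees the flood and raises one alert while all 34 connections reach the server; the IPS lets the first 20 through and then drops the rest. The flip side of an inline control is that a bad rule or a false positive drops legitimate traffic, which is why the threshold and window need tuning against the real traffic profile.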

CC also introduces cloud concepts: the service models SaaS (software), PaaS (platform), and IaaS (infrastructure), and the shared responsibility model — the provider secures the cloud itself, while the customer secures what they put in it (their data, access, and configuration).

Module 5 · Security Operations

18% of the exam. Security operations is where security runs day to day: protecting data, hardening systems, controlling change, enforcing policy, and training people. It ties the other four domains into routine practice.

5.1 Data Security & Encryption

Data must be protected throughout its lifecycle and in each of its states: data at rest (encrypt the disk or database), data in transit (TLS, IPsec, or a VPN), and data in use (the hardest to protect, since it's decrypted in memory). The tool for confidentiality is encryption.

Symmetric encryption uses one shared key (AES); it is fast but the key is hard to distribute. Asymmetric encryption uses a public/private key pair (RSA); it is slower but it solves key exchange and enables digital signatures. For integrity, hashing produces a one-way digest (SHA-256).[6]
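
The integrity point in running code, as an added example that is not from the guide and uses only the Python standard library: a plain SHA-256 digest catches an accidental change to a stored record, but it does not stop an on-path attacker who alters the record and recomputes the digest that travels with it; a keyed HMAC (the symmetric-key counterpart of the digest, not named in the text) does. The record, the shared key and the function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample record and its tampered twin (one field changed).
ORIGINAL = b"transfer 100.00 from ACCT-001 to ACCT-002"
TAMPERED = b"transfer 900.00 from ACCT-001 to ACCT-002"

# Constructed shared key for the HMAC; in practice it comes from a key store, never source code.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """One-way SHA-256 digest, the integrity check described in the text."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Recompute the digest and compare in constant time (avoids a timing side channel)."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: only a holder of the key can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_ok(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag)


def plain_hash_detects_change() -> bool:
    """Data at rest: the digest is stored separately, so an altered record no longer matches."""
    stored_digest = sha256_hex(ORIGINAL)
    return integrity_ok(ORIGINAL, stored_digest) and not integrity_ok(TAMPERED, stored_digest)


def plain_hash_fooled_by_attacker() -> bool:
    """Data in transit with the digest attached: an on-path attacker alters the record and
    recomputes the digest, so the receiver's check passes. Returns True when the check is fooled."""
    attacker_record, attacker_digest = TAMPERED, sha256_hex(TAMPERED)
    return integrity_ok(attacker_record, attacker_digest)


def hmac_resists_attacker() -> bool:
    """With a shared key, the attacker can alter the record but cannot forge a valid tag."""
    genuine_tag = hmac_sha256_hex(SHARED_KEY, ORIGINAL)
    forged_tag = sha256_hex(TAMPERED)          # the best an attacker without the key can do
    return hmac_ok(SHARED_KEY, ORIGINAL, genuine_tag) and not hmac_ok(SHARED_KEY, TAMPERED, forged_tag)


if __name__ == "__main__":
    print("plain hash catches accidental change:", plain_hash_detects_change())
    print("plain hash fooled by active attacker:", plain_hash_fooled_by_attacker())
    print("HMAC resists active attacker:        ", hmac_resists_attacker())
```

An HMAC still does not give non-repudiation: both sender and receiver hold the same key, so either could have produced the tag. That is the gap digital signatures, built on the asymmetric key pair, close.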

Protecting data in its three states
State | Example | Protection
At rest | Files on a disk, rows in a database | Full-disk / database encryption
In transit | Traffic moving across a network | TLS, IPsec, VPN
In use | Data decrypted in memory while processing | Access controls, secure enclaves (hardest)

Data is governed by data classification: labeling it by sensitivity (public, internal, confidential, restricted) so the right protection, handling, and retention apply. Logging and monitoring (often centralized in a SIEM) provide the visibility needed to detect and investigate problems.

5.2 Hardening & Change Management

System hardening reduces a system's attack surface (removing unnecessary services, closing unused ports, disabling default accounts, and applying patches), measured against a secure baseline. Configuration management keeps systems in that known-good state by recording and controlling their settings, and change management ensures every change is evaluated, tested, approved, and documented so a fix doesn't introduce a new vulnerability.

Operational disciplines that keep systems secure
Discipline | What it does
System hardening | Reduces attack surface: remove services, close ports, patch, disable defaults
Baseline | Defines the minimum secure configuration to harden toward
Configuration management | Records and controls system settings to keep a known-good state
Change management | Evaluates, tests, approves, and documents every change
Patch management | Applies vendor updates promptly to close known vulnerabilities

5.3 Policies & Security Awareness

Operations is governed by everyday security policies: an acceptable use policy (AUP) that says how systems may be used, data handling and classification policies, privacy policies, password policies, and bring-your-own-device (BYOD) rules. Policies only work if people follow them, which is why security awareness training is part of operations.

The biggest operational risk is the human one. Social engineering manipulates people into breaking security, and phishing (fraudulent emails or messages) is its most common form. Training teaches users to recognize phishing, use strong unique passwords (and a password manager), lock their screens, and report anything suspicious.

How to Use This ISC2 CC Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Lead with Security Principles (26%), then Network Security (24%) and Access Controls (22%); BC/DR and Incident Response (10%) is smallest but quick to learn.
  • Memorize the distinctions. CC loves comparison questions — control type vs. function, DAC/MAC/RBAC, IDS vs. IPS, RTO vs. RPO, event vs. incident. Nail these and you nail the exam.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until your score climbs comfortably above 700.

ISC2 CC Glossary

The high-yield ISC2 CC terms in one place, each with a one-line definition.

Acceptable use policy (AUP)
A policy defining how employees may use organizational systems and data.
Accountability
Tying actions back to a specific identity through logging and monitoring.
Administrative control
A managerial control — policies, procedures, standards, and training that direct people.
Asset
Anything of value to the organization that needs protection — data, hardware, software, or people.
Asymmetric encryption
Encryption using a public/private key pair (e.g., RSA); solves key exchange and enables signatures.
Authentication
Proving a claimed identity with a credential (something you know, have, or are).
Authorization
Determining what an authenticated identity is permitted to access and do.
Availability
Ensuring authorized users have timely, reliable access to systems and data; protected by redundancy, backups, and fault tolerance.
Baseline
A minimum required level of secure configuration for a system.
Business continuity plan (BCP)
A plan to keep critical business functions operating during and after a disruption.
Business Impact Analysis (BIA)
An analysis that identifies critical business functions and sets recovery objectives (MTD, RTO, RPO).
Change management
A controlled process for evaluating, approving, and documenting changes to systems.
CIA triad
The three core goals of information security: Confidentiality (no unauthorized disclosure), Integrity (no unauthorized modification), and Availability (timely, reliable access for authorized users).
Confidentiality
Preventing the unauthorized disclosure of data; protected primarily by encryption and access controls.
Configuration management
The disciplined process of recording, controlling, and approving changes to system settings.
Corrective control
A control that restores systems after an incident (backups, patches).
Data at rest
Data stored on a disk or in a database; protected with full-disk or database encryption.
Data classification
Labeling data by sensitivity (e.g., public, confidential) so the right protection is applied.
Data in transit
Data moving across a network; protected with TLS, IPsec, or a VPN.
DDoS attack
A Distributed Denial-of-Service attack launched from many compromised machines at once.
Defense in depth
Layering multiple, overlapping controls so that if one fails, others still protect the asset.
Detective control
A control that identifies an incident in progress or after the fact (CCTV, IDS, logs).
Disaster recovery (DR)
The processes and procedures to restore IT systems and operations after a disruptive event.
Discretionary access control (DAC)
Access decided by the data owner (e.g., file permissions, ACLs).
DMZ
A demilitarized zone — a screened subnet that exposes public-facing services while shielding the internal network.
DoS attack
A Denial-of-Service attack that floods a system from one source to make it unavailable.
Event
Any observable occurrence on a system or network.
Firewall
A control that filters network traffic, allowing or blocking it based on a defined ruleset.
Guideline
Recommended, discretionary best practice; not mandatory.
Hashing
A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256).
Identification
A subject claiming an identity (e.g., a username) — the first step of access control.
IDS
Intrusion Detection System — monitors traffic and alerts on suspicious activity but does not block it.
Impact
The magnitude of harm if a risk event occurs.
Incident
An event that actually or potentially harms the confidentiality, integrity, or availability of information.
Incident response (IR)
The structured process to prepare for, detect, contain, eradicate, recover from, and learn from a security incident.
Integrity
Ensuring data is accurate and unaltered except by authorized parties; protected by hashing, checksums, and change control.
IPS
Intrusion Prevention System — detects and actively blocks malicious traffic.
ISC2 Code of Ethics
Four canons every ISC2 member must follow, applied in order: protect society and the infrastructure; act honorably; provide diligent service to principals; advance and protect the profession.
Least privilege
Granting users and processes only the minimum access needed to do their job, and nothing more.
Likelihood
The probability that a given threat will exploit a given vulnerability.
Malware
Malicious software such as viruses, worms, trojans, ransomware, and spyware.
Mandatory access control (MAC)
Access enforced by the system from labels and clearances; rigid and high-security.
Maximum Tolerable Downtime (MTD)
The longest time a business function can be unavailable before the organization suffers unacceptable harm.
Multi-factor authentication (MFA)
Using two or more factors from different categories — something you know, have, and are.
Non-repudiation
Assurance that a party cannot deny having performed an action, achieved through digital signatures and logging.
OSI model
A seven-layer reference model for networking: Physical, Data Link, Network, Transport, Session, Presentation, Application.
Phishing
A social-engineering attack using fraudulent messages to trick users into revealing credentials or installing malware.
Physical control
A tangible control that protects facilities and hardware (locks, fences, guards, CCTV).
Policy
A high-level management statement of intent and goals; mandatory.
Preventive control
A control that stops an incident before it happens (a lock, a firewall rule).
Privacy
The appropriate collection, use, and protection of personal information.
Procedure
Detailed step-by-step instructions for completing a task; mandatory.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
Recovery Time Objective (RTO)
The targeted time to restore a system or function after a disruption; must be shorter than the MTD.
Regulation
A rule imposed by a government or authority that an organization must comply with by law.
Residual risk
The risk that remains after controls are applied; senior management formally accepts it.
Risk
The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
Risk acceptance
A documented, management-approved decision to tolerate a risk and its potential impact.
Risk avoidance
Eliminating a risk by ceasing the activity that creates it.
Risk mitigation
Reducing risk to an acceptable level by implementing controls.
Risk transference
Shifting the financial impact of a risk to a third party, such as through insurance.
Role-based access control (RBAC)
Access granted by job role rather than the individual; scales well in organizations.
Security awareness training
Educating users to recognize and avoid threats such as phishing and social engineering.
Segregation of duties
Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
SIEM
Security Information and Event Management — a system that aggregates and correlates logs for detection and analysis.
Social engineering
Manipulating people into divulging information or performing actions that compromise security (e.g., phishing).
Standard
A specific mandatory requirement that supports a policy (e.g., 'use AES-256').
Symmetric encryption
Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast.
System hardening
Reducing a system's attack surface by removing unnecessary services, closing ports, and patching.
TCP
Transmission Control Protocol — a connection-oriented Layer 4 protocol providing reliable, ordered delivery.
TCP/IP model
A four-layer practical networking model: Network Access, Internet, Transport, and Application.
Technical control
A control implemented with technology (firewalls, encryption, MFA); also called a logical control.
Threat
Any potential event or actor that could cause harm to an asset by exploiting a vulnerability.
UDP
User Datagram Protocol — a connectionless Layer 4 protocol that is fast but unreliable.
VLAN
Virtual LAN — logically segments a network to isolate traffic and limit broadcast domains.
VPN
Virtual Private Network — an encrypted tunnel that secures traffic across an untrusted network.
Vulnerability
A weakness in a system, process, or control that a threat can exploit.
Zero trust
A model that trusts no user or device by default and continuously verifies every access request.

ISC2 CC Study Guide FAQ

The current ISC2 CC exam (outline effective October 1, 2025) uses Computerized Adaptive Testing with 100 to 125 items, and you have 2 hours to complete it. It includes multiple-choice questions and advanced item types. The exam is offered in English, Chinese, Japanese, German, and Spanish.

References

  1. ISC2. “Certified in Cybersecurity (CC) Exam Outline (effective October 1, 2025).” isc2.org.
  2. ISC2. “CC — Certified in Cybersecurity.” isc2.org.
  3. ISC2. “ISC2 Code of Ethics.” isc2.org.
  4. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-34 Rev. 1: Contingency Planning Guide.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  7. National Institute of Standards and Technology. “SP 800-61 Rev. 2: Computer Security Incident Handling Guide.” csrc.nist.gov.
  8. National Institute of Standards and Technology. “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov.
  9. National Institute of Standards and Technology. “Cybersecurity Framework (CSF) 2.0.” nist.gov.