ISACA · CyberSec-Fund
Validates foundational cybersecurity knowledge across four domains: information security fundamentals, threat landscape, securing assets, and security operations and response, covering core security concepts, threat identification, data protection, and incident detection.
Questions
596
Duration
120 minutes
Passing Score
65%
Difficulty
FoundationalLast Updated
Feb 2026
The ISACA Cybersecurity Fundamentals Certificate does not expire. Once you pass the exam and earn it, it stays valid for life. There is no continuing professional education (CPE) requirement, no annual maintenance fee, and nothing to renew. That sets it apart from ISACA's professional certifications such as CISA, CISM, CRISC, and CGEIT, which must be renewed every three years and carry ongoing CPE obligations.
Because it is a foundational, knowledge-based credential, the goal is simply to pass the exam once. This practice set covers the four domains it tests: information security fundamentals, the threat landscape, securing assets, and security operations and response. Start with 30 free questions, then work through the full bank of 596 with detailed explanations and earn a certificate that never needs renewing.
The ISACA Cybersecurity Fundamentals Certificate validates foundational knowledge and practical skills across the core principles of cybersecurity. It covers the language, frameworks, and technologies that define the discipline, including information security fundamentals, data protection, threat identification, and security operations. The credential is designed to establish that a candidate understands both the theoretical underpinnings of cybersecurity and the practical role security professionals play in defending enterprise systems and data.
Unlike ISACA's more advanced practitioner certifications, this certificate is explicitly entry-level and carries no expiration date, making it a durable credential for those early in their cybersecurity journey. The exam blends traditional knowledge-based multiple-choice questions with performance-based questions set in a virtual lab environment, reflecting ISACA's emphasis on applied, real-world competency rather than purely memorized concepts.
This certificate is designed for students, recent graduates, and early-career IT professionals who want to establish a verified baseline in cybersecurity. It is also well-suited for IT professionals from adjacent disciplines—such as networking, systems administration, or software development—who are transitioning into security-focused roles and need to formalize their foundational knowledge.
Career changers from non-IT backgrounds entering the cybersecurity field will also find this credential valuable as a first step toward more advanced ISACA certifications such as the CSX-P (Cybersecurity Practitioner). Organizations looking to upskill staff or build internal cybersecurity awareness programs frequently use this certificate as a baseline benchmark for their teams.
There are no formal prerequisites for the Cybersecurity Fundamentals Certificate. ISACA allows candidates to register for and sit the exam at any time, with no required work experience, prior certifications, or formal education. This open-access policy reflects the foundational, entry-level nature of the credential.
While no prerequisites are mandated, candidates with some exposure to basic IT concepts—such as networking fundamentals, operating system basics, or general IT infrastructure—will find the material more approachable. Familiarity with concepts like access control, encryption basics, or network protocols is beneficial but not required to begin studying.
The exam consists of 60 scored questions delivered over 120 minutes, yielding roughly two minutes per question. It is administered online as a remotely proctored, closed-book exam, meaning candidates can take it from any suitable location without visiting a physical test center. The question format combines traditional knowledge-based multiple-choice questions with performance-based questions set in a virtual lab environment, testing practical application alongside conceptual understanding.
A passing score of 65% is required, meaning candidates must answer at least 39 of the 60 questions correctly. Exam eligibility is valid for 12 months from the date of registration. Candidates may reschedule their exam without penalty if they do so at least 48 hours before the scheduled appointment. The certificate itself does not expire once earned.
Earning the Cybersecurity Fundamentals Certificate signals to employers that a candidate has verified, baseline-level cybersecurity knowledge validated by ISACA—a globally recognized standards body also responsible for CISA, CISM, and CRISC. For entry-level roles such as Security Analyst, IT Security Technician, SOC Analyst (Tier 1), or Junior Penetration Tester, this credential helps candidates stand out in competitive applicant pools where many lack any formal cybersecurity validation. The digital badge issued through Credly allows holders to display their credential on LinkedIn and other professional platforms for immediate visibility to recruiters.
As a foundational certificate with no expiration date, it also serves as a stepping stone toward more advanced ISACA credentials. Candidates who go on to earn the CSX-P (Cybersecurity Practitioner) certification—ISACA's hands-on, performance-based practitioner credential—can expect significantly higher earning potential, with mid-career cybersecurity professionals commonly earning between $80,000 and $130,000 annually depending on role and region. The Cybersecurity Fundamentals Certificate positions candidates to begin that progression with a recognized, vendor-neutral credential accepted across industries.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 596 questions.
Preview — answers shown1. An enterprise implements mandatory access control for protecting classified government contracts. Users are assigned security clearances of Confidential, Secret, and Top Secret. Documents are labeled with corresponding classification levels. A user with Secret clearance attempts to read a Top Secret document and write data to a Confidential file. Which outcomes occur under the Bell-LaPadula security model? (Select one!)
Explanation
Both operations fail under Bell-LaPadula model which enforces confidentiality through two properties. The Simple Security Property or no read up rule prevents subjects from reading objects at higher classification levels, so the Secret user cannot read the Top Secret document. The Star Property or no write down rule prevents subjects from writing to objects at lower classification levels to prevent information leakage, so the Secret user cannot write to the Confidential file. Both operations succeeding would violate confidentiality requirements. Read failing with write succeeding only applies the read restriction without write restriction. Read succeeding with write failing reverses the actual model behavior.
2. An enterprise deploys 802.1X network access control with EAP authentication. The security policy requires the strongest possible authentication with mutual certificate validation between clients and servers. Which EAP method should be configured? (Select one!)
Explanation
EAP-TLS with client and server certificates is correct because it provides the highest security level through mutual authentication where both the client and server validate each other using X.509 certificates. PEAP with server certificate only provides strong protection for credentials but only authenticates the server to the client, not mutual authentication. EAP-TTLS also uses server-only certificates without client certificate authentication. EAP-MD5 with shared secrets is deprecated due to lack of encryption and vulnerability to dictionary attacks.
3. A security analyst reviews vulnerability scan results showing CVE-2024-12345 with the following CVSS metrics: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Changed, and High impact to Confidentiality, Integrity, and Availability. What CVSS severity rating does this vulnerability likely have? (Select one!)
Explanation
Critical severity rating (9.0-10.0) applies to vulnerabilities with network-based attack vectors requiring no privileges or user interaction, changed scope, and high CIA impact. These characteristics indicate easily exploitable vulnerabilities with severe consequences across security boundaries. Low severity applies to vulnerabilities with minimal impact or high exploitation barriers. Medium severity requires some privileges or has limited impact. High severity (7.0-8.9) represents serious vulnerabilities but typically lacks the combination of network exploitability, no authentication, scope change, and complete CIA impact that characterizes critical vulnerabilities.
4. A security team configures wireless infrastructure and must select the most secure authentication protocol available. The solution must provide forward secrecy, protect against offline dictionary attacks on captured handshakes, and use the strongest encryption. Which wireless security protocol should be implemented? (Select one!)
Explanation
WPA3 provides the strongest wireless security through Simultaneous Authentication of Equals (SAE) replacing the vulnerable 4-way handshake, forward secrecy ensuring past sessions remain secure even if passwords are compromised, protection against offline dictionary attacks, and AES-GCMP-256 encryption. WEP is completely broken and can be cracked in minutes. WPA with TKIP is deprecated due to vulnerabilities. WPA2 with AES-CCMP is secure but vulnerable to offline dictionary attacks against captured handshakes and lacks forward secrecy.
5. An enterprise must select a disaster recovery site for its data center supporting 24/7 operations. The organization has a limited budget but requires system restoration within 8-12 hours after a disaster. The DR site should have networking infrastructure and some pre-installed equipment, but systems do not need to run continuously. Which disaster recovery site type meets these requirements at the lowest cost? (Select one!)
Explanation
Warm site provides the optimal balance for the specified requirements. It includes pre-installed servers, storage, and networking hardware with some systems configured but not running continuously. Recovery time for warm sites typically ranges from several hours to one day, which aligns with the 8-12 hour RTO requirement. Warm sites cost significantly less than hot sites because systems are not fully operational 24/7. Hot site would meet the RTO easily with minutes-to-hours recovery but is the most expensive option and exceeds budget constraints. Cold site provides only bare infrastructure with no pre-installed equipment, requiring days to weeks for recovery which exceeds the 8-12 hour RTO. Mobile sites are specialized solutions for temporary operations rather than primary disaster recovery.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
$17.99
One-time access to this exam