ISACA · ITCA
Entry-level certification that validates fundamental knowledge in cybersecurity concepts, one of five certificates in the ITCA program.
Questions
596
Duration
120 minutes
Passing Score
65%
Difficulty
FoundationalLast Updated
Jan 2026
Use this ITCA practice exam to prepare for Information Technology Certified Associate (ITCA) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 596 questions for ISACA ITCA, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The ISACA Cybersecurity Fundamentals Certificate is one of five stackable credentials that together comprise the Information Technology Certified Associate (ITCA) program. It validates foundational knowledge of cybersecurity principles, threat landscapes, asset security, and security operations — the core competencies required to begin a career protecting enterprise data and infrastructure. The exam blends knowledge-based multiple-choice questions with performance-based questions delivered in a virtual lab environment, ensuring candidates can demonstrate practical ability alongside theoretical understanding.
The certificate is part of ISACA's broader effort to create an entry-level pathway into IT credentialing. Candidates who earn all five ITCA certificates — covering Computing Fundamentals, Networking and Infrastructure, Cybersecurity, Software Development, and Data Science — can then apply for the full ITCA certification. The Cybersecurity Fundamentals certificate itself does not expire and awards 9.5 CPE credits when the accompanying course is completed.
This certificate is designed for individuals at the very beginning of their IT or cybersecurity career journey, including recent graduates, college students, and professionals from non-technical fields looking to transition into cybersecurity. No prior work experience in IT is required, making it accessible to career changers who want a recognized credential to validate self-taught or academic knowledge.
It is also well-suited for IT generalists, help desk technicians, or junior administrators who want to formalize their cybersecurity knowledge and differentiate themselves for roles such as security analyst, IT support specialist, or junior SOC analyst. Organizations may also use it as a structured upskilling tool for existing technical teams.
There are no formal prerequisites for the Cybersecurity Fundamentals certificate. Candidates can register and sit for the exam at any time without prior certifications, work experience documentation, or educational requirements — distinguishing it from ISACA's more advanced credentials such as CISM or CISA.
While no prerequisites are mandated, candidates will benefit from a basic familiarity with computing concepts, networking fundamentals, and general IT terminology before attempting the exam. ISACA offers an optional self-paced online course (9.5 CPE credits) and a study guide authored by subject-matter experts to help candidates without a formal cybersecurity background build the necessary knowledge before sitting for the exam.
The exam consists of 75 questions delivered in a computer-based, remotely proctored format. Questions are a blend of knowledge-based multiple-choice items and performance-based questions set within a virtual lab environment, requiring candidates to demonstrate practical task execution rather than purely theoretical recall. The time limit is 120 minutes, and a passing score of 65% is required.
The exam is available continuously — candidates can schedule it as early as 48 hours after payment, with appointments available up to 90 days in advance. Free rescheduling is permitted with at least 48 hours' notice. Candidates have 365 days from the date of purchase to sit for the exam, and there is no stated limit on retake attempts. Exam fees are US$120 for ISACA members and US$144 for non-members.
Earning the Cybersecurity Fundamentals certificate signals to employers that a candidate has verified, baseline competency in protecting systems and data — a quality increasingly valued even for non-security IT roles. It serves as a credible entry point for positions such as junior security analyst, SOC tier-1 analyst, IT support specialist, or cybersecurity technician, particularly at organizations that recognize ISACA credentials (common in financial services, government, and enterprise technology sectors).
As a standalone certificate it complements ISACA's advanced certifications (CISM, CISA, CRISC), providing a documented foundation that can accelerate a candidate's path toward those credentials. For candidates who complete all five ITCA badges and earn the full ITCA certification, the credential demonstrates breadth across core IT disciplines — making it a differentiator in entry-level hiring where employers seek candidates who can operate across multiple technology domains from day one.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 596 questions.
Preview — answers shown1. A software testing team is implementing automated testing for a microservices-based e-commerce application. They need to verify that the payment service, inventory service, and order service work correctly together when processing a complete purchase transaction. Which testing level should they implement? (Select one!)
Explanation
Integration testing verifies that multiple components or modules work correctly together. Testing the interaction between payment, inventory, and order services requires integration testing to ensure proper communication, data exchange, and workflow across service boundaries. Unit testing focuses on individual functions or methods within a single service in isolation. System testing validates the complete application including UI, backend, and infrastructure as a whole. Acceptance testing verifies business requirements are met and is typically performed by end users or stakeholders to determine if the system is ready for deployment.
2. A data science team trains a binary classification model to predict customer churn. After deployment, they discover the model correctly identifies 95 percent of customers who actually churned but generates many false alarms by incorrectly flagging 40 percent of loyal customers as potential churners. Which metric is high while which metric is low? (Select one!)
Explanation
Recall measures the proportion of actual positives correctly identified, which is 95 percent in this scenario. Precision measures the proportion of positive predictions that are correct, which is low due to the 40 percent false positive rate. High precision with low recall would mean few false positives but missing many actual churners. Accuracy measures overall correctness but doesn't distinguish between these specific error types. F1 score balances precision and recall, so it would be moderate given the tradeoff between high recall and low precision.
3. A network engineer troubleshoots connectivity issues between two branch offices connected via IPsec VPN over the internet. The VPN tunnel establishes successfully, but encrypted traffic fails to pass through a newly installed NAT gateway. Which IPsec component and port are required for NAT traversal to function correctly? (Select one!)
Explanation
ESP (Encapsulating Security Payload) protocol provides encryption and integrity for IPsec VPN traffic, and UDP port 4500 is specifically designed for NAT traversal (NAT-T) which encapsulates ESP packets inside UDP to pass through NAT devices. UDP port 500 is used for IKE (Internet Key Exchange) negotiation but not for NAT traversal. AH (Authentication Header) protocol does not support NAT traversal because it includes the IP header in its integrity check, which breaks when NAT modifies IP addresses.
4. A global logistics company manages supply chain data across multiple systems including warehouse management, transportation tracking, and inventory databases. Data quality audits reveal discrepancies where the same product appears with different descriptions in various systems, critical shipment dates are missing in 15% of records, and customer addresses contain invalid postal codes. Which three data quality dimensions are violated in this scenario? (Select three!)
Multiple correct answersExplanation
Consistency is violated when the same product has different descriptions across systems, as data should match across all instances. Completeness is violated when required shipment date fields are missing in 15% of records, failing to fulfill data comprehensiveness expectations. Validity is violated when postal codes do not conform to predefined format rules and standards. Timeliness concerns when data is available, not accuracy of existing data. Uniqueness addresses duplicate records which is not mentioned in the scenario. Accuracy relates to whether data correctly represents reality, but the scenario describes structural quality issues rather than factual correctness.
5. A big data engineer designs a data processing pipeline for analyzing 500 TB of historical customer transaction logs. The analysis requires SQL-like queries on structured data stored in distributed file systems. The organization uses Hadoop ecosystem. The engineer must select an appropriate tool for running SQL queries on HDFS data. Which Hadoop ecosystem component provides SQL-like query capabilities on HDFS data? (Select one!)
Explanation
Hive provides SQL-like query capabilities through HiveQL, allowing users to write SQL queries that execute as MapReduce or Spark jobs on HDFS data. Hive is specifically designed for SQL-like analytics on large datasets. HDFS is the storage layer, not a query engine. MapReduce is a low-level processing paradigm without SQL interface. Spark is a processing engine that can be used with Hive but does not itself provide SQL interface without additional components.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
$17.99
One-time access to this exam