ISC2 · CC
The ISC2 Certified in Cybersecurity (CC) validates foundational knowledge and skills required for entry- or junior-level cybersecurity roles. It covers security principles, access controls, network security, and incident response concepts.
Questions
838
Duration
120 minutes
Passing Score
700/1000
Difficulty
FoundationalLast Updated
Mar 2026
Use this CC practice exam to prepare for Certified in Cybersecurity (CC) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 838 questions for ISC2 CC, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Security Principles, Business Continuity, Disaster Recovery & Incident Response, Access Controls Concepts, Network Security, and Security Operations. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The ISC2 Certified in Cybersecurity (CC) is an entry-level certification developed by ISC2 — the world's largest association of certified cybersecurity professionals — to validate foundational knowledge and skills required for junior cybersecurity roles. The credential covers five core domains: Security Principles (including the CIA triad, risk management, and governance), Business Continuity and Disaster Recovery, Access Controls, Network Security, and Security Operations. It is accredited by ANAB to ISO/IEC Standard 17024, signifying its adherence to internationally recognized standards for personnel certification.
The CC was created specifically to address the global cybersecurity workforce shortage, which ISC2 estimated at nearly 4.8 million unfilled positions in 2024. It serves as both a standalone entry-level credential and a structured pathway to advanced ISC2 certifications such as the CISSP. Uniquely among professional certifications, ISC2 has offered free training and exam vouchers to qualifying candidates as part of its One Million Certified in Cybersecurity initiative, significantly lowering the barrier to entry for career changers and new graduates.
The CC is designed for individuals at the beginning of their cybersecurity careers, including career changers transitioning from unrelated fields, recent college graduates or current students in IT or computer science programs, and IT generalists looking to formalize their security knowledge. ISC2 explicitly states that no prior work experience in cybersecurity or IT is required to sit for the exam, making it one of the most accessible professional certifications available.
The credential is particularly well-suited for individuals in roles such as help desk technician, IT support specialist, or junior systems administrator who want to move into dedicated security positions like SOC Analyst, Security Analyst, or IT Security Specialist. Analytical, problem-solving individuals who are new to the field but want a recognized credential to validate their foundational knowledge will benefit most from pursuing the CC.
ISC2 does not impose any formal prerequisites for the CC exam — there is no minimum work experience requirement, no prior certifications required, and no educational prerequisites. This policy sets the CC apart from nearly all other professional security credentials and makes it accessible to complete newcomers to the field.
While not required, ISC2 recommends familiarity with basic IT concepts before studying for the exam. Candidates who have completed coursework in networking fundamentals, operating systems, or general IT principles will find the material easier to absorb. After passing the exam, candidates must pay a $50 Annual Maintenance Fee (AMF) to complete certification and gain ISC2 member status; no endorsement from an existing ISC2 member is required, unlike the CISSP process.
The CC exam consists of 100 to 125 items, which include multiple-choice questions and advanced item types such as drag-and-drop and hotspot questions. The time limit is 2 hours (120 minutes). The exam is delivered via Pearson VUE in a computerized adaptive testing (CAT) format, available at authorized testing centers worldwide or via online proctoring. The exam is offered in English, Chinese, Japanese, German, and Spanish.
Scoring is on a scale of 0 to 1000, and the passing score is 700. The adaptive format means the difficulty of questions adjusts dynamically based on candidate performance, and the total number of questions delivered may vary within the 100–125 range depending on the test engine's assessment of candidate ability. Candidates should be prepared for both straightforward knowledge-recall questions and scenario-based items that require applying concepts to real-world situations.
Earning the CC positions candidates for entry-level and junior cybersecurity roles in a field that the U.S. Bureau of Labor Statistics projects will grow 32% by 2032 — more than ten times the average growth rate across all occupations. Common job titles pursued by CC holders include SOC Analyst, Security Analyst, IT Security Specialist, and Cybersecurity Technician, with entry-level salaries in the United States typically ranging from $60,000 to $85,000 annually. ISC2 reports that its certified members earn 35% higher salaries than non-members, and survey data shows that 10% of CC holders received a salary increase and 7% received a promotion within their first certification cycle.
Beyond immediate job placement, the CC serves as the foundational step in the ISC2 certification pathway, familiarizing candidates with ISC2's exam format and professional standards before advancing toward credentials such as the SSCP or CISSP. Compared to alternatives like CompTIA Security+, the CC's lack of prerequisites and free exam availability make it a lower-risk entry point, while ISC2's brand recognition — as the organization behind CISSP, the most recognized advanced security certification globally — lends the CC meaningful credibility with hiring managers and HR systems that filter for ISC2 credentials.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 838 questions.
Preview — answers shown1. A retail organization experiences a ransomware attack that encrypts their point-of-sale systems. The IT team performs a full system restore from Sunday's backup and then applies Thursday's differential backup. It is now Friday morning. How much transaction data was lost? (Select one!)
Explanation
Differential backups capture all changes since the last full backup. Thursday's differential contains all changes from Monday through Thursday relative to Sunday's full backup. When restored together, they recover data through Thursday. Any transactions occurring after Thursday's differential backup ran until the Friday morning restore would be lost. Differential backups do not provide continuous protection, only point-in-time recovery to when the last backup completed.
2. A security analyst must categorize a new security awareness training program that educates employees about phishing attacks and password hygiene. According to ISC2 security control classifications, which two categories apply to this training program? (Select two!)
Multiple correct answersExplanation
Security awareness training is an administrative control because it consists of policies, procedures, and processes implemented through human action and organizational governance. Training is also a preventive control because it aims to stop security incidents before they occur by improving employee behavior and decision-making. Physical controls are tangible mechanisms like locks and fences. Detective controls identify incidents after they occur. Technical controls are software or hardware-based automated protections, while training relies on human behavior modification.
3. A cybersecurity professional certified by ISC2 discovers that their organization is knowingly selling software with unpatched critical vulnerabilities that could allow attackers to steal customer financial data. The organization refuses to address the issue, citing profit concerns. According to the ISC2 Code of Ethics, which canon takes precedence in determining the professional's response? (Select one!)
Explanation
The ISC2 Code of Ethics canons are prioritized in order, with Canon I taking precedence over all others. Canon I requires protecting society and public trust, which includes protecting customers from financial fraud and data theft. When conflicts arise between serving the employer (Canon III) and protecting society (Canon I), society always takes precedence. The professional has an ethical obligation to take action that protects the public even if it conflicts with the employer's interests. Canon II addresses individual behavior and Canon IV addresses the profession, but Canon I governs when public harm is involved.
4. A company discovers that attackers have been intercepting and reusing session tokens to impersonate legitimate users and access confidential customer records without authentication. Which element of the CIA triad is primarily being violated? (Select one!)
Explanation
Confidentiality is primarily violated because session token hijacking grants attackers unauthorized access to private information and resources that should remain restricted to legitimate users. By impersonating authenticated users through stolen tokens, attackers breach the confidentiality principle of protecting sensitive information from unauthorized disclosure. While session hijacking may secondarily affect integrity if attackers modify data, or availability if sessions are disrupted, the fundamental security violation is unauthorized access to confidential data. Non-repudiation prevents denial of actions but is not part of the CIA triad.
5. An e-commerce application uses a cryptographic algorithm with a 2048-bit key to establish secure HTTPS connections. The web server keeps its key secret while publishing a related key that browsers use to encrypt session data. Which cryptographic approach is being used? (Select one!)
Explanation
Asymmetric encryption uses key pairs consisting of a public key that can be freely distributed and a private key kept secret. The keys are mathematically related, and data encrypted with one key can only be decrypted with the other. The 2048-bit key size and public-private key structure confirm asymmetric encryption. Symmetric encryption uses a single shared key for both encryption and decryption. Hashing is a one-way function that produces fixed-length digests and cannot encrypt data for later decryption. Salting is a technique used with hashing to defend against rainbow table attacks.
Certified Cloud Security Professional (CCSP)
CCSP · 850 questions
Certified in Governance, Risk and Compliance (CGRC)
CGRC · 850 questions
Certified Information Systems Security Professional (CISSP)
CISSP · 850 questions
Information Systems Security Architecture Professional (ISSAP)
ISSAP · 850 questions
Information Systems Security Engineering Professional (ISSEP)
ISSEP · 850 questions
Systems Security Certified Practitioner (SSCP)
SSCP · 849 questions
$17.99
One-time access to this exam