ISC2 Certified in Cybersecurity (CC) Exam Outline

Introduction

What is the Certified in Cybersecurity (CC) Certification?

The Certified in Cybersecurity (CC) is an entry-level cybersecurity certification introduced by (ISC)² – the organization behind the CISSP. It is designed specifically for:

• Individuals new to cybersecurity
• Students, career changers, or early-career IT professionals
• Anyone seeking a strong foundational understanding of cybersecurity principles

Why Was the CC Certification Created?

There’s a global shortage of over 3.4 million cybersecurity professionals, and the CC certification is ISC2’s initiative to:

• Help bridge this workforce gap
• Open opportunities for non-tech professionals
• Provide accessible, affordable, and globally recognized cybersecurity training

Key Benefits of the CC Certification

• No prior experience required
• FREE self-paced training (via ISC2)
• Globally recognized credential from ISC2
• Builds foundation for more advanced certifications like Security+, SSCP, or CISSP
• Ideal for job roles like:
  • Cybersecurity Analyst (Junior)
  • SOC Analyst (L1)
  • IT Support with security focus
  • GRC support staff

Exam Overview

• Total Questions: 100
• Type: Multiple choice (1 correct answer)
• Duration: 2 hours
• Passing Score: 700 / 1000
• Delivery: Pearson VUE (in-center or online proctoring)
• Languages Available: English, Chinese, Spanish, German, Portuguese, etc.
• Prerequisite: None

First-time candidates may be eligible for free exam voucher upon completion of the free ISC2 training.

Exam Domains

These domains ensure well-rounded knowledge in:

• Cyber risk and defense
• Organizational security posture
• Basic network architecture
• Access governance and controls
• Operational security tasks

Who Should Take the CC Exam?

• Students or recent graduates interested in cybersecurity
• Professionals switching careers into IT/security
• Entry-level IT staff looking to upskill
• Anyone preparing for roles such as:
  • Help Desk (Security-minded)
  • Junior Analyst
  • Cybersecurity Intern

What Comes After CC?

After earning your CC, you’re well-positioned to pursue:

• CompTIA Security+
• ISC2 SSCP (Systems Security Certified Practitioner)
• Certified Ethical Hacker (CEH)
• CISSP (after gaining experience)

Domain Breakup

1. Security Principles (26%)

• Information Assurance Concepts
  • Confidentiality: Protecting information from unauthorized access and disclosure.
  • Integrity: Ensuring information is accurate, complete, and unaltered.
  • Availability: Guaranteeing that information and resources are accessible when needed.
  • Authentication: Verifying the identity of users/systems (methods include passwords, biometrics, two-factor authentication).
  • Non-repudiation: Proof that a user took an action, preventing “denial” by the user.
  • Privacy: Protecting personal or sensitive information from unauthorized use.
• Risk Management Process
  • Risk Prioritization: Identifying which risks need addressing first based on severity/impact.
  • Risk Tolerance: The level of risk an organization is willing to accept.
  • Risk Identification: Pinpointing and describing potential security risks.
  • Risk Assessment: Evaluating likelihood and impact of risks.
  • Risk Treatment: Deciding how to mitigate, transfer, accept, or avoid identified risks.
• Security Controls
  • Technical: Software and hardware mechanisms (e.g., firewalls, antivirus).
  • Administrative: Policies, procedures, awareness training.
  • Physical: Locks, security guards, alarms.
• ISC2 Code of Ethics
  • Professional Conduct: A set of standards to guide ethical decisions; relates to honesty, competence, and respect for privacy.
• Governance Processes
  • Policies & Procedures: Company rules and how they’re implemented.
  • Standards: Requirements based on industry best practices.
  • Regulations/Laws: Government or industry-imposed requirements.

2. Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts (10%)

• Business Continuity
  • Purpose: Maintain essential operations during disruptive events.
  • Importance: Minimizes downtime and financial impact.
  • Components: Business Impact Analysis (BIA), Recovery Time Objective (RTO), Recovery Point Objective (RPO).
• Disaster Recovery
  • Purpose: Restore systems and data after incidents like cyberattacks, fire, or natural disasters.
  • Importance: Quick recovery reduces losses.
  • Components: Backups, disaster recovery planning, failover procedures.
• Incident Response
  • Purpose: Prepare for, detect, contain, and recover from security incidents.
  • Importance: Limits damage, preserves evidence.
  • Components: Incident Response Plan (IRP), roles and responsibilities, communication protocols.

3. Access Control Concepts (22%)

• Physical Access Controls
  • Badge Systems, Gates, Environmental Design: Restrict who can enter secure areas.
• Monitoring
  • Security Guards, CCTV, Alarm Systems, Logs: Detect and respond to unauthorized access or security events.
• Person Classification
  • Authorized Personnel: Have permission.
  • Unauthorized Personnel: Do not have permission.
• Logical Access Controls
  • Principle of Least Privilege: Users get only the access necessary for their roles.
  • Segregation of Duties: Dividing tasks among individuals to prevent fraud.
• Access Control Types:
  • Discretionary Access Control (DAC): Data owners control access.
  • Mandatory Access Control (MAC): System-enforced access based on policies.
  • Role-Based Access Control (RBAC): Access based on job roles or functions.

4. Network Security (24%)

• Computer Networking
  • OSI Model: Conceptual framework for how data moves through networks (7 layers: Physical to Application).
  • TCP/IP Model: Real-world networking protocol suite.
  • IPv4/IPv6: Addressing systems for devices on networks.
  • WiFi: Wireless networking protocols.
  • Ports/Applications: Services use numbered ports (HTTP = port 80, HTTPS = port 443).
• Network Threats and Attacks
  • DDoS (Distributed Denial of Service): Overloading services to make them unavailable.
  • Viruses, Worms, Trojans: Different forms of malicious software.
  • Man-in-the-Middle (MITM), Side Channel Attacks: Eavesdropping and indirect exploitation techniques.
• Threat Detection & Prevention
  • IDS/HIDS/NIDS: Intrusion detection systems: Host-based, Network-based.
  • Antivirus Software: Detects and removes malware.
  • Firewalls/IPS: Blocks unauthorized access, prevents some attacks.
• Network Security Infrastructure
  • On-premises Infrastructure: Security for hardware/data centers, including power and environmental controls.
  • Redundancy: Backup systems to ensure availability.
  • MOUs/MOAs: Agreements with partner organizations for crisis support.
• Network Design and Cloud Security
  • Network Segmentation: Isolating parts of a network (e.g., DMZ, VLAN, VPN).
  • Defense in Depth: Use of multiple layers of protection.
  • NAC (Network Access Control): Restricts device/user access, important for IoT.
  • Cloud Concepts: Cloud models (SaaS, IaaS, PaaS), service contracts (SLAs), managed service providers, hybrid/cloud deployments.

5. Security Operations (18%)

• Data Security
  • Encryption: Protecting data with encoding (symmetric, asymmetric, hashing).
  • Data Handling: Securely managing data throughout its lifecycle (classification, labeling, retention, destruction).
  • Event Logging/Monitoring: Collecting/logging system activity for security analysis.
• System Hardening
  • Configuration Management: Applying secure configurations, updates, and patches to systems.
• Security Policies
  • Examples: Data handling policy (how to manage company data), password policy (password complexity/expiration), acceptable use (what’s permitted on company systems), BYOD (rules for personal devices), change management, privacy policy.
• Security Awareness Training
  • Topics: Importance of training, recognizing phishing/social engineering, safe password practices, reporting incidents.

Official ISC2 Resources

• ISC2 Certified in Cybersecurity Self-Study Resources
• Official ISC2 CC eTextbook Download

Community and Open-Source Study Materials

• GitHub Repositories:
• cyberfascinate/ISC2-CC-Study-Material: PDFs, notes, flashcards, quizzes, and Hindi YouTube playlists.
• NP558565/ISC2-CC-Cybersecurity-Study-Material: Domain summaries, key concepts, and review questions.

Practice Exams and Online Courses

• Udemy Video Courses and Practice Tests:
• ISC2 Certified in Cybersecurity (CC) Full Practice Exam ’25: Includes multiple full-length mock exams with answer keys and explanations.
• The Complete Certified in Cybersecurity CC Course: 17+ hours of video, study guides, and practice questions.
• YouTube Videos: Search by “ISC2 CC Exam Prep” for practice sessions (sample: CC Exam Prep 200 practice questions).

Tips and Additional Resources

• Official ISC2 Learning Communities: Join ISC2’s study groups, discussion boards, or local chapters for peer support.

Closing Notes

This certification requires no prior work experience, focusing instead on understanding essential cybersecurity concepts.

Successfully earning the CC certification demonstrates a strong grasp of fundamental cybersecurity principles, preparing candidates for junior or entry-level cybersecurity roles. It also connects holders to ISC2’s global professional network for ongoing career development. With a combination of structured study materials, practice exams, and practical learning, candidates can confidently approach the exam and start a promising cybersecurity career.

This certification is a practical, attainable first step for those passionate about cybersecurity, providing a solid foundation to build upon with further ISC2 certifications and professional growth opportunities.