ISC2 CC in 2026: The FREE Entry Point to Cybersecurity
The ISC2 Certified in Cybersecurity (CC) is the most accessible cybersecurity certification on the planet right now. Through ISC2's One Million Certified in Cybersecurity (1MCC) initiative, the official self-paced training and the exam are both free — an offering worth roughly $400 — with no experience prerequisites and no expiration date on the voucher once issued.
If you want to break into cybersecurity in 2026 but don't know where to start, CC is the clearest signal on the market. This guide walks you through everything: the exam blueprint, domain-by-domain high-yield topics, a realistic 4-8 week study plan, how CC stacks up against Security+, and the exact steps to go from $0 to certified.
ISC2 CC Exam at a Glance (2026)
| Detail | Info |
|---|---|
| Certification Body | ISC2 (International Information System Security Certification Consortium) |
| Exam Format | Computerized Adaptive Testing (CAT) |
| Questions | 100-125 (multiple choice + advanced items) |
| Time Limit | 2 hours (120 minutes) |
| Passing Score | 700/1000 (scaled, compensatory) |
| Standard Fee | $199 USD |
| Via 1MCC Program | FREE (training + one exam attempt) |
| Annual Maintenance Fee (AMF) | $50/year (CC-only holders) |
| Delivery | Pearson VUE test centers only |
| Languages | English, Chinese, Japanese, German, Spanish |
| Experience Required | None |
| Age Requirement | 16+ |
| Certification Cycle | 3 years |
| CPE Requirement | 45 CPE credits over 3 years |
| Accreditation | ANAB / ISO/IEC 17024 |
| Prerequisites | None |
| Retake Policy | 30-day wait; max 3 attempts per 12 months |
Source: ISC2 CC Exam Outline, April 2026.
Heads up: ISC2 will release a refreshed CC Exam Outline effective September 1, 2026. If you test before that date, the current 5-domain outline below applies. If you test after, check the updated outline on isc2.org/certifications/cc — the core domains (and their 26/10/22/24/18 weights) remain, but the refresh integrates AI Security concepts across every domain (see "AI Security on the 2026 CC Exam" section below).
September 1, 2026 Outline Change: What's New
On April 2, 2026, ISC2 published Exam Guidance for Artificial Intelligence (isc2.org/Insights/2026/04/ISC2-Publishes-Exam-Guidance-AI) mapping how AI security concepts are incorporated into 50+ ISC2 exam domains — including all 5 CC domains. If you test on or after September 1, 2026, expect the following additions:
- Domain 1 Security Principles — applying CIA triad to AI systems, data integrity to prevent model poisoning, ethical AI, transparency, bias in automated decisioning.
- Domain 2 BC/DR/IR — backing up AI model weights and training datasets (not just data); model drift as a continuity risk; AI-related incidents.
- Domain 3 Access Controls — authenticating and authorizing AI agents and service accounts; least privilege for ML pipelines.
- Domain 4 Network Security — securing AI API endpoints; prompt-injection awareness at the network boundary.
- Domain 5 Security Operations — SIEM + AI for alert triage, reducing alert fatigue, distinguishing AI-automated blocks from events requiring human action.
If you test before September 1, 2026, these AI topics may still appear as unscored beta items but will not count against you. ISC2 has also shipped an AI-adaptive version of the official self-paced training (announced March 2024, enhanced 2026) — the course now tailors pathways based on your prior knowledge and learning speed.
Why CC Is the #1 Entry-Level Cybersecurity Credential in 2026
Not all entry-level certs are created equal. Here's why CC stands out:
- It's free. The 1MCC program has delivered millions of free training seats since launch, and as of April 2026 it is still running.
- It's vendor-neutral. Unlike Cisco CyberOps or Microsoft SC-900, CC is not tied to a single vendor's product line — everything you learn applies across AWS, Azure, on-prem, and hybrid environments.
- It's ISO/IEC 17024 accredited through ANAB — the same accreditation that backs CISSP, CCSP, and SSCP. Employers and government agencies recognize ANAB-accredited credentials as meeting international standards.
- It's from ISC2 — the same organization behind CISSP, which means CC is your direct on-ramp to the most respected cybersecurity certification pathway in the world.
- No experience required. CompTIA Security+ is technically "no-experience-required," but most hiring managers expect 2+ years of IT experience behind it. CC was purpose-built for true beginners.
- Built for the workforce gap. ISC2's 2025 Cybersecurity Workforce Study estimated a global shortfall of 4+ million cybersecurity professionals. CC is ISC2's flagship answer to that gap.
The real question: can you get hired after passing CC? Yes — entry-level SOC analyst, IT security support, help desk security, GRC coordinator, and cybersecurity intern roles all explicitly list CC as an acceptable credential in 2026 job postings.
Who Should Take the ISC2 CC Exam?
| Candidate Profile | Why CC Fits |
|---|---|
| College students (including high schoolers 16+) | Zero work experience required; free via 1MCC; builds resume before first internship |
| Career changers (teachers, military, healthcare, finance) | Low-risk entry point; validates commitment to the field to hiring managers |
| Help desk / IT support staff | Natural stepping stone to a SOC role; content overlaps with daily IT work |
| Sysadmins pivoting to security | Fills governance, risk, and policy gaps that pure IT background lacks |
| Developers moving to AppSec | Grounds you in CIA, access controls, and network security vocabulary |
| Managers who oversee IT | Gives you shared vocabulary with your security team without deep technical study |
| International candidates | ANAB/ISO 17024 accreditation is recognized globally; exam offered in 5 languages |
If you have 3+ years of hands-on security experience, skip CC and go directly to Security+ or SSCP — the content will feel too basic.
Eligibility & Endorsement Process
Eligibility to Sit the Exam
- Age: Minimum 16 years old. Candidates aged 16-17 must have a parent/guardian complete ISC2's minor consent process.
- Experience: Zero — this is the only major ISC2 cert with no work-experience path.
- Education: None required.
- Background check: You agree to ISC2 Code of Ethics; no formal background check.
Endorsement (The 9-Month Clock)
Unlike SSCP and CISSP — which require endorsement by an existing ISC2 member — CC endorsement is a self-completed form where you attest to the ISC2 Code of Ethics and confirm your identity.
You have 9 months from your exam pass date to:
- Submit your certification application through your ISC2 account.
- Agree to the ISC2 Code of Ethics (4 canons — protect society, act honorably, provide diligent service, advance the profession).
- Pay the $50 Annual Maintenance Fee (AMF).
Miss the 9-month window → you must retake the exam.
"Associate of ISC2" — Does It Apply to CC?
For CISSP and SSCP, candidates who pass but lack experience become "Associate of ISC2" while accumulating required years. CC has no experience requirement, so Associate status does not apply — you go straight to full certified member status upon endorsement.
ISC2 CC Exam Content: The 5 Domains
Here is the official 2026 blueprint with domain weights, subtopics, and high-yield drills.
| Domain | Weight | Approx. # of Questions* |
|---|---|---|
| 1. Security Principles | 26% | ~26-32 |
| 2. Business Continuity, DR & Incident Response | 10% | ~10-13 |
| 3. Access Controls Concepts | 22% | ~22-28 |
| 4. Network Security | 24% | ~24-30 |
| 5. Security Operations | 18% | ~18-23 |
| Total | 100% | 100-125 |
*Estimates based on CAT delivery — your exam may have a different mix.
Domain 1: Security Principles (26%) — The Heaviest Domain
This is the conceptual foundation of cybersecurity and by weight the single largest domain. If you only had time to prepare for one domain, this would be it. Expect lots of vocabulary and scenario-matching questions where several answer options sound correct but only one is best.
Subtopics you must master:
- CIA Triad — Confidentiality, Integrity, Availability. Know examples of each and which controls protect which property (e.g., encryption → confidentiality; hashing → integrity; redundancy → availability). Some ISC2 materials add Authenticity and Non-repudiation as extensions; know them but remember the core three.
- AAA — Authentication (proving who you are), Authorization (what you can do), Accounting (what you did). Do not confuse this with IAAA (Identification + AAA), which some sources use. Non-repudiation (you cannot deny the action) and privacy complete the picture.
- MFA factors: something you know (password, PIN), have (token, smart card), are (fingerprint, retina, face), do (typing pattern, gait), somewhere you are (geolocation, network). True MFA requires factors from two different categories — two passwords is NOT MFA.
- Risk management lifecycle: identification → assessment → treatment (accept, avoid, transfer, mitigate) → monitoring. Know the difference between risk appetite (what leadership will tolerate) and risk tolerance (acceptable variation).
- Threats, vulnerabilities, and exploits — a threat exploits a vulnerability to harm an asset. Risk = Threat × Vulnerability × Impact.
- Security controls taxonomy: technical (firewall, encryption), administrative (policy, training), physical (lock, guard, CCTV). Also: preventive (stop before), detective (notice during), corrective (fix after), deterrent (discourage), compensating (substitute), recovery (restore).
- Governance documents hierarchy: policy (what — mandatory, broad) → standard (how much — mandatory, specific) → procedure (how — step by step) → guideline (recommendation — optional). Policies come from top-down leadership; procedures from the teams doing the work.
- Regulations & laws: GDPR (EU privacy), HIPAA (US healthcare), PCI DSS (payment cards — industry standard, not a law), SOX (US publicly traded companies), FERPA (US student records), GLBA (US financial services), CCPA/CPRA (California privacy).
- Privacy principles — data minimization, purpose limitation, consent, right to be forgotten, data subject rights.
- ISC2 Code of Ethics — four canons in order: Society → Honorably → Service → Profession. When canons conflict, the earlier one wins. Expect at least one direct question.
High-yield drill: Given a breach scenario, name which CIA property was violated and which control type (preventive/detective/corrective) would have stopped it. Example: Attacker steals a laptop with unencrypted data → Confidentiality violated; encryption (preventive technical control) would have stopped it.
Domain 2: Business Continuity, Disaster Recovery & Incident Response (10%) — The Smallest Domain
The lightest domain by weight, but do not skip it — 10-13 questions are still enough to make or break a pass, and the topics are often unfamiliar to non-IT candidates, so every point counts.
Subtopics:
- BC vs DR: Business Continuity = keep the business running (people, processes, offices) during disruption; Disaster Recovery = restore IT systems, data, and infrastructure after disruption. BC is the umbrella; DR is the technical subset.
- Key metrics:
  - RTO (Recovery Time Objective) — how fast systems must be back up (clock time).
  - RPO (Recovery Point Objective) — how much data loss is tolerable (data currency).
  - MTD (Maximum Tolerable Downtime) — hard ceiling before business fails; RTO must be less than MTD.
  - MTBF (Mean Time Between Failures) and MTTR (Mean Time to Repair) — reliability metrics.
  - WRT (Work Recovery Time) — time to verify systems after DR before resuming normal ops.
- BIA (Business Impact Analysis) — identifies critical processes, their dependencies, and the RTO/RPO required for each. BIA comes BEFORE the BC/DR plan, not after.
- Incident Response lifecycle (NIST SP 800-61): Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident Activity (Lessons Learned). Memorize the order.
- First responder priorities: protect life and safety first, then contain the incident, then preserve evidence, then eradicate.
- Backup types:
  - Full — everything, slow to create, fast to restore.
  - Incremental — only what changed since the last backup (of any type), fast to create, slow to restore (need full + every incremental).
  - Differential — only what changed since the last FULL backup, medium to create, medium to restore (need full + latest differential).
  - Synthetic full — merged full built from incrementals.
- 3-2-1 rule: 3 copies of data, on 2 different media, with 1 off-site.
- Site types: hot (live, fully staffed, expensive, minutes RTO), warm (equipment + network, partial data, hours RTO), cold (empty space + power, days/weeks RTO, cheapest), mobile (trailer delivered), reciprocal/cloud (partner agreement or cloud failover).
- Exercise types (increasing realism): checklist → structured walk-through → tabletop → simulation → parallel → full interruption test.
- Evidence handling — chain of custody, write-blockers for disk imaging, hashing for integrity.
High-yield drill: Given RTO = 4 hours and RPO = 1 hour, which backup strategy and recovery site meet both? (Answer: continuous or hourly snapshot replication to a hot or warm site.)
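The backup types and the RTO/RPO drill above are easier to reason about when you can see the restore chain each strategy produces. The following Python planner is an added example written for this guide, not ISC2 material: the weekly schedule, the failure time and the per-backup restore costs in `RESTORE_MINUTES` are all constructed assumptions, chosen only to preserve the ordering the outline gives (full is slowest to restore, a single incremental fastest). It builds a schedule, works out which backups must be applied and in what order, and checks the result against RTO = 4 hours and RPO = 1 hour.

```python
"""Backup chain and RTO/RPO planner (added example, not ISC2 material).

Models the three backup types from the CC outline and checks a schedule
against a Recovery Time Objective and Recovery Point Objective. Restore
costs and the schedule are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed restore cost per backup type, in minutes (assumed values).
RESTORE_MINUTES = {"full": 120, "differential": 30, "incremental": 10}

# Constructed scenario: weekly cycle starting Sunday midnight, with the
# failure striking late on the following Saturday.
START = datetime(2026, 1, 4, 0, 0)
FAILURE = START + timedelta(days=6, hours=23, minutes=30)


def build_schedule(start, days, kind, every_hours=24):
    """A full backup at `start`, then one `kind` backup every `every_hours`
    hours for `days` days. Returns (timestamp, kind) pairs, oldest first."""
    backups = [(start, "full")]
    t = start + timedelta(hours=every_hours)
    end = start + timedelta(days=days)
    while t <= end:
        backups.append((t, kind))
        t += timedelta(hours=every_hours)
    return backups


def restore_set(backups, failure_time):
    """Backups that must be applied, in order, to recover to the last backup
    taken before `failure_time`:
      full         - stands alone
      differential - last full + this differential only
      incremental  - whatever the previous backup needs + this incremental
    """
    usable = [b for b in backups if b[0] <= failure_time]
    if not usable:
        return []
    needed = []
    i = len(usable) - 1
    while i >= 0:
        kind = usable[i][1]
        needed.append(usable[i])
        if kind == "full":
            break
        if kind == "differential":
            fulls = [j for j in range(i) if usable[j][1] == "full"]
            if not fulls:
                raise ValueError("differential backup with no prior full")
            i = fulls[-1]
        else:  # incremental: depends on the backup immediately before it
            i -= 1
    else:
        raise ValueError("chain has no full backup")
    return list(reversed(needed))


def data_loss_hours(backups, failure_time):
    """Achieved RPO: time between the last usable backup and the failure."""
    usable = [ts for ts, _ in backups if ts <= failure_time]
    return (failure_time - max(usable)).total_seconds() / 3600


def evaluate(backups, failure_time, rto_hours, rpo_hours):
    """Compare a schedule against the objectives for one failure time."""
    needed = restore_set(backups, failure_time)
    recovery_hours = sum(RESTORE_MINUTES[k] for _, k in needed) / 60
    loss = data_loss_hours(backups, failure_time)
    return {
        "backups_to_apply": len(needed),
        "recovery_hours": recovery_hours,
        "data_loss_hours": loss,
        "meets_rto": recovery_hours <= rto_hours,
        "meets_rpo": loss <= rpo_hours,
    }


def drill(kind, every_hours, rto_hours=4, rpo_hours=1):
    """The drill (RTO 4 h, RPO 1 h) run against one backup strategy."""
    schedule = build_schedule(START, 7, kind, every_hours)
    return evaluate(schedule, FAILURE, rto_hours, rpo_hours)


if __name__ == "__main__":
    for kind, hours in (("incremental", 24), ("incremental", 1), ("differential", 1)):
        print(f"{kind:>12} every {hours:2}h -> {drill(kind, hours)}")
```

Run as a script it shows the trade-off the outline describes: daily incrementals restore quickly (full + six incrementals) but lose up to 23.5 hours of data, hourly incrementals meet the RPO but need 168 pieces and blow the RTO, and hourly differentials (or, equivalently, hourly snapshot replication) satisfy both with a two-piece restore.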
Domain 3: Access Controls Concepts (22%) — The Identity Core
Access controls are how security is implemented in practice. Expect 22-28 questions covering both physical and logical controls, with heavy focus on which model fits which scenario.
Subtopics:
- Physical access controls
  - CPTED (Crime Prevention Through Environmental Design) — natural surveillance, natural access control, territorial reinforcement.
  - Deterrents: signs, lighting, fences.
  - Barriers: bollards (vehicle), turnstiles, revolving doors, mantraps/access control vestibules (prevent tailgating).
  - Detection: CCTV, motion sensors, alarms.
  - Identification: badges (proximity, smart cards), biometrics (fingerprint, retina, facial, palm vein).
  - Compensating controls: guards, dogs, visitor escorts and logs.
- Logical access controls — usernames, passwords (complexity, length, history, lockout), tokens (hard/soft, TOTP/HOTP), smart cards (PIV/CAC), certificates (PKI), SSO, federation (SAML, OAuth, OIDC).
- The three As (not to be confused with AAA):
  - Identification — claiming an identity (username).
  - Authentication — proving it (factors).
  - Authorization — what you can do (permissions).
- Access control models — memorize all five:
  - DAC (Discretionary Access Control) — owner decides. Flexible but weak. Example: Windows NTFS file permissions, Linux chmod, Google Drive sharing.
  - MAC (Mandatory Access Control) — system enforces based on labels/clearance; users cannot override. Most restrictive. Example: military classification (Unclassified → Confidential → Secret → Top Secret), SELinux, AppArmor.
  - RBAC (Role-Based Access Control) — access by job role; users inherit permissions from their role. Most common in enterprises. Example: all "Nurses" can view patient charts.
  - ABAC (Attribute-Based Access Control) — policies evaluate attributes of user, resource, environment, and action. Flexible, dynamic. Example: AWS IAM policies, Azure Conditional Access.
  - Rule-Based — explicit rules evaluated in order. Example: firewall ACLs, router access lists.
- Principle of least privilege — minimum access to do the job, nothing more.
- Separation of duties (SoD) — no single person can complete a sensitive process alone (e.g., one person creates vendor, another approves payment).
- Need to know — even with clearance, only see what the task requires.
- Job rotation and mandatory vacations — fraud detection controls.
- Privileged account management (PAM) — admin, service, and root accounts; just-in-time access; vaulting; session recording.
- Password policies — length ≥ 12 chars preferred over complexity; passphrase over password; NIST SP 800-63B no longer mandates periodic rotation if no compromise suspected.
High-yield drill: Match the scenario to the model — "Users in the Finance department can read payroll files" → RBAC. "Only users with a Top Secret clearance can read this file" → MAC. "Allow access if user department = 'Sales' AND time is between 9-5 AND device is managed" → ABAC.
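Seeing each of the five models as a few lines of decision logic makes the drill above concrete. The Python below is an added example for this guide, not ISC2 code: the users, roles, labels, ACL entries and firewall rules are constructed, and the ABAC policy encodes exactly the drill's "Sales AND 9-5 AND managed device" rule. Each evaluator answers allow (True) or deny (False); the DAC section also shows the defining property that only the owner can extend the ACL, and the rule-based section shows why rule order matters.

```python
"""Five access control models from CC Domain 3, each as a small evaluator.
Added example with constructed users, roles, labels and rules; not ISC2
material. Every *_allows function returns True (allow) or False (deny)."""

# --- DAC: the resource owner decides who else gets in ----------------------
# Constructed ACL: owner plus explicit per-user grants for each resource.
DAC_ACL = {"q3_report.docx": {"owner": "alice", "grants": {}}}


def dac_grant(actor, resource, grantee, action):
    """Only the owner may extend the ACL (discretionary = owner's discretion)."""
    entry = DAC_ACL[resource]
    if actor != entry["owner"]:
        raise PermissionError(f"{actor} does not own {resource}")
    entry["grants"].setdefault(grantee, set()).add(action)


def dac_allows(user, resource, action):
    entry = DAC_ACL.get(resource)
    if entry is None:
        return False
    return user == entry["owner"] or action in entry["grants"].get(user, set())


# --- MAC: system-enforced labels that subjects cannot override --------------
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


def mac_allows_read(clearance, classification):
    """Read allowed only when the clearance dominates the label ("no read up")."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)


# --- RBAC: permissions attach to roles; users inherit them from their role --
ROLE_PERMISSIONS = {
    "finance": {("payroll", "read")},
    "nurse": {("patient_chart", "read")},
}
USER_ROLES = {"alice": {"finance"}, "bob": {"nurse"}}


def rbac_allows(user, resource, action):
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- ABAC: one policy over subject, resource and environment attributes ----
def abac_allows(subject, resource, environment):
    """The drill rule: department is Sales AND 9-5 AND the device is managed."""
    return (subject.get("department") == "Sales"
            and resource.get("type") == "sales_data"
            and 9 <= environment.get("hour", -1) < 17
            and environment.get("device_managed", False) is True)


# --- Rule-based: ordered rules, first match wins, implicit deny at the end --
# Constructed firewall-style ACL: (source prefix or None, port or None, verdict).
# String prefix matching stands in for real CIDR matching to keep it short.
FIREWALL_RULES = [
    ("10.0.0.", 22, "allow"),     # admin subnet may SSH ...
    ("10.0.0.", None, "deny"),    # ... but nothing else
    (None, 443, "allow"),         # anyone may reach HTTPS
]


def rule_based_allows(src_ip, dst_port):
    for prefix, port, verdict in FIREWALL_RULES:
        src_ok = prefix is None or src_ip.startswith(prefix)
        port_ok = port is None or port == dst_port
        if src_ok and port_ok:
            return verdict == "allow"
    return False  # no rule matched: implicit deny


if __name__ == "__main__":
    print("RBAC  finance reads payroll:", rbac_allows("alice", "payroll", "read"))
    print("MAC   secret reads top secret:", mac_allows_read("secret", "top secret"))
    print("ABAC  sales, 10:00, managed:",
          abac_allows({"department": "Sales"}, {"type": "sales_data"},
                      {"hour": 10, "device_managed": True}))
    print("Rules 10.0.0.5 -> 443:", rule_based_allows("10.0.0.5", 443))
```

Note the last line: the admin subnet is denied HTTPS even though a later rule allows port 443 to everyone, because rule-based systems stop at the first match. Swapping the second and third rules changes the answer, which is the behaviour the exam means by "evaluated in order".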
Domain 4: Network Security (24%) — The Second Heaviest Domain
Expect 24-30 questions on networking fundamentals and defensive architecture. If you do not have a networking background, this will be your hardest domain — budget extra time.
Subtopics:
- OSI model (7 layers) — Physical, Data Link, Network, Transport, Session, Presentation, Application. Memorize mnemonic: Please Do Not Throw Sausage Pizza Away. Know at least one protocol or device per layer:
  - L1 Physical — cables, hubs, repeaters.
  - L2 Data Link — MAC addresses, switches, frames, ARP, 802.1X.
  - L3 Network — IP addresses, routers, packets, ICMP, OSPF.
  - L4 Transport — TCP (reliable) / UDP (fast), segments, port numbers.
  - L5 Session — NetBIOS, RPC, session establishment and teardown.
  - L6 Presentation — encryption, compression, encoding (ASCII, Unicode, JPEG).
  - L7 Application — HTTP, DNS, FTP, SMTP, SSH user-facing protocols.
- TCP/IP model (4 layers) — Link, Internet, Transport, Application. Simpler than OSI; often mapped onto it.
- TCP 3-way handshake — SYN → SYN/ACK → ACK. The 4-way teardown exchanges FIN and ACK in each direction. Understand why TCP is "connection-oriented" and UDP is "connectionless."
- Common ports: 20/21 FTP, 22 SSH/SFTP, 23 Telnet (insecure), 25 SMTP, 53 DNS, 67/68 DHCP, 69 TFTP, 80 HTTP, 110 POP3, 123 NTP, 143 IMAP, 161/162 SNMP, 389 LDAP, 443 HTTPS, 445 SMB, 636 LDAPS, 3389 RDP.
- IP addressing — IPv4 (32-bit, dotted decimal) vs IPv6 (128-bit, hex). Public vs private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Loopback 127.0.0.1. APIPA 169.254.x.x.
- NAT/PAT — Network Address Translation hides internal IPs; Port Address Translation maps many private IPs to one public IP.
- DHCP — Discover → Offer → Request → Acknowledge (DORA).
- DNS — hierarchical, UDP 53 (queries) / TCP 53 (zone transfers). Know record types: A (IPv4), AAAA (IPv6), MX (mail), CNAME (alias), TXT (SPF/DKIM).
- Network devices — hub (L1, dumb repeater, one collision domain), switch (L2, MAC table, separate collision domains), router (L3, IP, separate broadcast domains), firewall (stateful vs stateless vs next-gen/NGFW with app-layer inspection), proxy (forward, reverse), load balancer, WAF (web application firewall).
- IDS vs IPS — IDS detects and alerts (passive, out-of-band); IPS blocks (inline, in-band). Both can be signature-based (known patterns) or anomaly/behavior-based (deviation from baseline).
- Network segmentation — VLANs (logical separation at L2), DMZ/screened subnet (public-facing buffer zone), zero trust microsegmentation ("never trust, always verify"), air-gapping.
- VPN — IPSec (tunnel mode encrypts entire packet, transport mode encrypts payload only; ESP provides confidentiality + integrity, AH provides integrity only), SSL/TLS VPN (clientless, browser-based), site-to-site (branch offices) vs remote-access (individual users), split tunnel vs full tunnel.
- Wireless security — WEP (RC4 — broken, do NOT use), WPA (TKIP), WPA2 (CCMP/AES), WPA3 (SAE — current standard). SSID hiding and MAC filtering are weak security-by-obscurity controls.
- Cloud security basics — shared responsibility model: IaaS (customer owns OS up), PaaS (customer owns app + data), SaaS (customer owns data + access). Cloud concepts: CASB (Cloud Access Security Broker), SASE (Secure Access Service Edge), SSE (Security Service Edge).
- Cloud deployment models — public, private, community, hybrid.
- Common network attacks — DDoS (volumetric, protocol, application-layer), MITM (man-in-the-middle), ARP poisoning/spoofing, DNS spoofing/cache poisoning, packet sniffing, on-path, evil twin WiFi, replay, SYN flood, Smurf, ping of death.
- Threat actors — script kiddies, hacktivists, organized crime, insider threats, nation-state/APT.
High-yield drill: Given an attack signature, identify which defensive layer (firewall, IDS/IPS, segmentation, encryption) would stop it. Example: ARP spoofing on a flat network → VLAN segmentation + dynamic ARP inspection.
Domain 5: Security Operations (18%) — The Day-to-Day Tools
This domain covers what security practitioners do every day — protecting data, configuring systems, training users, and responding to what the monitoring reveals.
Subtopics:
- Data handling lifecycle — create → store → use → share → archive → destroy. Different controls apply at each stage (e.g., encryption in transit vs at rest vs in use).
- Data states — at rest (disk), in transit/motion (network), in use/processing (RAM/CPU). Each state needs different controls.
- Data classification — private sector: public, internal, confidential, restricted; US government: Unclassified, CUI (Controlled Unclassified Information), Confidential, Secret, Top Secret.
- Data roles — owner (accountable, classifies data), custodian (technical implementation), processor (acts on behalf of owner), user/subject (uses data).
- Data destruction — clearing (overwrite), purging (degaussing), destruction (shred, crush, incinerate). Degaussing does NOT work on SSDs.
- Encryption:
  - Symmetric (one shared key) — fast, for bulk data. AES (current standard), DES (broken), 3DES (deprecated), Blowfish, Twofish, RC4.
  - Asymmetric (public + private key pair) — slow, for key exchange and digital signatures. RSA, ECC (Elliptic Curve), Diffie-Hellman, ElGamal.
  - Hybrid systems (TLS, PGP) use asymmetric to exchange a symmetric session key, then use symmetric for bulk.
  - Public key encrypts (confidentiality); private key decrypts. Private key signs (non-repudiation); public key verifies.
- Hashing — one-way, keyless, produces fixed-length digest. MD5 (broken — collisions), SHA-1 (deprecated), SHA-256/384/512 (current), SHA-3. Purpose: integrity, NOT confidentiality.
- Salting — random data added to password before hashing to defeat rainbow tables. Use unique salt per password.
- PKI basics — Certificate Authority (CA), Registration Authority (RA), Certificate Signing Request (CSR), X.509 digital certificates, Certificate Revocation List (CRL), OCSP, root CA, intermediate CA.
- Digital signatures — provide integrity + authentication + non-repudiation. Sign hash with private key.
- Configuration management — baselines, hardening, CIS Benchmarks, DISA STIGs, Group Policy, Ansible/Puppet/Chef, immutable infrastructure.
- Patch management — test → stage → deploy → verify. Emergency patches bypass testing only when necessary.
- Vulnerability management — scanning (authenticated vs unauthenticated), CVSS scoring, remediation prioritization.
- Logging & monitoring — SIEM (Security Information and Event Management — Splunk, Sentinel, QRadar), log aggregation, correlation rules, retention policies, chain of custody.
- Security awareness training — annual mandatory training, phishing simulations, policy acknowledgments, role-specific training (developers, executives, admins).
- Data loss prevention (DLP) — endpoint DLP (agent on device), network DLP (inline on egress), cloud DLP (CASB integration).
- Email security — SPF, DKIM, DMARC for anti-spoofing; secure email gateways; sandbox detonation.
High-yield drill: Given an encryption scenario, pick symmetric vs asymmetric:
- Bulk data encryption → symmetric (AES).
- Key exchange during a TLS handshake → asymmetric (RSA/ECDHE).
- Digitally signing an email → asymmetric (sign with your private key).
- Storing a password for verification → hashing with salt (bcrypt, Argon2), not encryption.
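The last drill item (store passwords as a salted hash, never encrypt them) and the hashing and salting bullets above are worth seeing in working code. The Python below is an added example for this guide, not ISC2 material, and uses only the standard library: PBKDF2-HMAC-SHA256 stands in for the bcrypt/Argon2 the drill names, which need third-party packages; the iteration count, record format and sample passwords are assumptions. It shows why an unsalted digest is rainbow-table bait, how a per-password salt makes identical passwords produce different records, how verification recomputes with the stored salt and compares in constant time, and how the same hash primitive serves integrity checking.

```python
"""Password storage and integrity hashing for CC Domain 5 (added example,
not ISC2 material). Standard library only: PBKDF2-HMAC-SHA256 stands in for
bcrypt/Argon2. Sample passwords and messages are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor; assumed value, raise it in production


def unsalted_digest(password):
    """What NOT to store: identical passwords give identical digests, so one
    precomputed (rainbow) table cracks every account sharing that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' (assumed format).
    A fresh random salt per password makes equal passwords hash differently."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False   # malformed record: deny rather than crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def integrity_digest(data: bytes):
    """Hashing for integrity: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def tampered(data: bytes, expected_digest):
    """True if the data no longer matches the digest recorded earlier."""
    return not hmac.compare_digest(integrity_digest(data), expected_digest)


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed sample
    a, b = hash_password(pw), hash_password(pw)
    print("unsalted digests equal:", unsalted_digest(pw) == unsalted_digest(pw))
    print("salted records equal:  ", a == b)
    print("verify good password:  ", verify_password(pw, a))
    print("verify wrong password: ", verify_password(pw.upper(), a))
    msg = b"transfer 100 to account 42"          # constructed sample
    d = integrity_digest(msg)
    print("tampered after edit:   ", tampered(b"transfer 900 to account 42", d))
```

The record stores the salt and iteration count beside the digest because neither needs to be secret; the salt's job is uniqueness, and keeping the work factor in the record lets you raise it later and re-hash users on their next login. The same SHA-256 call that checks message integrity is deliberately not used on its own for passwords: a plain hash is fast by design, and password storage needs the opposite.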
AI Security on the 2026 CC Exam (What Most Competitor Guides Miss)
Most CC guides published before April 2026 do not mention AI. That is outdated. Per ISC2's Exam Guidance for Artificial Intelligence (published April 2, 2026), AI security concepts have been integrated into every CC domain. If you test on or after September 1, 2026, you will see these concepts — and even before that date, ISC2 often pilots new items as unscored beta questions.
AI terms to know for CC:
| Term | Definition | Why it matters for CC |
|---|---|---|
| Model poisoning | Attacker corrupts training data to alter AI behavior | Integrity violation (Domain 1) |
| Prompt injection | Malicious input designed to manipulate LLM output | Input validation control (Domain 4/5) |
| Model drift | AI model accuracy degrades over time as data shifts | BC/DR risk (Domain 2) |
| Adversarial examples | Inputs crafted to fool a trained model | Threat vector (Domain 1) |
| Shadow AI | Unsanctioned AI tools employees use at work | Governance risk (Domain 1/5) |
| AI bias / fairness | Discriminatory or skewed AI outputs | Ethics + Code of Ethics (Domain 1) |
| Explainability / XAI | Ability to understand how an AI reached a decision | Governance + audit (Domain 1/5) |
| AI alert triage | SIEM using ML to correlate/prioritize alerts | Reduces SOC alert fatigue (Domain 5) |
| Data minimization in AI | Only collect/retain data needed for model purpose | Privacy principle (Domain 1) |
| Synthetic data | Generated data used to train models without exposing real PII | Privacy-preserving technique (Domain 5) |
High-yield AI drill: An attacker feeds mislabeled images into a publicly-updating image classifier, causing misclassification. Which CIA property is violated, and which control category applies? Answer: Integrity; administrative + technical controls — data validation, training-pipeline access controls, and provenance logging.
Pass Rate & Difficulty: What the Community Reports
ISC2 does not publish official CC pass rates. However, based on 2024-2026 community data (ISC2 Community forums, Reddit r/isc2, Cybrary, Discord study groups):
| Candidate Background | Community-Reported First-Attempt Pass Rate |
|---|---|
| Complete beginners (no IT) | ~55-65% |
| IT professionals (1-3 years) | ~75-85% |
| Security+ holders | ~85-95% |
| Candidates scoring 80%+ on official ISC2 practice test | ~90%+ |
Difficulty signals:
- Most candidates finish in 60-90 minutes of the 120-minute window.
- CAT delivery means questions get harder as you answer correctly — expect several "I have never seen this word" items; that usually means you are doing well.
- The biggest pitfall is over-thinking scenario questions. ISC2 questions are designed to have exactly one best answer — if two options look correct, look for the one that addresses the root cause or the BEST practice in that context.
Bottom line: CC is the easiest ISC2 exam, but it is not a giveaway. Plan at least 30-60 hours of focused study.
4-8 Week Study Plan (Two Tracks)
Track A — Complete Beginner (8 Weeks, ~60 hours)
| Week | Focus | Study Hours | Milestone |
|---|---|---|---|
| 1 | Sign up for 1MCC + ISC2 self-paced training. Domain 1 Part 1 (CIA, AAA, MFA). | 6-8 | Understand CIA triad |
| 2 | Domain 1 Part 2 (risk, controls, governance, Code of Ethics). | 6-8 | Pass Domain 1 quiz 80%+ |
| 3 | Domain 4 Network Security Part 1 (OSI, TCP/IP, ports, IP addressing). | 8-10 | Memorize OSI + common ports |
| 4 | Domain 4 Part 2 (firewalls, IDS/IPS, VPN, wireless, cloud). | 6-8 | Pass Domain 4 quiz 80%+ |
| 5 | Domain 3 Access Controls (all 5 models + physical). | 6-8 | Pass Domain 3 quiz 80%+ |
| 6 | Domain 5 Security Operations (crypto, hashing, DLP, awareness). | 6-8 | Pass Domain 5 quiz 80%+ |
| 7 | Domain 2 BC/DR/IR + full cumulative review. | 6-8 | Complete 2 full-length practice exams |
| 8 | Test-taking strategy, weak-area review, exam scheduling. | 4-6 | Take real exam |
Track B — IT-Experienced (4 Weeks, ~30 hours)
| Week | Focus | Study Hours | Milestone |
|---|---|---|---|
| 1 | Skim Domain 1 + Domain 2. Focus: ISC2 Code of Ethics, risk treatment, BIA. | 6-8 | Pass practice test 75%+ |
| 2 | Domain 3 + Domain 5 (access models + crypto/ops nuances). | 8-10 | Pass practice test 80%+ |
| 3 | Domain 4 Network Security — deep review of CC-specific vocabulary. | 6-8 | Pass practice test 85%+ |
| 4 | Two full-length practice exams + weak area cleanup. Schedule real exam. | 6-8 | Take real exam |
Daily routine that works: 45 min reading → 30 min flashcards (Anki, Quizlet, or ISC2 official flash cards) → 30 min practice questions with explanations.
FREE vs Paid Study Resources
FREE Resources (Start Here)
| Resource | Link | Notes |
|---|---|---|
| ISC2 Official Self-Paced Training | isc2.org/candidate | 100% free via 1MCC. ~15-20 hours of video + assessments. |
| ISC2 Official CC Flash Cards | isc2.org/certifications/cc/cc-self-study-resources | Free digital flash cards from ISC2. |
| Prabh Nair YouTube | youtube.com/@PrabhNair1 | Free full CC playlist — best YouTube coverage. |
| Mike Chapple free content | LinkedIn Learning sampler + YouTube | Excellent Domain 1 explanations. |
| Destination Certification | destcert.com | Free CC MindMap videos (Rob Witcher). |
| OpenExamPrep (this site) | Start FREE ISC2 CC Practice | 100+ free CC practice questions, AI tutor, flashcards. |
Paid Resources (Only If You Need More)
| Resource | Cost | Notes |
|---|---|---|
| Thor Pedersen Udemy CC bundle | ~$15-30 (sale) | Most popular paid CC course; includes practice tests. |
| ISC2 Official CC Textbook | ~$40-50 | Comprehensive but dry; best as reference. |
| ISC2 Training Bundles | $199-399 | Includes textbook + exam voucher; only worth it if 1MCC has ended. |
| Pete Zerger "Cram" video | Free on YouTube | 60-minute exam cram — last-week review only. |
Our recommendation for most candidates: Free ISC2 self-paced training + Prabh Nair YouTube + OpenExamPrep practice tests. Total cost: $0.
Exam-Day Strategy (Pearson VUE)
Format Reminders
- Linear vs CAT: CC delivers CAT (Computerized Adaptive Testing) — you cannot go back to previous questions. Commit to each answer before moving on.
- 100-125 items — expect your exam to end somewhere in that range based on performance.
- 2 hours — budget ~60 seconds per question. Most candidates finish with 30+ minutes to spare.
Day-Before Checklist
- Locate the Pearson VUE test center; plan a 30-min buffer for traffic/parking.
- Prepare two forms of ID (one photo, both matching the name on your ISC2 account).
- Sleep 8 hours. Do not cram the morning of.
- No personal items in the testing room — lockers are provided.
During the Exam
- Read the full question stem before looking at options. ISC2 loves distractors placed as tempting wrong answers.
- Eliminate obviously wrong options first. You can usually get to 50/50 quickly.
- Pick the BEST answer, not the "correct" answer. Often multiple options are technically correct; only one is best.
- Watch for absolute words (always, never, only) — they are usually wrong.
- Do not panic on unfamiliar terms. CAT throws hard items at strong performers.
- Manage time, not pace. Check the clock every 25-30 questions.
Post-Exam
- You receive a preliminary pass/fail result at the test center immediately.
- Official results and endorsement instructions arrive via email within ~7 business days.
After You Pass: Endorsement, AMF & CPEs
Endorsement (1-2 weeks after passing)
- Log in to your ISC2 account.
- Submit certification application (no ISC2 member sponsor required for CC).
- Agree to the ISC2 Code of Ethics.
- Pay $50 AMF (waived for first year under 1MCC Candidate benefit).
- Receive digital badge + certificate.
Maintaining Certification (3-Year Cycle)
- 45 CPE credits total across the 3-year cycle.
- Minimum 10 CPEs per year to stay in good standing.
- CPEs are split into Group A (direct domain content, 30+ required) and Group B (professional development, 15 max).
- Free CPE sources: ISC2 webinars, ISC2 Professional Development Institute (PDI), local chapter meetings, blog/article writing, Udemy/Coursera security courses.
Member Benefits
- Digital badge + logo usage rights.
- Access to ISC2 member forums and local chapters (200+ worldwide).
- Discounts on CISSP and other ISC2 training bundles.
- Voting rights in ISC2 Board of Directors elections.
CC vs CompTIA Security+ vs SSCP vs GSEC: Which to Pick
| Feature | ISC2 CC | CompTIA Security+ | ISC2 SSCP | GIAC GSEC |
|---|---|---|---|---|
| Level | Entry | Entry-Intermediate | Intermediate | Intermediate |
| Experience req. | None | None (2 yrs recommended) | 1 year | None |
| Cost | $0-199 | $404 | $599 | $999+ (exam only, without SANS training) |
| Questions | 100-125 (CAT) | Up to 90 + PBQs | 125 | 106-180 |
| Passing | 700/1000 | 750/900 | 700/1000 | 73% |
| Validity | 3 years | 3 years | 3 years | 4 years |
| DoD 8140 | No (yet) | Yes | Yes | Yes |
| Hands-on? | No | Yes (PBQs) | Limited | Heavy |
| Difficulty (1-10) | 3-4 | 5-6 | 7 | 8-9 |
| Best for | True beginners, students | IT pros, DoD roles | Sysadmins & SOC | Hands-on defenders |
Quick Picker
- No IT background, no budget → CC (free).
- IT background + DoD/federal job target → Security+.
- 1-2 years security experience → SSCP.
- Technical depth + money no object → GSEC.
- Stacking strategy (recommended): CC → Security+ → SSCP → CISSP.
The CC Stacking Strategy: From $0 to Six Figures
CC's highest ROI is as the first rung of a certification ladder. Here's a widely followed 5-year stack:
| Year | Cert | Cost | Time Investment | Salary Lift |
|---|---|---|---|---|
| 0-3 months | ISC2 CC | $0 (1MCC) + $50 AMF | 30-60 hrs | Qualifies for $50-70K SOC/help-desk security roles |
| 3-12 months | CompTIA Security+ (or Network+ first if weak on networking) | $404 | 80-120 hrs | DoD 8140 eligible; $65-85K SOC Analyst I |
| 1-2 years | ISC2 SSCP (1 yr experience req.) | $599 + $125/yr AMF (replaces your $50 CC AMF if you hold both) | 100-150 hrs | Mid-level SOC, sysadmin security; $80-105K |
| 2-3 years | CompTIA CySA+ or PenTest+ or CCSP (track split) | $404-$599 | 100-150 hrs | Specialist premium; $95-125K |
| 5+ years | ISC2 CISSP (5 yrs experience in 2 of 8 domains; CC waives 1 year) | $749 + $125/yr AMF | 200-400 hrs | Senior/lead/architect; $120-180K |
Why this order works:
- CC before Security+ — CC teaches the ISC2 vocabulary (best-answer wording, Code of Ethics, governance) you'll need for SSCP and CISSP later. Security+ alone does not.
- Security+ before SSCP — SSCP assumes hands-on IT competence; Security+ fills that gap.
- SSCP before CISSP — SSCP content is the operational subset of CISSP. Studying SSCP gives you 40-60% of CISSP Domain 7 (Security Operations) for free.
- CISSP only after 5 years — ISC2 waives 1 year of experience if you already hold CC (or Security+/SSCP/CySA+/etc.), so 4 years of real work + CC = CISSP eligible.
- AMF stacking — Holding multiple ISC2 certs does NOT multiply your AMF. The single AMF is $125/year once you hold a full member cert (CISSP/SSCP/CCSP), which replaces your $50 CC-only AMF. Your CC AMF does not stack on top.
ROI math: $0 (CC) → $404 (Sec+) → $599 (SSCP) → $749 (CISSP) = $1,752 in exam fees over 5 years to move from roughly $50K to $150K+. A $100K salary lift against $1,752 in exam fees is a ~57x return in the first year alone, before AMFs and study materials.
Salary & Career Outlook
Roles CC Qualifies You For
- SOC Analyst I — $50,000-$75,000
- IT Security Support — $45,000-$65,000
- Cybersecurity Intern — $20-30/hr
- GRC Coordinator — $55,000-$75,000
- Junior Penetration Tester (with other skills) — $55,000-$80,000
- Help Desk with Security Focus — $40,000-$60,000
Industry Outlook (BLS 2024-2034)
- Information Security Analysts: 29% job growth 2024-2034, much faster than average.
- 2024 median annual wage: $124,910 (BLS OOH, May 2024 wage data).
- Top-paying industries: Financial services, tech, federal government, defense contractors.
- Remote work: ~50% of cybersecurity roles offer hybrid or fully remote in 2026.
Source: BLS Occupational Outlook Handbook — Information Security Analysts.
Common Mistakes: Why Candidates Fail CC
- Treating it like a technical exam. CC is a concepts exam. Configuring a firewall is not tested — recognizing why a firewall belongs at a network edge is.
- Ignoring the ISC2 Code of Ethics. Almost every candidate gets at least one Code of Ethics question. Memorize the four canons in order.
- Not taking enough practice tests. If you are not scoring 80%+ on multiple practice tests, you are not ready.
- Skimming Domain 2. It's only 10%, but missing all 10-13 questions can sink you.
- Wasting time on one hard question. In CAT, you cannot go back anyway — commit and move on.
- Forgetting the 9-month endorsement window. You passed, now act quickly to complete endorsement and pay AMF.
- Creating multiple ISC2 accounts to get a second free voucher. This is a policy violation and can permanently ban you.
- Assuming 1MCC lasts forever. Treat it as a limited-time offer — ISC2 has not confirmed a 2027 extension as of April 2026.
Next Steps After CC
Your CC unlocks a clear progression path:
Within 6 Months of CC
- CompTIA Security+ (SY0-701) — adds DoD 8140 eligibility and hands-on PBQ experience.
- CompTIA Network+ — fills any networking gaps from Domain 4.
1-2 Years After CC
- ISC2 SSCP — the operational counterpart to CISSP; 1 year experience required.
- CompTIA CySA+ — focused on SOC analyst skills.
- GIAC GSEC — if you want hands-on depth.
3-5 Years After CC
- ISC2 CISSP — the gold standard; 5 years experience in 2 of 8 domains.
- CCSP — if you specialize in cloud security.
- CISM / CISA — if you pivot toward management or audit.
Strategic tip: Use your free ISC2 Candidate year to book a CISSP webinar or chapter event. Networking at ISC2 local chapters is one of the highest-ROI moves a CC holder can make.
Final CTA: Start Practicing Today
The CC is the cheapest, fastest, and most accessible path into cybersecurity in 2026 — but only if you take action. Most candidates who fail never actually schedule the exam. Lock in a date, then reverse-engineer your study plan from there.
OpenExamPrep's free ISC2 CC practice test: practice questions with detailed explanations.
Official Sources
- ISC2 Certified in Cybersecurity overview
- ISC2 CC Exam Outline (PDF + page)
- One Million Certified in Cybersecurity (1MCC) program
- ISC2 Become a Candidate
- ISC2 FAQ — Registration, scoring, retakes
- ISC2 CC Self-Study Resources
- ISC2 Code of Ethics
- ISC2 CPE Handbook
- BLS OOH — Information Security Analysts
- Pearson VUE ISC2 test center locator