
100+ Free IIBA CCA Practice Questions

Pass your IIBA Certificate in Cybersecurity Analysis (CCA) exam on the first try — instant access, no signup required.

Key Facts: IIBA CCA Exam (2026 statistics)

  • Exam Questions: 75 (source: IIBA)
  • Time Limit: 90 min (source: IIBA)
  • Exam Fee (Member/Non-member): $250/$400 (source: IIBA)
  • Learning Outcomes: 6 areas (source: IIBA)
  • Delivery: Online, proctored (source: IIBA)
  • Availability: Global (source: IIBA)

The IIBA CCA is a standalone cybersecurity certificate aimed at business analysts who need to translate security and compliance needs into requirements, user stories, and acceptance criteria. The 75-question, 90-minute online proctored exam covers six learning areas: risk management, threat assessment, security solutions, compliance and regulation, BA cybersecurity practice, and governance and ethics. It is globally available with a member fee of $250 and a non-member fee of $400, and it is positioned as an entry-to-intermediate credential.

Sample IIBA CCA Practice Questions

Try these sample questions to test your IIBA CCA exam readiness. Each question includes a detailed explanation. The full interactive quiz offers 100+ questions with AI tutoring.

1. Under the NIST Cybersecurity Framework 2.0 (released February 2024), which function was newly added to the original five Core Functions to emphasize organizational oversight of cybersecurity risk?
   A. Govern
   B. Authorize
   C. Anticipate
   D. Monitor
   Explanation: NIST CSF 2.0, published in February 2024, added GOVERN as a sixth Core Function alongside Identify, Protect, Detect, Respond, and Recover. GOVERN establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy, ensuring cybersecurity is treated as an enterprise risk alongside legal, financial, and operational risk.

2. A business analyst is documenting a risk register for a new payment platform. Which formula best represents quantitative risk?
   A. Risk = Threat - Vulnerability
   B. Risk = Likelihood x Impact
   C. Risk = Asset Value / Control Cost
   D. Risk = Confidentiality + Integrity + Availability
   Explanation: Risk is conventionally expressed as Likelihood (or probability) multiplied by Impact (or consequence). This formula is used in NIST SP 800-30 and ISO 27005 risk assessments and lets analysts compare risks on a consistent scale to support treatment decisions.

3. Which risk treatment option is being applied when an organization purchases a cyber insurance policy to cover potential ransomware payouts?
   A. Risk avoidance
   B. Risk mitigation
   C. Risk transfer
   D. Risk acceptance
   Explanation: Buying insurance shifts the financial impact of a realized risk to a third party (the insurer). ISO 27005 and NIST SP 800-39 categorize this as risk transfer (or risk sharing). The likelihood of the event does not change, only who bears the loss.

4. Which element of the CIA triad is MOST directly compromised when an attacker performs a ransomware attack that encrypts production databases?
   A. Confidentiality
   B. Integrity
   C. Availability
   D. Non-repudiation
   Explanation: Ransomware primarily targets availability by rendering data and systems inaccessible until a key is provided. Modern ransomware groups often add data exfiltration, which then also impacts confidentiality, but the encryption-for-ransom mechanic itself is an availability attack.

5. ISO/IEC 27001:2022 reorganized Annex A controls into how many controls grouped under four themes?
   A. 114 controls in 14 domains
   B. 93 controls in 4 themes
   C. 75 controls in 5 themes
   D. 133 controls in 11 domains
   Explanation: ISO/IEC 27001:2022 (published October 2022) restructured Annex A from 114 controls in 14 domains down to 93 controls organized into four themes: Organizational, People, Physical, and Technological. The change aligned with ISO/IEC 27002:2022 and introduced 11 new controls including threat intelligence and ICT readiness for business continuity.

6. An organization's risk register lists a residual risk that remains after controls are applied. What is residual risk?
   A. The risk before any controls are implemented
   B. The risk that remains after risk treatment has been applied
   C. The total risk transferred to an insurer
   D. Risk introduced by the controls themselves
   Explanation: Residual risk is the risk remaining after the organization has applied its chosen risk treatment (controls, transfer, avoidance). ISO 27005 requires senior management to formally accept residual risk. Inherent risk is the pre-treatment risk; secondary risk is risk introduced by the response itself.

7. Within NIST CSF 2.0, the IDENTIFY function is concerned with which type of activity?
   A. Detecting anomalies through continuous monitoring
   B. Developing organizational understanding of assets, business environment, and risks
   C. Containing incidents and coordinating response activities
   D. Restoring services and capabilities after a cybersecurity incident
   Explanation: IDENTIFY focuses on developing organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Its categories include Asset Management, Business Environment, Governance (now mostly under GOVERN in 2.0), Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.

8. A BA is performing a Business Impact Analysis for a critical SaaS application. Which two metrics are MOST important to capture for continuity planning?
   A. RPO and RTO
   B. MTTR and SLA
   C. CVSS and CVE
   D. TPM and HSM
   Explanation: Recovery Point Objective (RPO) is the maximum acceptable data loss measured in time, and Recovery Time Objective (RTO) is the maximum acceptable downtime. Together they drive backup frequency, replication architecture, and recovery procedures, and they are central deliverables of a Business Impact Analysis.

9. Which qualitative risk assessment technique uses ratings such as Low/Medium/High/Critical on impact and likelihood axes?
   A. Monte Carlo simulation
   B. Heat map (risk matrix)
   C. Fault Tree Analysis
   D. Bowtie analysis
   Explanation: A heat map or risk matrix plots qualitative impact and likelihood on a grid, producing color-coded zones (often green/yellow/red). It is the most common qualitative technique referenced in ISO 27005 and NIST SP 800-30 and is the format BAs typically present to executive stakeholders.

10. An organization implements segregation of duties so that the developer who writes code cannot deploy it to production. This control is BEST classified as which type?
   A. Detective control
   B. Preventive control
   C. Corrective control
   D. Compensating control
   Explanation: Segregation of duties (SoD) is a preventive control: it stops a single individual from performing fraudulent or erroneous end-to-end actions. Preventive controls aim to keep an undesirable event from occurring. Detective controls find events after the fact, and corrective controls remediate impact.

About the IIBA CCA Exam

The IIBA Certificate in Cybersecurity Analysis (CCA) validates a business analyst's ability to bring cybersecurity considerations into requirements, design, and solution evaluation. The exam covers risk management, threat assessment, security solutions, compliance, BA-specific cybersecurity practice, and governance and ethics, aligned with frameworks like NIST CSF 2.0, ISO 27001:2022, and PCI DSS v4.0.

  • Questions: 75 scored questions
  • Time Limit: 90 minutes
  • Passing Score: Scaled cut score (not published)
  • Exam Fee: $250 member / $400 non-member (source: International Institute of Business Analysis, IIBA)

IIBA CCA Exam Content Outline

  • Cybersecurity Risk Management (20%): Risk identification, assessment, and treatment using NIST CSF 2.0 and ISO 27001/27005
  • Threat Assessment (15%): STRIDE, PASTA, MITRE ATT&CK, threat intelligence, and vulnerability management
  • Security Solutions (20%): IAM, encryption, network security, endpoint, cloud, and SIEM/SOAR
  • Compliance and Regulation (15%): GDPR, CCPA/CPRA, HIPAA, PCI DSS v4.0, NIST 800-53/800-171
  • Cybersecurity for BA Practice (15%): Security elicitation, misuse cases, BABOK alignment, and security NFRs
  • Governance and Ethics (15%): Policy hierarchy, IIBA ethics, privacy by design, and data classification

How to Pass the IIBA CCA Exam

What You Need to Know

  • Passing score: Scaled cut score (not published)
  • Exam length: 75 questions
  • Time limit: 90 minutes
  • Exam fee: $250 member / $400 non-member

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

IIBA CCA Study Tips from Top Performers

  1. Memorize the six NIST CSF 2.0 Core Functions (Govern, Identify, Protect, Detect, Respond, Recover) and what each owns
  2. Know how ISO 27001:2022 reorganized Annex A into 93 controls across 4 themes (Organizational, People, Physical, Technological)
  3. Be fluent in STRIDE categories and PASTA's 7 stages — they are common threat-modeling test points
  4. Understand authentication factors (know/have/are), access models (DAC/MAC/RBAC/ABAC), and federation protocols (SAML, OAuth, OIDC)
  5. Know GDPR mechanics: 72-hour breach notice, controller vs processor, lawful bases, DPIAs, and one-month SAR response
  6. Practice writing security user stories with measurable acceptance criteria and trace them to controls in an RTM
  7. Study the policy hierarchy (Policy > Standard > Procedure > Guideline) and IIBA's Code of Ethical Conduct
  8. Take at least two full-length 75-question timed practice runs before scheduling the exam

Frequently Asked Questions

What is the IIBA CCA exam format?

The IIBA CCA exam has 75 multiple-choice questions to be completed in 90 minutes. It is delivered online via remote proctoring. IIBA does not publish the exact passing cut score; the result is reported as Pass/Fail.

What does the CCA cost?

The CCA exam fee is $250 for IIBA members and $400 for non-members (USD). IIBA membership at around $129/year typically pays for itself if you take any IIBA exam.

Are there prerequisites for the CCA?

No formal prerequisites are required. IIBA recommends foundational business analysis knowledge such as that covered by the BABOK Guide or ECBA-level study.

What frameworks should I study for the CCA?

Focus on NIST Cybersecurity Framework 2.0 (with the new GOVERN function), ISO/IEC 27001:2022, PCI DSS v4.0, GDPR, MITRE ATT&CK, OWASP Top 10:2021, and BABOK Guide alignment for security requirements.

How long should I study for the CCA?

Plan for 40-80 hours over 6-10 weeks. Distribute your time roughly to the published learning-outcome weights (20% risk, 15% threat, 20% solutions, 15% compliance, 15% BA practice, 15% governance) and complete 200+ practice questions before testing.

What jobs does the CCA support?

The CCA strengthens the resume of business analysts working on regulated, security-sensitive, or critical-infrastructure programs. Common titles include Cybersecurity Business Analyst, Privacy/Risk BA, GRC Analyst, and Security Product Owner.