200+ Free CC Practice Questions

Pass your ISC2 CC Certified in Cybersecurity exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
  • Pass Rate: Not published
  • Questions: 200+
  • 100% Free
2026 Statistics

Key Facts: CC Exam

  • Exam Items: 100-125 (ISC2)
  • Scaled Passing Grade: 700/1000 (ISC2)
  • Exam Duration: 2 hours (ISC2)
  • Standard Exam Fee: US$199 (ISC2)
  • Exam Format: CAT (ISC2)
  • Experience Required: None (Entry-level)

ISC2 CC is a 2-hour CAT exam with 100-125 multiple-choice and advanced items, a 700/1000 scaled passing grade, and five weighted domains: Security Principles (26%), Business Continuity/DR/Incident Response (10%), Access Controls Concepts (22%), Network Security (24%), and Security Operations (18%). No prior work experience is required. The standard CC exam fee is US$199 in major ISC2 regions. Public enrollment in the One Million Certified in Cybersecurity program ends May 20, 2026; candidates with unexpired codes may schedule and test by December 31, 2026.

Sample CC Practice Questions

Try these sample questions to test your CC exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. Which of the following is the correct definition of confidentiality in the CIA triad?
A. Ensuring data is accessible when needed
B. Preventing unauthorized access to information
C. Verifying the accuracy and completeness of data
D. Tracking user actions for accountability
Explanation: Confidentiality ensures that information is accessible only to those authorized to have access. It prevents unauthorized disclosure of sensitive data. Availability ensures data is accessible when needed, integrity ensures accuracy, and accountability involves tracking actions.

2. A company implements a system to verify that financial records have not been tampered with. Which security principle is being enforced?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Explanation: Integrity ensures that data is accurate, complete, and has not been modified without authorization. This includes protecting against unauthorized modification, deletion, or tampering. Financial record verification is a classic example of integrity protection.

3. Which security principle is primarily concerned with ensuring systems and data are accessible to authorized users when needed?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
Explanation: Availability ensures that systems, data, and resources are accessible and usable by authorized users when needed. This includes protecting against denial-of-service attacks, hardware failures, and ensuring adequate capacity and performance.

4. What type of security control is a firewall that blocks unauthorized network traffic?
A. Administrative control
B. Physical control
C. Technical control
D. Operational control
Explanation: Firewalls are technical (or logical) controls because they use technology to enforce security policies. Technical controls include hardware and software mechanisms like firewalls, encryption, and access control systems. Administrative controls are policies and procedures, while physical controls protect physical assets.

5. Which of the following BEST describes a preventive security control?
A. A security camera that records activity
B. An antivirus program that blocks malware
C. A log review that detects suspicious activity
D. A backup system that restores lost data
Explanation: Preventive controls are designed to stop security incidents before they occur. An antivirus program that blocks malware is a preventive control. Security cameras are detective controls, log reviews are detective controls, and backup systems are corrective controls.

6. A security guard monitoring building entrances represents which type of security control?
A. Technical control
B. Physical control
C. Administrative control
D. Logical control
Explanation: Security guards are physical controls because they protect physical assets and facilities. Physical controls include guards, fences, locks, and surveillance cameras. Technical controls are technology-based, and administrative controls are policy-based.

7. Which of the following is an example of an administrative security control?
A. Encryption of sensitive data
B. Security awareness training program
C. Biometric access control system
D. Fire suppression system
Explanation: Administrative controls are policy, procedure, or training-based controls. Security awareness training is an administrative control. Encryption is a technical control, biometric systems are technical controls, and fire suppression is a physical control.

8. In risk management, what term describes the process of identifying and evaluating potential threats to an organization?
A. Risk mitigation
B. Risk assessment
C. Risk transfer
D. Risk acceptance
Explanation: Risk assessment is the process of identifying potential threats, vulnerabilities, and the likelihood and impact of risks. Risk mitigation reduces risk, risk transfer shifts risk (like insurance), and risk acceptance acknowledges but does not address the risk.

9. A company decides to purchase cyber insurance to offset potential financial losses from a data breach. Which risk treatment strategy is being used?
A. Risk avoidance
B. Risk mitigation
C. Risk transfer
D. Risk acceptance
Explanation: Risk transfer involves shifting the financial impact of risk to a third party, typically through insurance. Risk avoidance eliminates the risk entirely, risk mitigation reduces the risk, and risk acceptance means acknowledging the risk without taking action.

10. According to the (ISC)² Code of Ethics, which of the following is a priority for certified professionals?
A. Maximize profits for their employer
B. Protect society, the common good, and the infrastructure
C. Prioritize client requests above all else
D. Maintain technical certifications through any means
Explanation: The (ISC)² Code of Ethics states that certified professionals must protect society, the common good, necessary public trust and confidence, and the infrastructure. This is the primary canon, taking precedence over employer loyalty or client requests.

About the CC Exam

The ISC2 Certified in Cybersecurity (CC) is an entry-level cybersecurity certification for newcomers, career changers, students, and early IT professionals. The current CC exam outline is effective October 1, 2025, with a notice that a refreshed outline applies September 1, 2026. The exam uses Computerized Adaptive Testing (CAT), allows 2 hours, includes 100-125 multiple-choice and advanced items, and covers Security Principles, Business Continuity/Disaster Recovery/Incident Response, Access Controls Concepts, Network Security, and Security Operations.

  • Assessment: 100-125 multiple-choice and advanced items
  • Time Limit: 2 hours
  • Passing Score: 700/1000 scaled score
  • Exam Fee: US$199 standard registration (ISC2 / Pearson VUE)

CC Exam Content Outline

  • Security Principles (26%): Confidentiality, integrity, availability, authentication, non-repudiation, privacy, risk management, security controls, ISC2 Code of Ethics, governance, policies, procedures, standards, regulations, and laws
  • Business Continuity, Disaster Recovery, and Incident Response Concepts (10%): Business continuity purpose and components, disaster recovery purpose and components, incident response purpose and components, resilience planning, recovery objectives, playbooks, and lessons learned
  • Access Controls Concepts (22%): Physical security controls, monitoring, authorized versus unauthorized personnel, least privilege, segregation of duties, discretionary access control, mandatory access control, and role-based access control
  • Network Security (24%): OSI and TCP/IP models, IPv4, IPv6, Wi-Fi, ports, applications, network threats and attacks, IDS/HIDS/NIDS, antivirus, scans, firewalls, IPS, segmentation, DMZs, VLANs, VPNs, micro-segmentation, defense in depth, NAC, IoT, and cloud service models
  • Security Operations (18%): Encryption, hashing, data handling, destruction, retention, classification, labeling, logging, monitoring, configuration management, baselines, updates, patches, data handling policy, password policy, acceptable use, BYOD, change management, privacy policy, and awareness training

How to Pass the CC Exam

What You Need to Know

  • Passing score: 700/1000 scaled score
  • Assessment: 100-125 multiple-choice and advanced items
  • Time limit: 2 hours
  • Exam fee: US$199 standard registration

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CC Study Tips from Top Performers

1. Start with Security Principles because it is the largest domain and anchors the rest of the exam.
2. Do not treat 700/1000 as a percentage; ISC2 uses scaled scoring.
3. Practice CAT-style discipline: answer carefully, commit, and move forward because adaptive exams do not reward second-guessing.
4. Use the domain weights to allocate time, but use missed-question patterns to decide what to study next.
5. Memorize the difference between policy, standard, procedure, and guideline; CC asks many governance questions through short scenarios.
6. Know access-control models and lifecycle steps: identification, authentication, authorization, accountability, provisioning, review, and deprovisioning.
7. For network questions, map symptoms to OSI/TCP-IP layers, then choose the control or device that best fits the scenario.

Frequently Asked Questions

What is the ISC2 CC exam format in 2026?

The current ISC2 CC exam uses Computerized Adaptive Testing (CAT). ISC2 lists a 2-hour time limit, 100-125 multiple-choice and advanced item types, a 700 out of 1000 passing grade, and Pearson VUE test-center delivery. The current outline is effective October 1, 2025, and ISC2 has posted a notice that a refreshed outline applies September 1, 2026.

Do I need experience for the ISC2 CC certification?

No. Certified in Cybersecurity is designed as an entry-level ISC2 certification with no professional experience requirement to sit for the exam. It is a fit for students, career changers, early IT workers, and candidates building a foundation before Security+, SSCP, or CISSP.

Is the ISC2 CC exam still free through 1MCC?

ISC2 announced on April 22, 2026 that public enrollment in the One Million Certified in Cybersecurity program will end on May 20, 2026. Candidates who already have unexpired exam codes may schedule and take the exam by December 31, 2026. After the program concludes, CC exam and education options are available for purchase like other ISC2 exams and courses.

What are the five domains of ISC2 CC?

The official CC domains are Security Principles (26%), Business Continuity, Disaster Recovery, and Incident Response Concepts (10%), Access Controls Concepts (22%), Network Security (24%), and Security Operations (18%).

How long should I study for the ISC2 CC exam?

Most new candidates should plan 40-80 focused study hours. Candidates with IT or security experience may need less, while complete beginners should spend extra time on networking basics, access control models, BC/DR/IR terminology, security operations vocabulary, and scenario-based practice.

Does ISC2 publish the CC pass rate?

No. ISC2 does not publish a public CC pass-rate percentage. A better readiness target is evidence-based: explain every official domain objective in your own words, score consistently on mixed practice sets, and review missed questions until you can identify why each wrong option is wrong.

What jobs can ISC2 CC help with?

CC is a foundation credential for entry-level cybersecurity and IT security support roles such as SOC analyst trainee, junior security analyst, help desk with security responsibilities, GRC coordinator, cybersecurity intern, and security operations support. It is strongest when paired with hands-on labs, networking fundamentals, and practice reading alerts, logs, policies, and access-control scenarios.