Domain Map and Time Allocation

Key Takeaways

  • The October-2025 CC outline has five weighted domains: Security Principles 26%, BC/DR/IR 10%, Access Controls 22%, Network Security 24%, and Security Operations 18%.
  • Security Principles is the largest domain and supplies the vocabulary the other four domains assume you already know.
  • Allocate study time by domain weight first, then redirect hours toward your measured weak areas after a diagnostic.
  • BC/DR/IR is small by weight but high-yield because its ordering and escalation items are easy points once practiced.
  • A healthy week blends reading, scenario translation, recall drills, and timed mixed sets rather than one domain at a time.
Last updated: June 2026

The Five Domains and Their Verified Weights

The CC exam is organized around five domains. Weights shape how many items each area can supply, so they should shape your plan — but a 10 percent domain can still decide an item if the question lands on incident ordering or recovery. These weights are confirmed against the ISC2 outline effective October 1, 2025.

#   Domain                                                                             Exam weight
1   Security Principles                                                                26%
2   Business Continuity (BC), Disaster Recovery (DR) & Incident Response (IR) Concepts 10%
3   Access Controls Concepts                                                           22%
4   Network Security                                                                   24%
5   Security Operations                                                                18%

Security Principles is the largest domain and the foundation: confidentiality-integrity-availability (the CIA triad), authentication versus authorization, non-repudiation, privacy, governance, risk, the ISC2 Code of Ethics, and security control types (technical, administrative, physical; preventive, detective, corrective). The other four domains assume this vocabulary, so weak Domain 1 quietly costs you points everywhere.

Network Security (24%) and Access Controls (22%) are close behind — expect many practical items on secure protocols, segmentation, and identity/least-privilege. Security Operations (18%) covers monitoring, logging, awareness, change, and physical security. BC/DR/IR (10%) is smallest but intensely practical.

A Weight-Based Time Allocation

For a candidate with 60 focused study hours, a defensible first-pass allocation tracks the weights:

Domain                     Weight   Approx. hours
Security Principles        26%      16
BC/DR/IR Concepts          10%      6
Access Controls Concepts   22%      13
Network Security           24%      14
Security Operations        18%      11

This is a starting budget, not a fixed rule. After a diagnostic quiz, move hours toward measured weakness. If you already know CIA, authentication, and policy but miss segmentation and secure protocols, shift time from Domain 1 to Domain 4. If you work in IT support and know networks but find policy and incident concepts new, push hours into Domains 1 and 2.

What Each Domain Feels Like in Questions

Domain                Common item style
Security Principles   Choose the security goal, ethical response, control type, or risk-aware decision
BC/DR/IR              Order response steps, identify continuity terms (RTO/RPO, BIA), or pick the escalation action
Access Controls       Match identity, authentication factors, authorization, least privilege, and account lifecycle
Network Security      Identify secure protocols (TLS, SSH), segmentation, common attacks, and defensive placement
Security Operations   Select monitoring, logging, awareness, change, backup, and physical-protection practices

The Weekly Mix

Do not read one domain start-to-finish and forget it. Blend four activities every week so concepts stay retrievable under time pressure:

  • Read and annotate to build vocabulary and concept boundaries.
  • Scenario review to convert terms into workplace decisions (the real skill the exam tests).
  • Recall drills to make high-yield facts fast — domain weights, the CIA triad, control categories, RTO versus RPO.
  • Timed mixed sets to rehearse pacing and the no-going-back CAT discipline.

High-Yield Facts Hidden Inside Each Domain

Domain weight tells you how many items to expect, but certain compact facts inside each domain repay memorization far beyond their size because they anchor multiple questions. Drill these to instant recall:

  • Domain 1 (Security Principles): the CIA triad; authentication (proving who you are) versus authorization (what you may do) versus accounting/accountability; non-repudiation; the three control categories (technical/logical, administrative/managerial, physical) and the four functional types (preventive, detective, deterrent, corrective); the difference between a risk, a threat, and a vulnerability; risk treatment options — accept, avoid, mitigate, transfer; and the ISC2 Code of Ethics canons in order.
  • Domain 2 (BC/DR/IR): Business Impact Analysis (BIA); Recovery Time Objective (RTO) versus Recovery Point Objective (RPO); the incident-response phases (preparation, detection, response, recovery); the order of a disaster-recovery effort versus business-continuity planning.
  • Domain 3 (Access Controls): the three authentication factor types (something you know, have, are); least privilege and need-to-know; separation of duties; the access-control models (DAC, MAC, RBAC); the account lifecycle from provisioning to deprovisioning.
  • Domain 4 (Network Security): secure versus insecure protocol pairs (HTTPS over HTTP, SSH over Telnet, SFTP over FTP); the OSI versus TCP/IP layers at a high level; segmentation, DMZ, firewalls, VPNs; common attacks such as DDoS, on-path (man-in-the-middle), and phishing.
  • Domain 5 (Security Operations): data handling and classification; logging and monitoring; the change-management process; backup types (full, incremental, differential); security awareness training; and physical controls.

Most candidates who fail do so because Domain 1 vocabulary is shaky, which then drags down items in Domains 3, 4, and 5 that assume those terms. Fix the foundation first.

Scenario: Rebalancing by Evidence

A candidate studies 20 hours and takes a mixed review. They ace definitions but miss items asking for the first incident-response action and items distinguishing authentication from authorization. Their next week should not simply repeat the original table. They should add incident-ordering practice (Domain 2) and account-lifecycle and access scenarios (Domain 3). Domain weights set the budget; missed-question patterns tell you where the next hour pays the most. Treat the domain map like a spending plan — invest most where the exam invests most, but keep a reserve to repair weak decisions before test day.

Test Your Knowledge: Matching

Match each CC domain to its verified October-2025 exam weight.

Match each item on the left with the correct item on the right.

  1. Security Principles
  2. BC/DR/IR Concepts
  3. Access Controls Concepts
  4. Network Security
  5. Security Operations

Test Your Knowledge

A candidate has 60 study hours and no diagnostic data yet. Which initial allocation is most defensible?

Test Your Knowledge: Multi-Select

Which activities belong in a healthy weekly CC study mix? Select all that apply.

  • Reading and annotating concepts
  • Scenario review that turns terms into decisions
  • Recall drills for high-yield facts
  • Timed mixed question sets
  • Adjusting your plan to match a rumored public pass rate