CC exam domains
The CC exam is weighted across 5 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Security Principles | 26% | Practice this topic |
| Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts | 10% | Practice this topic |
| Access Controls Concepts | 22% | Practice this topic |
| Network Security | 24% | Practice this topic |
| Security Operations | 18% | Practice this topic |
Sample CC questions
A sample of the CC questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- A small marketing firm identifies a risk that an internal wiki server could briefly go offline during rare regional power flickers. After analysis, th…View question
- A system administrator built all company web servers from a documented secure baseline last year. During a recent review, several servers were found r…View question
- An attacker on the same office LAN sends forged replies mapping the default gateway's IP address to the attacker's own MAC address. Nearby workstation…View question
- Two companies that have never exchanged keys before want to begin sending encrypted messages to each other over the internet. They need a way for each…View question
- A user connects to their bank's website over public Wi-Fi at a coffee shop. An attacker on the same network positions their device so that all traffic…View question
- A new employee is going through onboarding and receives a document that outlines what activities are permitted when using the company's computers, ema…View question
- An employee logs into the corporate VPN by entering a password and then typing a six-digit code displayed on a physical key fob issued by the company.…View question
- A financial services firm performs nightly backups of its transaction database. During a quarterly review, the security team runs a restore of a backu…View question
- A regional flood forces a retail company to close its main office for several days. Before the disruption, the company had documented alternate work l…View question
- A company created a business continuity plan two years ago. Since then, it has moved several critical applications to a new cloud provider, hired a ne…View question
Key CC terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the CC exam.
CC frequently asked questions
What is the CC certification?+
CC is ISC2’s foundational credential, created to help newcomers break into cybersecurity and to establish a baseline of security knowledge.
It requires no prior work experience, which makes it a common first certification for students, career changers, and IT staff moving toward a security role.
What topics are on the CC exam?+
The CC exam is organised into five weighted domains. The percentages below are ISC2’s official weightings for the current outline (effective October 1, 2025), so bias your study toward the heavier domains — Security Principles and Network Security together account for half the exam. Note that ISC2 has announced a new CC exam outline effective September 1, 2026; verify the current outline on the ISC2 site before you book.
Security Principles (26%)
The largest domain. Covers the CIA triad plus authentication, non-repudiation, and privacy; basic risk management (threats, vulnerabilities, likelihood, impact, and treatment); the three types of security controls (technical, administrative, physical); the ISC2 Code of Ethics; and governance elements such as policies, standards, procedures, and regulations. (Least privilege is drilled under Access Controls and defense in depth under Network Security.)
Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts (10%)
Covers the purpose and components of business continuity (BC) and disaster recovery (DR), incident-response (IR) terminology and the response team, how BC, DR, and IR relate, and the importance of testing plans.
Access Controls Concepts (22%)
Covers physical and logical access controls, the subject/object/rule model, least privilege and segregation of duties, authentication factors and multi-factor authentication, and the DAC, MAC, and RBAC access-control models.
Network Security (24%)
Covers networking basics (OSI and TCP/IP, ports, protocols), common threats such as DoS/DDoS and on-path attacks, network security infrastructure (firewalls, IDS/IPS, VPNs, segmentation), and securing on-premises and cloud/hybrid environments.
Security Operations (18%)
Covers data handling (classification, labeling, retention, secure destruction), encryption basics for data at rest and in transit, configuration management and hardening, patching, and security awareness training and best-practice policies.
Is the CC hard?+
CC is a foundational, entry-level exam, so the difficulty is in the breadth of new terminology rather than deep technical judgment — it introduces the whole vocabulary of cybersecurity at once.
The challenge for beginners is keeping concepts straight across five domains and applying them to simple scenarios. Consistent review of the fundamentals is enough to pass; no advanced experience is needed.
How many questions are on the CC exam and how long is it?+
The live CC exam is a Computerized Adaptive Test (CAT) of 100–125 items in 120 minutes, using multiple choice and advanced item types.
Our full-length practice mock uses a fixed 100-question, 120-minute session so you can rehearse pacing across all five domains before test day.
What score do you need to pass the CC?+
CC is scored on a scale of 0 to 1000, and you need a scaled score of 700 to pass. Because the live exam is adaptive, questions are not all worth the same and there is no penalty for guessing, so answer everything. Our practice mock uses a 70% threshold as a study checkpoint; aim comfortably beyond it before test day.
How much does the CC exam cost?+
The CC exam fee is set by ISC2 and varies by region — check the ISC2 site for current pricing, including any free-exam programs ISC2 runs for newcomers. Certification requires a small annual maintenance fee to stay active. Everything on this hub is free.
Who should take the CC?+
CC is aimed at students, career changers, and IT professionals who want to move into cybersecurity, as well as anyone who needs a validated baseline of security knowledge.
There is no work-experience requirement, which is what makes CC a genuine entry point to the field.
What jobs and salaries can the CC lead to?+
CC maps to entry- or junior-level roles such as security analyst, SOC analyst, help-desk-to-security transitions, and IT roles with security responsibilities.
How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. CC is best viewed as proof of foundational knowledge and a first step toward certifications like Security+ or CISSP.
How long does it take to study for the CC?+
Beginners often need three to six weeks of steady study, focused on learning and organizing new terminology across the five domains.
Review every explanation, including for questions you answered correctly, because CC distractors are built from plausible-sounding but incorrect basics. Use the per-domain results here to find your weakest area, then finish with full-length timed mocks.
How should you prepare for the CC?+
Study the five domains above, giving the heaviest weight to Security Principles and Network Security, then drill questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.
When you can answer comfortably, move to full-length timed mocks. Use the glossary to keep terms like the CIA triad, least privilege, and MFA straight, and aim to score consistently above the checkpoint before you book.
Can you take the CC exam online?+
ISC2 delivers CC at Pearson VUE test centers — there is currently no at-home online-proctored option, so you sit the exam in person at a scheduled testing center. Bring government-issued photo ID; the center provides a secure, monitored environment. (ISC2 has at times run free CC exam vouchers as part of its One Million Certified in Cybersecurity pledge — check the ISC2 site for current availability.)
If you do not pass, ISC2 enforces a retake policy with a waiting period between attempts — check the current policy before rebooking.
What certification should you take after the CC?+
After CC, the common next step is CompTIA Security+ for a broader technical foundation, and later ISC2’s CISSP as you gain experience.
For many, the real next step is landing that first security role. Pairing CC with hands-on practice is what turns the certificate into a career.