ISC2 · Foundational

ISC2 CC — Certified in Cybersecurity (CC) practice exam & study guide

Certified in Cybersecurity (CC) is ISC2’s entry-level certification for people starting a cybersecurity career. It validates foundational knowledge across five domains — security principles; business continuity, disaster recovery, and incident response; access controls; network security; and security operations — with no work experience required.

CC is a beginner, knowledge-based exam — multiple choice that tests whether you understand core cybersecurity concepts, not whether you can operate advanced tools. The live exam uses Computerized Adaptive Testing (CAT).

This free hub gives you everything you need to prepare: a syllabus breakdown by exam domain, realistic practice questions with teacher-style explanations, a glossary of the foundational security terms the exam relies on, and full-length timed mock exams that mirror the real testing experience.

100
Questions
120 min
Time limit
70%
Mock pass %
5
Domains

Start studying CC

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 5 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    100 questions · 120 min · 70% to pass our mock.

    Take the mock exam

All CC study resources

CC exam domains

The CC exam is weighted across 5 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Security Principles26%Practice this topic
Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts10%Practice this topic
Access Controls Concepts22%Practice this topic
Network Security24%Practice this topic
Security Operations18%Practice this topic

Sample CC questions

A sample of the CC questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key CC terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the CC exam.

CC frequently asked questions

What is the CC certification?+

CC is ISC2’s foundational credential, created to help newcomers break into cybersecurity and to establish a baseline of security knowledge.

It requires no prior work experience, which makes it a common first certification for students, career changers, and IT staff moving toward a security role.

What topics are on the CC exam?+

The CC exam is organised into five weighted domains. The percentages below are ISC2’s official weightings for the current outline (effective October 1, 2025), so bias your study toward the heavier domains — Security Principles and Network Security together account for half the exam. Note that ISC2 has announced a new CC exam outline effective September 1, 2026; verify the current outline on the ISC2 site before you book.

Security Principles (26%)

The largest domain. Covers the CIA triad plus authentication, non-repudiation, and privacy; basic risk management (threats, vulnerabilities, likelihood, impact, and treatment); the three types of security controls (technical, administrative, physical); the ISC2 Code of Ethics; and governance elements such as policies, standards, procedures, and regulations. (Least privilege is drilled under Access Controls and defense in depth under Network Security.)

Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts (10%)

Covers the purpose and components of business continuity (BC) and disaster recovery (DR), incident-response (IR) terminology and the response team, how BC, DR, and IR relate, and the importance of testing plans.

Access Controls Concepts (22%)

Covers physical and logical access controls, the subject/object/rule model, least privilege and segregation of duties, authentication factors and multi-factor authentication, and the DAC, MAC, and RBAC access-control models.

Network Security (24%)

Covers networking basics (OSI and TCP/IP, ports, protocols), common threats such as DoS/DDoS and on-path attacks, network security infrastructure (firewalls, IDS/IPS, VPNs, segmentation), and securing on-premises and cloud/hybrid environments.

Security Operations (18%)

Covers data handling (classification, labeling, retention, secure destruction), encryption basics for data at rest and in transit, configuration management and hardening, patching, and security awareness training and best-practice policies.

Is the CC hard?+

CC is a foundational, entry-level exam, so the difficulty is in the breadth of new terminology rather than deep technical judgment — it introduces the whole vocabulary of cybersecurity at once.

The challenge for beginners is keeping concepts straight across five domains and applying them to simple scenarios. Consistent review of the fundamentals is enough to pass; no advanced experience is needed.

How many questions are on the CC exam and how long is it?+

The live CC exam is a Computerized Adaptive Test (CAT) of 100–125 items in 120 minutes, using multiple choice and advanced item types.

Our full-length practice mock uses a fixed 100-question, 120-minute session so you can rehearse pacing across all five domains before test day.

What score do you need to pass the CC?+

CC is scored on a scale of 0 to 1000, and you need a scaled score of 700 to pass. Because the live exam is adaptive, questions are not all worth the same and there is no penalty for guessing, so answer everything. Our practice mock uses a 70% threshold as a study checkpoint; aim comfortably beyond it before test day.

How much does the CC exam cost?+

The CC exam fee is set by ISC2 and varies by region — check the ISC2 site for current pricing, including any free-exam programs ISC2 runs for newcomers. Certification requires a small annual maintenance fee to stay active. Everything on this hub is free.

Who should take the CC?+

CC is aimed at students, career changers, and IT professionals who want to move into cybersecurity, as well as anyone who needs a validated baseline of security knowledge.

There is no work-experience requirement, which is what makes CC a genuine entry point to the field.

What jobs and salaries can the CC lead to?+

CC maps to entry- or junior-level roles such as security analyst, SOC analyst, help-desk-to-security transitions, and IT roles with security responsibilities.

How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. CC is best viewed as proof of foundational knowledge and a first step toward certifications like Security+ or CISSP.

How long does it take to study for the CC?+

Beginners often need three to six weeks of steady study, focused on learning and organizing new terminology across the five domains.

Review every explanation, including for questions you answered correctly, because CC distractors are built from plausible-sounding but incorrect basics. Use the per-domain results here to find your weakest area, then finish with full-length timed mocks.

How should you prepare for the CC?+

Study the five domains above, giving the heaviest weight to Security Principles and Network Security, then drill questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.

When you can answer comfortably, move to full-length timed mocks. Use the glossary to keep terms like the CIA triad, least privilege, and MFA straight, and aim to score consistently above the checkpoint before you book.

Can you take the CC exam online?+

ISC2 delivers CC at Pearson VUE test centers — there is currently no at-home online-proctored option, so you sit the exam in person at a scheduled testing center. Bring government-issued photo ID; the center provides a secure, monitored environment. (ISC2 has at times run free CC exam vouchers as part of its One Million Certified in Cybersecurity pledge — check the ISC2 site for current availability.)

If you do not pass, ISC2 enforces a retake policy with a waiting period between attempts — check the current policy before rebooking.

What certification should you take after the CC?+

After CC, the common next step is CompTIA Security+ for a broader technical foundation, and later ISC2’s CISSP as you gain experience.

For many, the real next step is landing that first security role. Pairing CC with hands-on practice is what turns the certificate into a career.