Certification guide
Certified in Cybersecurity (CC) is ISC2’s entry point into the profession — the credential built for people stepping into their first security role, changing careers, or finishing a degree, with no work experience required. It comes from the same certifying body behind the CISSP, which is exactly the point: passing the CC starts an ISC2 record that compounds as you move up through SSCP, CGRC, CCSP, and eventually CISSP. It proves to a hiring manager that you have a working command of security principles, access control, networking, operations, and incident response basics — the vocabulary and judgment a junior analyst is expected to bring on day one.
The exam outline in force today took effect October 1, 2025, and its defining change is AI. ISC2 wove foundational AI security through all five domains: data poisoning as an integrity attack on machine-learning models, AI-generated phishing and voice cloning as network threats, the “security of the AI workspace” — meaning the data-leakage risk when employees paste confidential information into public chatbots — and the governance expectation that acceptable use policies now cover generative AI tools. ISC2 has also announced a refreshed outline effective September 1, 2026, so if your test date falls after that, pull the updated outline before finalizing your plan. The exam itself is delivered as a computerized adaptive test at Pearson VUE: 100–125 items in two hours, scored against a 700-out-of-1000 scaled bar.
The five domains
Security Principles
Domain 1 · 26%The heaviest domain and the conceptual foundation for everything else: the CIA triad, authentication factors and MFA, non-repudiation, privacy, the risk management process (identify, assess, treat — avoid, accept, mitigate, transfer), the three control categories (technical, administrative, physical), the ISC2 Code of Ethics canons in priority order, and the governance hierarchy of policies, standards, procedures, and guidelines. The AI thread starts here too — expect model poisoning framed as an integrity problem and data leakage to public AI tools framed as a confidentiality problem.
Business Continuity, Disaster Recovery & Incident Response Concepts
Domain 2 · 10%The lightest domain, but dense with definitions the exam loves: the purpose and components of BC, DR, and IR plans, the business impact analysis, RTO versus RPO, hot/warm/cold recovery sites, the incident response lifecycle in order, why containment comes before eradication, and what a lessons-learned review is actually for. Ten questions’ worth of material you can lock down in an afternoon — do not leave these on the table.
Access Controls Concepts
Domain 3 · 22%Physical and logical access side by side: tailgating and the vestibules that defeat it, badges, visitor accountability, and bollards on the physical end; identification–authentication–authorization–accounting, least privilege, need to know, separation of duties, dual control, privileged account handling, and the DAC/MAC/RBAC/rule-based model distinctions on the logical end. Provisioning and deprovisioning discipline — especially what happens the moment an employee is terminated — and privilege creep round out the domain.
Network Security
Domain 4 · 24%The most technical domain and the one career-changers should budget the most time for: OSI layers and what routers and switches actually do, TCP versus UDP, well-known ports, IPv4 versus IPv6, and Wi-Fi security generations. Threats cover DoS/DDoS, on-path attacks, viruses, worms, trojans, ransomware, and AI-enhanced social engineering; defenses cover firewalls, IDS versus IPS, HIDS versus NIDS, SIEM, segmentation and VLANs, DMZs, VPNs, zero trust, cloud service and deployment models, and data-center fundamentals like UPS-plus-generator power redundancy.
Security Operations
Domain 5 · 18%The day-to-day discipline: data classification, handling, and proper media sanitization; encryption in transit and at rest, hashing for integrity, and symmetric versus asymmetric basics; logging, monitoring, and retention; configuration baselines, change management, patch management, and system hardening; and the policy suite — acceptable use, BYOD, password, data handling, and privacy — plus the security awareness program that makes it stick. The 2025 outline expects the AUP conversation to include generative AI tools explicitly.
Practicing for it
Our practice exam mirrors the real thing where it counts: 100 questions stratified to the official domain weights — 26 on security principles, 10 on BC/DR/IR, 22 on access controls, 24 on network security, and 18 on security operations — on a 120-minute timer. Every question is a one-best-answer item with plausible near-miss distractors and a full explanation of why the credited answer beats the alternatives, including the AI-integrated material from the October 2025 outline. The pass mark is set at 70%, an honest raw-score equivalent of ISC2’s 700/1000 scaled bar — and because the draw matches the official weights, a passing score here means you covered the whole outline, not luck in the heavy ones.
ISC2 CC - Practice Exam
Full-length 100-question ISC2 Certified in Cybersecurity practice exam stratified to the official domain weights (26/10/22/24/18), including the AI security concepts woven through the October 2025 exam…
Subscribe to startTreat your results diagnostically. Score each domain separately: if you are strong in Domains 1 and 3 but leaking points in Domain 4, that is where the next study block goes — networking is where candidates without an IT background lose the most ground. And since Domain 2 is only ten percent of the exam but nearly pure definitions, it is the cheapest ten percent you will ever earn.
Trademark notice & independence. CC®, CISSP®, SSCP®, CCSP®, CGRC®, and ISC2® are registered trademarks of ISC2, Inc. Certifym is an independent study resource and is not affiliated with, endorsed by, or sponsored by ISC2. The CC exam outline and its domain structure are the property of ISC2, Inc.; candidates should download the official, current exam outline directly from isc2.org.
All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISC2 examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam.
