ISC2 Certified in Cybersecurity (CC) Practice Questions
Introduction
This document compiles practice questions for the ISC2 Certified in Cybersecurity (CC) exam, focusing on commonly tested topics across the five exam domains: Security Principles (26%), Business Continuity, Disaster Recovery & Incident Response Concepts (10%), Access Controls Concepts (22%), Network Security (24%), and Security Operations (18%). These questions are sourced from reputable resources to help candidates prepare effectively.
Sample Questions
Domain 1: Security Principles
1. Which of the following best describes the principle of least privilege?
A. Ensuring that users have access to all resources
B. Limiting user access to the minimum necessary to perform their job functions
C. Granting full access to administrators
D. Allowing temporary access to users for any tasks
Answer: B
Explanation: The principle of least privilege restricts user access to only what is
necessary for their job, reducing the risk of unauthorized access or data breaches.
2. What is the primary goal of implementing security policies in an organization?
A. To ensure legal compliance
B. To create a framework for security controls and procedures
C. To enforce strong passwords
D. To train employees in cybersecurity
Answer: B
Explanation: Security policies provide a structured approach, outlining objectives
and measures to ensure a consistent, comprehensive security posture.
3. Which security principle focuses on ensuring that data cannot be altered
without authorization?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
Answer: B
Explanation: Integrity ensures that data is accurate, reliable, and protected from
unauthorized modifications.
4. Which of the following is an example of a physical security control?
A. Firewalls
B. Encryption
C. Security guards
D. Antivirus software
Answer: C
Explanation: Security guards are a physical security measure that prevents unauthorized physical access to an organization's facilities and infrastructure.
5. Which of the following best describes the concept of defense in depth?
A. Using a single security measure to protect assets
B. Implementing multiple layers of security controls
C. Applying security only at the perimeter of the network
D. Relying on user education for security
Answer: B
Explanation: Defense in depth uses multiple security layers to ensure protection
even if one layer fails.
Domain 2: Business Continuity, Disaster Recovery & Incident
Response Concepts
1. What is the main goal of business continuity planning?
A. To restore normal operations after a disaster
B. To identify potential threats to the organization
C. To develop incident response procedures
D. To ensure the continuous availability of critical business functions
Answer: D
Explanation: Business continuity planning focuses on maintaining essential functions during and after a disaster to minimize disruptions.
2. Which phase of the disaster recovery plan involves the restoration of
normal operations?
A. Response
B. Recovery
C. Mitigation
D. Business Impact Analysis (BIA)
Answer: B
Explanation: The recovery phase involves actions to restore normal business operations after a disaster.
3. What is the purpose of conducting a Business Impact Analysis (BIA)?
A. To assess the security posture of an organization
B. To determine the impact of disruptions on business operations
C. To identify potential security threats
D. To develop security policies
Answer: B
Explanation: A BIA identifies critical business functions and assesses the impact
of disruptions to prioritize recovery efforts.
4. Which of the following is a primary component of an incident response
plan?
A. Risk assessment
B. Communication procedures
C. Security policy development
D. Physical security measures
Answer: B
Explanation: Communication procedures are essential in incident response plans
to ensure prompt information dissemination.
5. What is the main purpose of disaster recovery testing?
A. To ensure compliance with regulations
B. To validate the effectiveness of the disaster recovery plan
C. To train employees on security policies
D. To identify potential threats to the organization
Answer: B
Explanation: Disaster recovery testing verifies that the plan can restore critical
functions within required timeframes.
Domain 3: Access Controls Concepts
1. Which access control model is based on the classification of information
and clearance levels of users?
A. Role-Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)
Answer: C
Explanation: MAC assigns access rights based on information classification and
user clearance, commonly used in high-security environments.
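The clearance-versus-classification check that MAC performs, written out as an added example (this is illustrative code, not part of the practice-question source). A label is a sensitivity level plus a set of compartments; the level names, compartment names and the "analyst" subject are assumptions made for the example. It enforces the two Bell-LaPadula rules most CC questions refer to: no read up and no write down.

```go
package main

import "fmt"

// Added example (not from the practice-question source): a minimal mandatory
// access control check. Labels are a sensitivity level plus a set of
// compartments (need-to-know categories); level names, compartment names and
// the sample subject/objects are constructed for illustration.

// Ordered sensitivity levels; a higher value dominates a lower one.
var levels = map[string]int{
	"UNCLASSIFIED": 0,
	"CONFIDENTIAL": 1,
	"SECRET":       2,
	"TOP_SECRET":   3,
}

// Label is the MAC security label carried by subjects (clearance) and
// objects (classification). Neither the user nor the data owner can change it;
// only the security administrator can.
type Label struct {
	Level        string
	Compartments map[string]bool
}

// NewLabel builds a Label from a level name and zero or more compartments.
func NewLabel(level string, compartments ...string) Label {
	c := make(map[string]bool, len(compartments))
	for _, name := range compartments {
		c[name] = true
	}
	return Label{Level: level, Compartments: c}
}

// Dominates reports whether label a dominates label b: a's level is at least
// b's level and a's compartments are a superset of b's.
func Dominates(a, b Label) bool {
	if levels[a.Level] < levels[b.Level] {
		return false
	}
	for name := range b.Compartments {
		if !a.Compartments[name] {
			return false
		}
	}
	return true
}

// CanRead enforces the simple security property ("no read up"): the subject's
// clearance must dominate the object's classification.
func CanRead(clearance, classification Label) bool {
	return Dominates(clearance, classification)
}

// CanWrite enforces the *-property ("no write down"): the object's
// classification must dominate the subject's clearance, so SECRET content can
// never be written into an UNCLASSIFIED file.
func CanWrite(clearance, classification Label) bool {
	return Dominates(classification, clearance)
}

func main() {
	analyst := NewLabel("SECRET", "CRYPTO")
	report := NewLabel("SECRET", "CRYPTO")
	nuclear := NewLabel("SECRET", "NUCLEAR")
	bulletin := NewLabel("UNCLASSIFIED")

	fmt.Println("read report   :", CanRead(analyst, report))    // true
	fmt.Println("read nuclear  :", CanRead(analyst, nuclear))   // false: missing compartment
	fmt.Println("read bulletin :", CanRead(analyst, bulletin))  // true
	fmt.Println("write bulletin:", CanWrite(analyst, bulletin)) // false: no write down
}
```

Note that a subject with the right level but the wrong compartment is still denied: MAC combines classification with need-to-know, which is the distinction the exam tends to probe.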
2. What is the primary purpose of the principle of separation of duties?
A. To reduce the risk of errors and fraud
B. To enforce strong password policies
C. To limit access to sensitive information
D. To ensure data availability
Answer: A
Explanation: Separation of duties divides responsibilities to prevent fraud and
errors by ensuring no single individual controls all aspects of a process.
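Separation of duties is enforced in two places in practice: when roles are assigned (static separation) and when a transaction is processed (dynamic separation, often as dual control). The following added example shows both on a constructed payment workflow; it is illustrative code, not part of the practice-question source, and the role names, user names and amounts are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example (not from the practice-question source): separation of duties
// enforced at two points in a constructed payment workflow. Role names, user
// names and amounts are illustrative.

// Static separation: role pairs no single person may hold at once, because
// together they let one individual carry out a fraud end to end.
var conflictingRoles = [][2]string{
	{"vendor-create", "payment-approve"}, // could invent a vendor and then pay it
	{"payment-approve", "audit-review"},  // could approve and then sign off the audit
}

// AssignRoles validates a proposed role set before it is granted and names
// the offending pair when it would violate static separation.
func AssignRoles(roles []string) error {
	held := make(map[string]bool, len(roles))
	for _, r := range roles {
		held[r] = true
	}
	for _, pair := range conflictingRoles {
		if held[pair[0]] && held[pair[1]] {
			return fmt.Errorf("static SoD violation: %q and %q cannot be held by one person", pair[0], pair[1])
		}
	}
	return nil
}

var (
	ErrSelfApproval      = errors.New("dynamic SoD violation: submitter cannot approve own payment")
	ErrDuplicateApproval = errors.New("dynamic SoD violation: the same approver cannot count twice")
)

// Payment is a transaction under dynamic separation: whoever submitted it can
// never approve it, and release needs two distinct approvers (dual control).
type Payment struct {
	ID        string
	Amount    int
	Submitter string
	Approvals map[string]bool
}

func NewPayment(id string, amount int, submitter string) *Payment {
	return &Payment{ID: id, Amount: amount, Submitter: submitter, Approvals: map[string]bool{}}
}

// Approve records an approval, rejecting self-approval and double counting.
func (p *Payment) Approve(user string) error {
	if user == p.Submitter {
		return ErrSelfApproval
	}
	if p.Approvals[user] {
		return ErrDuplicateApproval
	}
	p.Approvals[user] = true
	return nil
}

// Released reports whether the payment has the two independent approvals
// required before funds may move.
func (p *Payment) Released() bool { return len(p.Approvals) >= 2 }

func main() {
	fmt.Println(AssignRoles([]string{"vendor-create", "payment-approve"}))
	p := NewPayment("PAY-1001", 5000, "alice")
	fmt.Println("alice approves own payment:", p.Approve("alice"))
	fmt.Println("bob approves:", p.Approve("bob"), "released:", p.Released())
	fmt.Println("carol approves:", p.Approve("carol"), "released:", p.Released())
}
```

The static check stops a conflicting combination from ever being provisioned; the dynamic check catches the case the role model cannot express, where two legitimately held roles meet on one particular transaction.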
Additional Questions from Other Domains
1. What is meant by non-repudiation?
A. If a user does something, they can't later claim that they didn't do it
B. Ensuring data is encrypted
C. Providing access to authorized users
D. Backing up data regularly
Answer: A
Explanation: Non-repudiation ensures that a user cannot deny having performed
an action, typically achieved through mechanisms like digital signatures.
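The difference between integrity (Domain 1, question 3) and non-repudiation (this question) is easiest to see in code. The added example below, which is illustrative and not part of the practice-question source, protects the same constructed message first with an HMAC and then with an Ed25519 digital signature. Key material is generated at run time and the names "alice" and "bob" are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added example (not from the practice-question source): the same constructed
// message protected with an HMAC (integrity only) and with an Ed25519 digital
// signature (integrity plus non-repudiation). Keys are generated at run time.

// IntegrityTag computes HMAC-SHA256 over msg. Anyone holding the shared key
// can verify the tag, but anyone holding the key could also have produced it,
// so the tag proves the message is unaltered, not who sent it.
func IntegrityTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyIntegrityTag recomputes the tag in constant time.
func VerifyIntegrityTag(key, msg, tag []byte) bool {
	return hmac.Equal(IntegrityTag(key, msg), tag)
}

// Signer holds an Ed25519 key pair; only the private key can produce signatures.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

func (s *Signer) Sign(msg []byte) []byte        { return ed25519.Sign(s.priv, msg) }
func (s *Signer) Public() ed25519.PublicKey     { return s.pub }

// Verify checks a signature against a public key. Only the matching private
// key could have produced it, so a valid signature binds the message to that
// key holder, which is what non-repudiation requires.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	key := []byte("shared-between-alice-and-bob") // constructed shared secret
	msg := []byte("transfer 100 to account 42")
	forged := []byte("transfer 900 to account 42")

	// Integrity: the HMAC detects any change to the message...
	tag := IntegrityTag(key, msg)
	fmt.Println("tag verifies            :", VerifyIntegrityTag(key, msg, tag))    // true
	fmt.Println("tampered message verifies:", VerifyIntegrityTag(key, forged, tag)) // false
	// ...but bob, who also holds the key, can mint a tag for a message alice
	// never sent, so alice can just as plausibly deny the first one.
	fmt.Println("forged by key-holder     :", VerifyIntegrityTag(key, forged, IntegrityTag(key, forged))) // true

	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	bob, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := alice.Sign(msg)
	fmt.Println("alice's sig, alice's key :", Verify(alice.Public(), msg, sig))    // true
	fmt.Println("alice's sig, altered msg :", Verify(alice.Public(), forged, sig)) // false
	fmt.Println("alice's sig, bob's key   :", Verify(bob.Public(), msg, sig))      // false
}
```

The HMAC answers "was this changed?" for both parties equally, which is why it gives integrity but not non-repudiation; the signature additionally answers "who produced this?", provided the private key stayed under the signer's sole control.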
2. Which is likely used in disaster recovery?
A. Firewalls
B. Data backups
C. Intrusion detection systems
D. Encryption
Answer: B
Explanation: Data backups are a critical component of disaster recovery to restore
systems and data after a disruption.
3. Which security control is best suited to detect unauthorized storage of sensitive information?
A. Firewall
B. Antivirus
C. Data Loss Prevention (DLP)
D. Intrusion Detection System (IDS)
Answer: C
Explanation: DLP systems are designed to detect and prevent unauthorized storage or transmission of sensitive information.
Resources for Further Practice
For additional practice questions, including those in PDF format, refer to the following resources:
• InfosecTrain: Comprehensive questions with answers and explanations. https://www.infosectrain.com/blog/commonly-asked-isc2-cc-exam-questions-with-answers/
• Scribd: 49 multiple-choice questions in PDF format. https://www.scribd.com/document/690132786/ISC2-Certified-in-Cybersecurity-Exam-Questions
• EDUSUM: Free sample questions and premium practice exams. https://www.edusum.com/isc2/isc2-cc-certification-sample-questions
• GitHub Repository: Study materials and dump questions. https://github.com/AyemunHossain/ISC2-CC-Dump-Questions-Study-Material
• ISC2 Practice Quiz: Official 10-question quiz. https://cloud.connect.isc2.org/cc-quiz
Preparation Tips
• Understand Concepts: Focus on understanding the principles behind each question rather than memorizing answers, as exam questions may vary.
• Use Multiple Resources: Combine official ISC2 materials (e.g., free training,
exam outline) with third-party question banks for comprehensive preparation.
• Review Explanations: Pay attention to explanations to grasp why an answer is
correct, which helps with similar questions on the exam.
• Join Communities: Engage with the ISC2 Community or forums like Reddit for
insights and additional resources.
Conclusion
These practice questions cover key concepts likely to appear on the ISC2 CC exam. By
practicing with these and exploring the listed resources, you can build confidence and
readiness for the exam. Ensure you review all five domains and verify answers against
official materials for accuracy.