About the CC Exam
The Certified in Cybersecurity (CC) is ISC2's entry-level cybersecurity certification, designed to open the door for individuals transitioning into cybersecurity and for IT professionals who want to formalize their security knowledge. Unlike other ISC2 certifications that require years of work experience, the CC has no experience prerequisite, making it the ideal starting point for anyone beginning a cybersecurity career. The certification validates foundational security knowledge across five core domains covering security principles, business continuity, access control, network security, and security operations.
The CC exam consists of 100 questions completed in 2 hours, using a scaled scoring model where a score of 700 out of 1000 is required to pass. The exam costs $249 USD, making it one of the most accessible entry points into the ISC2 certification family. Unlike the advanced CISSP exam, CC questions focus on recognizing security concepts and understanding foundational best practices, rather than managerial decision-making under complex scenarios. This makes the CC an attainable goal for candidates with 3-6 months of focused study, even without prior security work experience.
CC 5 Domains and Weighting:
- Domain 1: Security Principles (26%) - Confidentiality, integrity, and availability (CIA triad), authentication, authorization, and non-repudiation concepts, security governance frameworks, ethical principles in information security, security policies and procedures, and the importance of security documentation and awareness programs
- Domain 2: Business Continuity (BC), Disaster Recovery (DR), and Incident Response Concepts (10%) - Business continuity planning fundamentals, disaster recovery planning concepts, incident response lifecycle (preparation, detection, containment, eradication, recovery, lessons learned), and the relationship between BC, DR, and incident response
- Domain 3: Access Controls Concepts (22%) - Physical and logical access controls, identity management and authentication methods, access control models (DAC, MAC, RBAC), least privilege and need-to-know principles, multi-factor authentication, and account lifecycle management
- Domain 4: Network Security (24%) - Network fundamentals (OSI model, TCP/IP), network infrastructure components (routers, switches, firewalls), common network attacks (DoS, phishing, man-in-the-middle), wireless security basics, network segmentation and zoning concepts, and secure network design principles
- Domain 5: Security Operations (18%) - Data security controls, system hardening, patch management, encryption basics, logging and monitoring, vulnerability management fundamentals, and configuration management
The CC certification is valid for 3 years. To maintain it, holders must earn 45 CPE (Continuing Professional Education) credits over the 3-year cycle and pay an annual maintenance fee to ISC2. Many CC holders use it as a stepping stone toward the SSCP or eventually the CISSP as they gain work experience. The certification is recognized globally and demonstrates to employers that a candidate has committed to cybersecurity fundamentals using an internationally respected framework.
Why Take This Certification?
- No Experience Required - Truly Entry Level: The CC is unique among ISC2 certifications in that it has zero experience prerequisites. Whether you are a student, a career changer, an IT help desk professional, or someone simply curious about cybersecurity, you can sit the exam without needing any prior security work history. ISC2 designed CC specifically to remove barriers to entry and welcome the next generation of security professionals into the field. This makes it the single most accessible credential from one of the world's most respected cybersecurity certification bodies.
- ISC2 Brand Recognition with an Achievable Exam: ISC2 is the organization behind the globally recognized CISSP certification. The CC carries the same ISC2 brand credibility while being scoped to foundational knowledge. Employers who recognize CISSP understand the rigor of ISC2's certification standards and will value CC as evidence of genuine commitment to security fundamentals. The $249 exam fee and the lack of experience requirements make this certification financially and practically accessible compared to more advanced certifications.
- Strong Foundation for Career Advancement: The CC serves as a launchpad to higher certifications. The knowledge gained studying for CC—CIA triad, access controls, network security basics, incident response concepts—directly supports study for CompTIA Security+, ISC2 SSCP, and ultimately CISSP. Building this foundational vocabulary and conceptual framework early makes subsequent study significantly more efficient. Many security professionals report that a structured entry-level certification like CC gave them the confidence and framework to pursue more advanced credentials.
- Growing Demand for Entry-Level Security Talent: The cybersecurity industry faces a chronic talent shortage, with millions of unfilled positions globally. Many organizations actively recruit and train entry-level candidates who demonstrate foundational knowledge and commitment to the field. A CC certification signals to hiring managers that a candidate has the right mindset and baseline knowledge to grow into a security role. Combined with hands-on practice (home labs, CTFs, online platforms like TryHackMe or HackTheBox), CC creates a compelling entry-level security profile.
What You'll Learn in the CC Exam
The CC exam tests foundational cybersecurity knowledge across five domains, covering the essential principles and practices that every security professional must understand. Unlike advanced certifications that test complex risk management decisions and architectural design, CC validates that candidates understand core security concepts clearly enough to recognize correct practices, identify threats, and understand the purpose of common security controls. The focus is on comprehension and recognition of security fundamentals, building the vocabulary and conceptual foundation for a cybersecurity career.
Security Principles and Governance
- CIA Triad: Understanding confidentiality (preventing unauthorized disclosure), integrity (ensuring data accuracy and preventing unauthorized modification), and availability (ensuring authorized users can access resources when needed). Recognizing how different security controls map to CIA objectives and how trade-offs between security properties affect security design decisions.
- Authentication and Access Concepts: Distinguishing between identification (claiming an identity), authentication (proving that identity), authorization (granting permissions), and accountability (logging actions). Understanding multi-factor authentication factors (something you know, have, or are) and why layering multiple factors dramatically reduces unauthorized access risk.
- Security Governance Basics: Understanding the role of security policies, standards, procedures, and guidelines. Recognizing the difference between preventive, detective, and corrective controls. Understanding why organizations need security governance frameworks and how security policies provide the foundation for all security decisions.
Business Continuity, Disaster Recovery, and Incident Response
- BC and DR Concepts: Understanding the purpose of Business Continuity Planning (ensuring the organization can continue operations during disruptions) and Disaster Recovery Planning (restoring IT systems after an incident). Recognizing key metrics: Recovery Time Objective (RTO, maximum acceptable downtime), Recovery Point Objective (RPO, maximum acceptable data loss), and how these objectives drive backup and redundancy decisions.
- Incident Response Lifecycle: Understanding the six phases of incident response: Preparation (policies, tools, training), Identification (detecting the incident), Containment (limiting damage), Eradication (removing the threat), Recovery (restoring systems), and Lessons Learned (improving future response). Recognizing the importance of each phase and the sequence in which they should be executed.
Network Security and Access Controls
- Network Security Fundamentals: Understanding the OSI model layers and their security relevance, common network protocols (TCP/IP, DNS, HTTP/HTTPS), firewall functions and placement, the purpose of DMZs and network segmentation, and recognizing common network attacks (DoS/DDoS, phishing, ARP poisoning, man-in-the-middle attacks).
- Access Control Models: Understanding Discretionary Access Control (DAC, where owners control access), Mandatory Access Control (MAC, where labels and clearances control access), and Role-Based Access Control (RBAC, where job functions control access). Applying least privilege (granting minimum necessary access) and need-to-know principles in access decisions.
- Security Operations: Understanding the importance of patch management, system hardening (reducing attack surface by disabling unnecessary services), encryption basics (protecting data at rest and in transit), and the role of logging and monitoring in detecting security incidents. Recognizing how vulnerability management programs systematically identify and remediate weaknesses.
How to Prepare for the CC Exam
The CC is designed to be achievable by motivated candidates in 1-3 months of focused study, even without prior security experience. ISC2 provides free self-paced training specifically for the CC certification, making it one of the most cost-effective entry points into the cybersecurity field. The exam tests conceptual understanding rather than deep technical expertise, so study should focus on learning security vocabulary, understanding why controls exist, and recognizing best practices—not memorizing implementation details.
- Complete the Free ISC2 CC Self-Paced Training (2-4 weeks): ISC2 offers free self-paced training for the CC certification at isc2.org. This official courseware covers all 5 domains in the exam outline and is the most authoritative study resource available. The training includes video lessons, knowledge checks, and module assessments. Work through each domain systematically, taking notes on key terms and concepts. Pay particular attention to the CIA triad, access control models, and incident response lifecycle—these are foundational concepts that appear throughout multiple domains.
- Supplement with Practice Questions and Domain Review (3-4 weeks): After completing the official training, reinforce your knowledge with practice questions to identify weak areas. Work through at least 300-500 practice questions before attempting the exam, focusing on understanding why correct answers are correct and why distractors are wrong. For any domain where you score below 70%, revisit the official training material and look for additional resources (YouTube explanations, security glossary reviews). The CC exam is straightforward if you have genuinely understood the concepts—not merely memorized answers.
- Use Free Study Resources to Build Vocabulary (ongoing): Supplement your study with free resources: the ISC2 CC Study Guide, Professor Messer's Security+ course (covers overlapping foundational content), and cybersecurity glossary resources. Watch YouTube explanations for concepts you find confusing—access control models, encryption basics, and network segmentation are commonly misunderstood by first-time security students. Join the ISC2 Community forum where CC candidates share study tips and ask questions. The CC community is generally supportive of entry-level learners.
- Schedule and Take the Exam with Confidence (final preparation): When you are consistently scoring 75-80% on practice exams, schedule your CC exam at a Pearson VUE testing center or online proctored session. On exam day, read each question carefully—CC questions test whether you understand the concept, so eliminate clearly wrong answers first and choose the option that most directly addresses the security principle being tested. The 2-hour time limit is generous for 100 questions; most candidates finish with time to review. Trust your preparation—the CC tests fundamental concepts that a focused 1-3 months of study covers thoroughly.
The CC exam is the ideal starting point for anyone entering cybersecurity. It validates that you understand the language and principles of information security, creating a strong foundation for future certifications and career growth. Review the official ISC2 CC certification page for the current exam outline, pricing, and free training resources. The combination of zero prerequisites, free training, and a $249 exam fee makes CC the most accessible professional security certification available from a globally recognized certification body.