Cybersecurity cert-prep add-on

ISC2 Certified in Cybersecurity (CC) Exam Prep Add-On

Convert GRC and Compliance Fundamentals into an ISC2 CC ramp for the entry credential ISC2 keeps free for first-time test-takers.

$97 add-on25h additional studyTarget exam: ISC2 CC (Certified in Cybersecurity)Exam fee: $50

What the add-on ships

++Five domain reviews mapped to the official ISC2 CC exam outline
++Three full-length 100-question mock exams in the format ISC2 ships
++Walkthrough of the ISC2 free-exam application path for first-time test-takers
++ISC2 endorsement and continuing professional education planning guide
++Direct link to the official ISC2 CC exam outline as the canonical reference

Built on the parent course

++GRC and Compliance Fundamentals seven-module curriculum grounded in NIST CSF 2.0, ISO/IEC 27001:2022, SOC 2
++Risk frameworks, audit lifecycle, evidence collection, and vendor risk practice from the parent course

Parent course: grc and compliance fundamentals

Best for

++Career changers seeking the lowest-friction entry into the cybersecurity credential stack
++Working professionals targeting ISC2 CC as the prerequisite for CISSP-track progression
++Students using the ISC2 Center for Cyber Safety and Education free exam path

Practice surface

++Three 100-question mock exams matching ISC2 CC pacing
++Question bank organized by exam domain for targeted weak-area drilling
++ISC2 endorsement application walkthrough

Buy the add-on

$97 on top of the grc and compliance fundamentals parent course. Lifetime access to the practice materials, mock exams, and exam-day worksheets.

See the parent course

Exam summary

ISC2 Certified in Cybersecurity (CC) is ISC2's entry credential and the lowest-friction path into the ISC2 certification ladder. The exam covers five domains spanning security principles, business continuity, access controls, network security, and security operations. ISC2 keeps the exam fee at $50 for first-time test-takers via the One Million Certified in Cybersecurity initiative, which makes CC the cheapest accredited cybersecurity credential in the catalog. The exam is 100 multiple-choice questions in 120 minutes with a passing score of 700 on a scaled 100-1000 scale.

Domain reviews

Security Principles

26%

Foundational vocabulary the rest of the exam builds on. CIA triad, authentication / authorization, privacy, risk-management process, security controls, and governance.

++CIA triad plus privacy
++Authentication, authorization, non-repudiation
++Risk-management process: identification, assessment, treatment (mitigate, transfer, avoid, accept)
++Security control categories: administrative, technical, physical
++Governance: policies, standards, procedures, guidelines
++Ethics: ISC2 Code of Ethics

Primary sources:

Business Continuity, Disaster Recovery, and Incident Response

10%

Process and concepts for keeping operations going during and after disruptions, plus the canonical incident-response lifecycle.

++Business continuity plan (BCP) purpose, scope, ownership
++Disaster recovery plan (DRP), RTO, RPO
++Backup strategies: full, differential, incremental; on-site, off-site, cloud
++Incident-response lifecycle (NIST SP 800-61 Rev. 2): preparation, detection and analysis, containment / eradication / recovery, post-incident
++Communication during incidents: internal, external, regulatory

Primary sources:

Access Controls Concepts

22%

How identity is established and what each identity is allowed to do. Physical and logical access controls plus the canonical access models.

++Subjects and objects in access control
++Authentication factors: knowledge, possession, inherence
++Authorization models: DAC, MAC, RBAC, ABAC
++Least privilege, segregation of duties, need to know
++Physical access controls: badges, biometrics, mantraps, locks

Primary sources:

Network Security

24%

Network architecture and the controls that protect data moving across networks. Threats, defenses, and the OSI / TCP-IP layering.

++OSI 7-layer model and TCP/IP 4-layer model
++Common network threats: DDoS, MITM, spoofing, sniffing, port scanning
++Network controls: firewall, IDS/IPS, network segmentation (VLAN, DMZ), VPN
++Wireless security: WPA3, SSID broadcasting, MAC filtering limits
++Cloud network security: shared responsibility model, security groups, ACLs

Primary sources:

Security Operations

18%

Day-to-day defense at the operational layer. Data handling, system hardening, configuration management, awareness, and monitoring.

++Data classification and labeling
++Encryption: symmetric, asymmetric, hashing, digital signatures, PKI basics
++Configuration management and change control
++System hardening: removing unnecessary services, default credential change, patching
++Security awareness training, social engineering recognition
++Logging and monitoring, SIEM basics

Primary sources:

Practice scenarios (8)

Practice scenarios are scenario-based learning, not exam-question mimicry. Each scenario maps to a specific exam domain and includes a worked explanation plus a primary-source citation. Reproducing actual exam items would violate the cert body's NDA; the format here exercises the same underlying concepts under different surface phrasing.

Preview scenario 1 of 8 · Security Principlesfree preview

An organization documents a risk it cannot remediate within budget. The leadership team decides to formally acknowledge the risk and continue operating with no additional controls. Which risk-treatment strategy did the team apply?

A. Mitigate
B. Transfer
C. Avoid
D. Accept

Answer: D

Acceptance is the documented decision to continue operating with the residual risk rather than adding controls (mitigate), shifting to a third party (transfer), or ceasing the activity (avoid). Acceptance is appropriate when the cost of additional controls exceeds the expected loss. The decision should be documented and approved by an authority with the appropriate risk appetite.

Reference: NIST SP 800-39 Managing Information Security Risk

Unlock the rest

7 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $97 one-time, lifetime access.

Exam-day strategy

++Read each question for the specific verb. ISC2 CC questions often turn on 'best', 'first', 'least', or 'most accurate' qualifiers.
++Eliminate two distractors before choosing between the remaining options. The right answer is usually the most policy-aligned and least surprising.
++Watch for ISC2 Code of Ethics traps. When the scenario hints at a conflict between operational expediency and ethics, the exam expects the ethical choice.
++Pace at roughly 60 seconds per question on the first pass. The 120-minute clock is generous; do not rush.
++On uncertain questions, flag and return. Your first informed guess is usually correct; don't overthink unless new information changes the picture.

Additional resources

Sources

Official ISC2 CC (Certified in Cybersecurity) exam page (certifying body)

Exam fee and blueprint last verified 2026-05-22. Confirm current values with the certifying body before scheduling the exam.

What the add-on ships

++Five domain reviews mapped to the official ISC2 CC exam outline

++Three full-length 100-question mock exams in the format ISC2 ships

++Walkthrough of the ISC2 free-exam application path for first-time test-takers

++ISC2 endorsement and continuing professional education planning guide

++Direct link to the official ISC2 CC exam outline as the canonical reference

Exam summary

Domain reviews

Security Principles

26%

Foundational vocabulary the rest of the exam builds on. CIA triad, authentication / authorization, privacy, risk-management process, security controls, and governance.

++CIA triad plus privacy
++Authentication, authorization, non-repudiation
++Risk-management process: identification, assessment, treatment (mitigate, transfer, avoid, accept)
++Security control categories: administrative, technical, physical
++Governance: policies, standards, procedures, guidelines
++Ethics: ISC2 Code of Ethics

Primary sources:

Business Continuity, Disaster Recovery, and Incident Response

10%

Process and concepts for keeping operations going during and after disruptions, plus the canonical incident-response lifecycle.

++Business continuity plan (BCP) purpose, scope, ownership
++Disaster recovery plan (DRP), RTO, RPO
++Backup strategies: full, differential, incremental; on-site, off-site, cloud
++Incident-response lifecycle (NIST SP 800-61 Rev. 2): preparation, detection and analysis, containment / eradication / recovery, post-incident
++Communication during incidents: internal, external, regulatory

Primary sources:

Access Controls Concepts

22%

How identity is established and what each identity is allowed to do. Physical and logical access controls plus the canonical access models.

++Subjects and objects in access control
++Authentication factors: knowledge, possession, inherence
++Authorization models: DAC, MAC, RBAC, ABAC
++Least privilege, segregation of duties, need to know
++Physical access controls: badges, biometrics, mantraps, locks

Primary sources:

Network Security

24%

Network architecture and the controls that protect data moving across networks. Threats, defenses, and the OSI / TCP-IP layering.

++OSI 7-layer model and TCP/IP 4-layer model
++Common network threats: DDoS, MITM, spoofing, sniffing, port scanning
++Network controls: firewall, IDS/IPS, network segmentation (VLAN, DMZ), VPN
++Wireless security: WPA3, SSID broadcasting, MAC filtering limits
++Cloud network security: shared responsibility model, security groups, ACLs

Primary sources:

Security Operations

18%

Day-to-day defense at the operational layer. Data handling, system hardening, configuration management, awareness, and monitoring.

++Data classification and labeling
++Encryption: symmetric, asymmetric, hashing, digital signatures, PKI basics
++Configuration management and change control
++System hardening: removing unnecessary services, default credential change, patching
++Security awareness training, social engineering recognition
++Logging and monitoring, SIEM basics

Primary sources:

Practice scenarios (8)

Preview scenario 1 of 8 · Security Principlesfree preview

A. Mitigate
B. Transfer
C. Avoid
D. Accept

Answer: D

Reference: NIST SP 800-39 Managing Information Security Risk

Unlock the rest

7 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $97 one-time, lifetime access.

Exam-day strategy

++Read each question for the specific verb. ISC2 CC questions often turn on 'best', 'first', 'least', or 'most accurate' qualifiers.

++Eliminate two distractors before choosing between the remaining options. The right answer is usually the most policy-aligned and least surprising.

++Watch for ISC2 Code of Ethics traps. When the scenario hints at a conflict between operational expediency and ethics, the exam expects the ethical choice.

++Pace at roughly 60 seconds per question on the first pass. The 120-minute clock is generous; do not rush.

++On uncertain questions, flag and return. Your first informed guess is usually correct; don't overthink unless new information changes the picture.