CC — ISC2 Certified in Cybersecurity Exam Blueprint
Practical exam blueprint for ISC2 Certified in Cybersecurity (CC) candidates reviewing core cybersecurity principles, access control, network security, operations, and incident readiness.
How to Use This Exam Blueprint
Use this independent Exam Blueprint as a practical study map for the ISC2 Certified in Cybersecurity (CC) exam. It is designed to help you turn broad cybersecurity exam areas into concrete readiness tasks.
Do not use it as a list of guaranteed questions. Instead, use it to answer three questions:
- Can I explain the concept clearly?
- Can I choose the right control, process, or response in a scenario?
- Can I avoid common beginner-level cybersecurity traps under exam pressure?
Suggested rating:
| Rating | Meaning | What to do next |
|---|---|---|
| Red | You recognize the term but cannot apply it | Review definitions, examples, and simple scenarios |
| Yellow | You can answer direct questions but miss scenario nuance | Practice mixed questions and explain why wrong answers are wrong |
| Green | You can apply the idea in unfamiliar situations | Keep it warm with final-review drills |
Topic-area readiness map
Common CC readiness areas include security principles; business continuity, disaster recovery, and incident response concepts; access control concepts; network security; and security operations. Exact exam emphasis can change, so treat the table below as a study checklist rather than a scoring guide.
| Readiness area | What to review | You are ready when you can… |
|---|---|---|
| Security principles | Confidentiality, integrity, availability, risk, governance, policies, ethics, security control types | Match a security goal to a real scenario and select an appropriate control |
| Risk concepts | Threats, vulnerabilities, likelihood, impact, risk treatment, residual risk, control selection | Explain why risk is not the same as a threat or vulnerability |
| Security controls | Administrative, technical, physical; preventive, detective, corrective, deterrent, compensating | Classify controls from examples such as locks, logging, training, encryption, and backups |
| Governance and documentation | Policies, standards, procedures, guidelines, acceptable use, security awareness | Identify which document or activity is appropriate for a given need |
| Data protection | Data classification, handling, retention, encryption, hashing, backups, privacy basics | Choose a protection method based on sensitivity, use case, and risk |
| Identity and access control | Identification, authentication, authorization, accountability, MFA, least privilege, access reviews | Troubleshoot access scenarios without confusing authentication and authorization |
| Access control models | DAC, MAC, RBAC, ABAC, privilege management, separation of duties | Select a suitable access model or principle from a short business scenario |
| Network security | Network devices, segmentation, firewalls, VPNs, secure protocols, wireless security, IDS/IPS | Read a simple network scenario and identify the best security control |
| Endpoint and system security | Hardening, patching, anti-malware, secure configuration, asset inventory, removable media | Prioritize basic operational controls for servers, laptops, and user devices |
| Security operations | Logging, monitoring, vulnerability management, change management, configuration management | Decide what evidence to collect and what operational process applies |
| Incident response | Preparation, detection, analysis, containment, eradication, recovery, lessons learned | Choose the next response step without skipping evidence preservation or containment |
| Business continuity and disaster recovery | BIA, BCP, DRP, backups, restore testing, RTO, RPO, alternate sites | Distinguish continuity planning from incident response and disaster recovery |
| Physical and environmental security | Badges, locks, guards, cameras, secure areas, fire suppression, power, HVAC | Match physical controls to asset protection and safety goals |
| Human factors | Social engineering, phishing, training, insider risk, reporting culture | Identify likely human-risk controls and awareness actions |
Core security principles checklist
Use this section to verify that you can apply foundational cybersecurity language correctly.
CIA triad and security goals
Can you do this?
- Explain confidentiality as preventing unauthorized disclosure.
- Explain integrity as preventing unauthorized or improper alteration.
- Explain availability as ensuring authorized access when needed.
- Identify which part of the CIA triad is most affected in a scenario.
- Recognize that one control can support more than one security goal.
- Explain why security usually involves tradeoffs with cost, usability, performance, and business need.
Scenario cues:
| Scenario cue | Likely concept being tested |
|---|---|
| Sensitive records are viewed by unauthorized users | Confidentiality |
| Transaction data is changed without approval | Integrity |
| A critical system is offline during business hours | Availability |
| A system is encrypted but no one has the recovery key | Availability and key management |
| A user has more access than required | Least privilege and authorization |
Risk, threat, vulnerability, and impact
Be ready to distinguish the core risk terms.
| Term | Practical meaning | Example |
|---|---|---|
| Asset | Something valuable to protect | Customer database, laptop, application, network device |
| Threat | Potential cause of harm | Malware, insider misuse, fire, attacker, accidental deletion |
| Vulnerability | Weakness that could be exploited | Missing patch, weak password, open share, poor training |
| Likelihood | Chance that a threat will exploit a vulnerability | High phishing exposure in an untrained workforce |
| Impact | Business or operational harm if the event occurs | Data loss, downtime, legal exposure, reputational damage |
| Risk | Potential for loss when a threat exploits a vulnerability, weighed by likelihood and impact | Ransomware affecting unpatched systems |
| Control | Safeguard used to reduce risk | MFA, backups, patching, training, segmentation |
| Residual risk | Risk remaining after controls | Remaining phishing risk after MFA and training |
Useful relationship:
\[ \text{Risk} \approx \text{Likelihood} \times \text{Impact} \]
If quantitative terms appear in your study materials, know the relationships conceptually:
\[ \text{Single Loss Expectancy} = \text{Asset Value} \times \text{Exposure Factor} \]
\[ \text{Annualized Loss Expectancy} = \text{Single Loss Expectancy} \times \text{Annualized Rate of Occurrence} \]
Do not just memorize formulas. Be ready to explain whether an organization should avoid, mitigate, transfer, or accept a risk, and to justify the choice by comparing the annual cost of a control with the annual loss it removes.
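The formulas above are easier to remember once you have run them end to end. The block below is an added example written for this blueprint, not ISC2 material: it computes SLE and ALE for a constructed ransomware scenario before and after a control, derives the net value of the safeguard (ALE before, minus ALE after, minus the control's annual cost), and maps the result onto accept, mitigate, transfer, or avoid. The loss figures, the control cost, the risk appetite, and the decision thresholds in `recommend()` are all assumptions for illustration.

```python
"""Quantitative risk and safeguard cost/benefit.

Added example for this blueprint, not part of the ISC2 material. The ransomware
figures below are constructed to illustrate the formulas, not real loss data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat/vulnerability pair against one asset.

    asset_value:     value of the asset in currency units
    exposure_factor: fraction of the asset value lost per event (0.0 to 1.0)
    aro:             Annualized Rate of Occurrence, expected events per year
    """
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE before, minus ALE after, minus the control's cost.

    Positive means the control removes more annual loss than it costs.
    """
    return before.ale() - after.ale() - annual_cost


def recommend(before: RiskScenario, after: RiskScenario, annual_cost: float,
              risk_appetite: float) -> str:
    """Map the numbers onto the four risk treatments.

    The thresholds are illustrative assumptions, not ISC2 rules:
    accept   - inherent ALE is already within the annual loss the business tolerates
    avoid    - even with the control, residual ALE exceeds appetite, so stop the activity
    mitigate - the control brings residual ALE within appetite and pays for itself
    transfer - the control works but costs more than it saves, so insure or outsource
    """
    if before.ale() <= risk_appetite:
        return "accept"
    if after.ale() > risk_appetite:
        return "avoid"
    if safeguard_value(before, after, annual_cost) >= 0:
        return "mitigate"
    return "transfer"


# Constructed scenario: ransomware against an unpatched file server.
RANSOMWARE_BEFORE = RiskScenario("ransomware, unpatched", asset_value=500_000,
                                 exposure_factor=0.6, aro=0.5)
# After patching, EDR and offline backups (assumed effect on EF and ARO).
RANSOMWARE_AFTER = RiskScenario("ransomware, patched + EDR + backups", asset_value=500_000,
                                exposure_factor=0.3, aro=0.05)
CONTROL_ANNUAL_COST = 40_000
RISK_APPETITE = 25_000  # max annual loss the business tolerates for this asset (assumption)

if __name__ == "__main__":
    print(f"SLE before: {RANSOMWARE_BEFORE.sle():,.0f}  ALE before: {RANSOMWARE_BEFORE.ale():,.0f}")
    print(f"ALE after:  {RANSOMWARE_AFTER.ale():,.0f}")
    value = safeguard_value(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, CONTROL_ANNUAL_COST)
    print(f"Safeguard value: {value:,.0f}")
    print("Treatment:", recommend(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, CONTROL_ANNUAL_COST, RISK_APPETITE))
```

Change the appetite or the control cost and watch the recommendation move: a control that costs more than the loss it prevents is a transfer candidate, not a mitigation, even though it "works".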
Security control types
| Control example | Category to recognize | What it does |
|---|---|---|
| Security policy | Administrative | Sets management direction |
| Background checks | Administrative | Reduces personnel risk |
| Firewall rule | Technical | Restricts network traffic |
| MFA | Technical | Strengthens authentication |
| Encryption | Technical | Protects confidentiality of data |
| Logging and monitoring | Technical / detective | Records and detects activity |
| Door lock | Physical | Restricts facility access |
| Security camera | Physical / detective | Records activity |
| Backup restore process | Corrective | Supports recovery |
| Security awareness training | Administrative / preventive | Reduces human-error risk |
Can you do this?
- Classify a control as administrative, technical, or physical.
- Classify a control as preventive, detective, corrective, deterrent, or compensating.
- Identify when a compensating control is needed because the preferred control is not feasible.
- Choose layered controls instead of relying on one safeguard.
- Explain defense in depth using simple examples.
Governance, policy, and documentation checklist
Know the difference between high-level direction and step-by-step execution.
| Artifact | Purpose | Exam-readiness cue |
|---|---|---|
| Policy | States required behavior or management intent | Broad, mandatory, approved by leadership |
| Standard | Defines specific mandatory requirements | Password standard, encryption standard, configuration standard |
| Procedure | Gives step-by-step instructions | How to create an account, restore a backup, respond to an alert |
| Guideline | Provides recommended practice | Advisory rather than mandatory: a policy or standard says “must,” a guideline says “should” |
| Baseline | Minimum secure configuration | Starting point for consistent hardening |
| Risk register | Tracks identified risks and responses | Used for risk management visibility |
| Asset inventory | Lists assets to protect and manage | Needed for patching, ownership, and incident response |
| Data classification scheme | Labels data by sensitivity | Drives handling, storage, sharing, and protection rules |
Can you do this?
- Select the correct document type from a scenario.
- Explain why policies need supporting standards and procedures.
- Recognize that management owns risk decisions.
- Identify why asset ownership matters.
- Explain acceptable use, security awareness, and user responsibilities.
- Distinguish due care from due diligence at a basic level.
- Recognize ethical responsibilities around confidentiality, authorization, and reporting.
Identity and access control checklist
Access control is a high-value exam area because many questions test precise terminology.
Identity lifecycle and AAA
| Concept | Meaning | Readiness prompt |
|---|---|---|
| Identification | Claiming an identity | “Who are you?” |
| Authentication | Proving the claimed identity | Password, MFA, certificate, biometric |
| Authorization | Granting permitted access | What the authenticated user may do |
| Accountability | Tying actions to an identity | Logs, audit trails, unique user IDs |
| Accounting | Recording use of resources | Access logs, session records, usage tracking |
Can you do this?
- Explain why shared accounts weaken accountability.
- Recognize that a successful login is authentication, not authorization.
- Identify when MFA is appropriate.
- Explain why deprovisioning is critical when users change roles or leave.
- Identify the purpose of access reviews.
- Apply least privilege to users, administrators, service accounts, and applications.
- Recognize excessive privilege, privilege creep, and orphaned accounts.
- Explain separation of duties using a simple business process.
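Several items in the list above (deprovisioning, access reviews, privilege creep, orphaned accounts, shared accounts) are the findings a periodic access review produces. The block below is an added example for this blueprint, not a tool from ISC2 or any vendor: it compares a constructed directory export against a constructed HR roster and a per-role group baseline and reports each account that should be fixed. The roster, baseline, usernames and group names are all made up; the 90-day stale threshold is an assumption.

```python
"""Access review: find orphaned, over-privileged, shared and stale accounts.

Added example for this blueprint; the data below is constructed, not taken
from any real directory or HR system.
"""
from datetime import date, timedelta

# Constructed HR roster: who still works here and in what job.
HR_ROSTER = {
    "alice": "accounting clerk",
    "bob": "server admin",
    "carol": "hr manager",
}

# Constructed role baseline: the groups each job is supposed to have (RBAC).
ROLE_BASELINE = {
    "accounting clerk": {"finance-readonly", "vpn-users"},
    "server admin": {"server-admins", "vpn-users"},
    "hr manager": {"hr-records", "vpn-users"},
}

# Constructed directory export. 'owner' is the person accountable for the account;
# None marks a shared account with no single owner.
ACCOUNTS = [
    {"username": "alice", "owner": "alice",
     "groups": {"finance-readonly", "vpn-users"}, "last_login": date(2024, 5, 30)},
    {"username": "bob", "owner": "bob",
     "groups": {"server-admins", "vpn-users", "hr-records"}, "last_login": date(2024, 5, 29)},
    {"username": "carol", "owner": "carol",
     "groups": {"hr-records", "vpn-users"}, "last_login": date(2024, 1, 3)},
    {"username": "dave", "owner": "dave",          # left the company, never deprovisioned
     "groups": {"server-admins"}, "last_login": date(2024, 5, 28)},
    {"username": "helpdesk-shared", "owner": None,  # shared credential
     "groups": {"server-admins"}, "last_login": date(2024, 5, 31)},
]


def review_accounts(accounts, roster, baseline, today, stale_after_days=90):
    """Return (username, finding, detail) tuples.

    orphaned        - owner no longer on the roster: deprovisioning failed
    privilege creep - groups beyond what the owner's job needs
    shared          - no unique owner, so actions cannot be attributed
    stale           - unused for stale_after_days; confirm need or disable
    """
    findings = []
    for acct in accounts:
        user, owner, groups = acct["username"], acct["owner"], acct["groups"]
        if owner is None:
            findings.append((user, "shared", "no unique owner; actions cannot be attributed"))
            continue
        job = roster.get(owner)
        if job is None:
            findings.append((user, "orphaned", "owner not on HR roster; disable and review activity"))
            continue
        extra = groups - baseline[job]
        if extra:
            findings.append((user, "privilege creep", f"groups beyond '{job}' baseline: {sorted(extra)}"))
        if today - acct["last_login"] > timedelta(days=stale_after_days):
            findings.append((user, "stale", f"no login in {stale_after_days}+ days"))
    return findings


def run_review(today=date(2024, 6, 1)):
    """Run the review over the constructed data (review date is an assumption)."""
    return review_accounts(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, today)


if __name__ == "__main__":
    for user, finding, detail in run_review():
        print(f"{user:16} {finding:16} {detail}")
```

Note the order of checks: a shared or orphaned account is reported and skipped before the baseline comparison, because there is no legitimate owner whose job could justify the groups. In a real review the output feeds tickets to disable the orphaned and shared accounts and to remove bob's extra group, then a re-run confirms closure.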
Authentication factor checks
| Factor type | Examples | Watch for |
|---|---|---|
| Something you know | Password, PIN | Weak passwords, reuse, phishing |
| Something you have | Token, smart card, authenticator app | Loss, theft, enrollment process |
| Something you are | Fingerprint, face, other biometric | False acceptance/rejection, privacy concerns |
| Somewhere you are | Location-based signal | Useful as context, not always sufficient alone |
| Something you do | Behavioral pattern | Often supplemental |
Can you do this?
- Distinguish MFA from using two passwords.
- Identify password policy tradeoffs.
- Recognize the role of account lockout, monitoring, and user education.
- Understand why privileged accounts require stronger controls.
Access control models
| Model or principle | Basic idea | Scenario cue |
|---|---|---|
| DAC | Owner controls access | File owner grants permissions |
| MAC | Central authority and labels control access | Highly structured sensitivity labels |
| RBAC | Access based on job role | “Accounting clerk,” “HR manager,” “server admin” |
| ABAC | Access based on attributes and conditions | User, device, location, time, data classification |
| Least privilege | Minimum access needed | Reduce blast radius |
| Need to know | Access only when business need exists | Sensitive data handling |
| Separation of duties | Split critical tasks among people | Prevent fraud or unchecked changes |
Can you do this?
- Pick RBAC when access follows job roles.
- Pick ABAC when context and attributes drive access.
- Recognize why MAC is stricter and centrally controlled.
- Explain how separation of duties reduces abuse and error.
- Identify when temporary privileged access should be approved, logged, and removed.
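The exam tests whether you keep authentication, RBAC, ABAC and separation of duties apart. The block below is an added example for this blueprint, not code from ISC2: `authenticate()` only establishes identity, `authorize_rbac()` answers from role permissions alone, `authorize_abac()` adds context attributes (device posture, time of day, data classification) on top of the role check, and `approve_payment()` enforces that a requester cannot approve their own request. Users, passwords, roles, the business-hours window and the policy rules are constructed; passwords are kept in plaintext only to keep the block short, which is not how a real credential store should work.

```python
"""Authentication vs authorization with RBAC, ABAC and separation of duties.

Added example for this blueprint. Users, roles, passwords and the policy rules
are constructed for illustration and are not drawn from any real system.
"""
import hmac
from datetime import time

# Constructed credential store. Plaintext passwords only to keep the example short;
# a real store holds salted, iterated hashes.
USERS = {
    "alice": {"password": "clerk-pass", "role": "accounting clerk"},
    "bob": {"password": "admin-pass", "role": "server admin"},
    "carol": {"password": "manager-pass", "role": "finance manager"},
}

# RBAC: role -> set of (action, resource) permissions.
ROLE_PERMISSIONS = {
    "accounting clerk": {("read", "ledger"), ("create", "payment")},
    "finance manager": {("read", "ledger"), ("approve", "payment")},
    "server admin": {("read", "server-logs"), ("restart", "web-server")},
}

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # ABAC time window (assumption)


def authenticate(username, password):
    """Identification plus authentication. Returns the proven identity or None.

    A successful return says who the caller is and nothing about what they may do.
    """
    record = USERS.get(username)
    if record is None:
        return None
    # constant-time compare so a near-match does not leak through timing
    if hmac.compare_digest(record["password"].encode(), password.encode()):
        return username
    return None


def authorize_rbac(username, action, resource):
    """RBAC: is (action, resource) granted to the user's role?"""
    role = USERS[username]["role"]
    return (action, resource) in ROLE_PERMISSIONS.get(role, set())


def authorize_abac(username, action, resource, context):
    """ABAC: the role must allow it, and the request context must satisfy policy.

    Constructed policy: 'restart' needs a managed device inside business hours;
    reading the ledger needs its classification to be within the user's clearances.
    """
    if not authorize_rbac(username, action, resource):
        return False
    if action == "restart":
        in_hours = BUSINESS_HOURS[0] <= context["time"] <= BUSINESS_HOURS[1]
        return context["device_managed"] and in_hours
    if resource == "ledger":
        return context["classification"] in context["clearances"]
    return True


def approve_payment(requester, approver):
    """Separation of duties: whoever created a payment may not approve it."""
    if requester == approver:
        raise PermissionError("separation of duties: requester cannot approve own payment")
    if not authorize_rbac(approver, "approve", "payment"):
        raise PermissionError(f"{approver} lacks the approve permission")
    return True


def demo_decisions():
    """Run the checklist scenarios and return their outcomes by name."""
    office_hours = {"time": time(10, 30), "device_managed": True,
                    "classification": "internal", "clearances": {"public", "internal"}}
    after_hours_byod = {"time": time(23, 15), "device_managed": False,
                        "classification": "internal", "clearances": {"public", "internal"}}
    results = {
        "alice_login": authenticate("alice", "clerk-pass"),
        "alice_bad_password": authenticate("alice", "wrong"),
        # logged in, but her role grants nothing on server logs: authn yes, authz no
        "alice_reads_server_logs": authorize_rbac("alice", "read", "server-logs"),
        "alice_reads_ledger": authorize_abac("alice", "read", "ledger", office_hours),
        "bob_restart_in_hours_managed": authorize_abac("bob", "restart", "web-server", office_hours),
        "bob_restart_after_hours_byod": authorize_abac("bob", "restart", "web-server", after_hours_byod),
        "carol_approves_alice_payment": approve_payment("alice", "carol"),
    }
    try:
        approve_payment("alice", "alice")
        results["alice_self_approval"] = "allowed"
    except PermissionError:
        results["alice_self_approval"] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo_decisions().items():
        print(f"{name:32} {outcome}")
```

The `bob_restart_*` pair is the ABAC cue: the same user with the same role gets two different answers because the device and time attributes differ. RBAC alone could not express that.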
Network security checklist
You do not need to become a network engineer for the CC exam, but you should be comfortable with common network security concepts and controls.
Network concepts and devices
| Topic | What to know | Ready when you can… |
|---|---|---|
| LAN, WAN, internet, intranet | Basic network scopes | Identify where a control may sit |
| Router | Connects networks and routes traffic | Distinguish routing from switching |
| Switch | Connects devices on a local network | Understand local segmentation basics |
| Firewall | Allows or blocks traffic by rules | Choose firewalling for traffic restriction |
| IDS | Detects suspicious activity | Recognize alerting without blocking |
| IPS | Detects and can block activity | Recognize inline prevention |
| VPN | Creates encrypted tunnel | Identify remote access or site-to-site protection |
| Proxy | Intermediates client requests | Understand filtering and logging use cases |
| WAF | Protects web applications | Use for web-specific attack filtering |
| NAC | Controls device access to network | Use for device posture and admission control |
| SIEM | Aggregates and correlates logs | Use for monitoring and investigation |
Can you do this?
- Explain why segmentation reduces lateral movement.
- Identify a DMZ-style placement for public-facing systems.
- Choose a VPN for secure remote connectivity.
- Distinguish IDS alerts from IPS blocking.
- Recognize why default-deny rules are often safer than broad allow rules.
- Explain why unnecessary services and open ports increase attack surface.
- Identify secure administration methods over insecure alternatives.
Protocol and service review cues
| Service concept | Be ready to recognize | Security cue |
|---|---|---|
| Web traffic | HTTP and HTTPS | Prefer encrypted web communication |
| Name resolution | DNS | DNS issues can affect availability and redirection risk |
| Address assignment | DHCP | Misconfiguration can disrupt connectivity |
| Email | SMTP, IMAP, POP concepts | Phishing and malware delivery are common risks |
| Remote administration | SSH, RDP concepts | Restrict, monitor, and protect with strong authentication |
| File transfer | Secure transfer (SFTP, SCP, FTPS) versus cleartext FTP or TFTP | Avoid sending sensitive data unprotected |
| Directory services | Central identity and authentication | Protect privileged access and directory infrastructure |
| Wireless | Wi-Fi authentication and encryption | Avoid weak or open wireless configurations |
Can you do this?
- Identify when encryption in transit is needed.
- Recognize secure alternatives to cleartext protocols (for example HTTPS instead of HTTP, SSH instead of Telnet, SFTP instead of FTP).
- Explain why network diagrams help incident response and control placement.
- Identify the security value of logging network activity.
Cryptography and data protection checklist
Focus on what each method is for, not advanced mathematics.
| Concept | Purpose | Common trap |
|---|---|---|
| Encryption | Protects confidentiality by making data unreadable without a key | Confusing encryption with hashing |
| Symmetric encryption | Same key encrypts and decrypts | Key sharing must be protected |
| Asymmetric encryption | Public/private key pair | Often used for key exchange, digital signatures, certificates |
| Hashing | One-way integrity check | Hashing is not encryption |
| Salting | Adds uniqueness to password hashes | Helps defend against precomputed attacks |
| Digital signature | Integrity, authenticity, non-repudiation support | Not the same as simply encrypting data |
| Certificate | Binds identity to a public key | Trust depends on certificate validation |
| Data at rest | Stored data | Disk, database, backup, removable media encryption |
| Data in transit | Moving data | TLS, VPN, secure transfer |
| Data in use | Actively processed data | Usually hardest to protect |
Can you do this?
- Decide whether a scenario needs encryption, hashing, or digital signatures.
- Explain why passwords should be hashed, not stored in plaintext.
- Recognize why key management is critical.
- Identify that losing encryption keys can affect availability.
- Explain data classification and handling at a basic level.
- Choose stronger handling for sensitive or regulated data.
- Recognize the risk of unencrypted backups and removable media.
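The most common trap in this area is treating hashing and encryption as interchangeable. The block below is an added example for this blueprint, not ISC2 material, using only the Python standard library: a SHA-256 digest as an integrity check, PBKDF2 with a random per-user salt for password storage, and HMAC as a keyed integrity check that a bare hash cannot provide. Nothing in it is reversible, which is the point. The sample passwords, the message and the shared key are constructed, and the iteration count is an assumption you would tune to your hardware. Digital signatures are described in comments but not implemented, since they need an asymmetric key pair that the standard library does not supply.

```python
"""Hashing is not encryption: integrity digests, salted password hashes, keyed MACs.

Added example for this blueprint. Sample data and the shared key are constructed.
Nothing here encrypts: none of these outputs can be turned back into the input.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor for PBKDF2-HMAC-SHA256 (assumption; tune to your hardware)


def file_digest(data: bytes) -> str:
    """Integrity check: SHA-256 of the content. Any change to the data changes the digest.

    This proves the data is unchanged only if the digest itself came from a trusted
    place; an attacker who can swap the file can also swap an unprotected digest.
    """
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, iterated one-way hash for password storage. Returns (salt, hash).

    A fresh random salt per user means two users with the same password get
    different stored hashes, so a precomputed table helps with neither, and
    the iteration count makes each guess expensive for an attacker.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def same_password_different_hashes(password: str) -> bool:
    """Show the salt's effect: identical passwords, different stored hashes."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


def mac_message(key: bytes, message: bytes) -> str:
    """Keyed integrity with HMAC-SHA256.

    Unlike a bare hash, an attacker who alters the message cannot produce a valid
    tag without the key. This gives integrity and authenticity between parties
    sharing the key. It does not give non-repudiation: either holder could have
    produced the tag. That needs a digital signature made with a private key.
    """
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time check of an HMAC tag."""
    return hmac.compare_digest(mac_message(key, message), tag)


if __name__ == "__main__":
    print("sha256('abc') =", file_digest(b"abc"))
    salt, stored = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", salt, stored))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", salt, stored))
    print("same password, different hashes:", same_password_different_hashes("Winter2024!"))
    key = b"constructed-shared-key"   # constructed; real keys come from a key management system
    tag = mac_message(key, b"transfer 100 to acct 42")
    print("tampered message verifies:", verify_mac(key, b"transfer 900 to acct 42", tag))
```

Scenario mapping: "store passwords" calls for `hash_password`, "confirm a download was not corrupted" for `file_digest`, "confirm a message came from a partner who shares a key with us" for `mac_message`, and "prove to a third party who signed it" for a digital signature, which none of these functions provide.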
Security operations checklist
Security operations questions often test what to do first, what evidence matters, and which process applies.
Operational controls
| Area | What to review | Ready when you can… |
|---|---|---|
| Asset management | Inventory, ownership, lifecycle | Explain why unknown assets are hard to protect |
| Configuration management | Baselines, approved changes, secure settings | Identify configuration drift |
| Change management | Request, review, approval, testing, rollback | Explain why emergency changes still need documentation |
| Patch management | Prioritize and apply updates | Balance risk, testing, and urgency |
| Vulnerability management | Scan, validate, prioritize, remediate, rescan | Distinguish finding a weakness from fixing it |
| Malware defense | Prevention, detection, response | Identify basic endpoint protection actions |
| Logging | Collect relevant events | Know logs support detection and accountability |
| Monitoring | Review and alert on activity | Identify suspicious patterns |
| Backup operations | Create, protect, and test backups | Explain why restore testing matters |
| Security awareness | Train users to report and avoid risk | Recognize human-focused controls |
Can you do this?
- Prioritize critical vulnerabilities on exposed systems.
- Explain why vulnerability scans can produce false positives.
- Identify why patching requires testing and rollback planning.
- Recognize when a baseline or hardening standard is needed.
- Explain why logs need time synchronization and protection from tampering.
- Identify when an alert should be escalated.
- Recognize the value of lessons learned after incidents.
- Explain why backups should be protected from ransomware.
Logging and monitoring readiness
| Event or evidence | Why it matters |
|---|---|
| Successful and failed logins | Detect brute force, misuse, and suspicious access |
| Privileged actions | Support accountability and investigation |
| Firewall and network events | Identify blocked or suspicious traffic |
| Endpoint alerts | Detect malware or policy violations |
| File access events | Investigate unauthorized data access |
| Change records | Validate whether activity was approved |
| Backup job results | Confirm recovery capability |
| Vulnerability scan findings | Track exposure and remediation |
Can you do this?
- Identify which log source is most relevant to a scenario.
- Explain why logs should be retained long enough for investigations.
- Distinguish detection from prevention.
- Recognize that an alert is not automatically a confirmed incident.
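"Logs show repeated failed logins" is the classic scenario for this area, and the checklist item that an alert is not yet an incident is the part candidates skip. The block below is an added example for this blueprint, not part of ISC2's material or any SIEM product: it parses constructed sshd-style log lines, counts failures per source address in a sliding window, raises a brute-force finding when a threshold is crossed, and separately flags a success from an already-flagged source, which is the event that turns an alert into something an analyst must validate. The hostnames, usernames and addresses (RFC 5737 documentation ranges) are constructed; the threshold and window are assumptions.

```python
"""Brute-force detection over sshd-style authentication log lines.

Added example for this blueprint. The log lines are constructed (RFC 5737
documentation addresses), not captured from a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINES = [
    "Jun 01 10:00:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2",
    "Jun 01 10:00:04 bastion sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 50130 ssh2",
    "Jun 01 10:00:07 bastion sshd[2215]: Failed password for root from 203.0.113.5 port 50141 ssh2",
    "Jun 01 10:00:09 bastion sshd[2217]: Failed password for bob from 203.0.113.5 port 50150 ssh2",
    "Jun 01 10:00:12 bastion sshd[2219]: Failed password for bob from 203.0.113.5 port 50161 ssh2",
    "Jun 01 10:00:15 bastion sshd[2221]: Accepted password for bob from 203.0.113.5 port 50170 ssh2",
    "Jun 01 10:02:40 bastion sshd[2230]: Failed password for alice from 198.51.100.7 port 41002 ssh2",
    "Jun 01 10:02:55 bastion sshd[2232]: Accepted password for alice from 198.51.100.7 port 41010 ssh2",
    "Jun 01 10:03:10 bastion sshd[2234]: Accepted publickey for deploy from 198.51.100.9 port 39000 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) or None for lines that do not match.

    Syslog timestamps carry no year, so one is assumed. Log time synchronization
    matters here: the window logic below trusts these timestamps.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failure counts per source IP.

    Findings:
      ("brute_force", ip, count)              - threshold failures within the window
      ("success_after_brute_force", ip, user) - a login succeeded from a flagged source;
                                                escalate for validation, do not assume compromise
    """
    recent_failures = defaultdict(deque)
    flagged = set()
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent_failures[ip]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("brute_force", ip, len(q)))
        elif ip in flagged:
            findings.append(("success_after_brute_force", ip, user))
    return findings


if __name__ == "__main__":
    for finding in detect(LOG_LINES):
        print(finding)
```

Two things the output shows that the checklist describes in words: alice's single typo never crosses the threshold, so it is noise, not an alert; and bob's success after five failures from the same source is an alert that needs analysis (password spray that landed, or an admin who mistyped four times), not yet a declared incident.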
Incident response, business continuity, and disaster recovery checklist
These areas are related but not interchangeable.
| Concept | Primary purpose | Example |
|---|---|---|
| Incident response | Handle a security event or incident | Malware infection, account compromise, data exposure |
| Business continuity | Keep essential business functions operating | Workarounds, alternate processes, continuity planning |
| Disaster recovery | Restore IT systems after disruption | Recover servers, networks, applications, data |
| Business impact analysis | Identify critical functions and impacts | Determine recovery priorities |
| Backup and restore | Recover data and systems | Restore from clean, tested backups |
| Tabletop exercise | Practice response decisions | Walk through ransomware scenario |
Incident response flow
Be ready to choose the next reasonable step in a scenario.
| Phase | Typical activities | Exam cue |
|---|---|---|
| Preparation | Plans, training, tools, contacts, playbooks | “Before an incident occurs…” |
| Detection and analysis | Identify, validate, scope, classify | “An alert has fired…” |
| Containment | Limit damage and spread | “Prevent further compromise…” |
| Eradication | Remove cause of compromise | “Remove malware or close exploited weakness…” |
| Recovery | Restore normal operations safely | “Bring systems back online…” |
| Lessons learned | Improve controls and process | “After the incident…” |
Can you do this?
- Avoid jumping to recovery before containment.
- Preserve evidence when investigation may be needed.
- Escalate according to the incident response plan.
- Identify when communication should follow approved channels.
- Distinguish an event from an incident.
- Explain why lessons learned should update policies, controls, and training.
Continuity and recovery terms
| Term | Meaning | Practical cue |
|---|---|---|
| RTO | How quickly a service should be restored | Maximum tolerable downtime target |
| RPO | How much data loss is acceptable, measured as time | Backup frequency and data recovery target |
| BIA | Business impact analysis | Identifies critical functions and dependencies |
| BCP | Business continuity plan | Keeps business operating |
| DRP | Disaster recovery plan | Restores technology services |
| Backup retention | How long backups are kept | Supports recovery and compliance needs |
| Restore test | Verification that recovery works | Untested backups are only assumptions |
Can you do this?
- Explain the difference between RTO and RPO.
- Identify that frequent backups help reduce data loss.
- Recognize that backups must be protected, monitored, and tested.
- Distinguish high availability from backup recovery.
- Identify why business priorities should drive recovery order.
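RTO and RPO become concrete when you check them against what the backup schedule and the last restore test actually deliver. The block below is an added example for this blueprint, not ISC2 material: for each service in a constructed inventory it compares the backup interval to the RPO (worst-case data loss is a full interval), the measured restore time to the RTO, flags services that have never been restore-tested, and flags RTOs so short that backup-only recovery cannot meet them and a high-availability design is needed. Service names, targets and measurements are constructed; the 30-minute HA threshold is an assumption.

```python
"""RTO/RPO readiness check over a constructed service inventory.

Added example for this blueprint. Service names, targets and measured restore
times are constructed; the near-zero-RTO threshold is an assumption.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional, Tuple

# Below this RTO, restoring from backup is unrealistic; the service needs a
# high-availability design (clustering, replication, failover). Assumption.
HA_THRESHOLD = timedelta(minutes=30)


@dataclass(frozen=True)
class ServiceRecovery:
    name: str
    rto: timedelta                         # maximum tolerable downtime
    rpo: timedelta                         # maximum tolerable data loss, as time
    backup_interval: timedelta             # how often a restorable backup is taken
    measured_restore: Optional[timedelta]  # restore time in the last test; None = never tested


def assess(svc: ServiceRecovery) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for every gap between targets and reality."""
    issues = []
    # Worst case: failure just before the next backup loses a full interval of data.
    if svc.backup_interval > svc.rpo:
        issues.append(("RPO_MISS", f"backups every {svc.backup_interval} but RPO is {svc.rpo}"))
    if svc.measured_restore is None:
        issues.append(("UNTESTED", "no restore test on record; recovery time is an assumption"))
    elif svc.measured_restore > svc.rto:
        issues.append(("RTO_MISS", f"last restore took {svc.measured_restore}, RTO is {svc.rto}"))
    if svc.rto < HA_THRESHOLD:
        issues.append(("NEEDS_HA", f"RTO {svc.rto} is below {HA_THRESHOLD}; backup-only recovery cannot meet it"))
    return issues


def recovery_order(services):
    """Business priority drives restore order: shortest RTO first, as the BIA would rank them."""
    return [s.name for s in sorted(services, key=lambda s: s.rto)]


# Constructed inventory.
SERVICES = [
    ServiceRecovery("payments", rto=timedelta(minutes=15), rpo=timedelta(minutes=5),
                    backup_interval=timedelta(hours=1), measured_restore=timedelta(minutes=90)),
    ServiceRecovery("hr-system", rto=timedelta(hours=4), rpo=timedelta(hours=1),
                    backup_interval=timedelta(hours=1), measured_restore=None),
    ServiceRecovery("intranet-wiki", rto=timedelta(hours=24), rpo=timedelta(hours=24),
                    backup_interval=timedelta(hours=24), measured_restore=timedelta(hours=2)),
]


def assess_all(services=SERVICES):
    """Map each service name to the list of issue codes found."""
    return {s.name: [code for code, _ in assess(s)] for s in services}


if __name__ == "__main__":
    print("Recovery order:", recovery_order(SERVICES))
    for svc in SERVICES:
        for code, detail in assess(svc) or [("OK", "targets met and restore tested")]:
            print(f"{svc.name:14} {code:9} {detail}")
```

The hr-system row is the one to remember for the exam: every backup job succeeded and the schedule meets the RPO, yet the service is not recoverable in any proven sense because nobody has restored from those backups. Successful backup jobs are evidence of a backup, not of recovery.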
Physical security and human risk checklist
Physical and human controls are core security topics, not side issues.
| Area | Controls to recognize | Ready when you can… |
|---|---|---|
| Facility access | Badges, guards, locks, mantraps, visitor logs | Select appropriate access restriction |
| Monitoring | Cameras, alarms, motion detection | Identify detective physical controls |
| Environmental protection | Fire suppression, HVAC, water detection, power controls | Match controls to availability risks |
| Device protection | Cable locks, secure storage, screen locks, clean desk | Reduce theft and exposure |
| Social engineering | Phishing, tailgating, pretexting, baiting | Identify attack type and user response |
| Awareness | Training, reporting, simulations, reminders | Choose training or reporting improvements |
Can you do this?
- Identify tailgating and the purpose of anti-tailgating controls.
- Recognize phishing indicators and appropriate reporting actions.
- Explain why security awareness is preventive but not sufficient alone.
- Match environmental controls to availability risks.
- Identify when physical access can bypass technical controls.
Scenario and decision-point checks
Use these prompts to test whether you can apply concepts instead of only defining them.
| Scenario | Best exam posture | Watch for |
|---|---|---|
| User reports clicking a suspicious link | Follow incident reporting and triage process; collect details; contain if needed | Do not ignore because “nothing happened yet” |
| Former employee account is still active | Disable account, review access, investigate activity if needed | Orphaned accounts and deprovisioning failures |
| Admin needs temporary elevated access | Approve, limit, log, monitor, and remove access after use | Permanent excessive privilege |
| Public web server must be protected | Segment, harden, patch, monitor, restrict traffic, consider web-specific controls | Placing public systems directly with internal sensitive systems |
| Backup jobs are successful but never restored | Schedule restore testing | Assuming backup success equals recovery success |
| Sensitive file is emailed unencrypted | Consider classification, handling policy, encryption, and incident process | Treating all data the same |
| Firewall allows all inbound traffic | Apply least functionality and restrictive rules | Convenience over security |
| Vulnerability scan shows many findings | Prioritize by exposure, severity, asset value, and exploitability | Treating all findings equally |
| Logs show repeated failed logins | Investigate brute force or misconfiguration; consider lockout and MFA | Assuming failed logins are harmless |
| Laptop containing sensitive data is lost | Report incident, assess encryption, remote wipe if available, follow procedure | Waiting to see if data appears online |
| Business wants zero downtime | Discuss availability architecture, cost, RTO/RPO, and risk | Assuming backups alone provide zero downtime |
| User can log in but cannot access a file | Authentication succeeded; authorization may be missing | Confusing authentication with authorization |
Artifact readiness checklist
You should be able to identify why each artifact matters and when it is used.
| Artifact | What to inspect or understand |
|---|---|
| Security policy | Required behavior and management expectations |
| Acceptable use policy | User rules for systems, internet, email, and data |
| Incident response plan | Roles, escalation, communication, procedures |
| Business continuity plan | Critical processes and continuity methods |
| Disaster recovery plan | Technical restoration steps and recovery priorities |
| Business impact analysis | Criticality, dependencies, recovery priorities |
| Asset inventory | What exists, who owns it, where it is, and how critical it is |
| Data classification matrix | Sensitivity levels and handling requirements |
| Access control matrix | Who has access to what and why |
| Network diagram | System placement, connections, trust boundaries |
| Firewall rule request | Source, destination, service, business justification |
| Vulnerability scan report | Findings, affected assets, severity, remediation status |
| Change ticket | Approval, testing, implementation, rollback |
| Backup report | Job success, failures, retention, restore-test evidence |
| Security awareness record | Training completion and user reporting expectations |
Can you do this?
- Choose the artifact that best supports a given task.
- Identify missing information in a security request.
- Explain why documentation must be maintained, not just created.
- Recognize when evidence supports accountability or auditability.
Common weak areas and traps
| Trap | Correct exam-ready thinking |
|---|---|
| Treating threat, vulnerability, and risk as the same thing | A threat exploits a vulnerability and creates risk to an asset |
| Confusing authentication and authorization | Authentication proves identity; authorization grants permissions |
| Assuming encryption solves every problem | Encryption helps confidentiality but does not fix weak access, poor key management, or availability |
| Confusing hashing with encryption | Hashing is one-way; encryption is reversible with a key |
| Skipping containment in incident response | Limit damage before full recovery |
| Treating backups as proven recovery | Recovery requires successful restore testing |
| Choosing technology before requirements | Identify risk, asset value, business need, and constraints first |
| Ignoring physical security | Physical access can undermine technical controls |
| Overlooking human factors | Training, reporting, and process matter |
| Selecting the most complex control automatically | The best answer is often appropriate, risk-based, and practical |
| Assuming compliance equals security | Compliance may support security but does not eliminate risk |
| Forgetting residual risk | Controls reduce risk; they rarely remove all risk |
| Not reading words like “first,” “best,” or “most likely” | These words determine the expected decision |
| Treating every alert as an incident | Alerts require analysis and validation |
| Treating every vulnerability equally | Prioritize by risk, exposure, and asset criticality |
Final-week checklist
Use the final week to strengthen judgment, not to memorize random facts.
Seven to five days out
- Re-read your weakest topic areas using this checklist.
- Create a short list of terms you still confuse.
- Drill CIA, risk, control types, access control, network controls, incident response, and recovery terms.
- Review every missed practice question and write the reason you missed it.
- Practice explaining why each wrong option is wrong.
Four to two days out
- Complete mixed-topic practice sets.
- Focus on scenario wording: first, best, most appropriate, most likely.
- Review incident response order and continuity terminology.
- Review authentication versus authorization examples.
- Review encryption, hashing, certificates, and secure communication concepts.
- Review security operations artifacts: logs, vulnerability reports, change tickets, backups, and asset inventory.
Final day
- Stop trying to learn large new resources.
- Review your personal trap list.
- Review quick definitions and scenario cues.
- Sleep and manage test-day logistics.
- Enter the exam ready to reason through scenarios, not just recall terms.
Personal readiness scorecard
Mark each row red, yellow, or green.
| Area | Red / Yellow / Green | Notes |
|---|---|---|
| CIA triad and basic principles | | |
| Risk terminology and risk treatment | | |
| Security control categories | | |
| Policies, standards, procedures, guidelines | | |
| Data classification and handling | | |
| Encryption, hashing, and certificates | | |
| Identification, authentication, authorization | | |
| MFA and password concepts | | |
| Least privilege and access reviews | | |
| DAC, MAC, RBAC, ABAC | | |
| Network devices and segmentation | | |
| Firewalls, VPNs, IDS, IPS | | |
| Secure protocols and wireless basics | | |
| Asset, patch, and vulnerability management | | |
| Logging and monitoring | | |
| Malware and endpoint protection basics | | |
| Incident response lifecycle | | |
| Business continuity and disaster recovery | | |
| RTO, RPO, BIA, BCP, DRP | | |
| Physical security and social engineering | | |
Practical next step
After marking the scorecard, choose your three weakest yellow or red areas and complete targeted practice for each. Then move to mixed CC practice questions so you can test topic recognition, scenario judgment, and elimination skills together.