Free ISC2 Certified in Cybersecurity CC Practice Questions: Security Operations
Practice 10 free ISC2 Certified in Cybersecurity (ISC2 Certified in Cybersecurity CC) questions on Security Operations, with answers, explanations, and the IT Mastery next step.
Try the IT Mastery web app for a richer interactive practice experience with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
Topic snapshot
| Field | Detail |
|---|---|
| Practice target | ISC2 Certified in Cybersecurity CC |
| Topic area | Security Operations and Incident Response |
| Blueprint weight | 17.3% |
| Page purpose | Focused sample questions before returning to mixed practice |
How to use this topic drill
Use this page to isolate Security Operations and Incident Response for ISC2 Certified in Cybersecurity CC. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 17.3% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
Sample questions
These are original IT Mastery practice questions aligned to this topic area. They are not official ISC2 questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with topic drills, mixed sets, and timed mocks in IT Mastery.
Question 1
Topic: Security Operations and Incident Response
A security team receives credible cyber threat intelligence that attackers are actively exploiting a vulnerability. The asset inventory shows that the organization has an internet-facing server with that same unpatched vulnerability. Which response best applies the 2026 CC operations concept for this situation?
Options:
A. Treat the alert as a false positive
B. Wait for the normal patch cycle
C. Focus only on user awareness training
D. Prioritize mitigation using threat intelligence
Best answer: D
Explanation: Cyber threat intelligence helps security teams make better operational decisions by adding current threat context to known weaknesses. When credible intelligence shows active exploitation and the organization has an exposed vulnerable asset, the team should raise the priority for remediation, containment, or compensating controls. This is a risk-based response: the vulnerability is no longer just theoretical because attackers are known to be using it. The key takeaway is to combine asset knowledge, vulnerability status, and threat intelligence to decide what needs urgent action.
- Waiting for the normal patch cycle ignores the increased likelihood of attack created by active exploitation.
- Treating the alert as a false positive is not supported because the asset inventory confirms exposure to the cited vulnerability.
- User awareness training may reduce social engineering risk, but it does not address an actively exploited server vulnerability.
Question 2
Topic: Security Operations and Incident Response
A billing employee needs to send a spreadsheet containing customer names, account numbers, and payment details to two authorized coworkers. The employee plans to attach the file to a regular email and copy a personal email account for convenience. Which control best reduces the data handling risk?
Options:
A. Store the spreadsheet on a shared desktop folder
B. Use an approved encrypted file-sharing service with access controls
C. Add a confidential label to the spreadsheet filename
D. Ask the employee to delete the email after sending it
Best answer: B
Explanation: Sensitive customer payment data requires controlled storage, sharing, and transmission. A regular email attachment copied to a personal account creates two risks: the data may travel without appropriate protection, and access may extend outside approved business systems. An approved encrypted file-sharing service with access controls directly addresses both issues by protecting transmission and restricting who can open or download the file. Labeling helps users recognize sensitivity, but it does not enforce protection. Deleting a sent message is weak because copies may remain in mailboxes, backups, or personal accounts. A shared desktop folder may increase exposure instead of controlling it.
- Labeling only helps identify sensitive data; it does not prevent unauthorized access or insecure transmission.
- Deleting after sending is too late and does not remove copies from recipients, backups, or a personal mailbox.
- Shared desktop storage weakens control because access is harder to restrict and audit.
Question 3
Topic: Security Operations and Incident Response
During a ransomware tabletop exercise, the team identified the suspected entry point quickly. However, responders delayed containment because no one knew who could approve disconnecting affected systems, when to notify leadership, or where to record decisions. Which control best addresses the gap revealed by the exercise?
Options:
A. Update the incident response plan with roles, escalation paths, authority, and documentation steps
B. Add a firewall rule to block ransomware command-and-control traffic
C. Deploy additional endpoint detection on all workstations
D. Require annual password changes for all users
Best answer: A
Explanation: Incident response exercises test more than technical detection. They also reveal whether people know how to communicate, escalate, make authorized decisions, and document actions during an incident. In this scenario, the team found the technical clue but could not act because roles and authority were unclear. The best control is an administrative update to the Incident Response Plan (IRP), followed by training or another exercise to validate it. Technical controls may help detect or block threats, but they do not define who can approve containment or how decisions must be recorded.
- Endpoint detection may improve visibility, but the exercise already found the entry point and exposed a process gap.
- Firewall blocking targets a possible threat path, not the missing authority and escalation process.
- Password changes are unrelated to the communication, approval, and documentation failures shown in the exercise.
Question 4
Topic: Security Operations and Incident Response
A support team exports customer records from a ticketing system to troubleshoot a billing issue. The file includes names, email addresses, and payment-card fragments, and the company policy labels this data as regulated and business-critical. What is the BEST action before sharing the file with another internal team?
Options:
A. Post it in a team chat for faster review
B. Apply the required label and approved handling controls
C. Share it normally because the recipients are employees
D. Remove the label to avoid drawing attention
Best answer: B
Explanation: Data classification and handling requirements should change when data is sensitive, regulated, or business-critical. In this scenario, the file contains customer information and payment-card fragments, and policy already identifies it as regulated and business-critical. The support team should apply the proper data label and use approved handling controls, such as limiting access, using approved storage or transfer methods, and following any retention or masking rules the policy sets.
Internal sharing does not remove the need to protect regulated data. The key takeaway is that classification drives handling, not convenience or employee status.
- Employee access fails because internal recipients still need an approved business need and proper handling controls.
- Removing the label increases risk because labels communicate required protection and handling rules.
- Team chat sharing is risky because convenience does not override approved transfer, access, and retention requirements.
Question 5
Topic: Security Operations and Incident Response
A junior administrator bypassed the normal change process and enabled a new remote management setting on several production servers. The setting has not been security tested, and monitoring now shows failed login attempts from an external network. What is the BEST action to reduce risk while following change management principles?
Options:
A. Disable all remote access across the organization
B. Revert the change and submit it for review and testing
C. Leave the setting enabled and monitor for one week
D. Approve the change retroactively because it is already deployed
Best answer: B
Explanation: Change management protects production systems by requiring authorization, testing, documentation, and a rollback path before changes are deployed. In this scenario, the change is both unauthorized and untested, and there is already a security clue: failed external login attempts. The safest entry-level response is to reduce the immediate risk by reverting the change, then route it through normal review and testing before any future deployment. Monitoring alone does not correct the exposed condition, and retroactive approval bypasses the control purpose. The key takeaway is to restore a known approved state first, then evaluate the change properly.
- Monitoring only fails because observation does not remove the untested external exposure.
- Retroactive approval fails because it normalizes a bypass of authorization and testing controls.
- Disabling all remote access is too broad and may disrupt valid business operations beyond the affected change.
Question 6
Topic: Security Operations and Incident Response
A small office still runs a file-sharing appliance whose vendor stopped releasing security patches and no longer provides support. The appliance remains connected to the internal network because it still works. Which concept does this situation best illustrate?
Options:
A. Redundant system design
B. End-of-life asset risk
C. Change management approval
D. Security awareness training
Best answer: B
Explanation: End-of-life asset risk occurs when software, hardware, or embedded devices are still in use after the vendor stops providing patches, updates, or support. Even if the asset still functions, it can become a weak point because newly discovered vulnerabilities may not be fixed and troubleshooting help may not be available. In asset lifecycle management, these systems should be tracked, risk-assessed, isolated if needed, and planned for replacement or retirement. The key issue is not whether the device works, but whether it can still be securely maintained.
- Change approval is about controlling authorized modifications, not the risk from unsupported assets.
- Redundancy improves availability by adding backup capacity, but it does not address missing vendor patches.
- Awareness training helps users recognize threats, but the described risk comes from the appliance lifecycle state.
Question 7
Topic: Security Operations and Incident Response
A company receives a cyber threat intelligence report that financially motivated threat actors are targeting similar organizations by using leaked passwords for credential-stuffing attacks against customer portals. The portal stores customer contact information. Which control best addresses the risk described without relying on uncertain actor attribution?
Options:
A. Increase badge checks at the data center
B. Require MFA for customer portal logins
C. Create a new acceptable use policy
D. Wait for confirmed actor attribution
Best answer: B
Explanation: Threat actor type can help prioritize risk, but control selection should be based on the asset at risk and the observed behavior or tactics. Here, the relevant facts are the customer portal, stored customer information, and credential stuffing with leaked passwords. MFA is a strong access control because a stolen password alone should not be enough to access an account. The organization does not need perfect attribution to act; the technical behavior is clear enough to choose a preventive control. Actor labels are useful context, but the best response maps to the specific attack method.
- Physical control mismatch fails because badge checks do not address credential stuffing against an online portal.
- Policy-only response is weaker because acceptable use rules do not stop attackers using leaked passwords.
- Attribution delay fails because waiting for a confirmed actor identity leaves a clear current risk untreated.
Question 8
Topic: Security Operations and Incident Response
A company needs to encrypt large database backup files before placing them in offline storage. The same recovery team will decrypt the files later, and the team can securely protect a shared secret key. Which data security practice is the best fit?
Options:
A. Data masking
B. Symmetric encryption
C. Asymmetric encryption
D. Hashing
Best answer: B
Explanation: Symmetric encryption uses the same secret key to encrypt and decrypt data. It is commonly a better fit for encrypting large amounts of data, such as backups, when the parties or systems involved can securely manage the shared key. Asymmetric encryption uses a public/private key pair and is useful when parties need to exchange information without first sharing a secret, but it is not usually the best choice for bulk file encryption. Hashing and masking are different data protection practices and do not provide reversible encryption for full backup restoration.
- Public/private keys are useful for asymmetric encryption scenarios, but the stem already allows a protected shared secret for bulk data.
- Hashing creates a fixed value for verification, not reversible encrypted backup content.
- Masking hides sensitive fields for limited viewing, but it does not support restoring full encrypted backups.
Question 9
Topic: Security Operations and Incident Response
A company wants a documented artifact that tells teams who to contact, what roles they have, and what high-level steps to follow when a suspected security incident occurs. Which 2026 CC concept best matches this purpose?
Options:
A. Vulnerability scan report
B. Business impact analysis
C. Incident Response Plan
D. Data retention policy
Best answer: C
Explanation: An Incident Response Plan (IRP) guides the organization’s coordinated response when a security incident is suspected or confirmed. It identifies roles, communication and escalation paths, and the general phases or actions responders should follow so teams do not improvise during a stressful event. The plan supports consistent triage, containment, recovery, and communication across technical, management, legal, and business stakeholders.
A vulnerability scan report may provide evidence of weaknesses, and a business impact analysis supports continuity planning, but neither is the primary artifact for directing incident response actions.
- Retention focus fails because data retention defines how long information is kept, not how responders coordinate during an incident.
- Scan output fails because a vulnerability scan report lists findings; it does not assign response roles or guide incident handling.
- Continuity analysis fails because a business impact analysis identifies critical processes and impacts, not incident response coordination steps.
Question 10
Topic: Security Operations and Incident Response
A company requires files labeled Restricted to be shared externally only through an approved secure file-transfer service that records recipient, label, and encryption status. A security analyst must verify whether teams are following this data handling requirement. Which evidence is most useful for this review?
Options:
A. The written data handling policy
B. Secure transfer audit logs for Restricted files
C. Annual security awareness attendance records
D. A network diagram of the file-transfer service
Best answer: B
Explanation: Evidence for data handling compliance should show actual handling activity, not just intended behavior. In this scenario, the requirement includes a specific label, approved transfer method, recipient tracking, and encryption status. Audit logs from the secure file-transfer service can be reviewed to confirm whether restricted files were sent through the approved channel and whether the required handling details were recorded. Policies and training support the program, but they do not prove that users followed the requirement for specific file transfers. The key takeaway is to prefer activity records that map directly to the data handling rule being tested.
- Training records show users were educated, but they do not prove specific restricted files were handled correctly.
- Written policy defines the requirement, but it is not evidence of actual compliance.
- Network diagrams show architecture context, but they do not show file labels, recipients, or encryption status for transfers.
Continue in the web app
Use IT Mastery for interactive ISC2 Certified in Cybersecurity CC practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
Try ISC2 Certified in Cybersecurity CC on Web