Free ISC2 Certified in Cybersecurity CC Practice Questions: Security Principles

Practice 10 free ISC2 Certified in Cybersecurity (CC) questions on Security Principles, with answers, explanations, and the IT Mastery next step.

Try the IT Mastery web app for a richer interactive practice experience with mixed sets, timed mocks, topic drills, explanations, and progress tracking.

Try ISC2 Certified in Cybersecurity CC on Web

Topic snapshot

Field | Detail
Practice target | ISC2 Certified in Cybersecurity CC
Topic area | Security Principles
Blueprint weight | 24%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Security Principles for ISC2 Certified in Cybersecurity CC. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 24% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These are original IT Mastery practice questions aligned to this topic area. They are not official ISC2 questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with topic drills, mixed sets, and timed mocks in IT Mastery.

Question 1

Topic: Security Principles

A security team is updating internal documents for remote work. One document should suggest preferred practices, such as using a privacy screen in public places, but business units may use equivalent methods when justified. Which document type is the BEST FIT for this content?

Options:

  • A. Policy

  • B. Procedure

  • C. Guideline

  • D. Standard

Best answer: C

Explanation: A guideline is the best fit when the organization wants to recommend a good practice but allow flexibility. In this scenario, the privacy screen recommendation supports secure remote work, but business units may use equivalent methods when justified. That makes it advisory rather than mandatory. A standard would set required rules or specifications, a procedure would give step-by-step instructions, and a policy would state high-level management expectations or requirements. The key distinction is that guidelines guide behavior, while standards must be followed.

  • Standard as flexible advice fails because standards normally define mandatory requirements or specifications.
  • Procedure as recommendation fails because procedures describe required step-by-step actions.
  • Policy as detailed practice fails because policies set high-level direction rather than optional practice suggestions.

Question 2

Topic: Security Principles

A small clinic copies patient records to portable backup drives that are sent weekly to off-site storage. A risk assessment identifies the main risk: if a drive is lost in transit, an unauthorized person could read sensitive patient data. Which control best reduces the impact of this risk?

Options:

  • A. Have the courier sign a pickup log

  • B. Encrypt the backup drives before transport

  • C. Increase the backup frequency to daily

  • D. Record the risk and accept it

Best answer: B

Explanation: Risk reduction means selecting a control that lowers the likelihood or impact of a specific risk. Here, the loss of a portable drive is still possible, but encryption reduces the impact because the data should not be readable without the key. The control is matched to the asset and harm: sensitive patient data exposed during transport. A pickup log may support accountability, and more frequent backups may improve recovery, but neither directly protects confidentiality if the drive is lost.

  • Backup frequency improves availability and recovery points, but it does not stop someone from reading data on a lost drive.
  • Pickup log provides custody evidence, but it does not protect the contents of the drive.
  • Risk acceptance may be valid in some cases, but it does not reduce the stated likelihood or impact.

Question 3

Topic: Security Principles

A company is building its governance document inventory. One requirement says: “Organizations that process residents’ personal data must report qualifying breaches to the national regulator and may face penalties for noncompliance.” Which source type should the security manager classify this requirement as?

Options:

  • A. Technical standard

  • B. Law or regulation

  • C. Procedure

  • D. Internal policy

Best answer: B

Explanation: Laws and regulations are external obligations created or enforced by governments or regulators. They may impose mandatory requirements and penalties for noncompliance. Internal policies, standards, procedures, frameworks, and guidelines can help an organization meet those obligations, but they are created or adopted by the organization. In this scenario, the breach-reporting requirement comes from a national regulator and includes penalties, so it should be classified as a law or regulation. The key distinction is source and enforceability: external legal mandate versus internal direction or implementation detail.

  • Internal policy fails because a policy is management’s internal direction, even when it is written to support legal compliance.
  • Technical standard fails because a standard defines specific required settings or methods, such as encryption strength or password length.
  • Procedure fails because a procedure gives step-by-step instructions for performing a task, not the external authority requiring it.

Question 4

Topic: Security Principles

A help desk team handles account lockout requests differently depending on who is on shift. Management wants staff to follow the same approved sequence each time, including identity verification, ticket updates, and escalation steps. Which policy artifact is most appropriate?

Options:

  • A. Policy

  • B. Standard

  • C. Guideline

  • D. Procedure

Best answer: D

Explanation: A procedure is the right artifact when staff need repeatable operational steps. In this scenario, the help desk must perform the same sequence for identity verification, ticket documentation, and escalation during account lockout requests. Procedures translate security expectations into specific actions that workers can follow consistently. A policy states management intent, a standard defines mandatory requirements, and a guideline gives recommended advice. The need for an approved sequence of steps points to a procedure.

  • Policy confusion fails because a policy states high-level direction, not the detailed sequence for handling each request.
  • Standard confusion fails because a standard sets required rules or specifications, not task-by-task workflow steps.
  • Guideline confusion fails because guidelines are recommended practices and usually do not provide mandatory repeatable instructions.

Question 5

Topic: Security Principles

A junior security analyst discovers that a coworker copied customer data to a personal cloud account to finish work from home. The coworker asks the analyst not to report it because the data was not shared publicly. Which action best reflects professional and ethical conduct?

Options:

  • A. Post a warning about the coworker on social media

  • B. Ignore it because no public disclosure occurred

  • C. Report the issue through approved internal channels

  • D. Ask the coworker to delete it without documenting anything

Best answer: C

Explanation: Professional and ethical security conduct requires honesty, lawful behavior, and responsible handling of potential data exposure. Customer data copied to an unauthorized personal account is a security and privacy concern even if it was not posted publicly. The analyst should follow the organization’s approved reporting or escalation process so the issue can be assessed, contained, documented, and handled fairly. Acting alone, hiding the issue, or making a public accusation can increase risk and damage trust.

The key takeaway is to protect the public and the organization through responsible, authorized action.

  • No public disclosure is not enough to dismiss the event because unauthorized storage can still violate policy or law.
  • Undocumented deletion may hide evidence and prevent proper assessment, notification, or corrective action.
  • Social media exposure is unprofessional and may create additional privacy, legal, and reputational harm.

Question 6

Topic: Security Principles

A company encrypts a customer database and restricts administrator access, but its latest assessment still rates the residual risk of unauthorized disclosure as “medium.” The approved risk tolerance for customer privacy risks is “low.” Which recommendation best aligns with the role of risk tolerance?

Options:

  • A. Wait until the next annual review

  • B. Apply additional risk treatment

  • C. Remove the risk from reporting

  • D. Accept the risk as documented

Best answer: B

Explanation: Risk tolerance defines how much residual risk the organization is willing to accept for a specific area or objective. In this scenario, the remaining risk is “medium,” but the approved tolerance for customer privacy risks is “low.” That means the residual risk is outside the acceptable range and should not simply be accepted. The organization should pursue more risk treatment, such as stronger controls, risk transfer, or changing the activity, until the residual risk is within tolerance or is formally escalated to the proper risk owner. The key takeaway is that residual risk is acceptable only when it fits the organization’s defined appetite or tolerance.

  • Accepting documentation fails because documentation alone does not make a risk acceptable when it exceeds tolerance.
  • Removing from reporting weakens governance and hides a known risk instead of treating or escalating it.
  • Waiting for review delays action even though the current assessment already shows the risk is outside tolerance.

Question 7

Topic: Security Principles

A small company has separate policies for passwords, remote access, backups, and incident reporting. Leadership wants a consistent way to show which security objectives each document supports and to identify gaps across the full program. Which action is the BEST FIT?

Options:

  • A. Replace all standards with optional guidelines

  • B. Assign each team to create its own control categories

  • C. Map the documents to a security framework

  • D. Convert every policy into a step-by-step procedure

Best answer: C

Explanation: A security framework helps organize related controls and objectives into a consistent structure. In this scenario, the company already has multiple documents, but leadership needs to see how they fit together and where gaps exist. Mapping policies, standards, and procedures to a framework makes the program easier to govern, review, and improve without requiring every document to serve the same purpose.

A policy states management direction, a standard defines required rules, and a procedure gives step-by-step instructions. A framework ties these pieces together by providing categories, control areas, or objectives that can be used across the organization.

  • Procedures alone fail because procedures explain how to perform tasks, but they do not organize the whole control program.
  • Optional guidelines fail because replacing standards would weaken required security expectations.
  • Team-created categories fail because inconsistent categories make gap analysis and governance harder.

Question 8

Topic: Security Principles

A contractor needs access to an internal ticketing system. Company policy says access rights can be evaluated only after the person is verified as an approved user. Which action is the BEST fit before access is considered?

Options:

  • A. Record the contractor’s ticket activity

  • B. Assign the contractor the least-privilege role

  • C. Authenticate the contractor using approved credentials

  • D. Encrypt the contractor’s network connection

Best answer: C

Explanation: Authentication is the AAA function used to verify that an entity is who or what it claims to be before access is granted or evaluated. In this scenario, the policy requires the person to be verified first, so the immediate need is authentication, such as approved credentials or MFA. After that, authorization can determine what the contractor is allowed to do. Accounting can record activity, and encryption can protect data in transit, but neither verifies the user’s identity.

  • Least privilege is an authorization decision that should happen after identity is verified.
  • Activity logging supports accounting and auditing, but it does not prove identity before access.
  • Connection encryption protects confidentiality in transit, but it does not authenticate the user for access decisions.

Question 9

Topic: Security Principles

A startup completed an initial risk assessment last year. Since then, it added a new cloud application and several remote employees. The security manager says the risk register should be reviewed and updated as conditions change, not just filed with the original assessment.

Which concept does this description best illustrate?

Options:

  • A. Security policy publication

  • B. Annual compliance audit

  • C. Risk management lifecycle

  • D. Risk acceptance

Best answer: C

Explanation: Risk management is a lifecycle, not a one-time documentation task. Organizations identify risks, analyze their likelihood and impact, choose treatments, monitor results, and revisit the risk register when business processes, technology, threats, or controls change. In the scenario, the new cloud application and remote workforce change the risk picture, so the assessment and risk register need review. The key idea is iteration: risk decisions must stay aligned with current conditions.

  • Risk acceptance is only one possible treatment decision, not the ongoing process of reviewing changing risks.
  • Annual compliance audit may provide evidence at a point in time, but it does not replace continuous risk monitoring.
  • Security policy publication communicates rules, but publishing a policy alone does not maintain the risk register as conditions change.

Question 10

Topic: Security Principles

A clinic discovers that a patient’s lab result in its records system was changed by someone who was not authorized to edit it. The system is still online, and no evidence shows the record was viewed by outsiders. Which cybersecurity objective is most directly affected?

Options:

  • A. Accounting

  • B. Integrity

  • C. Availability

  • D. Confidentiality

Best answer: B

Explanation: The core concept is the CIA triad: confidentiality protects against unauthorized disclosure, integrity protects against unauthorized modification, and availability protects against service disruption. In this case, the key fact is that the lab result was changed without authorization. The system remained online, so availability is not the main issue. There is also no evidence of unauthorized viewing, so confidentiality is not the best match. The direct security objective affected is the accuracy and trustworthiness of the record.

  • Confidentiality trap fails because the stem does not show unauthorized viewing or disclosure of the lab result.
  • Availability trap fails because the records system is still online and usable.
  • Accounting trap fails because tracking user actions may help investigate, but it is not the objective directly harmed by data alteration.

Continue in the web app

Use IT Mastery for interactive ISC2 Certified in Cybersecurity CC practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
