CC — ISC2 Certified in Cybersecurity Study Plan
A practical 7-, 14-, 30-, and 60/90-day study plan for the ISC2 Certified in Cybersecurity (CC) exam.
This study plan is for candidates preparing for the ISC2 Certified in Cybersecurity (CC) exam, exam code CC. It is designed for practical scheduling: diagnostic practice first, focused review by topic, repeated missed-question analysis, timed mock exams, and a final-week routine that reduces last-minute overload.
Use this page as an independent study plan. Confirm the current exam outline and candidate rules directly with ISC2 before your exam date.
Which plan should you use?
| Time until exam | Best for | Daily time target | Main goal |
|---|---|---|---|
| 7 days | You already studied and need final review | 2-4 hours | Stabilize weak areas, improve timing, avoid new overload |
| 14 days | You know some cybersecurity basics but need structure | 1.5-3 hours | Cover all CC domains once, then drill weak areas |
| 30 days | Most working candidates | 45-90 minutes weekdays, 2-3 hours weekends | Build coverage, practice judgment, complete timed mocks |
| 60 days | Newer candidates with steady time | 4-7 hours per week | Learn concepts gradually and practice each domain |
| 90 days | Candidates new to IT/security or with inconsistent time | 3-5 hours per week | Build foundations first, then transition to exam practice |
If you are unsure, take a short diagnostic set first. Your plan should be based on evidence, not confidence.
Start with a diagnostic
Before choosing the detailed schedule, complete a mixed diagnostic practice set covering all major CC areas.
| Diagnostic result | What it means | Recommended plan |
|---|---|---|
| You miss many basic definitions | Foundation gaps | 60/90-day path if possible; otherwise 30-day plan with extra concept review |
| You understand terms but miss scenarios | Judgment and application gaps | 30-day or 14-day focused plan |
| You score inconsistently by topic | Uneven domain strength | 14-day plan if exam is soon; 30-day plan if you have time |
| You are mostly accurate but slow | Timing and confidence issue | 7-day final review plan with timed sets |
| You miss questions because of wording | Exam-reading issue | Add daily question debriefs and answer-choice analysis |
Practice scores are study signals, not official ISC2 pass/fail thresholds. Use them to decide what to review next.
CC topic map for planning
Organize your study around the current ISC2 CC exam outline. At a practical level, your schedule should include these concept areas:
| Area | What to practice |
|---|---|
| Security principles | Confidentiality, integrity, availability, risk, governance, security controls, ethics, policy basics |
| Business continuity, disaster recovery, and incident response concepts | Backup purpose, continuity planning, disaster recovery concepts, incident response roles and flow |
| Access control concepts | Identification, authentication, authorization, accounting, least privilege, MFA, access models |
| Network security | Basic network concepts, segmentation, secure protocols, firewalls, common threats, defense-in-depth |
| Security operations | Logging, monitoring, vulnerability management, change management, secure configuration, awareness, physical security |
The CC exam is foundational. Do not over-prepare with advanced penetration testing, deep cloud architecture, or product-specific administration unless those topics help you understand the basic security concept being tested.
Daily practice rhythm
Use the same rhythm regardless of whether you have 7, 14, 30, or 90 days.
| Block | Time | Action |
|---|---|---|
| Warm-up | 5-10 min | Review yesterday’s missed-question log |
| Concept review | 25-45 min | Study one focused topic, not a whole textbook chapter |
| Active recall | 10-15 min | Write definitions, compare terms, or explain a scenario aloud |
| Practice set | 20-45 min | Answer targeted questions for the topic |
| Review | 20-40 min | Debrief every missed and guessed question |
| Closeout | 5 min | Mark tomorrow’s priority topic |
For short study sessions, keep the practice-and-review loop. It is better to review 15 questions carefully than to rush through 60 questions without learning from them.
Missed-question review method
Every missed question should produce a fix. Use a simple log with five columns.
| Column | What to write |
|---|---|
| Topic | Example: access control, incident response, network security |
| Why I missed it | Knowledge gap, misread, confused terms, changed answer, guessed |
| Correct rule | The principle that would answer similar questions |
| Trap answer | Why the tempting wrong option was wrong |
| Recheck date | When you will test the concept again |
Use these rules:
- If you missed it because you did not know the term, add a definition card.
- If you missed it because two answers looked right, write the difference between them.
- If you missed it because the scenario wording changed the answer, rewrite the question in your own words.
- If you guessed correctly, still log it. A lucky correct answer is not mastery.
- Re-test logged topics within 48 hours, then again during final review.
7-day final review plan
Use this plan if your exam is in one week and you have already studied most CC topics. The goal is not to relearn everything. The goal is to reduce avoidable mistakes.
| Day | Main focus | Practice target | Review task |
|---|---|---|---|
| 1 | Diagnostic mixed set | Medium-length mixed set | Build weak-area list; rank top 5 topics |
| 2 | Security principles and risk | Targeted questions | Review CIA, control types, policy, ethics, risk wording |
| 3 | Access control and identity | Targeted questions | Compare authentication, authorization, accounting, MFA, least privilege |
| 4 | Network security | Timed mixed set | Review segmentation, secure protocols, firewall purpose, common attacks |
| 5 | BC/DR/IR and operations | Targeted questions | Review incident flow, backup purpose, monitoring, change and configuration concepts |
| 6 | Full timed mock or longest available timed set | Timed exam-style session | Deep review only; no broad new content |
| 7 | Light final review | Short confidence set only | Review notes, formulas/terms if any, logistics, rest |
7-day rules
- Stop adding new resources by Day 5.
- On Day 6, review every missed or guessed question from the timed mock.
- On Day 7, do not take a difficult full mock unless it calms you down. Most candidates benefit more from light review and rest.
- Prioritize high-frequency foundational distinctions:
  - Risk vs threat vs vulnerability
  - Preventive vs detective vs corrective controls
  - Authentication vs authorization
  - Business continuity vs disaster recovery
  - Incident response vs routine operations
  - Encryption in transit vs encryption at rest
  - Policy vs procedure vs standard
14-day focused plan
Use this if you have two weeks and can study most days. The plan covers all topics quickly, then shifts to weak-area repair.
| Day | Focus | Study actions |
|---|---|---|
| 1 | Diagnostic and schedule | Take a mixed diagnostic; create missed-question log; identify weakest two areas |
| 2 | Security principles | Review CIA, risk, governance basics, control categories, security awareness |
| 3 | Security principles practice | Targeted practice; write one-page summary of key principles |
| 4 | Access control concepts | Review identification, authentication, authorization, accounting, MFA, least privilege |
| 5 | Access control practice | Drill scenario questions; compare access models and account lifecycle concepts |
| 6 | Network fundamentals | Review network components, segmentation, protocols by purpose, secure communication |
| 7 | Timed mixed checkpoint | Take a timed mixed set; review misses before studying anything new |
| 8 | Network security practice | Drill firewall purpose, basic network threats, defense-in-depth, secure configurations |
| 9 | BC/DR/IR concepts | Review business continuity, disaster recovery, backups, incident response flow |
| 10 | Security operations | Review logging, monitoring, vulnerability management, change management, physical security |
| 11 | Operations and IR practice | Drill scenarios; update weak-area list |
| 12 | Full timed mock or longest available timed set | Simulate test conditions; mark guessed answers |
| 13 | Weak-area sprint | Re-study top weak topics only; repeat missed questions in new order |
| 14 | Final review | Light mixed set; review notes; prepare exam-day logistics |
14-day priorities
Spend more time on concept comparison than passive reading. The CC exam rewards knowing which security concept best fits a scenario.
Use quick comparison prompts:
| Prompt | You should be able to explain |
|---|---|
| “What is being protected?” | Confidentiality, integrity, availability, safety, privacy, business operations |
| “What stage is this?” | Prevention, detection, response, recovery |
| “Who needs access?” | Least privilege, role-based need, identity lifecycle |
| “What control type is this?” | Administrative, technical, physical; preventive, detective, corrective |
| “What is the best first action?” | Escalate, contain, document, verify, communicate through the right channel |
30-day balanced plan
Use this if you want a realistic work-compatible plan. It gives you enough time to cover the CC domains, practice by topic, and complete timed review.
Weekly structure
| Week | Goal | Output by end of week |
|---|---|---|
| Week 1 | Build baseline and security principles | Diagnostic complete; principles notes; first weak-area list |
| Week 2 | Access control and network security | Targeted drills complete; comparison notes built |
| Week 3 | BC/DR/IR and security operations | Operations and incident concepts reviewed; second weak-area list |
| Week 4 | Timed practice and final repair | Timed mocks reviewed; final notes condensed |
30-day calendar
| Day | Focus | Study actions |
|---|---|---|
| 1 | Diagnostic | Mixed diagnostic; set up missed-question log |
| 2 | Exam outline review | Map your resources to ISC2 CC topic areas; remove irrelevant advanced material |
| 3 | Security principles | CIA, risk, governance, security controls |
| 4 | Security principles drill | Targeted questions; log misses |
| 5 | Ethics and policy basics | ISC2 ethics awareness, policy/procedure/standard distinctions |
| 6 | Mixed review | Re-test Days 3-5 topics |
| 7 | Weekly checkpoint | Short timed mixed set; review misses |
| 8 | Access control concepts | Identification, authentication, authorization, accounting |
| 9 | Access control models | Least privilege, MFA, account lifecycle, access review concepts |
| 10 | Access control drill | Scenario questions; compare similar terms |
| 11 | Network basics | Network components, segmentation, common protocol purposes |
| 12 | Network security | Firewalls, secure communication, wireless/security basics, common attack concepts |
| 13 | Network drill | Targeted practice; draw a simple secure network diagram |
| 14 | Timed checkpoint | Timed mixed set; update weak-area list |
| 15 | Business continuity | Continuity planning, critical functions, backup concepts |
| 16 | Disaster recovery | Recovery concepts, resilience, restoration priorities |
| 17 | Incident response | Preparation, detection, containment, eradication, recovery, lessons learned |
| 18 | IR drill | Scenario questions; identify best next action |
| 19 | Security operations | Logging, monitoring, vulnerability management, change management |
| 20 | Physical and administrative operations | Awareness, acceptable use, secure handling, facility controls |
| 21 | Weekly checkpoint | Mixed practice; review all guessed answers |
| 22 | Weak-area review 1 | Re-study weakest domain from the log |
| 23 | Weak-area review 2 | Re-study second weakest domain |
| 24 | Full timed mock or longest timed set | Simulate exam conditions as closely as possible |
| 25 | Mock review | Review every miss, guess, and slow question |
| 26 | Targeted repair | Practice the top 3 missed topics from the mock |
| 27 | Second timed mixed set | Focus on pacing and reading accuracy |
| 28 | Final content review | Condense notes to 2-4 pages |
| 29 | Light final drill | Short mixed set; no new resources |
| 30 | Exam readiness and rest | Review logistics, confidence notes, and missed-question summary |
30-day weekend use
If you study mostly on weekends, use weekend sessions for tasks that need uninterrupted time:
- Full timed practice
- Deep mock review
- Rebuilding weak concepts
- Drawing network or incident-response workflows
- Reviewing all missed questions from the week
Use weekdays for shorter drills and flash review.
60/90-day full preparation path
Use this if you are new to cybersecurity, have inconsistent study time, or want to avoid cramming.
How to choose 60 vs 90 days
| Choose 60 days if… | Choose 90 days if… |
|---|---|
| You have IT experience or prior security exposure | You are new to IT or cybersecurity vocabulary |
| You can study at least 4-7 hours weekly | You may miss study weeks due to work or school |
| You can learn from practice questions quickly | You need more time with definitions and scenarios |
| You already understand basic networking | You need to build networking foundations first |
60-day path
| Weeks | Focus | Practice approach |
|---|---|---|
| 1-2 | Foundations and security principles | Diagnostic, vocabulary, CIA, risk, control types, ethics |
| 3 | Access control | Identity concepts, authentication, authorization, least privilege, MFA |
| 4 | Network security | Network basics, segmentation, secure protocols, common threats |
| 5 | BC/DR/IR | Continuity, disaster recovery, backup purpose, incident response flow |
| 6 | Security operations | Logging, monitoring, vulnerability management, change management, physical controls |
| 7 | Mixed practice and weak areas | Timed mixed sets; targeted review by missed-question log |
| 8 | Final review | Full timed mock, weak-area sprint, light final review |
90-day path
| Phase | Weeks | Focus | What to produce |
|---|---|---|---|
| Foundation | 1-3 | Cybersecurity vocabulary, basic networking, CIA, risk | Definitions list and simple diagrams |
| Core coverage | 4-7 | Security principles, access control, network security | Topic notes and targeted practice logs |
| Operations coverage | 8-10 | BC/DR/IR, security operations, monitoring, change concepts | Scenario notes and missed-question log |
| Exam practice | 11-12 | Mixed timed practice and weak-area repair | Mock review notes and final summary |
| Final readiness | 13 | Light review and exam logistics | Condensed notes and rest plan |
Full-path weekly rhythm
| Day type | Task |
|---|---|
| Study Day 1 | Learn one concept area and make short notes |
| Study Day 2 | Practice targeted questions and log misses |
| Study Day 3 | Re-test missed topics from earlier in the week |
| Weekend or long session | Mixed set, diagramming, and deeper review |
For a 60/90-day plan, do not wait until the final month to practice questions. Start with small targeted sets in Week 1 so you learn how concepts appear in exam-style wording.
Timed mock exam strategy
Timed practice is most useful after you have enough content coverage to learn from the result.
| Plan | First timed checkpoint | Full timed mock timing | Final timed practice |
|---|---|---|---|
| 7 days | Day 1 or Day 4 | Day 6 if you can review it fully | Avoid heavy timed testing the day before |
| 14 days | Day 7 | Day 12 | Day 13 only if short and targeted |
| 30 days | Day 7 or 14 | Day 24 | Day 27 or 28 |
| 60 days | Week 4 or 5 | Week 7 | Early Week 8 |
| 90 days | Week 6 or 7 | Week 11 or 12 | Early final week |
How to review a timed mock
Do not only check the score. Use the mock to answer these questions:
| Review question | What to do next |
|---|---|
| Which topics caused the most misses? | Schedule targeted review within 24 hours |
| Which questions took too long? | Practice reading the scenario and identifying the security goal |
| Which wrong answers looked tempting? | Write the distinction between the correct and trap answer |
| Which correct answers were guesses? | Treat them as weak areas |
| Did fatigue affect accuracy? | Adjust break, sleep, and study timing before exam day |
Hands-on and scenario review for CC
The CC exam is concept-focused, but light hands-on review can make the concepts more concrete. Keep it simple and relevant.
| Concept | Practical review activity |
|---|---|
| Access control | Compare examples of user, group, role, privilege, and permission |
| MFA | List factors: something you know, have, are, do, or somewhere you are |
| Network segmentation | Draw a simple network with users, servers, firewall, and restricted zones |
| Logging and monitoring | Review examples of login logs, alert messages, and escalation notes |
| Backups | Explain why backup creation, storage, testing, and restoration are different tasks |
| Incident response | Walk through a malware alert from detection to lessons learned |
| Security controls | Label controls as administrative, technical, or physical |
Avoid spending hours configuring tools unless the activity directly improves your understanding of a CC concept.
Final-week rules
During the final week, your job is to protect accuracy and recall.
Stop adding new material
Stop adding new books, video courses, or large question banks about 72 hours before the exam unless you discover a critical gap. New resources late in the process often create confusion.
Use a narrow review list
Your final review list should include:
- Missed-question log
- Definitions you repeatedly confuse
- Control type comparisons
- Access control comparisons
- Incident response sequence and decision points
- Network security basics
- Exam logistics and required identification or appointment details from ISC2
Reduce avoidable mistakes
Before answering each practice question, ask:
- What is the security goal?
- Is the question asking for first, best, most likely, or most appropriate?
- Is this prevention, detection, response, or recovery?
- Is the answer technical, administrative, or physical?
- Did I eliminate answers that are true but not best for the scenario?
Exam-readiness checks
Use these checks 3-5 days before your exam.
| Readiness check | Ready if… |
|---|---|
| Coverage | You have reviewed every major CC topic area at least once |
| Missed-question log | Most recent misses are explainable and not repeating in clusters |
| Timed practice | You can complete timed sets without rushing blindly |
| Scenario judgment | You can identify the best security action, not just define terms |
| Concept comparisons | You can explain common pairs without notes |
| Final notes | Your review notes fit into a short, readable summary |
| Logistics | You know your appointment details, identification requirements, and exam rules from ISC2 |
If two or more readiness checks are weak, use remaining time for targeted repair instead of broad reading.
High-value comparison list
Review these pairs repeatedly. Many foundational cybersecurity questions test whether you can distinguish similar terms.
| Pair | Know the difference |
|---|---|
| Threat vs vulnerability | A potential cause of harm vs a weakness that can be exploited |
| Risk vs impact | Likelihood/uncertainty of loss vs the consequence if it occurs |
| Authentication vs authorization | Proving identity vs granting access |
| Identification vs authentication | Claiming an identity vs verifying it |
| Least privilege vs need to know | Minimum permissions vs access only to required information |
| Preventive vs detective control | Stops or reduces occurrence vs identifies activity after or during it |
| Corrective vs compensating control | Fixes/restores vs provides an alternative control |
| Business continuity vs disaster recovery | Keeping critical operations running vs restoring systems/services |
| Incident response vs problem management | Handling security events vs resolving underlying operational issues |
| Encryption vs hashing | Reversible protection for confidentiality vs one-way integrity verification |
| Policy vs procedure | Management intent/rules vs step-by-step execution |
Practical next step
Choose the plan that matches your exam date, take a diagnostic mixed practice set, and build your missed-question log today. Your next study session should be based on the weakest CC topic shown by that diagnostic, not on the chapter or video that feels easiest.