How to Pass the ISC2 CC (Certified in Cybersecurity): Beginner's Strategy
A step-by-step guide for passing the ISC2 Certified in Cybersecurity (CC) exam — the best entry-level certification for career changers and students starting in cybersecurity.
ISC2 CC: Your First Step Into Cybersecurity
The ISC2 Certified in Cybersecurity (CC) is designed for people with no prior cybersecurity experience. It is the ideal first certification for career changers, students, and IT professionals looking to pivot into security. ISC2 offers free exam vouchers and self-paced training, making it one of the most accessible certifications available.
The exam has 100 questions in 2 hours with a passing score of 700/1000. It covers five domains. No prior experience is required.
Domain-by-Domain Strategy
Domain 1: Security Principles (26%)
The highest-weighted domain. Covers the CIA triad, authentication, authorization, non-repudiation, privacy, and governance.
Key concepts:
CIA triad: confidentiality (preventing unauthorized disclosure), integrity (preventing unauthorized modification), availability (ensuring authorized access).
Authentication factors: something you know (password), something you have (token), something you are (biometric).
Non-repudiation: proving that an action was performed by a specific entity (digital signatures).
Least privilege principle.
Separation of duties.
Defense in depth.
This domain is concept-heavy. Understand the WHY behind each principle, not just the definition.
Domain 2: Business Continuity, Disaster Recovery, and Incident Response (10%)
The smallest domain but still important. Covers BCP, DRP, and IR basics.
Key concepts:
BIA (Business Impact Analysis) identifies critical business functions.
RTO and RPO: know the definitions and how they drive recovery strategy.
Backup types: full, incremental, differential.
Incident response phases: preparation, detection, containment, eradication, recovery, lessons learned.
Domain 3: Access Controls Concepts (22%)
Covers physical and logical access controls.
Key concepts:
Physical controls: fences, locks, cameras, guards, mantraps/vestibules.
Logical controls: passwords, tokens, biometrics, smart cards.
Access control models: DAC (owner decides), MAC (system enforces based on labels), RBAC (role-based), rule-based.
Principle of least privilege applied to access control.
Account management: provisioning, review, de-provisioning.
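To see how the access control models differ in practice, the added example below (not part of the original guide) evaluates the same read request under DAC, MAC, and RBAC. All user names, roles, and permissions are hypothetical, the labels reuse the classification levels listed under Domain 5, and the MAC rule is simplified to "clearance must be at or above the object's label".

```python
# Added illustration; every name and sample value below is constructed.
LEVELS = ["public", "internal", "confidential", "restricted"]  # labels, low to high

def dac_allows(acl, user, action):
    """DAC: the owner maintains the ACL and grants access at their discretion."""
    return action in acl.get(user, set())

def mac_allows(clearance, label):
    """MAC: the system compares labels; the owner cannot override the result.
    Simplified read rule (assumption): clearance must be >= the object label."""
    return LEVELS.index(clearance) >= LEVELS.index(label)

def rbac_allows(role_perms, user_roles, user, permission):
    """RBAC: permissions attach to roles; users hold them only via membership."""
    return any(permission in role_perms.get(role, set())
               for role in user_roles.get(user, ()))

# Constructed sample: one payroll file and two users.
ACL = {"alice": {"read", "write"}, "bob": {"read"}}  # set by the file owner
CLEARANCE = {"alice": "restricted", "bob": "internal"}
FILE_LABEL = "confidential"
ROLE_PERMS = {"hr_manager": {"payroll:read", "payroll:write"},
              "helpdesk": {"ticket:read"}}
USER_ROLES = {"alice": ["hr_manager"], "bob": ["helpdesk"]}

def decisions(user):
    """Return the read decision each model reaches for the same request."""
    return {
        "DAC": dac_allows(ACL, user, "read"),
        "MAC": mac_allows(CLEARANCE[user], FILE_LABEL),
        "RBAC": rbac_allows(ROLE_PERMS, USER_ROLES, user, "payroll:read"),
    }

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, decisions(name))
```

Bob is the case to study: the owner's ACL lets him read under DAC, while MAC and RBAC both deny him because his clearance and his role do not cover the file.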
Domain 4: Network Security (24%)
Covers basic network concepts and security controls.
Key concepts:
OSI model (physical, data link, network, transport, session, presentation, application): know what operates at each layer.
TCP/IP fundamentals.
Common ports: HTTP (80), HTTPS (443), FTP (21), SSH (22), DNS (53), SMTP (25), RDP (3389).
Firewalls: packet filtering, stateful inspection.
IDS vs IPS (detection vs prevention).
VPN concepts.
Wireless security: WPA2, WPA3.
Network segmentation and DMZ.
Domain 5: Security Operations (18%)
Covers data handling, logging, change management, and security awareness.
Key concepts:
Data classification: public, internal, confidential, restricted.
Data handling procedures based on classification.
Logging and monitoring basics.
Change management process.
Security awareness training.
Patch management.
Physical security operations.
Study Strategy
The CC exam is approachable but not trivial. Many candidates underestimate it because it is labeled "entry-level."
Week 1: Domain 1 (Security Principles) — build the foundation.
Week 2: Domain 3 (Access Controls) and Domain 4 (Network Security).
Week 3: Domain 5 (Security Operations) and Domain 2 (BCP/DR/IR).
Week 4: Practice exams and review.
Four weeks is sufficient for most candidates with basic IT knowledge. If you are completely new to IT, add 2-3 weeks for networking and operating system fundamentals.
Free ISC2 Resources
ISC2 provides free self-paced training for the CC exam. Use it — it covers exactly what the exam tests. Combine it with practice questions to reinforce your learning.
The CC is also a stepping stone to CISSP. Once you pass CC, you become an ISC2 member and can start working toward the experience requirements for CISSP.
Start practicing with CyberCertPrep's CC (ISC2) question bank — designed specifically for beginners with clear explanations that build your security knowledge from the ground up.
Priya Sharma
CISSP, CISM, CCSP
Priya is a Senior Security Architect with 12+ years in cybersecurity. She has helped organizations across finance and healthcare build security programs and holds CISSP, CISM, and CCSP certifications.