ISC2 CC Cheat Sheet: Core Controls and Risk Basics

ISC2 CC cheat sheet for core controls, risk basics, traps, and final review.

Use this cheat sheet for ISC2 Certified in Cybersecurity (CC) when you know the terms but need stronger first-answer instincts. CC questions are foundational, but they still reward disciplined security thinking: asset, risk, control objective, evidence, and business impact.

Read every CC question in this order

  1. Identify the domain: security principles, access control, network security, incident response, business continuity, or operations.
  2. Name the asset and the risk before choosing a tool.
  3. Decide whether the best answer is administrative, technical, or physical.
  4. Preserve the correct sequence: policy before procedure, detection before containment when investigating, recovery after containment, lessons learned after restoration.
  5. Reject answers that sound technical but do not address the stated risk.

CC answer sequence

Use this when the stem mixes a security principle, asset, risk, control, or recovery step.

    flowchart TD
      S["Scenario"] --> A["Name the asset"]
      A --> R["Name the risk"]
      R --> C["Choose the control type"]
      C --> P["Preserve the right sequence"]
      P --> V["Verify evidence or recovery"]

Security principles

| Concept | Fast exam rule |
|---|---|
| confidentiality | prevent unauthorized disclosure |
| integrity | prevent unauthorized or undetected change |
| availability | keep systems and data usable when needed |
| risk | likelihood and impact against an asset |
| threat | potential cause of harm |
| vulnerability | weakness that can be exploited |
| control | safeguard that reduces risk |
| due care and due diligence | act responsibly and prove reasonable ongoing effort |

Control type chooser

| Requirement | Control type |
|---|---|
| define expected behavior | administrative control: policy, standard, procedure, training |
| enforce access or detect activity | technical control: MFA, firewall, encryption, logging, EDR |
| protect facilities and equipment | physical control: locks, guards, cameras, badges, environmental controls |
| prevent event | preventive control |
| discover event | detective control |
| restore after event | corrective or recovery control |
| discourage behavior | deterrent control |

Access control

| Topic | What to remember |
|---|---|
| identification | claim an identity |
| authentication | prove the identity |
| authorization | grant permitted actions |
| accountability | tie actions to an identity through logs and audit |
| least privilege | grant only what the role needs |
| separation of duties | split sensitive tasks to reduce fraud or error |
| MFA | combine factors, not two examples of the same factor |
| lifecycle | provision, review, change, disable, and remove access |

Network security

| Scenario | Start with |
|---|---|
| segment sensitive systems | VLANs, firewall rules, network ACLs, and zero-trust principles |
| protect traffic over an untrusted network | encryption in transit, VPN, TLS, and certificate validation |
| detect network attack | IDS/IPS, logs, SIEM alerts, and traffic analysis |
| reduce exposed services | hardening, patching, default-deny firewall posture, and service inventory |
| remote access | MFA, least privilege, secure tunnel, device posture, and monitoring |
| wireless risk | strong encryption, authentication, rogue AP detection, and segmentation |

Incident response sequence

| Phase | Exam instinct |
|---|---|
| preparation | policies, roles, tools, training, communications, and backups |
| detection and analysis | validate alert, scope impact, preserve evidence, and classify severity |
| containment | limit spread and protect evidence |
| eradication | remove root cause, malware, bad accounts, or vulnerable component |
| recovery | restore services, monitor, and validate business function |
| lessons learned | document timeline, gaps, control improvements, and ownership |

Business continuity and disaster recovery

| Term | Fast distinction |
|---|---|
| BIA | identifies critical processes and impact of disruption |
| BCP | keeps business functions operating during disruption |
| DRP | restores IT systems after disruption |
| RTO | maximum acceptable time to restore |
| RPO | maximum acceptable data loss measured in time |
| backup | copy of data; not a recovery plan by itself |
| tabletop exercise | discussion-based validation of plan and roles |

Security operations

| Need | Better answer |
|---|---|
| prove activity | logging, monitoring, time sync, retention, and review |
| manage vulnerabilities | inventory, scan, prioritize, patch, verify, and report |
| protect endpoints | hardening, patching, antimalware/EDR, least privilege, and monitoring |
| protect data | classification, handling rules, encryption, access control, retention, and disposal |
| improve user behavior | awareness training tied to phishing, passwords, reporting, and policy |
| manage third-party risk | contracts, due diligence, monitoring, and defined security requirements |

Common traps

| Trap | Better instinct |
|---|---|
| authentication versus authorization | proving identity is not granting access |
| backup equals continuity | continuity also needs roles, priorities, communications, and tested recovery |
| tool-first response | define the risk and control objective first |
| delete evidence immediately | preserve evidence and chain of custody when investigation matters |
| encryption solves access risk | encryption protects data; access control, key management, and monitoring still matter |
| policy without enforcement | policy must be paired with standards, procedures, training, and evidence |

Final 15-minute review

| If the stem says… | Start here |
|---|---|
| identity or permission | identification, authentication, authorization, accountability, least privilege |
| outage or disaster | BIA, BCP, DRP, RTO, RPO, backup validation |
| suspected attack | detect, analyze, contain, eradicate, recover, lessons learned |
| network exposure | segmentation, firewall, encryption, monitoring, hardening |
| governance or compliance | policy, risk, evidence, audit, due care, ownership |
| data protection | classification, access, encryption, retention, disposal |

Practice fit

Use IT Mastery for the exact product route, practice status, spaced review when available, and close-answer explanation practice as coverage expands.

Open the exact IT Mastery route here: CC on MasteryExamPrep.

One-line decision rule

CC answers should start from risk and control purpose, then choose the simplest safeguard that protects confidentiality, integrity, availability, and evidence.

Revised on Sunday, May 10, 2026