ISC2 CC Sample Questions with Explanations

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for Certified in Cybersecurity (CC) topics such as confidentiality, integrity, availability, access control, risk, incident response, security awareness, backups, and basic operations. CC questions reward practical security judgment more than memorized tool names.

Where these questions fit in the CC guide

The sample set below is part of the ISC2 CC guide path:

CC cybersecurity fundamentals sample questions

Work through each prompt before opening the explanation. Strong CC answers usually identify the asset, risk, control objective, and escalation path before selecting the action.
Question 1

Topic: Responding to a suspected phishing message

An employee receives an email that appears to come from payroll and asks them to sign in through an unfamiliar link. The employee is unsure whether it is legitimate. What is the best first action?

  • A. Forward the message to coworkers and ask whether they received it too.
  • B. Click the link from a personal phone to avoid using the company laptop.
  • C. Report the message through the approved security process without clicking the link.
  • D. Reply to the sender and ask them to prove their identity.

Best answer: C

Explanation: The safe action preserves the message for review and avoids interacting with a possible credential-harvesting link. CC questions often test simple escalation and awareness behavior before technical investigation.

Why the other choices are weaker:

  • A spreads the suspicious message and may increase risk.
  • B still interacts with the link and could expose credentials or the device.
  • D engages a potentially malicious sender and does not follow the approved process.

What this tests: Security awareness, phishing response, reporting, and safe user behavior.

Related topics: Phishing; Awareness; Reporting; Incident response
Question 2

Topic: Authentication vs authorization

A user successfully signs in to a file portal with MFA but cannot open the finance folder. Which security concept explains the second decision?

  • A. Authorization, because the system is deciding whether the signed-in user has permission to access the folder.
  • B. Availability, because the folder may be stored on redundant disks.
  • C. Nonrepudiation, because the user cannot deny signing in.
  • D. Authentication, because the user already proved identity with MFA.

Best answer: A

Explanation: Authentication proves identity. Authorization determines what that identity is allowed to do. The folder access decision is authorization.

Why the other choices are weaker:

  • B relates to system uptime, not access permission.
  • C relates to accountability and proof of action.
  • D describes the sign-in step, not the folder-permission decision.

What this tests: Distinguishing authentication, authorization, accountability, and availability.

Related topics: Authorization; Authentication; MFA; Access control
Question 3

Topic: Protecting availability after ransomware

A small organization is worried that ransomware could encrypt file shares and prevent normal operations. Which control most directly improves the ability to recover business data?

  • A. Publish the file share publicly so employees can access it from anywhere.
  • B. Disable logging to reduce system load.
  • C. Use tested, protected backups with recovery procedures.
  • D. Give every user local administrator access so they can fix their own device.

Best answer: C

Explanation: Backups that are protected and tested support recovery when production data is unavailable or corrupted. The key word is tested: a backup plan is weak if restoration has never been validated.

Why the other choices are weaker:

  • A increases exposure and does not improve recovery.
  • B weakens detection and investigation.
  • D increases privilege risk and does not preserve data.

What this tests: Availability, backup strategy, recovery planning, and operational resilience.

Related topics: Backups; Availability; Ransomware resilience; Recovery
Question 4

Topic: Choosing a risk response

A department identifies an old internal system with moderate risk. Replacing it immediately is too expensive, but compensating controls can reduce exposure while a replacement plan is funded. Which risk response best describes this approach?

  • A. Risk acceptance, because no action will be taken.
  • B. Risk avoidance, because the activity is stopped entirely.
  • C. Risk transfer, because responsibility is moved to an insurer.
  • D. Risk mitigation, because controls are added to reduce likelihood or impact.

Best answer: D

Explanation: Adding compensating controls reduces risk without eliminating the activity. That is mitigation, even if a longer-term replacement is planned.

Why the other choices are weaker:

  • A would mean knowingly retaining the risk without additional treatment.
  • B would stop the risky activity or remove the asset from use.
  • C shifts financial impact but does not describe the added controls.

What this tests: Basic risk treatment choices and compensating-control logic.

Related topics: Risk management; Mitigation; Compensating controls; Governance

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by ISC2 or any certification body.

Revised on Sunday, May 10, 2026