ISC2 CC Domain 3: Access Controls Concepts Study Guide

If you’re preparing for the ISC2 Certified in Cybersecurity (CC) exam, ISC2 CC Domain 3: Access Controls Concepts is one of the most practical and high-impact areas you’ll encounter. Weighted at 22% of the 100-question, 120-minute exam, this domain tests your ability to differentiate physical from logical access controls, understand authentication methods like MFA and SSO, and apply authorization models like DAC, MAC, and RBAC. Get this domain right, and you’re a significant step closer to the 700/1000 passing score. Let’s break it down systematically so you not only memorize the vocabulary but also understand why these controls exist and how they work together in real environments.

What Does ISC2 CC Domain 3 Actually Cover?

Domain 3 sits at the intersection of physical security and digital identity management. The CC exam expects you to know how organizations control who gets access to what — and through which mechanisms. At its core, access control is about enforcing the principle of least privilege: ensuring users can only access the resources they need to do their jobs, and nothing more.

The domain breaks down into two major pillars: physical access controls and logical (technical) access controls. Understanding both — and how they complement each other — is essential for the exam and for real-world security work.

Physical Access Controls: More Than Just Locks

Physical access controls are the tangible barriers and mechanisms that protect buildings, server rooms, data centers, and equipment from unauthorized physical entry. The CC exam tests your ability to classify these controls by their function, not just name them.

Types of Physical Control Functions

  • Preventive controls stop unauthorized access before it happens. Examples include biometric scanners, key card readers, locked server cabinets, and security guards stationed at entry points.
  • Detective controls identify when unauthorized access has occurred or is occurring. CCTV cameras and audit logs fall into this category — they don’t stop an intruder, but they record evidence.
  • Deterrent controls discourage unauthorized attempts by signaling risk to a would-be intruder. Warning signs like “Restricted Area — Authorized Personnel Only” are a classic example. They don’t physically block anyone, but they communicate consequences.
  • Corrective controls help restore normal operations after a security incident, such as incident response procedures or backup systems.

The exam frequently asks you to match a control to its function — so don’t just memorize examples, understand the intent behind each type.

Crime Prevention Through Environmental Design (CPTED)

One concept that surprises many candidates is CPTED — Crime Prevention Through Environmental Design. This approach uses architectural and landscaping choices to naturally deter criminal activity. Think: adequate lighting in parking lots, clear sight lines that eliminate hiding spots, natural barriers like hedges or boulders to control vehicle access, and building layouts that funnel visitors through controlled entry points. CPTED is a proactive, environmental strategy — not a reactive or technological one — and the CC exam expects you to recognize it as a physical security measure distinct from electronic controls or software-based systems.

Logical Access Controls: Protecting Digital Resources

Logical access controls are the software and policy-based mechanisms that govern access to systems, networks, applications, and data. This is where authentication and authorization come into play.

Authentication: Proving Who You Are

Authentication is the process of verifying identity. The CC exam tests three authentication factors:

  1. Something you know — passwords, PINs, security questions
  2. Something you have — smart cards, hardware tokens, mobile authenticator apps
  3. Something you are — biometrics like fingerprints, retina scans, facial recognition

Multi-Factor Authentication (MFA) requires two or more of these factors in combination, dramatically reducing the risk of credential compromise. A password alone (single factor) can be phished or leaked; adding a hardware token or biometric creates a layered defense. Single Sign-On (SSO) allows users to authenticate once and access multiple systems or applications without re-entering credentials — improving usability while centralizing authentication management.

Authorization Models: Deciding What You Can Do

Once identity is verified, authorization determines what resources a user can access and what actions they can perform. The CC exam tests three primary authorization models:

  • Discretionary Access Control (DAC): The resource owner decides who gets access. Think of sharing a Google Doc — the file creator controls permissions. DAC is flexible but can be inconsistent if owners aren’t security-conscious.
  • Mandatory Access Control (MAC): Access is determined by security labels assigned to both subjects (users) and objects (resources) by a central authority — typically used in government and military environments. A user with a “Secret” clearance cannot access “Top Secret” files, regardless of their role.
  • Role-Based Access Control (RBAC): Access is granted based on job roles, not individual identity. A “Finance Analyst” role has access to financial reporting tools; an “HR Manager” role has access to personnel records. RBAC is the most commonly implemented model in enterprise environments and aligns naturally with the principle of least privilege.
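To make the three models concrete, here is an added Python illustration (not part of the original guide) of one decision function per model: MAC compares a subject's clearance label against an object's classification label, RBAC resolves a user through assigned roles to permissions, and DAC lets only the owner grant rights. The label order, role names, users and permissions are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed label lattice, ordered low to high. MAC grants access only when
# the subject's clearance is at least the object's classification; the
# subject's role or ownership of the object is irrelevant.
LABELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

def mac_allows(clearance: str, classification: str) -> bool:
    """MAC: a central authority's labels decide, nothing else."""
    return LABELS.index(clearance) >= LABELS.index(classification)

# RBAC: permissions attach to roles, and users are assigned roles.
ROLE_PERMISSIONS = {
    "Finance Analyst": {"financial_reports:read"},
    "HR Manager": {"personnel_records:read", "personnel_records:write"},
}
USER_ROLES = {"alice": {"Finance Analyst"}, "bob": {"HR Manager"}}

def rbac_allows(user: str, permission: str) -> bool:
    """RBAC: allowed only if some role held by the user carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

@dataclass
class DacObject:
    """DAC: the owner holds all rights and grants others at their discretion."""
    owner: str
    grants: dict = field(default_factory=dict)  # user -> set of operations

    def share(self, granter: str, user: str, ops: set) -> bool:
        """Only the owner may change who can do what; anyone else is refused."""
        if granter != self.owner:
            return False
        self.grants.setdefault(user, set()).update(ops)
        return True

    def allows(self, user: str, op: str) -> bool:
        return user == self.owner or op in self.grants.get(user, set())
```

The DAC class shows the weakness the text mentions: the policy is only as strict as each owner's sharing decisions, whereas MAC and RBAC centralise the decision.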

Access Control Lists (ACLs)

An Access Control List (ACL) is a fundamental tool for implementing access control decisions. An ACL specifies which users or system processes are permitted or denied access to specific objects — and what operations (read, write, execute, delete) they’re allowed to perform. ACLs appear in file systems (controlling who can open or modify files), routers (filtering network traffic by IP address or port), and firewalls (permitting or blocking connections). Understanding ACLs as a mechanism that enforces authorization policy — not just a list of names — is key for the exam.
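As an added example (not from the original guide), a small Python evaluator for a network-style ACL like the one in Question 1: ordered permit/deny rules keyed on source address and destination port, first match wins, with the implicit deny that real ACLs apply when nothing matches. The subnets, ports and rules are constructed; the `shadowed` check flags rules an earlier rule makes unreachable, which is how a misordered ACL silently weakens a policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AclRule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # subject: which source addresses
    dst_port: Optional[int] = None  # object: which service; None means any port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and (self.dst_port is None or self.dst_port == dst_port))

def evaluate(acl: List[AclRule], src_ip: str, dst_port: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return "deny"

def shadowed(acl: List[AclRule]) -> List[AclRule]:
    """Rules that can never fire because an earlier rule already covers
    every packet they would match (same or wider source, same or any port)."""
    found = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (later.src.subnet_of(earlier.src)
                    and (earlier.dst_port is None
                         or earlier.dst_port == later.dst_port)):
                found.append(later)
                break
    return found

# Constructed policy: the admin subnet may reach the server's SSH port except
# for one quarantined host, and the whole LAN may use the HTTPS service.
SERVER_ACL = [
    AclRule("deny",   ipaddress.ip_network("10.0.5.13/32"), 22),  # exception first
    AclRule("permit", ipaddress.ip_network("10.0.5.0/24"), 22),
    AclRule("permit", ipaddress.ip_network("10.0.0.0/16"), 443),
]
```

Swapping the first two rules leaves the deny rule shadowed and the quarantined host permitted, so rule order is part of the policy, not just its presentation.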

Test Your Knowledge

Question 1: A network administrator configures a rule on a firewall that specifies exactly which IP addresses and ports are permitted to communicate with the internal server. What mechanism is the administrator using?

  • A) A biometric authentication system
  • B) An access control list (ACL)
  • C) A single sign-on (SSO) policy
  • D) A mandatory access control (MAC) label

Answer: B — Access Control List (ACL). ACLs define which subjects (in this case, IP addresses) are granted or denied access to specific objects (the server), and what actions are permitted. They’re a core enforcement tool in both network devices and file systems, giving administrators granular control over traffic and resource access.

Question 2: A security team places
