If you’re looking to break into cybersecurity, the ISC2 Certified in Cybersecurity (CC) is one of the most accessible and respected entry-level certifications you can earn. With no prerequisites, a free ISC2 membership upon passing, and exam vouchers that ISC2 frequently offers at no cost, the CC removes nearly every barrier that typically stands between beginners and a credential that hiring managers actually recognize. In this guide, we’ll break down exactly what the exam covers, how it’s structured, and what you need to do to pass it confidently.
What Is the ISC2 CC Certification?
The ISC2 Certified in Cybersecurity is an entry-level certification from ISC2 — the same organization behind the globally recognized CISSP. The CC is designed to validate foundational cybersecurity knowledge and signal to employers that you understand core security principles, can think about risk, and are serious about the field.
Here’s what makes it unique among entry-level certs:
- No prerequisites — You don’t need work experience or another certification to sit the exam.
- Free ISC2 membership — After passing, you become an Associate of ISC2 at no cost, giving you access to a global professional community.
- Often free to take — ISC2 has run extended promotions offering the exam voucher at no charge. Check their website for current offers.
- Vendor-neutral — The CC doesn’t tie you to any specific platform or product, making it broadly applicable across industries.
ISC2 CC Exam Format and Passing Score
Before you study, you need to know exactly what you’re preparing for. The ISC2 CC exam is:
- Format: Linear (non-adaptive) — you see all questions in sequence
- Questions: 100 multiple-choice
- Time limit: 120 minutes (2 hours)
- Passing score: 700 out of 1000
- Validity: 3 years, with 45 Continuing Professional Education (CPE) credits required to maintain it
A 700/1000 passing score means you need to answer roughly 70% of questions correctly. That’s achievable with focused preparation — but it does require that you understand concepts deeply enough to apply them, not just recognize terms.
The 5 Domains You Need to Master
The ISC2 CC exam is organized into five domains. Each domain carries a specific weight, so your study time should reflect those percentages.
1. Security Principles (26%)
This is the largest domain and your first priority. It covers the foundational concepts that underpin all of cybersecurity: the CIA Triad (Confidentiality, Integrity, Availability), governance frameworks, risk management concepts, and the three categories of security controls — administrative, technical, and physical. You’ll also need to understand non-repudiation, threat actors, and why concepts like Defense in Depth and Zero Trust Architecture matter in real environments.
2. Network Security (24%)
The second-largest domain tests your understanding of how networks are built and secured. Expect questions on the OSI model, TCP/IP fundamentals, firewalls, IDS/IPS, VPNs, network segmentation, and wireless security protocols. Cloud networking is increasingly tested here as well. You don’t need to be a network engineer, but you do need to understand why a VLAN isolates traffic or how an IPS (which blocks) differs from an IDS (which only alerts).
3. Access Controls Concepts (22%)
Access control is at the heart of cybersecurity operations. This domain covers both physical and logical access controls, authentication methods including Multi-Factor Authentication (MFA) and Single Sign-On (SSO), and authorization models like Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC). The Principle of Least Privilege — granting users only the access they need to do their job — is a recurring theme here.
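To make the three authorization models concrete, here is an added example (not from the page or from ISC2) that implements a minimal DAC, MAC and RBAC check side by side over a constructed set of users, files and roles, plus a least-privilege audit that reports granted-but-unused permissions. All names, roles, labels and permissions are invented for illustration.

```python
# Added example: three authorization models and a least-privilege audit.
# Every user, file, role and permission below is constructed for illustration.

# --- DAC: the resource owner decides who else gets access via an ACL ---
DAC_FILES = {
    "budget.xlsx": {"owner": "bob", "acl": {"alice": {"read"}}},
}

def dac_can(user, resource, action):
    """Owner has every right; others get only what the owner's ACL grants."""
    entry = DAC_FILES.get(resource)
    if entry is None:
        return False
    if entry["owner"] == user:
        return True
    return action in entry["acl"].get(user, set())

# --- MAC: the system enforces labels; a subject may not read above its clearance ---
LEVELS = ["public", "internal", "secret", "top_secret"]

def mac_can_read(clearance, label):
    """'No read up': a subject may read an object only if clearance >= label."""
    return LEVELS.index(clearance) >= LEVELS.index(label)

# --- RBAC: permissions attach to roles, users get roles, deny by default ---
ROLE_PERMISSIONS = {
    "analyst":    {"reports:read"},
    "accountant": {"reports:read", "ledger:read", "ledger:write"},
    "admin":      {"reports:read", "ledger:read", "ledger:write", "users:manage"},
}
USER_ROLES = {
    "alice": {"analyst"},
    "bob":   {"accountant"},
    "carol": {"admin"},
}

def permissions_for(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def rbac_can(user, permission):
    """Deny by default: access requires an explicit grant through a role."""
    return permission in permissions_for(user)

def excess_permissions(user, permissions_used):
    """Least-privilege audit: what the user holds but never exercised.
    A non-empty result is a candidate for role trimming."""
    return permissions_for(user) - set(permissions_used)

if __name__ == "__main__":
    print("alice read budget (DAC):", dac_can("alice", "budget.xlsx", "read"))
    print("secret clearance reads top_secret (MAC):", mac_can_read("secret", "top_secret"))
    print("alice ledger:write (RBAC):", rbac_can("alice", "ledger:write"))
    print("carol unused perms:", excess_permissions("carol", ["reports:read"]))
```

The audit function is the part exam questions rarely show but practitioners rely on: least privilege is not only about the initial grant, it is about periodically comparing what a user holds against what they actually use and removing the difference.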
4. Security Operations (18%)
This domain covers the day-to-day work of keeping systems secure: data classification and protection, system hardening, monitoring and logging practices, vulnerability management, and patch management. Security awareness training also falls here, reflecting the reality that human behavior is often the weakest link in any security posture.
5. Business Continuity, Disaster Recovery & Incident Response (10%)
The smallest domain by weight, but don’t skip it. You’ll need to understand the difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), backup strategies (full, incremental, differential), the incident response lifecycle, and key metrics like Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
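The difference between full, incremental and differential backups is easiest to see by simulating a week of file changes and asking two questions of each strategy: how much does each nightly backup copy, and which backups must be applied to restore a given day? The following is an added example (not from the page or from ISC2); the file names and change history are constructed, and deletions are deliberately not modelled.

```python
# Added example: simulate backup strategies over a constructed week of changes.
# Day 0 is the weekly full backup; days 1..6 are the nightly backups.
ALL_FILES = {"a", "b", "c", "d", "e", "f"}
CHANGES = {                 # constructed: files modified on each day
    1: {"a", "b"},
    2: {"c"},
    3: {"a"},
    4: set(),
    5: {"d", "b"},
    6: {"e"},
}

def changed_since_full(day):
    """Every file modified on any day after the full backup, up to `day`."""
    changed = set()
    for d in range(1, day + 1):
        changed |= CHANGES.get(d, set())
    return changed

def backup_set(strategy, day):
    """Files copied by the backup taken at the end of `day`."""
    if day == 0 or strategy == "full":
        return set(ALL_FILES)                 # full: everything, every time
    if strategy == "incremental":
        return set(CHANGES.get(day, set()))   # changed since the previous backup of any kind
    if strategy == "differential":
        return changed_since_full(day)        # changed since the last full backup
    raise ValueError(f"unknown strategy: {strategy}")

def restore_chain(strategy, day):
    """Backup days that must be applied, in order, to rebuild the state at `day`.
    Longer chains mean more media to locate and more points of failure."""
    if strategy == "full":
        return [day]
    if strategy == "incremental":
        return list(range(0, day + 1))        # full plus every incremental since
    if strategy == "differential":
        return [0, day] if day > 0 else [0]   # full plus only the latest differential
    raise ValueError(f"unknown strategy: {strategy}")

def total_copied(strategy, day):
    """Total file copies written from day 0 through `day` (storage/bandwidth cost)."""
    return sum(len(backup_set(strategy, d)) for d in range(0, day + 1))

if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        print(f"{strategy:12} day-6 copies {len(backup_set(strategy, 6))} files, "
              f"week total {total_copied(strategy, 6)}, "
              f"restore chain {restore_chain(strategy, 6)}")
```

Running it shows the trade-off the exam expects you to reason about: incremental backups are cheapest to take but need the full backup plus every incremental to restore, differential backups grow each day but restore from just two pieces, and full backups cost the most storage while restoring from a single set. The backup interval, not the strategy, is what bounds the RPO; the length and complexity of the restore chain is what drives the RTO.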
Test Your Knowledge
Let’s put two foundational concepts to the test. Try answering these before reading the explanations.
Question 1: A company wants to ensure that only authorized users can access sensitive files, and that their access is limited strictly to what their job requires. Which security principle is being applied?