This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
CC
The ISC2 Certified in Cybersecurity (CC) course teaches core security principles, business continuity, access control, network security, and security operations, enabling learners to validate foundational cybersecurity competence.
Who Should Take This
It is ideal for IT support staff, junior administrators, and recent graduates with basic networking or systems knowledge who want to demonstrate entry‑level cybersecurity expertise. These professionals seek a recognized credential to advance career prospects, support security teams, and meet employer expectations for foundational security competency.
What's Covered
All five domains of the ISC2 Certified in Cybersecurity (CC) exam: Domain 1 Security Principles, Domain 2 Business Continuity, Disaster Recovery, and Incident Response, Domain 3 Access Controls Concepts, Domain 4 Network Security, and Domain 5 Security Operations.
Course Outline
77 learning goals
Domain 1: Security Principles
4 topics
Information Assurance Concepts
- Define the CIA triad components — confidentiality, integrity, and availability — and describe how each protects information assets in organizational environments.
- Identify the concepts of authentication, authorization, accounting, and non-repudiation as foundational elements of information security assurance.
- Describe how privacy principles including data minimization, purpose limitation, and consent requirements relate to organizational security policies and regulatory compliance.
- Apply the CIA triad to classify security incidents by determining which information assurance property has been compromised in a given scenario.
Risk Management Fundamentals
- Define risk terminology including threat, vulnerability, asset, likelihood, impact, risk appetite, risk tolerance, and residual risk in the context of information security.
- Identify the four risk treatment strategies — avoidance, mitigation, transfer, and acceptance — and recognize when each is appropriate for a given organizational risk.
- Apply qualitative risk assessment methods to prioritize identified risks using likelihood-impact matrices and risk scoring techniques.
- Differentiate between qualitative and quantitative risk analysis approaches including single loss expectancy, annual loss expectancy, and annualized rate of occurrence calculations.
Security Controls
- Identify the three categories of security controls — administrative, technical, and physical — and list examples of each category in organizational environments.
- Describe the functional types of security controls including preventive, detective, corrective, deterrent, compensating, and recovery controls.
- Apply defense-in-depth principles by selecting appropriate layered security controls that combine administrative, technical, and physical measures for a given scenario.
- Evaluate the effectiveness of security control implementations by analyzing whether controls adequately address identified risks and meet organizational security objectives.
Governance and Compliance
- Identify key regulations and frameworks including GDPR, HIPAA, PCI DSS, SOX, and NIST Cybersecurity Framework and describe their primary security requirements.
- Describe the purpose and components of security policies, standards, procedures, and guidelines within an organizational governance hierarchy.
- Apply organizational security policies to determine appropriate actions when employees, contractors, or third parties violate established security standards.
- Recognize the ISC2 Code of Ethics canons and describe how ethical obligations guide professional conduct in cybersecurity practice.
Domain 2: Business Continuity, Disaster Recovery, and Incident Response
3 topics
Business Continuity Planning
- Define business continuity planning concepts including business impact analysis, maximum tolerable downtime, recovery time objective, and recovery point objective.
- Describe the phases of a business continuity plan lifecycle including project initiation, business impact analysis, recovery strategy development, plan design, testing, and maintenance.
- Apply business impact analysis techniques to identify critical business functions, determine acceptable downtime thresholds, and prioritize recovery sequencing.
Disaster Recovery
- Identify disaster recovery site types including hot sites, warm sites, cold sites, and cloud-based recovery sites and describe the cost-recovery tradeoffs of each.
- Describe backup strategies including full, incremental, and differential backups and explain how retention policies and offsite storage support disaster recovery objectives.
- Apply disaster recovery concepts to select the appropriate recovery site type and backup strategy based on an organization's RTO and RPO requirements.
- Evaluate disaster recovery plan testing methods including tabletop exercises, walkthroughs, simulations, parallel tests, and full-interruption tests to assess organizational readiness.
Incident Response
- List the phases of the NIST incident response lifecycle: preparation, detection and analysis, containment, eradication, recovery, and post-incident activity.
- Describe the roles and responsibilities of an incident response team including incident commander, technical lead, communications coordinator, and legal counsel.
- Apply incident classification criteria to categorize security events by severity level and determine the appropriate escalation and notification procedures.
- Analyze post-incident lessons-learned reports to identify root causes, recommend corrective actions, and improve future incident response procedures.
Domain 3: Access Controls Concepts
4 topics
Access Control Concepts
- Define the core access control concepts of subjects, objects, and actions and describe how access control policies regulate interactions between them.
- Identify the principle of least privilege and describe how it limits user access rights to the minimum permissions necessary to perform assigned job functions.
- Describe separation of duties and dual control mechanisms and explain how they prevent fraud and reduce the risk of insider threats.
- Apply the principle of least privilege to assign appropriate access permissions for users, service accounts, and applications in a given organizational scenario.
Access Control Models
- Identify the major access control models including discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and attribute-based access control (ABAC).
- Compare DAC, MAC, RBAC, and ABAC models by analyzing their enforcement mechanisms, flexibility, administrative overhead, and suitability for different organizational environments.
- Apply role-based access control principles to design user role hierarchies that enforce least privilege and separation of duties within an enterprise directory service.
Authentication Mechanisms
- Identify the three authentication factor categories — something you know, something you have, and something you are — and list common examples of each.
- Describe multi-factor authentication (MFA) implementations including hardware tokens, software authenticators, SMS codes, biometrics, and FIDO2/WebAuthn standards.
- Describe single sign-on (SSO) concepts and federated identity management using protocols such as SAML, OAuth 2.0, and OpenID Connect.
- Apply password policy best practices including complexity requirements, length minimums, rotation policies, and account lockout thresholds to strengthen authentication security.
- Evaluate authentication mechanism strengths and weaknesses to determine the appropriate MFA combination for a given security requirement and user population.
Identity Management and Account Administration
- Describe the identity lifecycle phases including provisioning, review, maintenance, and deprovisioning of user accounts across organizational systems.
- Apply account management procedures to implement user provisioning, access reviews, privilege escalation controls, and timely account deprovisioning upon role changes or termination.
- Analyze access review audit results to identify excessive privileges, orphaned accounts, and policy violations that require remediation action.
Domain 4: Network Security
4 topics
Networking Fundamentals
- Identify the layers of the OSI model and TCP/IP model and describe the security-relevant protocols and services operating at each layer.
- Describe common network protocols including TCP, UDP, IP, HTTP, HTTPS, DNS, DHCP, ARP, and ICMP and identify their default port numbers and functions.
- Describe IPv4 and IPv6 addressing concepts including subnetting, CIDR notation, private address ranges (RFC 1918), and network address translation (NAT).
- Differentiate between network topologies including star, mesh, bus, and ring and assess how topology choices affect network resilience and security.
Network Security Infrastructure
- Identify network security devices including firewalls, routers, switches, load balancers, proxy servers, and network access control (NAC) appliances and describe their security functions.
- Describe firewall types including packet-filtering, stateful inspection, application-layer gateways, and next-generation firewalls and identify appropriate use cases for each.
- Describe intrusion detection systems (IDS) and intrusion prevention systems (IPS) including signature-based and anomaly-based detection methods.
- Apply network segmentation principles using VLANs, DMZs, and micro-segmentation to isolate sensitive systems and reduce the attack surface in enterprise networks.
- Evaluate network security architecture designs to determine whether defense-in-depth principles are properly implemented across perimeter, internal, and endpoint layers.
Secure Communications
- Describe VPN technologies including site-to-site and remote-access VPNs using IPsec and TLS/SSL tunneling protocols for secure network communications.
- Describe the TLS handshake process and explain how digital certificates, certificate authorities, and public key infrastructure (PKI) enable secure web communications.
- Apply secure communication protocols to select appropriate encryption methods for data in transit based on sensitivity requirements and performance constraints.
Network Threats and Attacks
- Identify common network-based attacks including denial of service (DoS/DDoS), man-in-the-middle, ARP spoofing, DNS poisoning, and session hijacking.
- Describe wireless network security threats including evil twin attacks, deauthentication attacks, and rogue access points and identify WPA3 as the current security standard.
- Apply network hardening techniques including disabling unnecessary services, closing unused ports, implementing access control lists, and enforcing secure protocols to mitigate common network attacks.
- Analyze network traffic patterns and indicators of compromise to determine whether observed activity represents a network-based attack or normal operations.
Domain 5: Security Operations
5 topics
Data Security and Protection
- Identify data classification levels including public, internal, confidential, and restricted and describe how classification drives security control selection.
- Describe data states — at rest, in transit, and in use — and identify appropriate encryption and protection methods for each state.
- Apply data handling procedures including labeling, storage, transmission, retention, and destruction methods that comply with organizational data classification policies.
- Describe secure data destruction methods including degaussing, cryptographic erasure, physical destruction, and secure overwriting per NIST SP 800-88 guidelines.
Encryption Concepts
- Define symmetric and asymmetric encryption and identify representative algorithms including AES, 3DES, RSA, and Elliptic Curve Cryptography (ECC).
- Describe hashing algorithms including SHA-256, SHA-3, and MD5 and explain how hashing supports data integrity verification and password storage.
- Describe digital signatures and explain how they combine hashing and asymmetric encryption to provide authentication, integrity, and non-repudiation.
- Apply encryption selection criteria to choose appropriate symmetric or asymmetric algorithms based on use case requirements including key distribution, performance, and security strength.
Security Monitoring and Logging
- Describe the purpose and components of security information and event management (SIEM) systems and how they aggregate and correlate security events from multiple sources.
- Identify the types of security logs including system logs, application logs, firewall logs, authentication logs, and network flow data and describe what each captures.
- Apply log management best practices including centralized collection, time synchronization, retention policies, and integrity protection to support security monitoring and forensic investigation.
- Analyze SIEM alerts and dashboard outputs to differentiate between true security incidents, false positives, and benign anomalies requiring further investigation.
Change Management and Configuration Management
- Describe the change management process including request, review, approval, implementation, verification, and documentation phases in IT environments.
- Identify configuration management concepts including baselines, configuration items, configuration management databases (CMDBs), and automated configuration enforcement tools.
- Apply change management procedures to evaluate proposed system changes for security impact and ensure proper testing and rollback plans are in place before implementation.
Security Awareness and Training
- Identify common social engineering attacks including phishing, spear phishing, vishing, smishing, pretexting, baiting, and tailgating and describe indicators of each.
- Describe the components of an effective security awareness training program including role-based training, phishing simulations, and metrics for measuring program effectiveness.
- Apply physical security concepts including badge access, visitor management, environmental controls, mantrap/vestibule entry systems, and video surveillance to protect organizational assets.
- Evaluate organizational vulnerability to social engineering by assessing employee awareness levels, existing training program gaps, and susceptibility patterns from phishing simulation results.
Scope
Included Topics
- All five domains of the ISC2 Certified in Cybersecurity (CC) exam: Domain 1 Security Principles (26%), Domain 2 Business Continuity, Disaster Recovery, and Incident Response (10%), Domain 3 Access Controls Concepts (22%), Domain 4 Network Security (24%), and Domain 5 Security Operations (18%).
- Foundational cybersecurity concepts including confidentiality, integrity, availability (CIA triad), authentication, authorization, non-repudiation, privacy, risk management fundamentals, security governance, compliance frameworks, and professional ethics aligned to ISC2 CC exam objectives.
- Core security topics including access control models, network security architecture, firewalls, IDS/IPS, VPNs, encryption fundamentals, incident response procedures, business continuity planning, disaster recovery, security operations practices, data handling, logging, monitoring, and change management.
- Entry-level scenario-based reasoning about security controls, threat identification, vulnerability management, and applying security best practices in organizational contexts.
Not Covered
- Advanced cryptographic algorithm internals, key derivation function mathematics, and cipher suite engineering not required at the CC foundational level.
- Deep penetration testing methodologies, exploit development, reverse engineering, and advanced red-team techniques beyond basic vulnerability awareness.
- Vendor-specific product configurations, proprietary tool administration, and platform-specific implementation details.
- Advanced forensic analysis procedures, chain-of-custody legal protocols, and expert-level incident investigation techniques.
- Enterprise architecture frameworks (TOGAF, Zachman) and advanced governance models beyond basic security governance concepts.
Official Exam Page
Learn more at ISC2