How to Pass the ISC2 CC Certified in Cybersecurity in 15 Days: 2026 Study Guide
The ISC2 Certified in Cybersecurity (CC) is the fastest path into a cybersecurity career — and it's free for ISC2 members. This 2026 guide covers all 5 domains, a 15-day study plan, the free ISC2 self-paced course, and how CC fits into the SSCP → CISSP career path.
What Is the ISC2 CC and Who Is It For?
The ISC2 Certified in Cybersecurity (CC) is an entry-level certification designed for anyone who wants to launch a cybersecurity career — no prior experience required. Unlike most security certifications that demand years of work history, the CC is explicitly built for career changers, IT professionals pivoting into security, students, and anyone new to the field.
ISC2 introduced the CC in 2022 as a stepping stone toward its more advanced credentials (SSCP, CISSP), and it made waves immediately by offering free access to the official self-paced training course for all candidates. The exam itself costs $199 USD for non-members, and ISC2 members can take it at no additional cost.
The CC validates foundational knowledge across five core domains: security principles, business continuity, access controls, network security, and security operations. It signals to employers that you understand how to think about security — a critical differentiator for entry-level roles like SOC analyst, IT support specialist, junior security analyst, and helpdesk technician moving into security.
ISC2 CC Domain Breakdown
| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Security Principles | 26% | CIA triad, authentication, authorization, privacy, risk concepts (threat, vulnerability, likelihood, impact) |
| Domain 2: Business Continuity (BC), Disaster Recovery (DR) & Incident Response | 10% | RTO, RPO, BC vs DR, incident response phases (NIST 4-step), BIA |
| Domain 3: Access Controls Concepts | 22% | DAC, MAC, RBAC, ABAC, physical vs logical controls, least privilege, need-to-know |
| Domain 4: Network Security | 24% | OSI model, TCP/IP, firewalls, IDS/IPS, VPN, Wi-Fi security (WPA2/3), DMZ, segmentation |
| Domain 5: Security Operations | 18% | Data handling, encryption basics (symmetric vs asymmetric), hashing, patch management, logging, SIEM, change management |
The exam consists of 100 multiple-choice questions, with a 3-hour time limit. The passing score is 700 out of 1000 (70%). Questions are scenario-based, testing your ability to apply concepts — not just recall definitions.
15-Day Study Schedule
This schedule assumes 1–2 hours of study per day. It is optimized for the free ISC2 self-paced course combined with active practice questions.
| Day | Focus | Activity |
|---|---|---|
| Day 1 | Orientation | Enroll in the free ISC2 self-paced course; read the exam outline; take a 20-question baseline quiz |
| Day 2 | Domain 1 — Part A | CIA triad: Confidentiality, Integrity, Availability — definitions, real-world scenarios, threats to each |
| Day 3 | Domain 1 — Part B | Risk concepts: threat vs vulnerability vs risk; authentication vs authorization vs accounting (AAA) |
| Day 4 | Domain 2 | BC vs DR vs IR; RTO vs RPO; NIST incident response 4 phases; BIA; complete ISC2 module 2 |
| Day 5 | Domain 3 — Part A | Access control models: DAC, MAC, RBAC, ABAC — when each is used, real examples |
| Day 6 | Domain 3 — Part B | Least privilege, need-to-know, separation of duties; physical controls (locks, badges, CCTV) |
| Day 7 | Review Days 1–6 | 50 practice questions covering Domains 1–3; review every wrong answer; update notes |
| Day 8 | Domain 4 — Part A | OSI model layers 1–4 and their security controls; TCP/IP basics; ports and protocols |
| Day 9 | Domain 4 — Part B | Firewall types (packet filter, stateful, NGFW, WAF); DMZ; network segmentation; VLANs |
| Day 10 | Domain 4 — Part C | IDS vs IPS; HIDS vs NIDS; Wi-Fi security (WEP, WPA, WPA2, WPA3); VPN types |
| Day 11 | Domain 5 — Part A | Symmetric vs asymmetric encryption; AES, DES, RSA; hashing (SHA-256, MD5); digital signatures |
| Day 12 | Domain 5 — Part B | PKI basics; patch management; change management; configuration management; logging and monitoring |
| Day 13 | Full Practice Exam | Take a 100-question timed practice exam; identify weak domains; review all wrong answers in detail |
| Day 14 | Targeted Review | Focus on the 2 weakest domains from Day 13; reread ISC2 course sections; 30 focused questions |
| Day 15 | Final Polish | Light review of key tables (access control models, firewall types, RTO vs RPO); rest; no cramming |
Free Resources for the ISC2 CC
ISC2 Self-Paced Online Training (Free): ISC2 offers a completely free self-paced course that covers all 5 domains. It includes videos, readings, and knowledge checks. Enroll at isc2.org — you only need to create a free ISC2 account. This is your primary study resource and covers everything on the exam.
ISC2 CC Official Study Guide: A paid book published by Wiley/Sybex, authored by Mike Chapple and David Seidl. Excellent for candidates who prefer structured reading over video. Available on Amazon and the ISC2 bookstore.
ISC2 Candidate Community: The official ISC2 candidate forum (community.isc2.org) has a dedicated CC subforum where candidates share tips, confirm domain coverage, and discuss tricky questions.
CertLand Practice Exams: Use domain-filtered practice questions to test yourself on weak areas before exam day. The CC practice bank on CertLand covers all 5 domains with scenario-based questions that mirror the real exam format.
Career Path: CC to SSCP to CISSP
The CC is the entry point to the ISC2 certification ladder. Here is how it connects to more advanced credentials:
CC (Certified in Cybersecurity) — No experience required. Validates foundational knowledge. Target audience: career changers, students, IT staff entering security. Opens doors to SOC analyst, junior security roles, helpdesk-to-security transitions.
SSCP (Systems Security Certified Practitioner) — Requires 1 year of paid work experience in at least one of the 7 SSCP domains (or a relevant degree to waive it). Covers deeper technical content: cryptography, network and communications security, incident detection and response. Target audience: security administrators, systems administrators with security responsibilities, network engineers moving into security.
CISSP (Certified Information Systems Security Professional) — Requires 5 years of paid work experience in at least two of the 8 CISSP domains. The gold standard in cybersecurity management and architecture. Required for senior security engineer, CISO, security architect, and director-level roles. Holding the CC counts as 1 year of experience credit toward the CISSP requirement.
The practical career trajectory looks like this: earn the CC while in your first IT role or still studying, use it to land a junior security or SOC analyst position, gain experience over 1–2 years while preparing for SSCP, then build toward CISSP as you move into senior roles.
Top 5 Exam Tips for the ISC2 CC
1. Think like a manager, not a technician. ISC2 exams favor answers that protect the business, follow process, and minimize risk — not answers that are the most technically clever. When two answers look correct, pick the one that follows proper procedure or addresses the root cause.
2. Memorize RTO vs RPO before exam day. These two terms appear in Domain 2 questions constantly, and they are easy to confuse. RPO = how much data you can afford to lose (measured in time). RTO = how fast you must restore operations. "Minimize data loss" always points to RPO.
3. Know the NIST incident response phases in order. The 4 NIST phases are: Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity. Questions will test whether Containment comes before Eradication — it does, always.
4. Use the process of elimination aggressively. CC questions often have one clearly wrong answer and one answer that is partially right. Eliminate the obviously wrong options first, then evaluate what remains based on the scenario's business context.
5. Flag and move on. You have 3 hours for 100 questions — that is 1.8 minutes per question. Do not spend 5 minutes on a single hard question. Flag it, move on, and return at the end. Your first instinct on scenario questions is usually correct.
The ISC2 CC is genuinely achievable in 15 days of focused study. The free official course removes the financial barrier, and the exam itself rewards conceptual understanding over memorization. Build your foundation with the CC, earn your first security role, and use it as the launchpad toward SSCP and eventually CISSP.