Edition: Complete Practice Test Bank with 180
Questions and Detailed Answers with Rationales
– Fully Updated for the New Security
Governance Domain and Latest Exam Objectives
ISC2 CC 2026 Practice Exam
Exam Code: CC
Effective Date: September 1, 2026
Domain Weights:
• Security Principles (24%)
• Security Governance (17.3%)
• Identity & Access Management (20%)
• Network & Cloud Security (21.3%)
• Security Operations (17.3%)
Instructions: Select the best answer for each question.
Domain 1: Security Principles
1. Which of the following best describes the primary
goal of the security principle "Confidentiality"?
A) Ensuring data is always available when needed
B) Guaranteeing that data has not been altered by
unauthorized parties
C) Preventing unauthorized disclosure of sensitive
information
D) Tracking user actions for accountability
<details>
<summary><strong>Rationale:</strong></summary>
Confidentiality ensures that data is only accessible to
authorized individuals. Availability (A), Integrity (B), and
Accountability (D) are separate security goals [citation:1].
</details> <br>
2. An attacker tricks an employee into revealing their
login credentials by pretending to be IT support over
the phone. This is an example of:
A) Phishing
B) Smishing
C) Vishing
D) Whaling
<details>
<summary><strong>Rationale:</strong></summary>
**Vishing** (voice phishing) uses voice calls to deceive
victims. Phishing is delivered by email, smishing by SMS, and
whaling targets executives [citation:1].
</details> <br>
3. A company decides to stop using a legacy system that
cannot be secured. This is an example of which risk
response strategy?
A) Mitigate
B) Avoid
C) Transfer
D) Accept
<details>
<summary><strong>Rationale:</strong></summary>
**Risk avoidance** means eliminating the risk entirely
by discontinuing the activity or asset. Mitigation reduces
risk, transfer shifts it (e.g., insurance), and acceptance
acknowledges it without action [citation:1][citation:8].
</details> <br>
4. A zero-day vulnerability is particularly dangerous
because:
A) It requires physical access to exploit
B) No patch or fix is currently available from the vendor
C) It only affects cloud-based infrastructure
D) It is a configuration issue, not a software flaw
<details>
<summary><strong>Rationale:</strong></summary>
The term "zero-day" refers to the fact that the vendor has
had **zero days** to prepare a fix. The vulnerability is
unknown to the vendor at the time of exploitation
[citation:1].
</details> <br>
5. What does "Non-repudiation" provide in the context
of digital communications?
A) Data is available 99.999% of the time
B) Proof that an action was performed by a specific user
C) Data is encrypted both at rest and in transit
D) No single point of failure exists in the network
<details>
<summary><strong>Rationale:</strong></summary>
**Non-repudiation** uses digital signatures or audit logs
to prevent a user from denying that they performed an
action (e.g., "I didn't send that email"). It provides proof
of origin and integrity [citation:1][citation:4]. </details>
<br>
Domain 2: Security Governance (NEW for 2026)
6. A bank requires employees to take annual training on
how to handle customer financial data. This is an