and Correct Detailed Answers Already Graded A+
In risk management concepts, a(n) _________ is something a security practitioner might need to protect.
A. Vulnerability
B. Asset
C. Threat
D. Likelihood
- CORRECT ANSWER-B is correct. An asset is anything with value, and a security practitioner may need to protect assets. A, C, and D are incorrect because vulnerabilities, threats, and likelihood are terms associated with risk concepts, but are not things that a practitioner would protect.
The European Union (EU) law that grants legal protections to individual human privacy is:
A. The Privacy Human Rights Act
B. The General Data Protection Regulation
C. The Magna Carta
D. The Constitution
- CORRECT ANSWER-B is correct: The GDPR is the EU law that treats privacy as a human right. A is incorrect because there is no Privacy Human Rights Act; it is only used here as a distractor. C is incorrect because the Magna Carta is a British law describing the relationship between the monarchy and the people, and does not mention privacy. D is incorrect because the Constitution is the basis of United States federal law, and does not mention privacy.
Of the following, which would probably not be considered a threat?
A. Natural disaster
B. Unintentional damage to the system caused by a user
C. A laptop with sensitive data on it
D. An external attacker trying to gain unauthorized access to the environment
- CORRECT ANSWER-C is correct. A laptop, and the data on it, are assets, not threats. All the other answers are examples of threats, as they all have the potential to cause adverse impact to the organization and the organization's assets.
Olaf is a member of ISC2 and a security analyst for Triffid Corporation. During an audit, Olaf is asked whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering to that standard in that particular situation, but that saying this to the auditors will reflect poorly on Triffid. What should Olaf do?
A. Tell the auditors the truth
B. Ask supervisors for guidance
C. Ask ISC2 for guidance
D. Lie to the auditors
- CORRECT ANSWER-A is the best answer. The ISC2 Code of Ethics requires that members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession." Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in the short term.
Tina is an ISC2 member and is invited to join an online group of IT security enthusiasts. After attending a few online sessions, Tina learns that some participants in the group are sharing malware with each other, in order to use it against other organizations online. What should Tina do?
A. Nothing
B. Stop participating in the group
C. Report the group to law enforcement
D. Report the group to ISC2
- CORRECT ANSWER-B is the best answer. The ISC2 Code of Ethics requires that members "protect society, the common good, necessary public trust and confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malware for offensive purposes. However, the Code does not make ISC2 members into law enforcement officers; there is no requirement to get involved in legal matters beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's own protection) document when participation started and stopped, but no other action is necessary on Tina's part.
The Triffid Corporation publishes a strategic overview of the company's intent to secure all the data the company possesses. This document is signed by Triffid senior management. What kind of document is this?
A. Policy
B. Procedure
C. Standard
D. Law
- CORRECT ANSWER-A is correct. This is an internal, strategic document, and is therefore a policy. B is incorrect; this is a strategic overview, not a specific process or practice, so it is not a procedure. C is incorrect; this is an internal document, not an industry-wide recognized set of practices, so it is not a standard. D is incorrect; this is not a legal mandate issued by a government, so it is not a law.
A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing ________.
A. Non-repudiation
B. Multifactor authentication
C. Biometrics