(ISC)2 CC Practice Exam 2025 With
100% Correct Answers
Sensitivity is a measure of the ...: - CORRECT ANSWER✔✔... importance assigned to information
by its owner, or the purpose of representing its need for protection.
(Sensitivity is also defined as the measure of the importance assigned to information by its
owner, or the purpose of representing its need for protection)
The process of verifying or proving the user's identification is known as: - CORRECT
ANSWER✔✔Authentication
(Authentication is the verification of the identity of a user, process or device, as a prerequisite to
allowing access to the resources in a given system. In contrast, authorization refers to the
permission granted to users, processes or devices to access specific assets. Confidentiality and
integrity are properties of information and systems, not processes.)
Which of the following Cybersecurity concepts guarantees that information is accessible only to
those authorized to access it? - CORRECT ANSWER✔✔Confidentiality
(Confidentiality, Integrity and Availability are known as the CIA triad, from the model that guides
policies for information security. Confidentiality is the property of data or information not being
made available or disclosed, which leads to sensitive information being protected from
unauthorized access. Integrity refers to the preservation of the consistency, accuracy and
trustworthiness of data. Availability is the property of data being consistently and readily
accessible to the parties authorized to access it. Finally, non-repudiation refers to the inability to
deny the production, approval or transmission of information.)
Which of the following areas is connected to PII? - CORRECT ANSWER✔✔Confidentiality
,(Confidentiality is the most distinctive property of personally identifiable information (see ISC2
study guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data.
All data requires integrity to be usable. Non-repudiation refers to the inability to deny the
production, approval, or transmission of information. Authentication refers to the access to
information.)
Which of the following properties is NOT guaranteed by Digital Signatures? - CORRECT
ANSWER✔✔Confidentiality
(The correct answer is B. A digital signature is the result of a cryptographic transformation of
data which is useful for providing: data origin authentication, data integrity, and non-
repudiation of the signer (see NIST SP 800-12 Rev. 1 under Digital Signature). However, digital
signatures cannot guarantee confidentiality (i.e. the property of data or information not being
made available or disclosed).)
Which of the following areas is the most distinctive property of PHI? - CORRECT
ANSWER✔✔Confidentiality
(Confidentiality is the most distinctive property of protected health information (see ISC2 Study
Guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data. All
data requires integrity to be usable. Non-repudiation refers to the inability to deny the
production, approval, or transmission of information. Authentication refers to guaranteeing that
systems and information are accessed by persons and systems that are who they claim to be.)
In risk management, the highest priority is given to a risk where: - CORRECT ANSWER✔✔The
frequency of occurrence is low, and the expected impact value is high
(The highest priority is given to risks estimated to have high impact and low probability over
high probability and low impact value (ISC2 Study Guide, Chapter 1, Module 2). In qualitative
risk analysis, the 'expected probability of occurrence' and the 'frequency of occurrence' refer to
the same thing. The same goes for the concepts of expected impact value (NIST SP 800-30 Rev.
,1 under Impact Value) and potential impact (NIST SP 800-60 Vol. 1 Rev. 1 under Potential
Impact).)
The magnitude of the harm expected as a result of the consequences of an unauthorized
disclosure, modification, destruction, or loss of information, is known as the: - CORRECT
ANSWER✔✔Impact
(The sentence matches the definition of the concept of impact (see NIST SP 800-60 Vol. 1 Rev. 1
under Impact). Furthermore, the ISC2 Study Guide, chapter 1, defines likelihood as the
probability that a potential vulnerability may be exploited. A threat is defined as a circumstance
or event that can adversely impact organizational operations. A vulnerability is a weakness that
a threat can exploit.)
An entity that acts to exploit a target organization's system vulnerabilities is a: - CORRECT
ANSWER✔✔Threat Actor
(A Threat Actor is defined as an individual or a group posing a threat (according to NIST SP 800-
150 under Threat Actor). A Threat Vector is a means by which a Threat Actor gains access to
systems (for example: phishing, trojans, baiting, etc.). An Attacker is always an individual, but a
Threat Actor can be either a group or an entity. A Threat is a circumstance or event that can
adversely impact organizational operations that a Threat Actor can potentially explore through a
Threat Vector.)
Risk Management is: - CORRECT ANSWER✔✔The identification, evaluation and prioritization of
risk
(Risk Management is the process of identifying, assessing and mitigating risks (ISC2 Study Guide,
chapter 1, module 2). "Impact and likelihood of a threat" is a definition of risk. "Creating an
incident response team" and "assessing the potential impact of a threat" can be considered Risk
Management actions, but are not in themselves Risk Management.)
, An exploitable weakness or flaw in a system or component is a: - CORRECT
ANSWER✔✔Vulnerability
(A Vulnerability is a weakness in an information system, system security procedures, internal
controls or implementation that could be exploited by a Threat source (NIST SP 800-30 Rev 1).
The Threat is the circumstance or event that can adversely impact operations. A Risk is a
possible event that can negatively impact the organization. A Bug is a flaw causing an
application to produce an unintended or unexpected result that may be exploitable.)
Which of the following is NOT an example of a physical security control? - CORRECT
ANSWER✔✔Firewalls
(Firewalls are a type of electronic equipment which connects to a network that filters inbound
traffic arriving from the Internet, and, thus are a type of technical security controls. Security
cameras, biometric access control and electronic locks, though connected to a network, control
access to physical facilities, and thus are types of physical security controls. (ISC2 Study Guide,
Chapter 1, Module 3))
The implementation of Security Controls is a form of: - CORRECT ANSWER✔✔Risk reduction
(The implementation of Security Controls involves taking actions to mitigate risk, and thus is a
form of risk reduction. Risk acceptance will take no action, risk avoidance will modify operations
in order to avoid risk entirely, and risk transference will transfer the risk to another party.)
Which of the following is an example of a technical security control? - CORRECT
ANSWER✔✔Access Control Lists
(An access control list is a type of technical security control. Bollards, fences and turnstiles
control access to physical facilities, and thus are types of physical security controls. (ISC2 Study
Guide, Chapter 1, Module 3))
100% Correct Answers
Sensitivity is a measure of the ...: - CORRECT ANSWER✔✔... importance assigned to information
by its owner, or the purpose of representing its need for protection.
(Sensitivity is also defined as the measure of the importance assigned to information by its
owner, or the purpose of representing its need for protection)
The process of verifying or proving the user's identification is known as: - CORRECT
ANSWER✔✔Authentication
(Authentication is the verification of the identity of a user, process or device, as a prerequisite to
allowing access to the resources in a given system. In contrast, authorization refers to the
permission granted to users, processes or devices to access specific assets. Confidentiality and
integrity are properties of information and systems, not processes.)
Which of the following Cybersecurity concepts guarantees that information is accessible only to
those authorized to access it? - CORRECT ANSWER✔✔Confidentiality
(Confidentiality, Integrity and Availability are known as the CIA triad, from the model that guides
policies for information security. Confidentiality is the property of data or information not being
made available or disclosed, which leads to sensitive information being protected from
unauthorized access. Integrity refers to the preservation of the consistency, accuracy and
trustworthiness of data. Availability is the property of data being consistently and readily
accessible to the parties authorized to access it. Finally, non-repudiation refers to the inability to
deny the production, approval or transmission of information.)
Which of the following areas is connected to PII? - CORRECT ANSWER✔✔Confidentiality
,(Confidentiality is the most distinctive property of personally identifiable information (see ISC2
study guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data.
All data requires integrity to be usable. Non-repudiation refers to the inability to deny the
production, approval, or transmission of information. Authentication refers to the access to
information.)
Which of the following properties is NOT guaranteed by Digital Signatures? - CORRECT
ANSWER✔✔Confidentiality
(The correct answer is B. A digital signature is the result of a cryptographic transformation of
data which is useful for providing: data origin authentication, data integrity, and non-
repudiation of the signer (see NIST SP 800-12 Rev. 1 under Digital Signature). However, digital
signatures cannot guarantee confidentiality (i.e. the property of data or information not being
made available or disclosed).)
Which of the following areas is the most distinctive property of PHI? - CORRECT
ANSWER✔✔Confidentiality
(Confidentiality is the most distinctive property of protected health information (see ISC2 Study
Guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data. All
data requires integrity to be usable. Non-repudiation refers to the inability to deny the
production, approval, or transmission of information. Authentication refers to guaranteeing that
systems and information are accessed by persons and systems that are who they claim to be.)
In risk management, the highest priority is given to a risk where: - CORRECT ANSWER✔✔The
frequency of occurrence is low, and the expected impact value is high
(The highest priority is given to risks estimated to have high impact and low probability over
high probability and low impact value (ISC2 Study Guide, Chapter 1, Module 2). In qualitative
risk analysis, the 'expected probability of occurrence' and the 'frequency of occurrence' refer to
the same thing. The same goes for the concepts of expected impact value (NIST SP 800-30 Rev.
,1 under Impact Value) and potential impact (NIST SP 800-60 Vol. 1 Rev. 1 under Potential
Impact).)
The magnitude of the harm expected as a result of the consequences of an unauthorized
disclosure, modification, destruction, or loss of information, is known as the: - CORRECT
ANSWER✔✔Impact
(The sentence matches the definition of the concept of impact (see NIST SP 800-60 Vol. 1 Rev. 1
under Impact). Furthermore, the ISC2 Study Guide, chapter 1, defines likelihood as the
probability that a potential vulnerability may be exploited. A threat is defined as a circumstance
or event that can adversely impact organizational operations. A vulnerability is a weakness that
a threat can exploit.)
An entity that acts to exploit a target organization's system vulnerabilities is a: - CORRECT
ANSWER✔✔Threat Actor
(A Threat Actor is defined as an individual or a group posing a threat (according to NIST SP 800-
150 under Threat Actor). A Threat Vector is a means by which a Threat Actor gains access to
systems (for example: phishing, trojans, baiting, etc.). An Attacker is always an individual, but a
Threat Actor can be either a group or an entity. A Threat is a circumstance or event that can
adversely impact organizational operations that a Threat Actor can potentially explore through a
Threat Vector.)
Risk Management is: - CORRECT ANSWER✔✔The identification, evaluation and prioritization of
risk
(Risk Management is the process of identifying, assessing and mitigating risks (ISC2 Study Guide,
chapter 1, module 2). "Impact and likelihood of a threat" is a definition of risk. "Creating an
incident response team" and "assessing the potential impact of a threat" can be considered Risk
Management actions, but are not in themselves Risk Management.)
, An exploitable weakness or flaw in a system or component is a: - CORRECT
ANSWER✔✔Vulnerability
(A Vulnerability is a weakness in an information system, system security procedures, internal
controls or implementation that could be exploited by a Threat source (NIST SP 800-30 Rev 1).
The Threat is the circumstance or event that can adversely impact operations. A Risk is a
possible event that can negatively impact the organization. A Bug is a flaw causing an
application to produce an unintended or unexpected result that may be exploitable.)
Which of the following is NOT an example of a physical security control? - CORRECT
ANSWER✔✔Firewalls
(Firewalls are a type of electronic equipment which connects to a network that filters inbound
traffic arriving from the Internet, and, thus are a type of technical security controls. Security
cameras, biometric access control and electronic locks, though connected to a network, control
access to physical facilities, and thus are types of physical security controls. (ISC2 Study Guide,
Chapter 1, Module 3))
The implementation of Security Controls is a form of: - CORRECT ANSWER✔✔Risk reduction
(The implementation of Security Controls involves taking actions to mitigate risk, and thus is a
form of risk reduction. Risk acceptance will take no action, risk avoidance will modify operations
in order to avoid risk entirely, and risk transference will transfer the risk to another party.)
Which of the following is an example of a technical security control? - CORRECT
ANSWER✔✔Access Control Lists
(An access control list is a type of technical security control. Bollards, fences and turnstiles
control access to physical facilities, and thus are types of physical security controls. (ISC2 Study
Guide, Chapter 1, Module 3))
