ISC2 CC EXAM NEWEST 2025/2026 WITH COMPLETE QUESTIONS AND CORRECT ANSWERS | ALREADY GRADED A+ | BRAND NEW VERSION!
A _____ is a record of something that has occurred. (D3, L3.2.1)
A) Biometric
B) Law
C) Log
D) Firewall
ANSWER-C is correct. This is a description of a log. A is incorrect; "biometrics" is a term used to describe access control systems that use physiological traits of individuals in order to grant/deny access. B is incorrect; laws are legal mandates. D is incorrect; a firewall is a device for filtering traffic.
For biometric security to function properly, an authorized person's physiological data must be ______. (D3, L3.2.1)
A) Broadcast
B) Stored
C) Deleted
D) Modified
ANSWER-B is correct. A biometric security system works by capturing and recording a physiological trait of the authorized person and storing it for comparison whenever that person presents the same trait in the future. A is incorrect; access control information should not be broadcast. C is incorrect; if all biometric data is erased, the data cannot be used for comparison purposes to
grant access later. D is incorrect; biometric data should not be modified, or it may
become useless for comparison purposes.
Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens.
Which security concept is being applied in this situation? (D3, L3.1.1)
A) Defense in depth
B) Segregation of duties
C) Least privilege
D) Dual control
ANSWER-D is correct. This is an example of dual control, where two people, each with distinct authentication factors, must be present to perform a function. A is incorrect; defense in depth requires multiple controls protecting assets—there is no description of multiple controls in this situation. B is incorrect; in segregation of duties, the parts of a given transaction are split among multiple people, and the task cannot be completed unless each of them takes part. Typically, in segregation of duties, the people involved do not have to take part simultaneously; their actions can be spread over time and distance. This differs from dual control, where both people must be present at the same time. C is incorrect; the situation described in the question does not reduce the permissions of either person involved or limit their capabilities to their job function.
Which of the following is not an appropriate control to add to privileged accounts? (D3, L3.1.1)
A) Increased logging
B) Multifactor authentication
C) Increased auditing
D) Security deposit
ANSWER-D is correct. We typically do not ask privileged account holders for security deposits. A, B, and C are incorrect; those are appropriate controls to enact for privileged accounts.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has.
In this situation, what is Prachi? (D3, L3.1.1)
A) The subject
B) The rule
C) The file
D) The object
ANSWER-A is correct. In this situation, Prachi is the subject in the subject-object-rule relationship. Prachi manipulates the database; this makes Prachi the subject. B and D are incorrect, because Prachi is the subject in this situation. C is incorrect, because Prachi is not, and never will be, a file.
Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi is sometimes required to install or remove software. Which of the following could be used to describe Gelbi's account? (D3, L3.1.1)
A) Privileged
B) Internal
C) External
D) User
ANSWER-A is correct. This is the description of a privileged account: an account that typically needs greater permissions than a basic user. B and C are incorrect; the question does not specify whether Gelbi connects to the environment from within the network or from outside. D is incorrect; this is too vague—Gelbi is a user, but has permissions that are typically greater than what basic users have.
Triffid Corporation has a rule that all employees working with sensitive hardcopy documents must put the documents into a safe at the end of the workday, where they are locked up until the following workday. What kind of control is the process of putting the documents into the safe? (D1, L1.3.1)
A) Administrative
B) Tangential
C) Physical
D) Technical
ANSWER-A is the correct answer. The process itself is an administrative control; rules and practices are administrative. The safe itself is physical, but the question asked specifically about the process, not the safe, so C is incorrect. Neither the safe nor the process is part of the IT environment, so this is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
A vendor sells a particular operating system (OS). In order to deploy the OS
securely on different platforms, the vendor publishes several sets of instructions