ISC2 CC EXAM NEWEST 2025/2026 WITH COMPLETE QUESTIONS AND CORRECT ANSWERS | ALREADY GRADED A+ | BRAND NEW VERSION!
In which of the following access control models can the creator of an object
delegate permission?
A. RBAC
B. MAC
C. DAC
D. ABAC
ANSWER: C. DAC
In a Discretionary Access Control model, the permissions associated with each
object (file or data) are set by the owner of the object. In this model, the creator
of an object implicitly becomes its owner, and therefore can decide who will have
permission over the objects. In the remaining models, access specifications are
centrally determined.
Which of the following is NOT a possible model for the Incident Response Team
(IRT)?
A. Dedicated
B. Hybrid
C. Pre-existing
D. Leveraged
ANSWER: C. Pre-existing
The three possible models for incident response are Leveraged, Dedicated, and
Hybrid (see ISC2 Study Guide, Chapter 2, Module 1, under Chapter Takeaways).
The term 'Pre-existing' is not a valid model for an IRT.
What are the components of an incident response plan?
A. Preparation - Detection and Analysis - Containment - Eradication - Post-Incident Activity - Recovery
B. Preparation - Detection and Analysis - Containment, Eradication and Recovery - Post-Incident - Activity
C. Preparation - Detection and Analysis - Recovery - Containment - Eradication - Post-Incident - Activity
D. Preparation - Detection and Analysis - Eradication - Recovery - Containment - Post-Incident - Activity
ANSWER: B. Preparation - Detection and Analysis - Containment, Eradication and Recovery - Post-Incident - Activity
The components commonly found in an incident response plan are (in this order):
Preparation; Detection and Analysis; Containment, Eradication and Recovery;
Post-Incident Activity (see ISC2 Study Guide, Chapter 2, Module 1, under
Components of an Incident Response Plan).
With respect to risk management, which of the following options should be
prioritized?
A. The expected probability of occurrence is high, and the potential impact is low
B. The frequency of occurrence is low, and the expected impact value is high
C. The expected probability of occurrence is low, and the potential impact is low
D. The frequency of occurrence is high, and the expected impact value is low.
ANSWER: B. The frequency of occurrence is low, and the expected impact value is high
The highest priority should be given to risks estimated to have high impact and
low probability over those with high probability and low impact value (ISC2 Study
Guide, Chapter 1, Module 2). In qualitative risk analysis, the 'expected
probability of occurrence' and the 'frequency of occurrence' refer to the same
thing. The same goes for the concepts of expected impact value (NIST SP 800-30
Rev 1 under Impact Value) and potential impact (NIST SP 800-60 Vol. 1 Rev.1 under
Potential Impact).
Which access control model can grant access to a given object based on complex
rules?
A. RBAC
B. DAC
C. ABAC
D. MAC
ANSWER: C. ABAC
ABAC is an access control model that controls access to objects using rules that
are evaluated according to the attributes of the subject, relevant objects, and
attributes of the environment and action. The RBAC and MAC models are based
on more straightforward and relatively less flexible rule systems, which are
evaluated according to subject roles and security classifications. The rules that can
be specified in a DAC model are even simpler than those of the previous two
models.
Which of these has the PRIMARY objective of identifying and prioritizing critical
business processes?
A. Disaster Recovery Plan
B. Business Impact Analysis
C. Business Impact Plan
D. Business Continuity Plan
ANSWER: B. Business Impact Analysis
The term 'Business Impact Plan' does not exist. A Business Impact Analysis (BIA) is
a technique for analyzing how disruptions can affect an organization, and
determines the criticality of all business activities and associated resources. A
Business Continuity Plan (BCP) is a pre-determined set of instructions describing
how the mission/business processes of an organization will be sustained during
and after a significant disruption. A Disaster Recovery Plan is a written plan for
recovering information systems in response to a major failure or disaster.
Which of the following is NOT a type of security control?
A. System-specific controls
B. Common controls
C. Hybrid controls
D. Storage controls
ANSWER: D. Storage controls
Storage controls are not a type of security control. Security controls are
safeguards or countermeasures that an organization can employ to avoid,
counteract or minimize security risks. System-specific controls are security
controls that provide security capability for only one specific information system.
Common controls are security controls that provide security capability for multiple
information systems. Hybrid controls have characteristics of both system-specific
and common controls.
Which of the following is NOT an ethical canon of the (ISC)2?
A. Provide active and qualified service to principal
B. Act honorably, honestly, justly, responsibly, and legally
C. Advance and protect the profession
D. Protect society, the common good, necessary public trust and confidence, and the infrastructure
ANSWER: A. Provide active and qualified service to principal
In the code of ethics, we read "Provide diligent and competent service to
principals", and not "Provide active and qualified service to principals"; all the