(ISC)2 CC Practice Exam 1 Questions and Correct Answers 2025-2026 Edition. Graded A
A best practice of patch management is to: - ANS: Test patches before applying them
A biometric reader that grants access to a computer system in a data center is a: - ANS: Technical Control
(Physical controls concern the architectural features of buildings and facilities. Administrative controls are connected to the actions of people within the organization. Technical controls are implemented inside computer systems. Authorization controls relate to the assets to which a user is granted access inside a particular computer system (see ISC2 Study Guide Chapter 1, Module 3).)
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a: (D1, L1.3.1) - ANS: Management/Administrative control
A cloud arrangement whereby the provider owns and manages the hardware, operating system, and applications in the cloud, and the customer owns the data. (D4.3 L4.3.2) - ANS: platform as a service (PaaS)
A common network device used to filter traffic. (D4.1 L4.1.1) - ANS: firewall
A device found not to comply with the security baseline should be: - ANS: Disabled or isolated into a quarantine area until it can be checked and updated.
A mode of encryption for ensuring confidentiality efficiently, with a minimum amount of processing overhead. (D5.1.2, L5.1.2) - ANS: symmetric
A portion of the organization's network that interfaces directly with the outside world; typically, this exposed area has more security controls and restrictions than the rest of the internal IT environment. (D4.3 L4.3.3) - ANS: demilitarized zone (DMZ)
A ready visual cue to let anyone in contact with the data know what the classification is. (D5.1.1, L5.1.1) - ANS: label
A security safeguard is the same as a: - ANS: Security control
(Security safeguards are approved security measures taken to protect computational resources by eliminating or reducing the risk to a system. These can be measures such as hardware and software mechanisms, policies, procedures, and physical controls (see NIST SP 800-28 Version 2, under safeguard). This definition matches the definition of security control as the means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature (see NIST SP 800-160 Vol. 2 Rev. 1, under control).)
A security solution installed on an endpoint in order to detect potentially anomalous activity. (D4.2 L4.2.2) - ANS: host-based intrusion prevention system
A security solution that detects, identifies and often quarantines potentially hostile software. (D4.2 L4.2.3) - ANS: anti-malware
A set of security controls or system settings used to ensure uniformity of configuration throughout the IT environment. (D5.2.1, L5.2.1) - ANS: baseline
A web server that accepts requests from external clients should be placed in which network? - ANS: DMZ
According to ISC2, which are the six phases of data handling? - ANS: Create -> Store -> Use -> Share -> Archive -> Destroy
According to the canon "Provide diligent and competent service to principals", ISC2 professionals are to: - ANS: Avoid apparent or actual conflicts of interest.
(The direction for applying the ethical principles of ISC2 states that avoiding conflicts of interest, or the appearance thereof, is a consequence of providing diligent and competent service to principals (see https://resources.infosecinstitute.com/certification/the-isc2-code-of-ethics-a-binding-requirement-for-certification/). The other options are consequences of the remaining three ethical principles.
Topic: PE1-1.4 (ISC)2 Code of Ethics - Chapter 1, Domain 1.4)
After a disaster at our primary site, we are restoring functionality at our Disaster Recovery (DR) site. Which applications would we get up and running LAST? - ANS: Least critical.
After an earthquake disrupting business operations, which document contains the procedures required to return business to normal operation? - ANS: The Disaster Recovery Plan
(A Disaster Recovery Plan (DRP) is a plan for processing and restoring operations in the event of a significant hardware or software failure, or of the destruction of the organization's facilities. The primary goal of a DRP is to restore the business to the last-known reliable state of operations (see ISC2 Study Guide Chapter 2, Module 4, under The Goal of Disaster Recovery). The term 'Business Impact Plan' does not exist. A Business Continuity Plan (BCP) is a pre-determined set of instructions describing how an organization's mission/business processes will be sustained during and after a significant disruption. A Business Impact Analysis (BIA) is a technique for analyzing how disruptions can affect an organization.
Topic: Understanding Disaster Recovery (DR))