Free practice test · no sign-up
ISC2 CC℠ Free Certified in Cybersecurity practice test
10 real ISC2 CC℠ practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 798 questions whenever you’re ready. The ISC2 CC℠ passing score is 700 / 1000.
Answer key
All 10 ISC2 CC℠ questions & answers
Prefer to just read the answers and explanations? Here’s the full key for this free ISC2 CC℠ test.
Q1. An attacker successfully exfiltrates encrypted files from a corporate server but is unable to read any of the data inside them. Which security property is LEAST likely to have been compromised by this event?
Correct answer: D. Confidentiality
The attacker obtained only ciphertext. Without the decryption key the contents remain unreadable, so the confidentiality of the data is preserved; this holds only as long as the key was not also taken and the encryption itself is sound. The other three properties are more open to question: integrity, if the attacker had the access needed to modify the files in place; availability, if the intrusion disrupted access to the server; and non-repudiation, if evidence of who did what during the incident is later disputed.
Q2. An organization places identified risks into a matrix after completing a qualitative risk assessment. Which two factors are MOST commonly used to position risks within such a matrix?
Correct answer: C. Probability of occurrence and severity of impact
Qualitative risk assessments categorize risks based on how likely they are to occur and how severe the resulting harm would be — these two dimensions form the axes of a typical risk matrix. Annualized Loss Expectancy and Return on Investment are metrics used in quantitative assessments. Net present value and cash flow projections are financial forecasting tools, also part of quantitative methods. Historical frequency and remediation cost likewise belong to quantitative analysis.
Q3. An organization drafts a document establishing expectations for how employees should use company-issued computing devices in a responsible manner. What governance artifact does this describe?
Correct answer: C. Policy
A policy provides high-level direction and expectations for behavior across the organization. Acceptable-use expectations are communicated through policy rather than detailed operational steps. A standard specifies technical or administrative requirements rather than behavioral guidance. A procedure gives step-by-step instructions for completing a specific task. A regulation is an externally imposed legal requirement, not an internal organizational document.
Q4. A data center operator installs fire suppression equipment and strengthens network security configurations to reduce the potential damage from a fire event. Which risk management approach does this illustrate?
Correct answer: D. Risk mitigation
Risk mitigation involves deploying safeguards to lower the likelihood or impact of a risk — installing fire suppression systems and tightening network controls both serve to reduce potential damage without eliminating the underlying activity. Risk transference shifts financial responsibility to another party such as an insurer. Risk acceptance means tolerating the risk without additional countermeasures. Risk avoidance would require eliminating the risky activity entirely, which is not the case here.
Q5. An organization has experienced repeated incidents of unauthorized data access traced back to inadequate password requirements. Which type of control most directly addresses this specific weakness?
Correct answer: C. Administrative control — revising the password policy
Revising the password policy is an administrative control that tackles the root cause — insufficient password requirements — by defining stronger standards for credentials. Reinforced entry points and additional security personnel are physical controls that do not influence logical access to data. Antivirus software is a technical control aimed at malware, not weak authentication practices.
Q6. After identifying a risk that could result in major financial loss, an organization's leadership decides to purchase an insurance policy to cover potential damages. Which risk treatment option does this represent?
Correct answer: D. Risk transference
Purchasing insurance is a classic example of risk transference — the financial consequences of the risk are shifted to the insurer rather than borne solely by the organization. Risk acceptance involves consciously tolerating a risk without action. Risk mitigation focuses on reducing the probability or impact of the risk through controls. Risk avoidance means opting out of the activity that generates the risk.
Q7. An organization cannot implement on-premises encryption for a sensitive dataset and instead replicates the data to an off-site facility to maintain data protection. Which category of security control does this BEST illustrate?
Correct answer: C. Compensating control
A compensating control provides an alternative safeguard when the preferred primary control cannot be implemented. Using an off-site facility substitutes for the unavailable encryption capability, fulfilling the same protective intent. A preventive control blocks threats before they materialize. A detective control identifies incidents after they occur. A corrective control restores normal operations following an incident.
Q8. An IT team schedules automated backups and deploys redundant server clusters across two data centers. Which pillar of information assurance do these measures PRIMARILY support?
Correct answer: C. Availability
Backups and redundancy ensure that systems and data remain accessible even when hardware fails or a disaster strikes — this directly supports availability. Integrity focuses on preventing unauthorized modification of data. Confidentiality controls unauthorized disclosure. Non-repudiation provides proof of actions or transactions and is unrelated to redundancy planning.
Q9. A security team deploys a network appliance that passively watches traffic for known attack signatures and abnormal patterns, generating alerts without blocking traffic. Which control category does this device fall under?
Correct answer: C. Detective
A device that monitors and identifies suspicious activity without actively blocking it is a detective control — an intrusion detection system (IDS) is a prime example. Preventive controls, such as an intrusion prevention system (IPS), actively block malicious traffic. Corrective controls restore systems after a security event. Administrative controls encompass policies, procedures, and training programs.
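The distinction in this answer, a detective control that only raises alerts versus a preventive control that drops traffic, is easy to see in code. The following is an added illustration written for this page, not software from ISC2 or from any IDS product: a toy signature-plus-anomaly detector run over a constructed set of web-access log lines. The signatures, the rate threshold and the log format are all invented for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of web-access log lines (not real traffic): source IP, method, path.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html
10.0.0.5 GET /about.html
203.0.113.9 GET /search?q=' OR 1=1--
203.0.113.9 GET /../../etc/passwd
198.51.100.7 GET /login
198.51.100.7 GET /login
198.51.100.7 GET /login
198.51.100.7 GET /login
198.51.100.7 GET /login
198.51.100.7 GET /login
10.0.0.8 GET /products
"""

# Hypothetical "known attack signatures", standing in for an IDS rule set.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

# Hypothetical anomaly threshold: more than this many requests from one source is abnormal.
RATE_THRESHOLD = 5


@dataclass(frozen=True)
class Alert:
    source: str
    kind: str
    detail: str


def parse(log_text):
    """Split each line into (source, method, path); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        events.append((parts[0], parts[1], parts[2]))
    return events


def detect(events):
    """Detective control (IDS-style): inspect every event and raise alerts.

    The event list is never modified, so nothing is blocked; the output is
    purely a list of alerts for an analyst to act on.
    """
    alerts = []
    # Signature matching: a known-bad pattern in the request path.
    for src, _method, path in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append(Alert(src, "signature:" + name, path))
    # Anomaly detection: an abnormal request rate from a single source.
    counts = Counter(src for src, _, _ in events)
    for src, n in counts.items():
        if n > RATE_THRESHOLD:
            alerts.append(Alert(src, "anomaly:rate", f"{n} requests"))
    return alerts


def prevent(events):
    """Preventive counterpart (IPS-style): same signatures, but matching events are dropped."""
    return [e for e in events
            if not any(p.search(e[2]) for p in SIGNATURES.values())]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for a in detect(evts):
        print(f"ALERT {a.kind:26} from {a.source}: {a.detail}")
    print(f"{len(evts)} events seen, {len(evts)} still delivered (detective control)")
    print(f"{len(prevent(evts))} events delivered after blocking (preventive control)")
```

Run as a script it prints three alerts (two signature hits from one source, one rate anomaly from another) while all eleven events pass through untouched; the `prevent` function, by contrast, delivers only nine. That difference in side effects, alerting versus blocking, is exactly what separates the detective category from the preventive one.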
Q10. An organization deploys firewalls and intrusion detection systems to protect its network infrastructure. How are these controls classified?
Correct answer: D. Technical controls
Firewalls and intrusion detection systems are technology-based mechanisms that enforce security policies — this places them in the technical controls category. Physical controls consist of barriers such as locks, fences, and guards. Administrative controls include policies, procedures, and security awareness training. Operational controls relate to security procedures and day-to-day management practices but are not technology-specific countermeasures.
Exam facts and objectives sourced from the official ISC2 certification page. Last reviewed June 2026.
Ready for the full ISC2 CC℠ bank? Start free.
798 questions, timed mock exams, and missed-question review — 30 free questions, no card.