(ISC)2 CC Practice Exam 1 Questions
and Correct Answers 2025-2026 Edition.
Graded A
A best practice of patch management is to: - ANS: Test patches
before applying them
A biometric reader that grants access to a computer system in a
data center is a: - ANS: Technical Control
(Physical controls have to do with the architectural features of
buildings and facilities. Administrative controls are connected to
the actions of people within the organization. Technical controls
are implemented inside of computer systems. Authorization
controls relate to the assets to which a user is granted access
inside a particular computer system (see ISC2 Study Guide
Chapter 1, Module 3).)
A chief information security officer (CISO) at a large organization
documented a policy that establishes the acceptable use of cloud
environments for all staff. This is an example of a: (D1, L1.3.1) -
ANS: Management/Administrative control
A cloud arrangement whereby the provider owns and manages
the hardware, operating system, and applications in the cloud,
and the customer owns the data. (D4.3 L4.3.2) - ANS: platform as
a service (PaaS)
A common network device used to filter traffic. (D4.1 L4.1.1) -
ANS: firewall
A device found not to comply with the security baseline should
be: - ANS: Disabled or isolated into a quarantine area until it can
be checked and updated.
A mode of encryption for ensuring confidentiality efficiently, with
a minimum amount of processing overhead (D5.1.2, L5.1.2) -
ANS: symmetric
A portion of the organization's network that interfaces directly
with the outside world; typically, this exposed area has more
security controls and restrictions than the rest of the internal IT
environment. (D4.3 L4.3.3) - ANS: demilitarized zone (DMZ)
A ready visual cue to let anyone in contact with the data know
what the classification is. (D5.1.1, L5.1.1) - ANS: label
A security safeguard is the same as a: - ANS: Security control
(Security safeguards are approved security measures taken to
protect computational resources by eliminating or reducing the
risk to a system. These can be measures like hardware and
software mechanisms, policies, procedures, and physical controls
(see NIST SP 800-28 Version 2, under safeguard). This definition
matches the definition of security control as the means of
managing risk, including policies, procedures, guidelines,
practices, or organizational structures, which can be of an
administrative,