Questions and Corresponding Answers
with Surety of 100% Pass Mark
Which access control is more effective at protecting a door against
unauthorized access?
A. Fences
B. Turnstiles
C. Barriers
D. Locks - 🧠ANSWER ✔✔D. Locks
A lock is a device that prevents a physical structure (typically a door) from
being opened, so that only the authorized person (i.e. the person
with the key) can open it. A fence or a barrier will prevent ALL access.
Turnstiles are physical barriers that can be easily overcome (after all, it is
common knowledge that intruders can easily jump over a turnstile when no
one is watching).
COPYRIGHT©JOSHCLAY 2025/2026. YEAR PUBLISHED 2025. COMPANY REGISTRATION NUMBER: 619652435. TERMS OF USE. PRIVACY STATEMENT. ALL RIGHTS RESERVED
Which type of attack PRIMARILY aims to make a resource inaccessible to
its intended users?
A. Phishing
B. Denial of Service
C. Trojans
D. Cross-site scripting - 🧠ANSWER ✔✔B. Denial of Service
A denial of service (DoS) attack consists of compromising the availability of
a system or service through a malicious overload of requests, which
causes the activation of safety mechanisms that delay or limit the
availability of that system or service. Due to this, systems or services are
rendered inaccessible to their intended users. Trojans, phishing, and
cross-site scripting attacks try to gain access to the system or data, and
therefore do not primarily aim at compromising the system's availability.
Which devices have the PRIMARY objective of collecting and analyzing
security events?
A. Firewalls
B. Hubs
C. Routers
D. SIEM - 🧠ANSWER ✔✔D. SIEM
A Security Information and Event Management (SIEM) system is an
application that gathers security data from information system components
and presents actionable information through a unified interface. Routers
and hubs aim to receive and forward traffic. Firewalls filter incoming traffic.
None of these last three options aims at collecting and analyzing security
events.
Which access control model specifies access to an object based on the
subject's role in the organization?
A. RBAC
B. MAC
C. ABAC
D. DAC - 🧠ANSWER ✔✔A. RBAC
The role-based access control (RBAC) model is well known for governing
access to objects based on the roles of individual users within the
organization. Mandatory access control is based on security classification.
Attribute-based access control is based on complex attribute rules. In
discretionary access control, subjects can grant privileges to other subjects
and change some of the security attributes of the object they have access
to.
When a company hires an insurance company to mitigate risk, which risk
management technique is being applied?
A. Risk transfer
B. Risk avoidance
C. Risk mitigation
D. Risk tolerance - 🧠ANSWER ✔✔A. Risk transfer
Risk transfer is a risk management strategy that contractually shifts a pure
risk from one party to another (in this case, to an insurance company). Risk
avoidance consists of stopping activities and exposures that can negatively
affect an organization and its assets. Risk mitigation consists of mechanisms
to reduce the risk. Finally, risk tolerance is the degree of risk that an
investor is willing to endure.
Which type of attack will most effectively provide privileged access (root
access in Unix/Linux platforms) to a computer while hiding its presence?
A. Rootkits
B. Phishing