Correct Solutions || Already Graded A+ || Updated 2025/2026 Syllabus || 100% Guaranteed Pass || <<Recent Version>>
Risk - ANSWER ✓ A possible event which can have a negative impact upon the
organization.
Risk Acceptance - ANSWER ✓ Determining that the potential benefits of a
business function outweigh the possible risk impact/likelihood and performing that
business function with no other action.
Risk Assessment - ANSWER ✓ The process of identifying and analyzing risks to
organizational operations (including mission, functions, image, or reputation),
organizational assets, individuals and other organizations. The analysis performed
as part of risk management which incorporates threat and vulnerability analyses
and considers mitigations provided by security controls planned or in place.
Risk Avoidance - ANSWER ✓ Determining that the impact and/or likelihood of a
specific risk is too great to be offset by the potential benefits and not performing a
certain business function because of that determination.
Risk Management - ANSWER ✓ The process of identifying, evaluating and
controlling threats, including all the phases of risk context (or frame), risk
assessment, risk treatment and risk monitoring.
Risk Management Framework - ANSWER ✓ A structured approach used to
oversee and manage risk for an enterprise. Source: CNSSI 4009
Risk Mitigation - ANSWER ✓ Putting security controls in place to reduce the
possible impact and/or likelihood of a specific risk.
Risk Tolerance - ANSWER ✓ The level of risk an entity is willing to assume in
order to achieve a potential desired result. Source: NIST SP 800-32. Risk
threshold, risk appetite and acceptable risk are also terms used synonymously with
risk tolerance.
Risk Transference - ANSWER ✓ Paying an external party to accept the financial
impact of a given risk.
Risk Treatment - ANSWER ✓ The determination of the best way to address an
identified risk.
Security Controls - ANSWER ✓ The management, operational and technical
controls (i.e., safeguards or countermeasures) prescribed for an information system
to protect the confidentiality, integrity and availability of the system and its
information. Source: FIPS PUB 199
Sensitivity - ANSWER ✓ A measure of the importance assigned to information by
its owner, for the purpose of denoting its need for protection. Source: NIST SP
800-60 Vol 1 Rev 1
Single-Factor Authentication - ANSWER ✓ Use of just one of the three available
factors (something you know, something you have, something you are) to carry out
the authentication process being requested.
State - ANSWER ✓ The condition an entity is in at a point in time.
System Integrity - ANSWER ✓ The quality that a system has when it performs its
intended function in an unimpaired manner, free from unauthorized manipulation
of the system, whether intentional or accidental. Source: NIST SP 800-27 Rev. A
Technical Controls - ANSWER ✓ Security controls (i.e., safeguards or
countermeasures) for an information system that are primarily implemented and
executed by the information system through mechanisms contained in the
hardware, software or firmware components of the system.
Threat - ANSWER ✓ Any circumstance or event with the potential to adversely
impact organizational operations (including mission, functions, image or
reputation), organizational assets, individuals, other organizations or the nation
through an information system via unauthorized access, destruction, disclosure,
modification of information and/or denial of service. Source: NIST SP 800-30 Rev 1
Threat Actor - ANSWER ✓ An individual or a group that attempts to exploit
vulnerabilities to cause or force a threat to occur.
Threat Vector - ANSWER ✓ The means by which a threat actor carries out their
objectives.
Token - ANSWER ✓ A physical object a user possesses and controls that is used
to authenticate the user's identity. Source: NISTIR 7711
Vulnerability - ANSWER ✓ Weakness in an information system, system security
procedures, internal controls or implementation that could be exploited by a threat
source. Source: NIST SP 800-30 Rev 1
Institute of Electrical and Electronics Engineers - ANSWER ✓ IEEE is a
professional organization that sets standards for telecommunications, computer
engineering and similar disciplines.
Application Server - ANSWER ✓ A computer responsible for hosting applications
to user workstations. Source: NIST SP 800-82 Rev. 2
Asymmetric Encryption - ANSWER ✓ An algorithm that uses one key to encrypt
and a different key to decrypt the input plaintext.
Checksum - ANSWER ✓ A digit representing the sum of the correct digits in a
piece of stored or transmitted digital data, against which later comparisons can be
made to detect errors in the data.
Ciphertext - ANSWER ✓ The altered form of a plaintext message so it is
unreadable for anyone except the intended recipients. In other words, it has been
turned into a secret.
Classification - ANSWER ✓ Classification identifies the degree of harm to the
organization, its stakeholders or others that might result if an information asset is
divulged to an unauthorized person, process or organization. In short, classification