ISC2 Certified in Cybersecurity (CC)

Earlier this year I took the ISC2 Certified in Cybersecurity (CC) exam. This was my first cyber-specific exam, and I have to say, I was impressed with the exam and ISC2. For transparency, I do not work directly in the Cybersecurity department. Instead, I work in the “Physical Security” or corporate security side of the house. I do, however, oversee our technology department and GSOC, which works heavily with our IT, Cyber, and Business Continuity teams.

I found the domains for the CC exam to be directly related to my team’s roles and responsibilities. If you are unfamiliar with the domains covered in the CC exam, they are as follows:

Domain 1. Security Principles

Domain 2. Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts

Domain 3. Access Controls Concepts

Domain 4. Network Security

Domain 5. Security Operations

Here is the exam outline provided by ISC2.

Security Principles, which make up 26% of the exam, cover topics like:

·       Understand the security concepts of information assurance

o   CIA Triad

o   Authentication

o   Non-Repudiation

o   Privacy

·       Understand the risk management process

o   Risk Management

o   Risk Identification, assessment, and treatment

·       Understand security controls

o   Technical

o   Administrative

o   Physical

·       Understand ISC2 Code of Ethics

·       Understand governance processes

o   Policies

o   Procedures

o   Standards

o   Regulations and laws


As you can see, these topics are common across security in general. Frankly, these are topics and concepts that everyone should be familiar with, and they are the foundational concepts of security.


Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts covers 10% of the exam and was one of the more interesting topics for me personally. My company is unique in that BC sits within the corporate security side of the house while DR is governed by the cyber and IT department. We are fairly young in our Business Continuity journey, so it will be interesting to see whether the reporting structure of these two changes in the future. However, I will say we have a really good relationship with the teams involved, so it works well. I found this domain interesting because we are in the early stages of establishing our BC plans and I have been pretty involved in getting the team off the ground.

·       Understand business continuity (BC)

·       Understand disaster recovery (DR)

·       Understand incident response


Access Controls Concepts takes up 22% of the exam. Much of this section is what my team and I do on a daily basis. Therefore, this domain was relatively easy for me.

·       Understand physical access controls

o   Physical security controls (e.g., badge systems, gate entry, environmental design)

o   Monitoring (e.g., security guards, closed-circuit television (CCTV), alarm systems, logs)

o   Authorized versus unauthorized personnel

·       Understand logical access controls

o   Principle of least privilege

o   Segregation of duties

o   Discretionary access control (DAC)

o   Mandatory access control (MAC)

o   Role-based access control (RBAC)

Network Security is the second largest portion with 24%. If there was a domain that was difficult for me, I would say it was this one, strictly because I do not come from a network background and did not already have all this knowledge down. If you come from an IT or networking background, I’m sure this domain is merely a review for you.

·       Understand computer networking

o   Networks (e.g., Open Systems Interconnection (OSI) model, Transmission Control Protocol/Internet Protocol (TCP/IP) model, Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), WiFi)

o   Ports

o   Application

·       Understand network threats and attacks

o   Types of threats (e.g., distributed denial-of-service (DDoS), virus, worm, Trojan, man-in-the-middle (MITM), side-channel)

o   Identification (e.g., intrusion detection system (IDS), host-based intrusion detection system (HIDS), network intrusion detection system (NIDS))

o   Prevention (e.g., antivirus, scans, firewalls, intrusion prevention system (IPS))

·       Understand network security infrastructure

o   On-premises (e.g., power, data center/closets, Heating, Ventilation, and Air Conditioning (HVAC), environmental, fire suppression, redundancy, memorandum of understanding (MOU)/memorandum of agreement (MOA))

o   Design (e.g., network segmentation (demilitarized zone (DMZ), virtual local area network (VLAN), virtual private network (VPN), micro-segmentation), defense in depth, Network Access Control (NAC) (segmentation for embedded systems, Internet of Things (IoT))

o   Cloud (e.g., service-level agreement (SLA), managed service provider (MSP), Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), hybrid)


And finally, Security Operations, which makes up the last 18% of the exam. Most of this domain is fairly straightforward, and I would assume you are at least familiar with the concepts and terminology. I find encryption intriguing and ordered an additional book to gain a better understanding. However, that book was completely unnecessary for this exam.

·       Understand data security

o   Encryption (e.g., symmetric, asymmetric, hashing)

o   Data handling (e.g., destruction, retention, classification, labeling)

o   Logging and monitoring security events

·       Understand system hardening

o   Configuration management (e.g., baselines, updates, patches)

·       Understand best practice security policies

o   Data handling policy

o   Password policy

o   Acceptable Use Policy (AUP)

o   Bring your own device (BYOD) policy

o   Change management policy (e.g., documentation, approval, rollback)

o   Privacy policy

·       Understand security awareness training

o   Purpose/concepts (e.g., social engineering, password protection)


I was able to take the exam free of cost thanks to ISC2 and their pledge to give away one million new CC certifications. If you are interested, take a look at their site to get signed up: https://www.isc2.org/landing/1mcc


The exam took me around an hour to complete, but you get up to two hours, so make sure to take your time. The questions were all multiple choice, and you get between 100-125 questions on your exam. Once you pass the exam, you will need to pay $50 to be awarded the certification and join ISC2 as a member. If you take advantage of the webinars provided with your membership, the $50 is well worth the cost.


The only negative part of the process for me was the free training provided by ISC2 for the CC exam. I wasn’t much of a fan of the free training, but it was free, so I can’t complain too much. I don’t believe you would be able to confidently pass the exam with it alone if you are new to security. None of these concepts were completely new to me, but I did find value in taking Mike Chapple’s Certified in Cybersecurity course on LinkedIn, and I also purchased this study guide. Between Mike Chapple’s course and the study guide, I think anyone could succeed with proper preparation. The study guide also comes with practice tests, which you can do through the book itself or on the online platform through McGraw Hill.


I currently manage a team of Security System Specialists and Security System Coordinators who oversee our access control, CCTV, alarms, GSOC, and security assessments. I have begun recommending this exam to all of my team members as well. Even though the title says Certified in Cybersecurity, I believe the topics covered here are valuable to anyone working in the security industry, cyber or physical. The gap between cyber and physical security is narrowing every year. We are long past the days when physical security was simply gate guards, fences, and analog cameras. If the two sides of the house are going to stay separate, no matter how blurry the lines are, we should at least conduct our due diligence and educate ourselves on the current security landscape and threat vectors.


If you are interested in obtaining a security certification or simply contemplating a career change to security, I would highly recommend you look at the ISC2 Certified in Cybersecurity exam. The cost is minimal while the upside reward is limitless. If you are a manager of a security team, I would recommend you look at this exam as additional training for your team. Again, the cost is minimal and can be very rewarding for your team. Set this as one of their goals for their 2026 review!
