CIA Triad, risk management, controls, governance, and professional ethics
Domain Weight
Security Principles accounts for 26% of the CC exam.
Security Principles is the highest-weighted domain on the ISC² CC exam. Questions test whether you can apply foundational concepts — not just define them — in organizational scenarios involving policies, risk, and control selection.
Confidentiality
Protect information from unauthorized disclosure. Controls: encryption, access controls, data classification, NDAs, need-to-know.
Integrity
Ensure data is accurate and unaltered. Controls: hashing, digital signatures, change management, version control, checksums.
Availability
Ensure systems and data are accessible when needed. Controls: redundancy, backups, DDoS protection, patching, capacity planning.
Risk Management Lifecycle
Identify assets, threats, and vulnerabilities — inventory what you protect and what can go wrong
Governance sets direction and accountability (board, policies, standards). Management implements day-to-day operations. Exam scenarios often ask which body owns policy approval vs operational enforcement.
ISC² Code of Ethics
Protect society, the common good, necessary public trust and confidence, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
Exam Focus Areas
Distinguish preventive vs detective vs corrective vs compensating controls
Know when to recommend policy/training (administrative) vs technical controls
Risk acceptance requires documented management approval — not ignoring risk
Practice This Domain
Test your understanding with free practice questions at /certifications/isc2/cc/practice — focus on: Confidentiality, Integrity, Availability (CIA Triad), Risk management concepts, Security controls (physical, technical, administrative).