ISC2 CC: Free Certification for GRC Entry

What Is the ISC2 Certified in Cybersecurity (CC)?

According to ISC2’s official certification page, the Certified in Cybersecurity (CC) is a foundational cybersecurity credential designed for individuals with no prior IT or security experience. ISC2 — the same organisation that maintains the CISSP, the gold standard for experienced security professionals — launched the CC as part of their One Million Certified in Cybersecurity programme, which provides both the self-paced training course and the exam voucher completely free of charge.

The CC validates foundational knowledge across five security domains: security principles, business continuity, access controls, network security, and security operations. While it is newer than CompTIA Security+, the CC is rapidly gaining recognition — particularly for governance, risk, and compliance (GRC) roles where the ISC2 name carries significant weight with hiring managers.

What makes the CC uniquely attractive for career changers is the cost: $0. No training fees. No exam fees. No catches. ISC2 is investing in growing the global cybersecurity workforce, and they are betting that people who start with the CC will eventually pursue the CISSP and other ISC2 certifications. For career changers on a budget, that is an incredible opportunity.

Source: ISC2 official Certified in Cybersecurity programme page at isc2.org (verified March 2026)

When I first heard about the ISC2 CC, I was sceptical. A free certification from the same organisation behind the CISSP? It sounded too good to be true. I was already deep into my CompTIA study plan and figured the CC was probably some watered-down credential nobody would take seriously. But after reading the exam domains — security principles, access controls, incident response — I realised it covers exactly the kind of foundational knowledge that GRC roles ask for. And the fact that it puts “ISC2” on your resume alongside “Certified in Cybersecurity” before you have spent years earning the CISSP? That is genuinely valuable. I wish I had known about it earlier in my journey.

In 2022, ISC2 launched the One Million Certified in Cybersecurity initiative with a stated goal of adding one million new cybersecurity professionals to the global workforce. According to ISC2’s own 2024 Cybersecurity Workforce Study, the global cybersecurity workforce gap stands at approximately 4 million unfilled positions worldwide.

To address this shortage, ISC2 made a strategic decision: remove the financial barriers to entry-level certification entirely. The programme includes:

  • Free self-paced online training — ISC2’s official CC course, covering all five exam domains
  • Free exam voucher — one attempt at the CC exam through Pearson VUE, with no cost to the candidate
  • Free ISC2 membership — for CC holders during their first year, giving access to ISC2’s professional network and resources

What is the catch? There is no hidden cost for earning the CC. However, maintaining the certification after the first year requires paying ISC2 Annual Maintenance Fees (AMF) of approximately $50 USD per year and earning Continuing Professional Education (CPE) credits. This is significantly cheaper than the AMF for CISSP holders ($125/year), but it is worth knowing about before you start.

Source: ISC2 One Million Certified in Cybersecurity programme page and ISC2 2024 Cybersecurity Workforce Study (verified March 2026)

The ISC2 CC exam tests foundational cybersecurity knowledge across five domains. Here are the key details:

| Detail | ISC2 CC |
|---|---|
| Number of questions | 100 |
| Question types | Multiple choice (adaptive testing — CAT format) |
| Time allowed | 2 hours |
| Passing score | 700 out of 1,000 |
| Testing provider | Pearson VUE (in-person or online proctored) |
| Cost | Free (through One Million CC programme) |
| Prerequisites | None |
| Languages | English, with additional languages being added |

The CC uses Computerised Adaptive Testing (CAT), which means the exam adjusts question difficulty based on your performance. If you answer a question correctly, the next question may be slightly harder. If you answer incorrectly, the next may be slightly easier. The exam determines your competency level with fewer questions than a traditional fixed-form test.

This means:

  • You cannot skip questions or go back to previous answers
  • The exam may end before you reach 100 questions if the system has enough data to determine your score
  • Each question matters — take your time and read carefully before answering

The CC exam is organised into five domains. Understanding the weightings helps you allocate study time effectively:

| Domain | Weight | What It Covers |
|---|---|---|
| 1. Security Principles | 26% | CIA triad, authentication, non-repudiation, privacy, security governance, risk management, ethics, ISC2 Code of Ethics |
| 2. Business Continuity, Disaster Recovery & Incident Response | 10% | Business continuity planning, disaster recovery, incident response lifecycle, incident handling procedures |
| 3. Access Controls Concepts | 22% | Physical and logical access controls, authentication methods, identity management, least privilege, separation of duties |
| 4. Network Security | 24% | Network architecture, network security controls, common threats, firewalls, IDS/IPS, wireless security, network hardening |
| 5. Security Operations | 18% | Data security, system hardening, security policies, security awareness training, logging, monitoring, change management |

Key observation for study planning: Security Principles is the largest domain at 26%, followed closely by Network Security at 24% and Access Controls at 22%. Together, these three domains account for 72% of the exam. If you are short on study time, prioritise these three.

Business Continuity/DR/IR is the smallest domain at just 10%, but do not skip it entirely — it contains concepts that appear in almost every GRC job description.

Domain weights source: ISC2 CC Exam Outline (verified March 2026). ISC2 may update domain weights — always check the current exam outline at isc2.org.

This is the question every career changer asks: should I get the CC or Security+? The honest answer is that they serve different purposes, and many people benefit from getting both.

ISC2 CC vs CompTIA Security+

ISC2 CC
  • Cost: Free. Training and exam both free through One Million CC programme
  • Focus: GRC and governance. Stronger on security principles, access controls, and business continuity
  • Difficulty: Moderate. 100 questions, 2 hours, adaptive testing, passing score 700/1000
  • Recognition: Growing rapidly. ISC2 name carries weight in GRC — newer but backed by CISSP organisation

CompTIA Security+ (SY0-701)
  • Cost: ~$404 USD. Exam voucher only — study materials extra
  • Focus: Broad technical security. Stronger on threats, architecture, security operations, and hands-on skills
  • Difficulty: Higher. 90 questions + PBQs, 90 minutes, passing score 750/900
  • Recognition: Industry standard. DoD 8570/8140 approved, most requested cert in job postings per CyberSeek

Verdict: Get ISC2 CC first if you are on a tight budget or targeting GRC roles. Get Security+ first if you are targeting SOC analyst or technical security roles. Ideally, get both — CC is free, so there is no reason not to.

Use case: Budget-conscious career changers: CC first (free), then Security+. Career changers targeting SOC roles: Security+ first, CC as a complement. GRC-focused: CC first, then Security+.

Get the CC first if:

  • You have limited budget and cannot afford the $404 Security+ voucher yet
  • You are specifically targeting GRC, compliance, or audit roles
  • You want to establish an ISC2 membership early for long-term career positioning toward CISSP
  • You want a quick win — the CC can be earned in 4-6 weeks of study, building confidence before tackling Security+

Get Security+ first if:

  • You are targeting SOC Analyst or technical security analyst roles
  • You need a credential that satisfies DoD 8570/8140 requirements (CC does not currently appear on this list)
  • You want the certification that appears in the most job postings according to CyberSeek data
  • You prefer an exam with performance-based questions that test hands-on skills

Since the CC is free, the optimal strategy for most career changers is to get both certifications. The CC and Security+ cover overlapping but distinct content. Having both on your resume demonstrates breadth and shows you are serious about the field. The study time for both is roughly 3-5 months total, and the only direct cost is the Security+ exam voucher.

The CC is designed to be achievable in a shorter timeframe than Security+. Here is a study plan for career changers studying 8-10 hours per week:

| Week | Focus | Resources |
|---|---|---|
| Week 1 | Domain 1: Security Principles (26%) — CIA triad, authentication, governance, risk management, ISC2 Code of Ethics | ISC2 free self-paced course, Chapter 1 |
| Week 2 | Domain 3: Access Controls (22%) — Physical/logical controls, identity management, least privilege, separation of duties | ISC2 free self-paced course, Chapter 3 |
| Week 3 | Domain 4: Network Security (24%) — Network architecture, firewalls, IDS/IPS, wireless security, common threats | ISC2 free self-paced course, Chapter 4 |
| Week 4 | Domain 5: Security Operations (18%) — Data security, hardening, policies, logging, monitoring, change management | ISC2 free self-paced course, Chapter 5 |
| Week 5 | Domain 2: BC/DR/IR (10%) + full review of all five domains | ISC2 free self-paced course, Chapter 2 + review all chapters |
| Week 6 | Practice exams and final review — aim for 80%+ consistently before scheduling the real exam | Practice questions, flashcards, weak-area review |

Why this order? The plan front-loads the three highest-weighted domains (Security Principles, Access Controls, Network Security = 72% of the exam) in the first three weeks. Business Continuity is saved for Week 5 because it is the smallest domain and benefits from the context you build studying the other four domains first.

  • ISC2 Official Self-Paced Training — Free through the One Million CC programme. Register at isc2.org. This is the primary study resource and covers all five domains comprehensively.
  • ISC2 CC Exam Outline — Free download from isc2.org. Print it and use it as your study checklist.
  • ISC2 Study App — Free flashcards and practice questions available through ISC2’s member portal.
  • r/ISC2 on Reddit — Active community discussing CC study strategies, exam experiences, and tips.
  • YouTube CC study guides — Multiple free video walkthroughs of all five domains. Search for “ISC2 CC study guide 2026” for current content.

You do not need paid resources for the CC. The free ISC2 training course is comprehensive and aligns directly with the exam. This is one of the few certifications where the official free training is genuinely sufficient on its own.

The study tracker includes an ISC2 CC study timeline that fits alongside your other certifications — so you can stack credentials without burning out.

The CC is particularly valuable for roles on the governance, risk, and compliance (GRC) side of cybersecurity. According to CyberSeek.org’s career pathway data and ISC2’s workforce research, these roles frequently value ISC2 credentials:

| Role | Typical Salary Range (USD) | Why CC Helps |
|---|---|---|
| GRC Analyst | $55,000 - $85,000 | CC covers governance, risk, and compliance fundamentals directly |
| Compliance Analyst | $50,000 - $80,000 | CC’s security principles and operations domains align with compliance frameworks |
| Security Analyst (Junior) | $50,000 - $75,000 | CC demonstrates foundational security knowledge alongside Security+ |
| IT Auditor | $55,000 - $90,000 | CC’s access controls and security operations map to audit requirements |
| Risk Analyst | $55,000 - $85,000 | CC’s risk management coverage provides the foundational framework |
| Information Security Specialist | $55,000 - $80,000 | CC + Security+ together cover the breadth expected for entry-level InfoSec roles |

Individual results vary based on location, experience, market conditions, and effort invested.

Salary ranges are approximate and based on CyberSeek.org data and ISC2 workforce studies (verified March 2026). Actual compensation depends on location, employer, experience, and market conditions.

Most career changers focus exclusively on SOC Analyst roles, which creates heavy competition. GRC roles are often less competitive because fewer beginners target them — yet they pay comparably and offer strong long-term career growth. The CC positions you for this less crowded entry point.

GRC roles also tend to value communication, documentation, and policy skills — transferable skills that career changers from non-IT backgrounds often already possess. If you spent years writing reports, managing processes, or ensuring regulatory compliance in another industry, those skills translate directly to GRC work.

Certification Progression: Where CC Fits Long-Term

The CC is not a destination — it is a starting point in a certification journey. Here is how it fits into a long-term progression:

Certification Progression From ISC2 CC

Building from free entry-level to senior security credentials

ISC2 CC (Entry Level — Free)
  • Security fundamentals
  • GRC foundation
  • ISC2 membership

CompTIA Security+ (Entry Level — ~$404)
  • Broader technical coverage
  • DoD 8570 compliant
  • Most requested in job postings

CySA+ or SSCP (Intermediate — 1-2 years experience)
  • CySA+: SOC and blue team focus
  • SSCP: ISC2 security administration
  • Choose based on career direction

CISSP (Senior — 5+ years experience)
  • Security management and architecture
  • Requires 5 years experience
  • Gold standard for senior roles
How CC Stacks With Other Entry Certifications

The CC works best as part of a certification stack rather than as a standalone credential. Here is how different stacking strategies work:

| Certification Stack | Target Role | Timeline |
|---|---|---|
| CC alone | Very early career exploration, GRC internships | 4-6 weeks |
| CC + Security+ | SOC Analyst, Junior Security Analyst, GRC Analyst | 5-7 months total |
| CC + Security+ + CySA+ | SOC Analyst Tier 2, Threat Analyst | 12-18 months total |
| CC + Security+ + cloud cert (AWS/Azure) | Cloud Security Analyst | 8-12 months total |
| CC → SSCP → CISSP | GRC career track within ISC2 ecosystem | 5+ years |

The CC + Security+ combination is the strongest entry-level stack because it gives you credentials from both major certification bodies (ISC2 and CompTIA), covers both governance and technical domains, and the CC costs nothing extra.

Before the exam:

  • Complete the ISC2 self-paced training at least once through, taking notes on each domain
  • Score 80%+ consistently on practice questions before scheduling the exam
  • Understand CAT format — you cannot go back to previous questions, so read each question carefully and commit to your answer
  • Register through ISC2 to receive your free exam voucher, then schedule at Pearson VUE

During the exam:

  • Read every question completely before considering the answers — adaptive tests penalise rushed wrong answers
  • Eliminate obviously wrong answers first, then choose among remaining options
  • Manage your pace — 100 questions in 2 hours gives you roughly 72 seconds per question, but the exam may end early if the adaptive engine has enough data
  • Do not panic if questions feel harder — that means the adaptive system is testing your upper bounds, which can be a good sign
  • Focus on the ISC2 perspective — ISC2 exams often test what you should do according to best practices, not necessarily what you would do in practice

After the exam:

  • You receive your result immediately at the testing centre
  • If you pass, ISC2 will email you with instructions to endorse your certification
  • Since the CC has no experience requirement, you do not need a sponsor — you self-endorse by agreeing to the ISC2 Code of Ethics
  • Your ISC2 membership begins immediately, giving you access to member resources

Once you earn the CC, maintaining it requires:

  • Annual Maintenance Fee (AMF): Approximately $50 USD per year (first year free through the One Million CC programme)
  • Continuing Professional Education (CPE) credits: 15 CPE credits per year, or 45 over the three-year certification cycle
  • CPE activities include: Attending webinars, completing training courses, reading security publications, volunteering, or mentoring

CPE credits are not difficult to earn. ISC2 provides free webinars and resources that count toward your CPE requirement. Many career changers earn credits naturally through their ongoing study and professional development activities.

AMF and CPE requirements source: isc2.org (verified March 2026). ISC2 may update fees and requirements — verify current details before earning your certification.

The ISC2 CC is a genuinely valuable free certification for career changers entering cybersecurity, especially those targeting GRC and compliance roles.

  • It is completely free — training and exam through ISC2’s One Million CC programme. No other recognised cybersecurity certification offers this.
  • It covers five foundational domains with Security Principles (26%), Network Security (24%), and Access Controls (22%) carrying the most weight.
  • It uses adaptive testing (CAT) — 100 questions, 2 hours, 700/1000 to pass. You cannot go back to previous questions.
  • It is achievable in 4-6 weeks of focused study using ISC2’s free self-paced training.
  • It complements Security+ rather than replacing it. The ideal entry-level stack is CC + Security+ together.
  • It positions you for GRC roles where the ISC2 name carries particular weight with hiring managers.
  • It establishes your ISC2 membership early, creating a pathway to SSCP and eventually CISSP as you gain experience.
  • Annual maintenance costs $50/year after the first year, plus 15 CPE credits annually.

If you are a career changer on a budget, the CC should be one of the first certifications you earn. It costs nothing, teaches foundational concepts, and puts the ISC2 name on your resume from day one.


Exam details, domain weights, pricing, and programme availability are subject to change. Always verify current information directly at isc2.org before registering.

Individual results vary based on location, experience, market conditions, and effort invested. This guide provides general guidance and does not guarantee employment outcomes.

Technical content verified in March 2026 against the ISC2 CC Exam Outline, ISC2 One Million Certified in Cybersecurity programme details, and ISC2 2024 Cybersecurity Workforce Study.

Frequently Asked Questions

Is the ISC2 CC really free?

Yes. Through ISC2's One Million Certified in Cybersecurity programme, both the self-paced training course and the exam voucher are completely free. The only costs are the annual maintenance fee of approximately $50 USD per year after your first year, and any optional study materials you choose to purchase.

Is ISC2 CC easier than CompTIA Security+?

Generally yes. The CC covers foundational concepts at a slightly less technical depth than Security+. The CC has 100 multiple-choice questions in 2 hours with adaptive testing, while Security+ has up to 90 questions including performance-based questions in 90 minutes. Most career changers find the CC achievable in 4-6 weeks of study compared to 3-5 months for Security+.

Is ISC2 CC recognised by employers?

Recognition is growing rapidly. The ISC2 name carries significant weight in the cybersecurity industry, particularly for GRC and compliance roles. While Security+ currently appears in more job postings, the CC is increasingly listed as a desirable or accepted credential, especially by employers who already value ISC2 certifications like CISSP.

Should I get ISC2 CC or CompTIA Security+ first?

If budget is tight, get the CC first since it is free. If you are targeting SOC analyst roles, get Security+ first since it appears in more technical job postings and satisfies DoD 8570/8140 requirements. Ideally, get both — the CC costs nothing and the combined stack is stronger than either alone.

Does ISC2 CC satisfy DoD 8570/8140 requirements?

As of March 2026, the CC does not appear on the DoD 8570.01-M or 8140 approved certifications list. If you need a certification for government or defence contractor roles, CompTIA Security+ is the entry-level credential that satisfies those requirements.

How long does the ISC2 CC take to study for?

Most career changers can prepare for the CC in 4-6 weeks studying 8-10 hours per week. The ISC2 free self-paced training course is comprehensive and sufficient on its own. The exam covers foundational concepts that are achievable in a shorter timeframe than Security+.

What experience do I need for ISC2 CC?

None. The CC has no work experience prerequisites and no formal education requirements. It is specifically designed for people entering the cybersecurity field with no prior experience. After passing, you self-endorse by agreeing to the ISC2 Code of Ethics — no sponsor needed.

How do I maintain my ISC2 CC certification?

After your first year (which is free), you pay an annual maintenance fee of approximately $50 USD and earn 15 Continuing Professional Education (CPE) credits per year. CPE credits can be earned through webinars, training, reading, volunteering, and other professional development activities. ISC2 provides free resources that count toward your CPE requirement.