- Neu
E-Book, Englisch, 296 Seiten
Doshi (ISC)2 Certified in Cybersecurity (CC) Exam Guide
1. Auflage 2026
ISBN: 978-1-80730-192-7
Verlag: Packt Publishing
Format: EPUB
Kopierschutz: 0 - No protection
Master core security concepts and pass the ISC2 Certified in Cybersecurity (CC) exam
E-Book, Englisch, 296 Seiten
ISBN: 978-1-80730-192-7
Verlag: Packt Publishing
Format: EPUB
Kopierschutz: 0 - No protection
Prepare for the ISC2 Certified in Cybersecurity (CC) exam without getting buried in jargon. Written by Hemang Doshi (CA, CISA, CC), an IT auditor and ISO 27001 lead auditor, this guide explains each objective in plain language.
You'll cover disaster recovery and incident response; access controls; network security; and security operations, sequenced to build confidence and reinforced with frequent checks for understanding. The book coverage reflects the 2025 exam, including the 2-hour, 100-125 item CAT format.
To help you practice the way the exam asks questions, you get topic-wise review MCQs, 50-100 flashcards, 25 focused exam tips, and two full 125-question mock exams with explanations. By the end of the course, you will be able to evaluate basic cybersecurity risks, select appropriate controls, and explain key cybersecurity concepts.
Autoren/Hrsg.
Weitere Infos & Material
1
Security Principles
It was a normal Monday morning at ABC Techassurance LLP. Employees logged in, emails started flowing, and the office buzzed with its usual energy. But within minutes, things began to go wrong.
First, the HR team noticed that the employee salary folder, which was normally locked behind strict access controls, was suddenly visible to everyone. Next, the operations team discovered that the company website had been replaced with a strange message. And then, the helpdesk phone began ringing nonstop: "We can't access our systems!"
What caused all this chaos? It was a single attacker who found a small vulnerability and used it to break , damage , and destroy all within an hour.
None of this had to happen. Each failure could have been prevented with simple security principles that we will look at in this chapter. Once you understand them, you will be able to look at incidents like this and know exactly what went wrong, why it happened, and how to prevent them from happening again. This chapter is intended to refine your knowledge of basic security principles. It covers the following key concepts:
- The confidentiality, integrity, and availability (CIA) triad
- Non-repudiation
- Authentication
- Message digests
- Privacy
- The risk management process
- Physical, technical, and administrative controls
- Preventive, detective, and corrective controls
- The ISC2 Code of Ethics
- Governance processes
The concepts covered in this chapter will help you answer questions from Domain 1 of the ISC2 Certified in Cybersecurity exam, Security Principles. The first concept to look at is the foundation of information security: the CIA triad.
The CIA triad
The most common goal of a cyber-attack is financial gain, and this is achieved through disclosure, alteration, and denial of data. This is often remembered as DAD. Disclosure involves exposing sensitive data, such as credit card details, without permission. Alteration means changing data without authorization – for example, an employee modifying customer account details in the database without permission to hide an unauthorized transaction. Denial refers to making systems or services unavailable, such as when an attacker takes down a company's website, making it unavailable to customers and users.
To counter DAD, organizations apply the CIA triad, i.e., confidentiality, integrity, and availability. Each CIA element is designed to prevent or reduce the risks posed by disclosure, alteration, and denial. It is the core of information security, ensuring that information is safe and useful.
The example that opened this chapter demonstrates the three core principles of the CIA triad: confidentiality was breached when sensitive salary information was exposed to unauthorized users; integrity was compromised when the company website was altered without authorization; and availability was impacted when employees were unable to access systems and applications. Next, we will look at the three elements in greater detail.
Free benefits with your book
Your purchase includes a free PDF copy of this book along with access to an online cert prep platform designed to help you ace your ISC2 Certified in Cybersecurity. Check the section in the to unlock them instantly and maximize your learning experience.
Here's what you'll find on the online platform:
- 2 mock exams (of 150 questions each)
- 258 Flashcards
- 20 Exam Tips
- More than 450 review questions
Confidentiality
Confidentiality means keeping information hidden from people who shouldn't see it. Only authorized users should have access to sensitive data. For example, an HR department should keep employee salary information in a password-protected folder where only the HR manager and other authorized staff can access it.
As mentioned earlier, one of the goals of an intrusion is to disclose sensitive information. Confidentiality controls are implemented to prevent such unauthorized disclosure and ensure that information is accessed only by authorized individuals. The principle of confidentiality applies to both data at rest and data in transit.
Data at rest refers to data stored in systems such as databases, laptops, USBs, or other removable devices, which can be protected using methods like encryption. Data in transit refers to data being transferred over a network, which can be protected using secure protocols such as HTTPS or VPN to prevent interception.
Integrity
Integrity means ensuring that information is accurate and not changed without permission. If someone alters a file, we must be able to detect and prevent it. A good example is a bank storing transaction records—if anyone tries to change the amount in a transaction, the system detects the change and raises an alert. Integrity-related controls are applied to counter unauthorized alteration.
Integrity can be further understood in two ways: data integrity and system integrity. Data integrity ensures that the actual data (such as records, files, and databases) remains accurate, complete, and unaltered unless properly authorized. System integrity ensures that the system itself, including operating systems, applications, and configurations, is not tampered with or modified in an unauthorized manner. Both are essential to maintain trust in information and systems.
Availability
Availability means that information and systems should be accessible as and when authorized users need them. For example, a hospital must keep its patient database available at all times, even during power outages, so doctors can access emergency records. They cannot afford any downtime as it may lead to injury or even death.
Availability-related controls are applied to counter denial of services or access.
Figure 1.1: CIA triad
Understanding the CIA triad is not just theoretical. As a security professional, your job is to actively protect confidentiality, integrity, and availability in real business environments. You must think like both a defender and an attacker, asking: "If I were an attacker, how could I cause disclosure, alteration, or denial? And as a security professional, how do I prevent it?" One example of confidentiality being ensured is by encrypting a database and allowing access only to authorized employees. Similarly, integrity is maintained by restricting who can modify customer account details, applying change approval processes, and keeping audit logs to detect any unauthorized alterations. Availability is ensured by implementing system backups, redundancy, and disaster recovery plans so that the website and database remain accessible to customers even during technical failures or cyber-attacks.
Disaster recovery plans are covered in more detail in .
In real-world environments, you often need to balance confidentiality, integrity, and availability because strengthening one area can impact another. For example, very strict access controls improve confidentiality but may slow down business operations and reduce availability for users who need quick access. Strong change control processes protect integrity, but it can also delay urgent system updates when speed is required. Making systems widely accessible improves availability but can increase exposure risks and affect confidentiality. As a security professional, your responsibility is to understand business priorities, assess risks, recommend practical security controls, and find the right balance between protection and usability. The mindset to adopt is simple: security must protect the business, not block the business.
Figure 1.2: Confidentiality versus availability
Mapping attack objectives to CIA security principles
All cyber-attacks are essentially attempts to compromise one or more elements of the CIA triad. SQL injection attacks integrity, and denial of service reduces availability, for instance. The following examples are of types of...




