In 2022, ISC2 launched the One Million Certified in Cybersecurity program, along with a new entry-level exam and certification called Certified in Cybersecurity (CC). Under this program, the first one million people to sign up receive free self-paced training and one free exam attempt. I signed up last year, when I first heard about the course, with the goal of experiencing ISC2-led training and an ISC2 exam as I considered future training and certification options.
About Me
Before discussing the material and the exam, I think it’s important to set a baseline for my experience and the perspective it gives me on the material. I’ve been in IT for 10 years, starting in a NOC before moving to the blue-team side of cybersecurity. About 5 years ago, I made the transition to the red-team side and have been helping my clients through offensive security work ever since.
The Course
Like other ISC2 exams, the CC exam is divided into domains. In this case, there are five:
• Domain 1. Security Principles
• Domain 2. Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts
• Domain 3. Access Controls Concepts
• Domain 4. Network Security
• Domain 5. Security Operations
Each of these domains is covered in the official course by approximately 2-4 hours of video, along with detailed outlines and notes. ISC2 also publishes an e-textbook for an additional fee. Each topic is covered very broadly and introduces fundamental knowledge about the subject. For example, Domain 3, Access Controls Concepts, contains material about the various access control models, such as role-based access control (RBAC) and mandatory access control (MAC).
The Exam
The CC exam is 100 multiple-choice questions. There is no published raw passing score; as with other ISC2 exams, the cutoff depends on the exact questions served on a given test. Non-official sources that I could find estimated it at around 70%. A candidate has 2 hours total to answer the 100 questions.
To prepare for the exam, I watched the videos in the official course and took notes where necessary. I also purchased a set of practice exams, worked through each of them, and reviewed the questions I missed along with their explanations.
On exam day, I drove to the Pearson test center, which was located at a community college about an hour and a half away from me. I thought it was unusual that the local community college and its Pearson center didn’t offer any available test times.
Check-in will be familiar to anyone who has taken a proctored exam before. I showed up at my scheduled time, and the proctors checked the IDs of everyone taking an exam that day, had us empty our pockets, and took our pictures. I learned from talking to the others that they were mostly there to take the entry-level CompTIA exams, and that none of them had heard of the CC exam.
The exam was a standard computer-based test. It took me about 30 minutes, and in my mind the questions were more difficult than either the third-party or official practice tests I had taken. Upon exiting the testing room, I was handed a printout informing me that I had provisionally passed the exam.
Verdict
Who is this certification for? In my opinion, it is best pursued by someone who is entry-level and looking for their first exposure to cybersecurity, such as a help desk employee or perhaps a student.