Become ISC2 Certified in Cybersecurity you own this product

Everything you need to get the certification

Paulo Carreira and Andreé Miranda Louraço

MEAP began June 2025
Last updated January 2026
Publication in June 2026 (estimated)

ISBN 9781633435667
450 pages (estimated)

Included with a Manning Online subscription

printed in black & white

available in Italian

catalog / Leadership and Careers / Technical Skills / Cybersecurity

resources: Book forum

table of content

Introduction

Part 1: Security Principles

1 Security Concepts of Information Assurance

1.1 Fundamental Terms of Cybersecurity

1.1.1 Organizations

1.1.2 Information Systems and Information Technology

1.1.3 Tangible Assets, Intangible Assets, and Human Assets

1.1.4 Vulnerabilities, Threats, and Actors

1.1.5 Security Controls

1.2 The Confidentiality, Integrity, Availability (CIA) Triad

1.3 Data Classification

1.3.1 Sensitive information

1.3.2 Confidential information

1.3.3 Personally Identifiable Information (PII)

1.3.4 Protected Health Information (PHI)

1.4 Closing Thoughts

1.5 Summary

1.6 Review Questions

1.7 Answers to Review Questions

2 Risk Management

2.1 Risk

2.1.1 Impact

2.1.2 Likelihood

2.1.3 The definition of risk

2.2 Risk Management

2.2.1 Risk management process overview

2.2.2 Risk Assessment

2.2.3 Risk Treatment

2.3 Closing Thoughts

2.4 Summary

2.5 Review Questions

2.6 Answers to Review Questions

3 Understanding Security Controls

3.1 Understanding Security Controls

3.1.1 Categories of Security Controls

3.1.2 Physical controls

3.1.3 Technical controls

3.1.4 Administrative controls

3.1.5 Types of security controls

3.1.6 Understanding security controls by category and by type

3.2 Defense-in-Depth

3.3 Closing Thoughts

3.4 Summary

3.5 Review Questions

3.6 Answers to Review Questions

4 Understanding Governance Processes and Elements

4.1 Governance Framework Overview

4.2 Laws and Regulations

4.2.1 General Data Protection Regulation (GDPR)

4.2.2 Health Insurance Portability and Accountability Act (HIPAA)

4.2.3 Gramm-Leach-Bliley Act (GLBA)

4.3 Standards

4.4 Policies

4.5 Procedures

4.6 Guidelines

4.7 Closing Thoughts

4.8 Summary

4.9 Review Questions

4.10 Answers to Review Questions

5 ISC2 Code of Ethics

5.1 Ethics

5.2 Professional Codes of Conduct

5.3 The ISC2 Code of Ethics

5.3.1 ISC2 Code of Ethics Preamble

5.3.2 The ISC2 Code of Ethics canons

5.3.3 Examples of application of the cannons

5.3.4 Reporting violations

5.4 Closing Thoughts

5.5 Summary

5.6 Review Questions

5.7 Answers to Review Questions

Part 2: Incident Response, Business Continuity, and Disaster Recovery Concepts

6 Incident Response

6.1 Why Is Incident Response Important?

6.2 Events, Incidents, and Security Incidents

6.3 Incident Response Lifecycle

6.3.1 Preparation

6.3.2 Detection and Analysis

6.3.3 Containment, Eradication, and Recovery

6.3.4 Post-Incident activity

6.4 Incident Response Plan

6.5 The Security Operations Center (SOC)

6.5.1 SOC Structure

6.5.2 Escalation

6.6 Closing Thoughts

6.7 Summary

6.8 Review Questions

6.9 Answers to Review Questions

7 Business Continuity Planning

7.1 The importance of Business Continuity

7.2 Business Impact Analysis

7.3 Business Continuity Plan

7.3.1 Developing a Business Continuity Plan

7.3.2 Components of Business Continuity Plan

7.4 Testing the BCP

7.5 Closing Thoughts

7.6 Summary

7.7 Review Questions

7.8 Answers to Review Questions

8 Disaster Recovery Plan

8.1 Disaster Recovery Plan

8.2 Data Recovery Strategies

8.3 Disaster Recovery Infrastructure

8.3.1 Recovery Sites

8.4 Testing the DRP

8.5 Closing Thoughts

8.6 Summary

8.7 Review Questions

8.8 Answers to Review Questions

Part 3: Concepts of Access Control

9 Access Control

9.1 Subjects, Objects, and Rules

9.2 Identification, Authentication, Authorization, and Accountability

9.2.1 Identification

9.2.2 Authentication

9.2.3 Authorization

9.2.4 Accountability

9.3 Identity and Access Management (IAM)

9.4 Account Types

9.5 Privileged Access Management (PAM)

9.6 Principles of Access Control

9.6.1 Least Privilege

9.6.2 Segregation of Duties (SoD)

9.6.3 Two-Person Control

9.6.4 Need-to-Know

9.6.5 Defense-in-Depth

9.7 Closing Thoughts

9.8 Summary

9.9 Review Questions

9.10 Answers to Review Questions

10 Physical Access Controls

10.1 Physical Access Protection

10.1.1 Security perimeters

10.1.2 Protecting the outer perimeter

10.1.3 Protecting the inner perimeter

10.1.4 Protecting work-area perimeters

10.1.5 Protecting secure-area perimeters

10.2 Physical Authentication

10.2.1 Sign-in and ID verification

10.2.2 Badge systems

10.2.3 Biometrics

10.3 Physical Access Monitoring

10.3.1 Security guards

10.3.2 Security cameras (CCTV)

10.3.3 Alarm systems

10.3.4 Physical access logs

10.4 Closing Thoughts

10.5 Summary

10.6 Review Questions

10.7 Answers to Review Questions

11 Logical Access Controls

11.1 Access Control Models

11.1.1 Discretionary access control (DAC)

11.1.2 Mandatory access control (MAC)

11.1.3 Role-Based access control (RBAC)

11.2 Identity Management

11.2.1 Directory services

11.2.2 Single Sign-On (SSO)

11.2.3 Federated Identity Management (FIM)

11.3 Monitoring Logical Access

11.3.1 Logical access logging

11.3.2 Log centralization

11.3.3 Typical suspicious access patterns

11.3.4 Privilege monitoring

11.4 Closing Thoughts

11.5 Summary

11.6 Review Questions

11.7 Answers to Review Questions

Part 4: Network Security

12 Networking

12.1 Networking Overview

12.2 Network Components

12.2.1 Endpoint devices

12.2.2 Network Interface Cards

12.2.3 Hubs and Repeaters

12.2.4 Switches

12.2.5 Routers

12.2.6 Wireless Access Point (WAP)

12.2.7 Proxy Servers

12.2.8 Firewalls

12.2.9 Connection links

12.3 Types of Networks

12.3.1 LAN, MAN, WAN, HAN

12.3.2 Wired and Wireless Networks

12.3.3 Internet of Things (IoT)

12.4 Addressing

12.4.1 MAC Addresses

12.4.2 IP Addresses

12.4.3 DNS

12.5 Networking Models

12.5.1 Data communication layers

12.5.2 Application (upper) layers

12.5.3 Encapsulation and Decapsulation

12.5.4 Layer responsibilities

12.6 Logical Ports

12.6.1 Well-known ports and port ranges

12.6.2 Secure ports and secure protocols

12.7 Network Segmentation

12.7.1 Physical segmentation

12.7.2 Virtual Local Area Networks (VLANs)

12.7.3 Subnetting

12.7.4 Micro-segmentation

12.7.5 Demilitarized Zone (DMZ)

12.7.6 Virtual Private Networks (VPN)

12.8 Closing Thoughts

12.9 Summary

12.10 Review Questions

12.11 Answers to Review Questions

13 Network Threats and Attacks

13.1. The Stages of a Cyber Attack

13.1.1. Reconnaissance

13.1.2. Weaponization

13.1.3. Delivery

13.1.4. Exploitation

13.1.5. Installation

13.1.6. Command and Control (C2)

13.1.7. Objective Execution

13.2. Understanding Threats and Attacks

13.2.1. Malware

13.2.2. Scripting Attacks

13.2.3. Password Attacks

13.2.4. Social Engineering

13.2.5. Spoofing

13.2.6. On-Path Attacks

13.2.7. Denial of Service (DoS) Attacks

13.2.8. Side-Channel Attacks

13.2.9. Physical Attacks

13.2.10. Insider Threats

13.2.11. Advanced Persistent Threats (APT)

13.3. Detecting, Preventing, and Containing Threats

13.3.1. Threat Intelligence

13.3.2. IDS and IPS

13.3.3. Logging and Monitoring

13.3.4. Security Information and Event Management (SIEM) Systems

13.3.5. Endpoint Protection

13.3.6. Firewalls

13.3.7. Email and Web Application Filtering

13.3.8. Network Access Control

13.3.9. Wireless Security

13.3.10. IoT Security

13.4. Network Security Assessment and Testing

13.4.1. Security Scanning

13.4.2. Understanding Vulnerability Assessments

13.4.3. Penetration Testing

13.5. Closing Thoughts

13.6. Summary

13.7. Review Questions

13.8. Answer to Review Questions

14 On-Premises and Cloud Infrastructure

14.1 Data Centers

14.1.1 High availability

14.1.2 Power redundancy

14.1.3 Network redundancy

14.1.4 Physical redundancy

14.1.5 HVAC and Environmental Controls

14.1.6 Physical security

14.1.7 On-premises infrastructure

14.2 Cloud Infrastructure

14.2.1 Cloud service providers and customers

14.2.2 Virtualization

14.2.3 The essential characteristics of Cloud Computing

14.3 Cloud Service Models

14.4 Cloud Deployment Models

14.4.1 Public Cloud

14.4.2 Private Cloud

14.4.3 Community Cloud

14.4.4 Hybrid Cloud

14.5 Managed Service Providers

14.5.1 Service Level Agreement (SLA)

14.5.2 Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)

14.6 Closing Thoughts

14.7 Summary

14.8 Review Questions

14.9 Answers to Review Questions

Part 5: Security Operations

15 Data Security

15.1 Cryptography

15.1.1 Symmetric Encryption

15.1.2 Asymmetric Encryption

15.1.3 Comparing Symmetric with Asymmetric Encryption

15.1.4 Hashing

15.1.5 Digital Signatures

15.1.6 Public Key Infrastructure (PKI)

15.2 Data Handling

15.2.1 States of Data

15.2.2 Data Lifecycle

15.2.3 Data Classification

15.2.4 Data Labelling

15.2.5 Data Retention

15.2.6 Data Destruction

15.2.7 Data Exfiltration Prevention

15.2.8 Data Loss Prevention

15.3 Closing thoughts

15.4 Summary

15.5 Review Questions

15.6 Answer to Review Questions

16 System Hardening

16.1 Purpose of System Hardening

16.2 Methods for Hardening

16.2.1 Policies for hardening

16.2.2 Attack surface reduction techniques

16.3 Security Baselines

16.4 Patching

16.5 Updates

16.6 Change Management

16.6.1 Change Management Lifecycle

16.7 Closing Thoughts

16.8 Summary

16.9 Review Questions

16.10 Answer to review questions

17 Security Policy Best Practices

17.1 Why Are Security Policies Necessary?

17.2 Elements of Security Policies

17.2.1 Senior Management Support Statement

17.2.2 Defined Purpose and Objectives

17.2.3 Scope and Applicability

17.2.4 Clear Definitions and Language

17.2.5 Exception Management Process

17.2.6 Regular Review and Maintenance

17.2.7 Enforcement and Consequences

17.3 The Data Handling Policy

17.4 The Password Policy

17.5 The Acceptable Use Policy (AUP)

17.6 The Bring Your Own Device (BYOD) Policy

17.7 Change Management Policy

17.8 The Privacy Policy

17.9 Closing Thoughts

17.10 Summary

17.11 Review Questions

17.12 Answers to Review Questions

18 Security Awareness Training

18.1 Security Awareness

18.2 The Security Culture

18.3 Security Awareness Programs

18.3.1 Why Establish a Security Awareness Program

18.3.2 Building Blocks of a Security Awareness Program

18.4 Security Education, Training and Awareness

18.4.1 Education

18.4.2 Training

18.4.3 Awareness

18.5 Summary

18.6 Review Questions

18.7 Answer to Review Questions

Part 6: Practice Exams

19 Exam 1

20 Exam 2

Appendices

Appendix A: Glossary of Terms

Appendix B: List of Acronyms

Appendix C: Reference Materials

Appendix D: Answers to Review Questions

Appendix E: Additional Resources for Further Study

Overview

5 ISC2 Code of Ethics

This chapter explains why a strong ethical foundation is indispensable for cybersecurity professionals who are entrusted with sensitive data, privileged access, and powerful tools. It distinguishes personal ethics from professional ethics and shows how formal codes guide behavior when competing values collide. Through common dilemmas—such as balancing compassion and fairness, privacy and transparency, or safety and profit—the chapter frames ethics as practical decision-making anchored in policies, law, and professional standards.

ISC2’s Code of Ethics is presented as the profession’s compass, composed of a preamble and four canons that set expectations for certified members. The preamble emphasizes safeguarding society and the common good and makes compliance a condition of certification. The four canons require practitioners to: prioritize societal welfare and public trust, including the security of critical infrastructure; act honorably, honestly, responsibly, and within the law; deliver competent, diligent, and economical service to their principals; and advance and protect the profession through continuous learning, community contribution, and addressing unethical conduct.

Practical guidance illustrates how intent, impact, and legality determine ethical standing in day-to-day choices (for example, the acceptable use of public information, or the risks of deceptive online personas). The chapter also outlines reporting: anyone may file complaints related to the first two canons, canon III complaints require a contractual relationship, and canon IV matters are limited to ISC2 members. Candidates must sign the Code after passing the exam, and the exam may test scenario-based judgment. Ultimately, consistent adherence to these standards builds trust, safeguards organizations and the public, and underpins professional credibility.

Summary of ISC2 Canons and their main goals

Answers to Review Questions

The correct answer is B. While reporting security vulnerabilities is an important aspect of information security; it is not explicitly stated as a principle within the ISC2 Code of Ethics Canons.
The correct answer is C. Provide diligent and competent service to principals. This principle emphasizes the importance of providing quality service to clients or employers and fulfilling professional responsibilities with due care and expertise.
The correct answer is A. Protect society, the common good, necessary public trust and confidence, and the infrastructure. This Canon emphasizes a security analyst's duty to avoid harm and uphold public well-being by protecting society, the common good, necessary public trust and confidence, and the infrastructure.
The correct answer is D. Having fake social media profiles and accounts can be socially objectionable but does not violate the ISC2 Ethics Canons. That being said, seeking to gain unauthorized access to resources on the internet, compromising the privacy of users, and disrupting the intended use of the internet are all considered unethical behaviors by ISC2, as well as by other similar professional organizations. Aside from being violations of professional codes of conduct, such actions may also be in violation of laws and regulations.
The correct answer is C. The ISC2 Code of Ethics applies specifically to ISC2 members and certified professionals, not to all members of the information security. All the other statements are true. Adherence to the code is a condition of certification, failure to comply with the code may result in revocation of certification, and members who observe a breach of the code are required to report the possible violation.

FAQ

What is the ISC2 Code of Ethics and why does it matter for CC candidates?

The Code sets professional standards for integrity, accountability, and respect for the law and stakeholders. Adherence is a condition of certification, and all Certified in Cybersecurity (CC) candidates must sign it after passing the exam.

What does the Preamble emphasize?

It stresses a duty to protect society and the common good, maintain public trust, and serve clients and peers ethically. It also states that strict adherence to the Code is mandatory for certification.

What are the four ISC2 Code of Ethics canons?

- Protect society, the common good, public trust and confidence, and the infrastructure: Put public welfare and trust first and safeguard digital infrastructure.
- Act honorably, honestly, justly, responsibly, and legally: Demonstrate integrity, avoid improper favors, consider consequences, and obey the law.
- Provide diligent and competent service to principals: Deliver skilled, accurate, relevant, and efficient work to those who engage your services.
- Advance and protect the profession: Pursue continuing education, contribute to the community, and report unethical conduct.

Who are “principals” in Canon III?

“Principals” are those who engage your services—typically your employer or clients. Your duty is to provide competent, accurate, relevant, and cost‑effective advice and services.

How should I approach ethical dilemmas (e.g., wrongdoing by a colleague or friend)?

Remain impartial, follow established policies and laws, and let evidence guide actions. Prioritize the public good, document decisions, and escalate through proper channels rather than showing favoritism.

Are ISC2 members required to report unethical behavior?

Yes. Members are expected to intervene and report suspected violations. They must also refuse to break the law, even if pressured by superiors.

How do I report a suspected Code of Ethics violation, and who can file?

Submit a formal ethics complaint to ISC2. Complaints about Canons I and II may be filed by anyone. Canon III complaints require a contractual relationship with the member. Canon IV complaints are limited to ISC2 members.

Do fake or anonymous online accounts violate the Code?

Not inherently. They become unethical when used for deception or harm (e.g., impersonation, misleading customers, phishing). Intent and impact determine alignment with the Code.

Is using a competitor’s public information for product ideas ethical?

Generally yes, if you use only publicly available information, respect intellectual property, and follow applicable laws and company policies. Do not use proprietary or confidential data.

Is liking a competitor’s social media post unethical?

No. It is typically acceptable if no confidential information is disclosed and company policies permit it. Professional respect and lawful conduct remain essential.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $35.99

you save $12.00 (25%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $35.99

you save $12.00 (25%)

eBook

pdf, ePub, online

$47.99 $35.99

you save $12.00 (25%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more