The ISC2 CC exam is changing on 1 September 2026, and if you are studying for Certified in Cybersecurity right now, that date matters. ISC2 has confirmed a refreshed exam outline that folds foundational AI security concepts into all five CC domains. Nothing about the certification's value changes, but the questions you face on exam day will.
So should you rush to sit CC before 1 September 2026, or study the new outline and book later? This guide breaks down exactly what is changing, who should book early, and how to decide based on your own readiness rather than panic.
The Short Answer
If you are already close to exam-ready on the current outline, book your CC exam before 1 September 2026 and sit the version you have been studying. If you are only just starting, there is no need to rush. Study the new outline from the outset and book whenever you are ready.
Exam Tip: The change is a content refresh, not a difficulty spike or a version retirement. CC earned under either outline is the same certification with the same three-year term, so there is no penalty for taking the newer version.
The rest of this post gives you the detail behind that decision.
What Is the ISC2 CC Exam?
Certified in Cybersecurity (CC) is ISC2's entry-level certification, aimed at people starting a career in security who have little or no experience. It proves you understand the foundational concepts an employer expects of a junior analyst, help-desk hire, or career changer moving into cyber.
Here are the current exam facts you need before you decide anything.
| Attribute | Detail |
|---|---|
| Exam fee | 199 US dollars in major markets |
| Annual maintenance fee | 50 US dollars once certified |
| Questions | 100 |
| Format | Linear, multiple choice |
| Time limit | 120 minutes |
| Passing score | 700 out of 1000 (scaled) |
| Delivery | Pearson VUE test centres and online proctoring |
| Domains | 5 |
| Validity | 3 years, renewed with CPE credits |
CC remains one of the highest-volume entry-level certifications in the industry, partly because ISC2 has run a free exam and training programme that has certified more than one million people. That popularity is exactly why the outline refresh is worth understanding before you book.
What Is Changing on 1 September 2026?
The current CC exam outline took effect on 1 October 2025. ISC2 has announced a refreshed outline effective 1 September 2026. The headline change is the integration of foundational AI security concepts across every one of the five domains.
The exam keeps its five-domain structure. What changes is that AI-related topics are now woven through each domain rather than sitting in a separate section. For an entry-level exam, that means you will be expected to recognise how AI affects the core principles you already study.
The Five CC Domains
The domain names stay the same. Based on the current outline, the domains and their approximate weightings are as follows. ISC2 has not yet published the exact reweighting for the September 2026 outline, so treat these as the current baseline.
| Domain | Approx. weight |
|---|---|
| Security Principles | 26% |
| Network Security | 24% |
| Access Controls | 22% |
| Security Operations | 18% |
| Business Continuity, Disaster Recovery and Incident Response | 10% |
The New AI Concepts You Will Be Tested On
ISC2 has described how AI now threads through the CC content. These are the specific additions to prepare for if you sit the exam on or after 1 September 2026.
- AI and the CIA triad. The outline introduces how AI affects the core pillars of information security: confidentiality, integrity and availability. You should be able to explain how an AI system can undermine or support each pillar.
- Managing automated accounts. Just like human users, AI bots and automated service accounts must be managed through a formal lifecycle, from provisioning to deprovisioning. Expect questions that treat non-human identities the same way as user accounts.
- Least privilege for AI systems. The refresh emphasises the principle of least privilege applied to automation, so entry-level staff can verify that automated systems hold only the permissions they need.
- Model drift as a continuity risk. The outline adds the concept of model drift, where an AI model's declining performance over time becomes a business continuity risk that needs monitoring.
- Recognising automated threats. Candidates are expected to identify AI assets and recognise automated or AI-driven threats as part of everyday security operations.
Exam Tip: None of these AI topics require you to build or train models. CC is testing recognition and governance, not engineering. If you can explain what could go wrong and which basic control addresses it, you are at the level the exam wants.
Should You Sit CC Before 1 September 2026?
This is the real question, and the honest answer depends on where you are in your study. Book the decision on readiness, not fear of the deadline.
Sit Before 1 September 2026 If...
- You have already studied the current five domains and are scoring consistently on practice questions.
- Your exam is booked, or you can realistically book and sit within the next few weeks.
- You would rather not add the new AI topics to your revision this close to exam day.
If that describes you, book now and sit the outline you already know. There is nothing to gain from waiting, and you avoid restudying material.
Study the New Outline and Book Later If...
- You are early in your preparation and will not be ready before the deadline anyway.
- You want your certification to reflect current, AI-aware content that maps to what employers now ask about.
- You are comfortable learning the additional AI concepts, which are foundational and not heavy.
If you are starting from scratch today, there is little point cramming to beat the deadline. The new outline is entry-level and, arguably, more useful because AI security awareness is now expected in junior roles.
Exam Tip: Whichever version you target, pull the matching exam outline directly from the ISC2 website before you build your study plan. ISC2 had not published the full reweighted September 2026 outline at the time of writing, so verify the official document rather than relying on speculation.
How the CC Change Fits the Wider 2026 ISC2 Shift
CC is not being singled out. ISC2 published formal AI exam guidance in April 2026 and is threading AI security across its whole portfolio. The CCSP exam moved to a refreshed outline on 1 August 2026, and AI concepts have been added to CISSP domains too.
In other words, the CC refresh is the entry-level edge of a portfolio-wide update. Learning these concepts now pays off if you plan to progress from CC to SSCP, CISSP or a specialist AI security credential later. If you are weighing CC against other starter certifications, our comparison of ISC2 CC vs CompTIA Security+ breaks down which entry-level path suits you.
How to Prepare for the Updated CC Exam
Whether you sit before or after the deadline, the study approach is the same. Master the five domains first, then layer the AI concepts on top.
- Anchor on the five domains. Security Principles and Network Security together make up half the exam, so start there.
- Learn the AI additions as extensions, not new subjects. Tie each one to a domain you already know. Model drift sits under business continuity. Least privilege for bots sits under access controls.
- Drill with exam-style questions. CC rewards recognising the best answer under time pressure, so practise in question form rather than only reading.
- Review every wrong answer. Understanding why a distractor is wrong is worth more than memorising the correct option.
- Book with buffer. Give yourself a clear target date so your revision has a deadline, whichever outline you choose.
If you want a broader view of where CC sits among the best starting points this year, see our roundup of the best IT certifications for 2026, and browse the full CertCrush course catalogue to build your study plan.
Frequently Asked Questions
Is CC harder after the September 2026 change?
No. The refresh adds foundational AI awareness across the existing domains. It does not raise the difficulty level or change the entry-level positioning of the exam.
Does my CC stay valid if I passed the old outline?
Yes. CC is valid for three years from your pass date regardless of which outline you sat, and you renew it with continuing professional education credits.
Do I need AI experience to pass the new CC exam?
No. The AI content is conceptual and foundational. You need to recognise risks and basic controls, not build or configure AI systems.
What is the passing score for CC?
You need 700 out of 1000 on a scaled scoring model, and ISC2 uses compensatory scoring so your overall performance decides the result rather than any single domain.
Ready to Start Practising?
The ISC2 CC exam change on 1 September 2026 is not a reason to panic, but it is a reason to make a deliberate choice. If you are close to ready, book before the deadline and sit the outline you know. If you are just starting, study the new AI-aware version and book when you are ready.
Either way, the fastest route to a pass is realistic practice. Create a free CertCrush account to drill CC exam-style questions, track your weak domains, and walk into the test centre confident on whichever outline you sit.