IIBA members save 15%* on the Certificate in Cybersecurity Analysis (IIBA-CCA) exam fee or bundle for a limited time!
This offer ends on September 30, 2024—don’t miss out on this exclusive chance to start your certification journey at a discounted rate.
By obtaining the IIBA-CCA certification, you validate your cybersecurity analysis capabilities and position yourself for significant financial rewards and career growth. Invest in your future and maximize your salary potential with the IIBA-CCA certification.
Courses are presented by two leading experts in cybersecurity analysis and the learning material is aligned with leading industry standards in cybersecurity.
IIBA and IEEE Computer Society’s program provides the credibility of a joint certification and the opportunity to learn key cybersecurity concepts and tools business analysis professionals need to demonstrate core competencies.
The exam consists of 75 multiple choice, knowledge-based questions and must be completed within 90 minutes.
It is a live, online-delivered exam that requires a computer, webcam, microphone, and access to the Internet.
The cybersecurity learning modules cover the basics of cybersecurity that a business analysis professional needs in order to contribute to an overall cybersecurity solution, and the comprehensive resources present the essential concepts behind that contribution.
To complement our Cybersecurity Analysis Certification (IIBA-CCA), the IIBA®-CCA Certification Handbook is now available.
Read the Certification Handbook
Special pricing for members when logged in.
* All amounts are in USD. Prices are subject to change without notice.
This member-exclusive PDF provides business professionals with a solid understanding of cybersecurity analysis and the essential concepts to assist in the overall cybersecurity solution.
Limited practical experience. Expertise is developed in a safe, structured environment (small, less complex efforts) where guidance is both sought and provided.
Basic Knowledge: Has a fundamental awareness of basic skills and knowledge involved in the work.
Understands: Recognizes the key elements of the work and why they are important, but is not expected to have the experience or skill to execute them.
Follows Rules: Adheres to prescribed ways to complete the work but needs rules and guidelines to successfully execute.
1.1 General Awareness: Understands the role of Business Analysis in Cybersecurity
1.2 Practical Knowledge: Follows Rules to conduct a stakeholder analysis
1.3 Practical Knowledge: Follows Rules using existing documentation to draft a RACI for a Cybersecurity project or program initiative
1.4 General Awareness: Understands how to locate the organization's security framework or model, or knows that one does not yet exist
1.5 General Awareness: Understands what an Information Security Management System (ISMS) is and its objective
1.6 General Awareness: Understands what data privacy is
1.7 General Awareness: Understands the difference between an internal and external audit.
1.8 Practical Knowledge: Follows Rules and knows the difference between compliance and best practice
2.1 General Awareness: Understands what a cyber risk is
2.2 General Awareness: Basic Knowledge of what a Cybersecurity Risk Assessment is
2.3 Practical Knowledge: Follows Rules for the inputs to a Business Case that BAs are typically responsible for
2.4 General Awareness: Understands what Disaster Recovery Plans and Business Continuity Plans are
2.5 Practical Knowledge: Follows Rules to develop a business process flow diagram, and identify steps along the path that present potential cybersecurity vulnerabilities
3.1 General Awareness: Understands what Cybersecurity Controls are and where to find various versions
3.2 General Awareness: Understands the three attributes of secure information: confidentiality, integrity and availability
3.3 General Awareness: Understands the difference between a cyber threat and a cyber vulnerability
3.4 Practical Knowledge: Follows Rules to identify typical impacts of a cyber-attack to an organization
4.1 General Awareness: Understands that there are multiple layers of technology to protect
4.2 General Awareness: Understands what is meant by Endpoint Security
5.1 General Awareness: Understands what Information Classification means
5.2 General Awareness: Understands what Information Categorization means
5.3 General Awareness: Understands what Data Security at Rest means
5.4 General Awareness: Understands what Data Security in Transit means
5.5 General Awareness: Understands what Encryption is
5.6 General Awareness: Understands what a Digital Signature is
6.1 Practical Knowledge: Follows Rules to set up authorization
6.2 General Awareness: Understands what authentication is
6.3 General Awareness: Understands what access control means
6.4 General Awareness: Understands what Privileged Account Management is
6.5 Practical Knowledge: Follows Rules and is familiar with key actions employees should take responsibility for to maintain security
6.6 General Awareness: Understands the principle of least privilege
6.7 Practical Knowledge: Follows Rules to elicit user access requirements
7.1 Practical Knowledge: Follows Rules to identify a Security Requirement when presented with a list of requirements
7.2 General Awareness: Understands what SaaS, IaaS and PaaS are
7.3 Practical Knowledge: Follows Rules to document a current state business process including current technology
7.4 General Awareness: Understands a target state business process for a cybersecurity initiative
7.5 Practical Knowledge: Follows Rules to map cybersecurity solution components back to security requirements
8.1 General Awareness: Understands how to create and maintain a risk log
8.2 General Awareness: Basic Knowledge of the four risk treatment options: Accept, Avoid, Transfer, Mitigate
8.3 General Awareness: Understands what residual risk is
8.4 General Awareness: Understands how to create a report template for Security metrics
8.5 General Awareness: Understands Root Cause Analysis
A) Risk Response Plan.
B) Risk Owner.
C) Risk Category.
D) Risk Score.
A) A policy defines objectives and governance; a standard describes how to implement policies through specific controls.
B) A policy is a guideline, whereas a standard must be followed.
C) Policies are internal to the enterprise; standards are mandated by external regulators.
D) Standards define what an enterprise must do, whereas policies describe how a standard is implemented.
A) Assessment of potential providers and a ranking of their capabilities.
B) Implementation plans describing outsourcing arrangements.
C) Analysis of potential risks, including the probability and impact of the risk.
D) Detailed metrics that will be used to assess the performance of the selected vendor.
A) information categorization and multi-factor authentication.
B) cryptographic policy management and training.
C) concurrent session control and firewalls.
D) hardware security modules and certificate authorities.
A) cost can decrease exponentially along with the returns.
B) cost can decrease exponentially while the returns may not.
C) cost can increase exponentially while the returns may not.
D) cost can increase exponentially along with the returns.
A) for calling functions usually real-time.
B) for accessing databases usually overnight.
C) for triggering operations usually real-time.
D) for initiating updates usually overnight.
A) A survey of the market.
B) A comparison of practices or results to those of other organizations.
C) A risk assessment method that compares vulnerabilities to known attacks on other peer organizations.
D) A way to identify and implement innovative practices not found in other organizations.
A) the architecture and designs align with the organization's core goals and strategic direction.
B) employees are trained to recognize phishing attacks.
C) a control framework is in place.
D) an organizational risk assessment includes assets used by engineering teams.
A) from the branch in the hierarchy to a leaf in the hierarchy.
B) from a leaf in the hierarchy to the branch in the hierarchy.
C) from the root in the hierarchy to a branch in the hierarchy.
D) from a branch in the hierarchy to the root of the hierarchy.
A) monitor ongoing, problematic data access.
B) secure information stored in databases.
C) eliminate threats.
D) identify classification categories.
A) To preserve the cost that was invested in those IT assets.
B) To protect the data and information within the IT assets where it is stored and transmitted.
C) To comply with the regulations.
D) To match what the peer companies are doing.
A) Information Classification.
B) Role Based Access.
C) Preferred Access.
D) Shared Account.
A) risk appetite.
B) vulnerability impact.
C) risk management.
D) risk capacity.
A) Principle of Least Privilege.
B) Principle of Defense in Depth.
C) Principle of Thinking Evil.
D) Principle of Simplicity.
A) the users may be able to exploit a bug.
B) the user may have malware installed on their computer that will be able to intercept information.
C) it may allow unintended direct execution of commands.
D) passwords may be easily guessed by outsiders.
1. B)
2. A)
3. C)
4. D)
5. C)
6. A)
7. B)
8. A)
9. D)
10. C)
11. B)
12. B)
13. D)
14. A)
15. C)
| Exam domain | Weight |
| --- | --- |
| Cybersecurity Overview and Basic Concepts | 14% |
| Enterprise Risk | 14% |
| Cybersecurity Risks and Controls | 12% |
| Securing the Layers | 5% |
| Data Security | 15% |
| User Access Control | 15% |
| Solution Delivery | 13% |
| Operations | 12% |
*Terms & Conditions:
This offer is applicable to active IIBA members who purchase any of the following between September 1 and September 30, 2024, until 23:59 ET (UTC -4): IIBA®-CCA bundle, IIBA®-CCA exam, IIBA®-CCA exam rewrite, IIBA®-CPOA bundle, IIBA®-CPOA exam, IIBA®-CPOA exam rewrite, IIBA®-CBDA exam, IIBA®-CBDA exam rewrite, IIBA®-AAC exam, or IIBA®-AAC exam rewrite. Non-members can qualify for this offer by becoming an IIBA member before making eligible purchases. This offer does not apply to bulk or Volume Purchase Agreement (VPA) transactions and cannot be combined with any other promotional code, discount, or offer. Please note that this offer is subject to change without notice. The discounted prices will automatically appear in the cart once a member is logged in.