The ISC2 Certified Cloud Security Professional (CCSP) exam tests your knowledge across six distinct domains of cloud security. Each domain carries a different weight on the exam, and understanding what they cover — and how they connect — is critical to passing.
This guide breaks down every CCSP domain, its exam weight, key topics, and practical study strategies. Whether you're just starting your CCSP journey or doing final review, this is your roadmap.
📋 Table of Contents
- CCSP Domain Overview & Weights
- Domain 1: Cloud Concepts, Architecture and Design (17%)
- Domain 2: Cloud Data Security (19%)
- Domain 3: Cloud Platform and Infrastructure Security (17%)
- Domain 4: Cloud Application Security (17%)
- Domain 5: Cloud Security Operations (16%)
- Domain 6: Legal, Risk and Compliance (14%)
- Which Domains to Prioritize
- Study Tips by Domain
- Exam Format & Requirements
CCSP Domain Overview & Weights
The CCSP exam contains 150 questions (125 scored, 25 unscored pretest items) and you have 4 hours to complete it. The six domains are not weighted equally — Cloud Data Security carries the most weight at 19%, while Legal, Risk and Compliance carries the least at 14%.
CCSP Domain Weights at a Glance
- Domain 1: Cloud Concepts, Architecture and Design (17% of exam)
- Domain 2: Cloud Data Security (19% of exam, the highest weight)
- Domain 3: Cloud Platform and Infrastructure Security (17% of exam)
- Domain 4: Cloud Application Security (17% of exam)
- Domain 5: Cloud Security Operations (16% of exam)
- Domain 6: Legal, Risk and Compliance (14% of exam)
The passing score is 700 out of 1000. ISC2 uses a scaled scoring model, so there's no simple percentage threshold — focus on being strong across all domains rather than gambling on specific ones.
Domain 1: Cloud Concepts, Architecture and Design (17%)
This is your foundation. Domain 1 establishes the conceptual framework for everything else on the exam. If you don't nail this domain, the rest will feel disconnected.
What It Covers
- Cloud computing definitions and characteristics — the five essential characteristics from NIST SP 800-145 (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service)
- Cloud reference architecture — understanding service models (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid, community)
- Security concepts relevant to cloud — cryptography, access control, virtualization security, and the shared responsibility model
- Design principles of secure cloud computing — defense in depth, zero trust, least privilege as applied to cloud environments
- Evaluating cloud service providers — what to look for in CSP contracts, certifications (SOC 2, ISO 27001), and capabilities
Study Focus
Memorize the NIST cloud computing definitions. Understand the shared responsibility model across all three service models. Know the difference between cloud-native and cloud-enabled architectures. Be comfortable with business requirements driving cloud decisions.
Domain 2: Cloud Data Security (19%)
This is the highest-weighted domain on the CCSP exam, and for good reason — data protection is the core reason cloud security exists. Expect to see the most questions from this domain.
What It Covers
- Cloud data lifecycle — Create, Store, Use, Share, Archive, Destroy. Understand security controls at each phase.
- Data classification and labeling — categorizing data by sensitivity, implementing appropriate controls for each level
- Data privacy and protection — PII handling, data masking, tokenization, anonymization techniques
- Data rights management — DRM, IRM, and how they apply in multi-tenant cloud environments
- Data retention, deletion, and archiving — crypto-shredding, secure deletion challenges in shared storage, legal holds
- Encryption and key management — encryption at rest, in transit, and in use; key management solutions (BYOK, HYOK, CSP-managed)
- Data discovery and classification technologies — DLP tools, data flow mapping, content inspection
Study Focus
Master the cloud data lifecycle — it's the backbone of this domain. Understand key management options and their trade-offs. Know the difference between tokenization and encryption. Be clear on data residency vs. data sovereignty.
Domain 3: Cloud Platform and Infrastructure Security (17%)
Domain 3 gets into the technical infrastructure that runs cloud services. This is where your understanding of networking, virtualization, and physical security in cloud data centers gets tested.
What It Covers
- Cloud infrastructure components — compute, storage, networking fundamentals in cloud environments
- Virtualization security — hypervisor types (Type 1 vs Type 2), VM escape, container security, serverless considerations
- Network security in cloud — VPCs, security groups, NACLs, micro-segmentation, SDN, and network function virtualization
- Physical and environmental controls — data center security, redundancy, understanding CSP facility certifications
- Disaster recovery and business continuity — RPO, RTO, high availability across regions and availability zones
- Management plane security — securing the APIs, consoles, and automation tools used to manage cloud resources
Study Focus
Understand the different isolation mechanisms in cloud (physical, virtual, logical). Know your DR metrics (RPO, RTO, MTBF, MTTR). Be clear on how network security differs between on-premises and cloud — especially the management plane, which is unique to cloud environments.
Domain 4: Cloud Application Security (17%)
This domain focuses on building and deploying secure applications in the cloud. If you have a development background, you'll find familiar territory here. If not, pay extra attention.
What It Covers
- Secure software development lifecycle (SSDLC) — integrating security into every phase of development
- Cloud-specific application threats — OWASP Top 10, injection attacks, broken authentication, SSRF in cloud environments
- Identity and access management (IAM) — federated identity, SAML, OAuth, OpenID Connect, MFA in cloud applications
- Application security testing — SAST, DAST, IAST, penetration testing, and bug bounty considerations in cloud
- Software supply chain security — third-party libraries, container image scanning, CI/CD pipeline security
- API security — securing RESTful APIs, API gateways, rate limiting, authentication mechanisms
Study Focus
Focus on the SSDLC phases and what security activities happen at each stage. Understand identity federation protocols (SAML vs OAuth vs OIDC — know the differences). Be familiar with common cloud application threats and their mitigations.
Domain 5: Cloud Security Operations (16%)
Operations is where theory meets reality. This domain tests your ability to implement, manage, and maintain cloud security on a day-to-day basis.
What It Covers
- Physical and logical infrastructure — building and managing secure cloud infrastructure operations
- Operational controls and standards — ITIL, change management, configuration management, patch management in cloud
- Security operations center (SOC) — monitoring, logging, SIEM, incident detection in cloud environments
- Incident management — cloud-specific IR procedures, forensics challenges (volatile evidence, shared infrastructure), chain of custody
- Supply chain management — assessing and managing third-party risk, vendor lock-in considerations
- Continuity and disaster recovery — testing DR plans, backup strategies, cross-region replication
Study Focus
Understand cloud forensics challenges — you can't just pull a hard drive when the infrastructure is virtualized and shared. Know the differences between cloud-aware and traditional incident response. Master the operational concepts: change management, configuration baselines, and patch management workflows.
Domain 6: Legal, Risk and Compliance (14%)
The lowest-weighted domain, but don't underestimate it. Legal and compliance questions can be tricky because they require understanding specific regulations and frameworks.
What It Covers
- Legal requirements and unique risks — privacy and data protection laws across jurisdictions (GDPR, CCPA, HIPAA), cross-border data transfer mechanisms
- Privacy issues — data subject rights, privacy impact assessments, privacy by design in cloud
- Audit processes and methodologies — SOC 1/2/3 reports, ISO 27001 audits, right to audit clauses
- Cloud compliance frameworks — CSA STAR, FedRAMP, ISO 27017/27018, and how they apply to cloud services
- Risk management — quantitative vs qualitative risk assessment, risk treatment options, risk frameworks (NIST RMF, ISO 31000)
- Contracts and vendor management — SLAs, data processing agreements, exit strategies, vendor lock-in
Study Focus
Don't try to memorize every law — focus on the principles. Understand data controller vs processor responsibilities. Know the major compliance frameworks and what they certify. Be clear on audit types and what each SOC report covers.
Which Domains to Prioritize
While you need competency across all six domains, here's a strategic prioritization based on exam weight and difficulty:
🎯 High Priority
- Domain 2: Cloud Data Security (19%). Highest weight, broad scope.
- Domain 1: Cloud Concepts (17%). Foundation for everything else.
📊 Medium Priority
- Domain 3: Platform & Infrastructure (17%). Technical but manageable.
- Domain 4: Application Security (17%). Easier if you have dev experience.
📋 Don't Neglect
- Domain 5: Operations (16%). Practical, often overlooked.
- Domain 6: Legal & Compliance (14%). Lowest weight but tricky.
⏱️ Time Allocation Tip
- Spend ~25% of study time on Domains 1 & 2: they set the foundation and carry the most weight.
- Spend ~15% on each remaining domain: even coverage prevents weak spots.
Study Tips by Domain
General Strategy
- Think like a cloud security architect — the CCSP tests your ability to make risk-based decisions, not just recall facts
- Understand "why" not just "what" — the exam rewards conceptual understanding over memorization
- Cross-reference domains — concepts like encryption, access control, and risk management span multiple domains. Study them holistically.
- Use the ISC2 exam outline as your checklist — every subtopic listed is fair game
Domain-Specific Tips
- Domain 1: Create flashcards for NIST definitions and cloud characteristics. Draw the shared responsibility model from memory.
- Domain 2: Practice the data lifecycle with real scenarios. For each phase, list the security controls that apply.
- Domain 3: Build a mental model of cloud networking layers. If you have access to AWS/Azure/GCP, create a VPC to understand the concepts hands-on.
- Domain 4: Review the OWASP Top 10 and map each vulnerability to cloud-specific scenarios. Understand the SSDLC phases.
- Domain 5: Focus on the differences between cloud and traditional incident response. Know the forensics challenges unique to cloud.
- Domain 6: Create a comparison chart of major regulations (GDPR, HIPAA, SOX) and their cloud implications. Know SOC report types.
Exam Format & Requirements
CCSP Exam Quick Facts
- Questions: 150 (125 scored + 25 unscored pretest); you won't know which are unscored
- Time: 4 hours (about 1.6 minutes per question)
- Passing Score: 700/1000 (scaled scoring)
- Format: Multiple choice (single and multiple answer)
- Cost: $599 USD (US/APAC); reschedule $50, cancel $100
- Experience Required: 5 years IT + 3 years infosec + 1 year in a CCSP domain; a CISSP can substitute for all CCSP experience
- Endorsement: Required post-pass from an ISC2-certified professional in good standing
The CCSP is a challenging certification, but with structured study across all six domains, it's absolutely achievable. The key is understanding concepts and their relationships rather than rote memorization. Cloud security is fundamentally about making informed risk decisions — and that's exactly what the exam tests.