The ISC2 Certified Cloud Security Professional (CCSP) exam tests your knowledge across six distinct domains of cloud security. Each domain carries a different weight on the exam, and understanding what they cover — and how they connect — is critical to passing.
This guide breaks down every CCSP domain, its exam weight, key topics, and practical study strategies. Whether you're just starting your CCSP journey or doing final review, this is your roadmap.
📋 Table of Contents
- CCSP Domain Overview & Weights
- Per-Domain Quick Reference Table
- Domain 1: Cloud Concepts, Architecture and Design (17%)
- Domain 2: Cloud Data Security (19%)
- Domain 3: Cloud Platform and Infrastructure Security (17%)
- Domain 4: Cloud Application Security (17%)
- Domain 5: Cloud Security Operations (16%)
- Domain 6: Legal, Risk and Compliance (14%)
- August 2026 Exam Outline Changes
- Which Domains to Prioritize
- Estimated Study Hours Per Domain
- Study Tips by Domain
- Common Misconceptions Per Domain
- Exam Format & Requirements
- Frequently Asked Questions
CCSP Domain Overview & Weights
The CCSP exam contains 150 questions (125 scored, 25 unscored pretest items) and you have 4 hours to complete it. The six domains are not weighted equally — Cloud Data Security carries the most weight at 19%, while Legal, Risk and Compliance carries the least at 14%.
CCSP Domain Weights at a Glance
- Domain 1: Cloud Concepts, Architecture and Design 17% of exam
- Domain 2: Cloud Data Security 19% of exam — highest weight
- Domain 3: Cloud Platform and Infrastructure Security 17% of exam
- Domain 4: Cloud Application Security 17% of exam
- Domain 5: Cloud Security Operations 16% of exam
- Domain 6: Legal, Risk and Compliance 14% of exam
The passing score is 700 out of 1000. ISC2 uses a scaled scoring model, so there's no simple percentage threshold — focus on being strong across all domains rather than gambling on specific ones.
Per-Domain Quick Reference Table
Here's everything you need at a glance: domain weights, approximate question counts, study priority, and estimated study hours for the typical candidate. Adjust based on your background.
- Domain 1: Cloud Concepts, Architecture and Design · 17% · ~21 questions · High priority · 15–20 hours
- Domain 2: Cloud Data Security · 19% · ~24 questions · High priority · 20–25 hours
- Domain 3: Cloud Platform and Infrastructure Security · 17% · ~21 questions · Medium priority · 15–20 hours
- Domain 4: Cloud Application Security · 17% · ~21 questions · Medium priority · 15–20 hours
- Domain 5: Cloud Security Operations · 16% · ~20 questions · Don't neglect · 15–20 hours
- Domain 6: Legal, Risk and Compliance · 14% · ~18 questions · Don't neglect · 10–15 hours
Question counts are approximations derived from the published weights against the 125 scored items; ISC2 does not publish exact per-domain counts.
Domain 1: Cloud Concepts, Architecture and Design (17%)
This is your foundation. Domain 1 establishes the conceptual framework for everything else on the exam. If you don't nail this domain, the rest will feel disconnected.
What It Covers
- Cloud computing definitions and characteristics — the five essential characteristics from NIST SP 800-145 (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service)
- Cloud reference architecture — understanding service models (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid, community)
- Security concepts relevant to cloud — cryptography, access control, virtualization security, and the shared responsibility model
- Design principles of secure cloud computing — defense in depth, zero trust, least privilege as applied to cloud environments
- Evaluating cloud service providers — what to look for in CSP contracts, certifications (SOC 2, ISO 27001), and capabilities
Study Focus
Memorize the NIST cloud computing definitions. Understand the shared responsibility model across all three service models. Know the difference between cloud-native and cloud-enabled architectures. Be comfortable with business requirements driving cloud decisions.
Domain 2: Cloud Data Security (19%)
This is the highest-weighted domain on the CCSP exam, and for good reason — data protection is the core reason cloud security exists. Expect to see the most questions from this domain.
What It Covers
- Cloud data lifecycle — Create, Store, Use, Share, Archive, Destroy. Understand security controls at each phase.
- Data classification and labeling — categorizing data by sensitivity, implementing appropriate controls for each level
- Data privacy and protection — PII handling, data masking, tokenization, anonymization techniques
- Data rights management — DRM, IRM, and how they apply in multi-tenant cloud environments
- Data retention, deletion, and archiving — crypto-shredding, secure deletion challenges in shared storage, legal holds
- Encryption and key management — encryption at rest, in transit, and in use; key management solutions (BYOK, HYOK, CSP-managed)
- Data discovery and classification technologies — DLP tools, data flow mapping, content inspection
Study Focus
Master the cloud data lifecycle — it's the backbone of this domain. Understand key management options and their trade-offs. Know the difference between tokenization and encryption. Be clear on data residency vs. data sovereignty.
Domain 3: Cloud Platform and Infrastructure Security (17%)
Domain 3 gets into the technical infrastructure that runs cloud services. This is where your understanding of networking, virtualization, and physical security in cloud data centers gets tested.
What It Covers
- Cloud infrastructure components — compute, storage, networking fundamentals in cloud environments
- Virtualization security — hypervisor types (Type 1 vs Type 2), VM escape, container security, serverless considerations
- Network security in cloud — VPCs, security groups, NACLs, micro-segmentation, SDN, and network function virtualization
- Physical and environmental controls — data center security, redundancy, understanding CSP facility certifications
- Disaster recovery and business continuity — RPO, RTO, high availability across regions and availability zones
- Management plane security — securing the APIs, consoles, and automation tools used to manage cloud resources
Study Focus
Understand the different isolation mechanisms in cloud (physical, virtual, logical). Know your DR metrics (RPO, RTO, MTBF, MTTR). Be clear on how network security differs between on-premises and cloud — especially the management plane, which is unique to cloud environments.
Domain 4: Cloud Application Security (17%)
This domain focuses on building and deploying secure applications in the cloud. If you have a development background, you'll find familiar territory here. If not, pay extra attention.
What It Covers
- Secure software development lifecycle (SSDLC) — integrating security into every phase of development
- Cloud-specific application threats — OWASP Top 10, injection attacks, broken authentication, SSRF in cloud environments
- Identity and access management (IAM) — federated identity, SAML, OAuth, OpenID Connect, MFA in cloud applications
- Application security testing — SAST, DAST, IAST, penetration testing, and bug bounty considerations in cloud
- Software supply chain security — third-party libraries, container image scanning, CI/CD pipeline security
- API security — securing RESTful APIs, API gateways, rate limiting, authentication mechanisms
Study Focus
Focus on the SSDLC phases and what security activities happen at each stage. Understand identity federation protocols (SAML vs OAuth vs OIDC — know the differences). Be familiar with common cloud application threats and their mitigations.
Domain 5: Cloud Security Operations (16%)
Operations is where theory meets reality. This domain tests your ability to implement, manage, and maintain cloud security on a day-to-day basis.
What It Covers
- Physical and logical infrastructure — building and managing secure cloud infrastructure operations
- Operational controls and standards — ITIL, change management, configuration management, patch management in cloud
- Security operations center (SOC) — monitoring, logging, SIEM, incident detection in cloud environments
- Incident management — cloud-specific IR procedures, forensics challenges (volatile evidence, shared infrastructure), chain of custody
- Supply chain management — assessing and managing third-party risk, vendor lock-in considerations
- Continuity and disaster recovery — testing DR plans, backup strategies, cross-region replication
Study Focus
Understand cloud forensics challenges — you can't just pull a hard drive when the infrastructure is virtualized and shared. Know the differences between cloud-aware and traditional incident response. Master the operational concepts: change management, configuration baselines, and patch management workflows.
Domain 6: Legal, Risk and Compliance (14%)
The lowest-weighted domain, but don't underestimate it. Legal and compliance questions can be tricky because they require understanding specific regulations and frameworks.
What It Covers
- Legal requirements and unique risks — international privacy laws (GDPR, CCPA, HIPAA), cross-border data transfer mechanisms
- Privacy issues — data subject rights, privacy impact assessments, privacy by design in cloud
- Audit processes and methodologies — SOC 1/2/3 reports, ISO 27001 audits, right to audit clauses
- Cloud compliance frameworks — CSA STAR, FedRAMP, ISO 27017/27018, and how they apply to cloud services
- Risk management — quantitative vs qualitative risk assessment, risk treatment options, risk frameworks (NIST RMF, ISO 31000)
- Contracts and vendor management — SLAs, data processing agreements, exit strategies, vendor lock-in
Study Focus
Don't try to memorize every law — focus on the principles. Understand data controller vs processor responsibilities. Know the major compliance frameworks and what they certify. Be clear on audit types and what each SOC report covers.
August 2026 Exam Outline Changes: What We Know
ISC2 has officially announced that effective August 1, 2026, the CCSP exam will be based on a new exam outline. The full revised outline had not been published at the time of this writing, but here's what candidates should know:
What Typically Changes in ISC2 Exam Outline Revisions
Based on historical CCSP and CISSP outline revisions, candidates should anticipate:
- Domain weight shifts — some domains gain or lose a few percentage points reflecting industry emphasis changes. Cloud operations and AI/ML security have been growing topics.
- New subtopics — expect coverage of serverless security, container orchestration (Kubernetes), cloud-native zero trust, and AI workload security to expand.
- Removed or consolidated subtopics — older, less relevant concepts (some legacy virtualization specifics) may be retired or merged.
- Updated regulatory references — the legal and compliance domain typically gets refreshed with the latest frameworks (e.g., post-Brexit UK GDPR clarifications, updated CCPA regulations).
For the most current details on what's changing, see our dedicated article: CCSP Exam Outline Changing August 2026: What You Need to Know →
Which Domains to Prioritize
While you need competency across all six domains, here's a strategic prioritization based on exam weight and difficulty:
🎯 High Priority
- Domain 2: Cloud Data Security (19%) · Highest weight, broad scope
- Domain 1: Cloud Concepts (17%) · Foundation for everything else
📊 Medium Priority
- Domain 3: Platform & Infrastructure (17%) · Technical but manageable
- Domain 4: Application Security (17%) · Easier if you have dev experience
📋 Don't Neglect
- Domain 5: Operations (16%) · Practical, often overlooked
- Domain 6: Legal & Compliance (14%) · Lowest weight but tricky
⏱️ Time Allocation Tip
- Spend ~25% of study time on Domains 1 & 2 · They set the foundation and carry the most weight
- Spend ~15% on each remaining domain · Even coverage prevents weak spots
Estimated Study Hours Per Domain
How long should you spend on each domain? The answer depends on your background — a cloud architect will breeze through Domain 3, while the same person might need extra time on Domain 6. Here are baseline estimates for candidates with moderate IT security experience (3–5 years) and some cloud exposure:
📅 Recommended Study Time by Domain
- Domain 1 — Cloud Concepts & Architecture: 15–20 hours · Foundational — get this right before moving on
- Domain 2 — Cloud Data Security: 20–25 hours · Highest weight, broadest scope — invest accordingly
- Domain 3 — Platform & Infrastructure Security: 15–20 hours · Reduce if you have hands-on cloud networking experience
- Domain 4 — Cloud Application Security: 15–20 hours · Add 10+ hours if you don't have a development background
- Domain 5 — Cloud Security Operations: 15–20 hours · Don't rush this — IR/forensics nuances take time to absorb
- Domain 6 — Legal, Risk and Compliance: 10–15 hours · Lowest weight but tricky; GDPR alone deserves a full study session
Total: 90–120 hours for most candidates. Add 20–30% if you're new to cloud environments. CISSP holders can typically cut total time by 25–30% due to domain overlap in cryptography, access control, and risk management.
Want a week-by-week schedule? See our complete CCSP Study Plan: How to Pass in 90 Days →
Study Tips by Domain
General Strategy
- Think like a cloud security architect — the CCSP tests your ability to make risk-based decisions, not just recall facts
- Understand "why" not just "what" — the exam rewards conceptual understanding over memorization
- Cross-reference domains — concepts like encryption, access control, and risk management span multiple domains. Study them holistically.
- Use the ISC2 exam outline as your checklist — every subtopic listed is fair game
Domain-Specific Tips
- Domain 1: Create flashcards for NIST definitions and cloud characteristics. Draw the shared responsibility model from memory.
- Domain 2: Practice the data lifecycle with real scenarios. For each phase, list the security controls that apply.
- Domain 3: Build a mental model of cloud networking layers. If you have access to AWS/Azure/GCP, create a VPC to understand the concepts hands-on.
- Domain 4: Review the OWASP Top 10 and map each vulnerability to cloud-specific scenarios. Understand the SSDLC phases.
- Domain 5: Focus on the differences between cloud and traditional incident response. Know the forensics challenges unique to cloud.
- Domain 6: Create a comparison chart of major regulations (GDPR, HIPAA, SOX) and their cloud implications. Know SOC report types.
Common Misconceptions Per Domain
These are the mistakes that trip up even well-prepared candidates. Knowing what not to believe is half the battle.
Domain 1 — Cloud Concepts: "The shared responsibility model is the same across all service models"
False. The shared responsibility boundary shifts significantly between IaaS, PaaS, and SaaS. In IaaS, you're responsible for everything from the OS up. In SaaS, the CSP handles almost everything — your responsibility narrows to user access, data governance, and configuration. The exam loves scenario questions where the "correct" answer depends on which service model is in play.
Domain 2 — Cloud Data Security: "Deleting a file means the data is gone"
In shared cloud storage, you can't guarantee physical destruction of underlying media. This is why crypto-shredding exists — destroy the encryption key, and the data becomes permanently unrecoverable even if residual bits remain on hardware. The exam frequently tests when crypto-shredding is the appropriate sanitization method in cloud environments.
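As an added illustration that is not part of the original guide, the following Python sketch models envelope encryption with a per-object data-encryption key (DEK) wrapped by a key-encryption key (KEK) held in a stand-in key vault; the cipher is a demonstration HMAC-SHA256 counter-mode construction, chosen so the example needs only the standard library, not a production algorithm. Once the vault shreds the KEK, the stored object is byte-for-byte unchanged but can no longer be decrypted.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
class KeyDestroyedError(Exception):
    """Raised when a key-encryption key is used after it has been shredded."""

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a demo construction chosen so
    # the example needs only the standard library; it is not production crypto.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyVault:
    """Stand-in for the KMS/HSM that holds the key-encryption key (KEK)."""
    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
    def _require_kek(self) -> bytes:
        if self._kek is None:
            raise KeyDestroyedError("KEK has been crypto-shredded")
        return self._kek
    def wrap(self, dek: bytes) -> bytes:
        return encrypt(self._require_kek(), dek)
    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return decrypt(self._require_kek(), wrapped_dek)
    def shred(self) -> None:
        # Crypto-shredding: the only copy of the KEK is destroyed; stored bytes are untouched.
        self._kek = None

@dataclass
class StoredObject:
    """What sits on shared cloud storage: a wrapped DEK plus ciphertext, never plaintext."""
    wrapped_dek: bytes
    ciphertext: bytes

def store(vault: KeyVault, plaintext: bytes) -> StoredObject:
    dek = secrets.token_bytes(32)  # one data-encryption key per object
    return StoredObject(vault.wrap(dek), encrypt(dek, plaintext))

def retrieve(vault: KeyVault, obj: StoredObject) -> bytes:
    return decrypt(vault.unwrap(obj.wrapped_dek), obj.ciphertext)

def can_recover(vault: KeyVault, obj: StoredObject) -> bool:
    """True while the KEK exists; False after shredding, even though obj is unchanged."""
    try:
        retrieve(vault, obj)
        return True
    except KeyDestroyedError:
        return False
```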
Domain 3 — Infrastructure Security: "Physical data center security is my CSP's problem"
You may not manage the physical infrastructure, but you're still responsible for understanding it. The CCSP exam expects you to evaluate CSP physical security (Tier ratings, certifications, redundancy), ask the right contract questions, and understand how physical controls affect your residual risk. Ignorance is not a valid risk treatment strategy.
Domain 4 — Application Security: "A WAF is enough to secure cloud applications"
A web application firewall is one layer — not a security program. The CCSP exam expects you to understand that secure applications require security baked into every phase of the SSDLC: threat modeling at design, SAST during coding, DAST in testing, and continuous monitoring in production. Bolting a WAF onto an insecure application is a compensating control, not a fix.
Domain 5 — Security Operations: "Cloud incident response works the same as on-premises"
It doesn't. In cloud environments, volatile evidence (RAM, running processes) can vanish instantly when instances terminate. You don't have physical access to hardware. Logs may be controlled by the CSP. Chain of custody is harder to establish. The CCSP tests cloud-specific IR procedures: snapshotting instances before termination, working with CSP APIs for log acquisition, and understanding what forensic artifacts are and aren't available.
Domain 6 — Legal & Compliance: "GDPR only applies to EU-based companies"
GDPR has extraterritorial reach. Any organization that processes the personal data of EU residents — regardless of where that organization is headquartered — must comply. A US company with European customers is subject to GDPR. Know the key roles: data controller (determines purpose/means of processing) vs data processor (processes on behalf of the controller). Also know the 72-hour breach notification requirement — it's a perennial exam topic.
Exam Format & Requirements
CCSP Exam Quick Facts
- Questions: 150 (125 scored + 25 unscored pretest) · You won't know which are unscored
- Time: 4 hours · ~1.6 minutes per question
- Passing Score: 700/1000 · Scaled scoring
- Format: Multiple choice · Single and multiple answer
- Cost: $599 USD (US/APAC) · Reschedule: $50 · Cancel: $100
- Experience Required: 5 years IT + 3 years infosec + 1 year in a CCSP domain · CISSP can substitute all CCSP experience
- Endorsement: Required post-pass from an ISC2-certified professional · Must be in good standing
The CCSP is a challenging certification, but with structured study across all six domains, it's absolutely achievable. The key is understanding concepts and their relationships rather than rote memorization. Cloud security is fundamentally about making informed risk decisions — and that's exactly what the exam tests.
Frequently Asked Questions
Which CCSP domain is the hardest?
Most candidates find Domain 2 (Cloud Data Security) or Domain 4 (Cloud Application Security) most challenging. Domain 2 has the highest weight (19%) and the broadest scope — from data lifecycle management to key management strategies. Domain 4 is a consistent stumbling block for non-developers. Domain 6 (Legal, Risk and Compliance) also surprises many candidates with its international regulation complexity — don't discount it just because it carries the lowest weight.
How many questions per domain does the CCSP exam have?
The exam has 125 scored questions (plus 25 unscored pretest questions you can't identify). Based on official weights: Domain 2 ≈ 24 questions; Domains 1, 3, and 4 ≈ 21 questions each; Domain 5 ≈ 20 questions; Domain 6 ≈ 18 questions. ISC2 doesn't publish exact per-domain counts — these are approximations based on the published percentages.
Do you need to pass each CCSP domain separately?
No. The CCSP uses a single composite scaled score out of 1,000 — you need 700 to pass. There are no per-domain minimums. A strong performance in most domains can offset a weaker domain. If you fail, ISC2 provides a performance report showing how you did in each domain area — useful for targeting your retake prep.
Can I take the CCSP without a CISSP?
Yes. You can sit the exam and earn the CCSP without a CISSP. However, you'll need 5 years of cumulative paid IT experience (3 in infosec, 1 in a CCSP domain) plus endorsement from an ISC2-certified professional. An active CISSP waives all CCSP experience requirements. If you lack the experience, you can still pass and earn the Associate of ISC2 designation, then have 6 years to fulfill the experience requirement.
What is changing in the August 2026 CCSP exam?
ISC2 has confirmed a new exam outline effective August 1, 2026. The full revised outline was not published at the time of this writing. Expect updates to reflect emerging cloud security areas: AI/ML workload security, container orchestration, serverless patterns, and refreshed regulatory content. If you take the exam before August 1, the current outline applies. See our full guide: CCSP Exam Changes August 2026 →
How long does it take to study for the CCSP?
Plan for 90–120 hours of structured study over 3–6 months. Experienced cloud security pros may be ready in 8–10 weeks. Newer candidates should plan for 4–6 months. Domain 2 and Domain 4 typically need the most attention. CISSP holders often cut 25–30% off prep time due to significant conceptual overlap. See our CCSP 90-Day Study Plan →
Is CCSP harder than CISSP?
Most candidates who've taken both say CISSP is harder overall — broader scope (8 vs 6 domains), adaptive testing, and steeper experience requirements. However, CCSP can feel harder for candidates who lack hands-on cloud experience, since theoretical knowledge alone isn't enough for many scenario questions. If you hold a CISSP, the CCSP will feel like familiar territory with a cloud-specific lens. Want a deeper comparison? See CCSP vs CISSP: Which Should You Get First? →