If you're planning to take the CCSP exam in 2026, there's a date circled on ISC2's calendar that should be circled on yours too: August 1, 2026. That's when an entirely new CCSP exam outline takes effect, updating the blueprint against which every candidate is measured.
This isn't just a minor tweak. ISC2 periodically refreshes the CCSP exam through a formal Job Task Analysis (JTA) process, surveying thousands of cloud security practitioners to identify what skills actually matter on the job. The August 2026 outline reflects what's changed in cloud security since the last major content update in 2022 — and a lot has changed.
📋 Table of Contents
The CCSP Exam Change Timeline
To understand where we're headed, it helps to know where we've been. The CCSP exam has gone through several updates in recent years — it's worth understanding each one so you don't confuse the August 2026 content changes with the format changes that already happened.
📅 CCSP Exam Update History
- August 2022 Content/Domain refresh. Domain 2 weight went from 19% → 20%; Domain 5 from 17% → 16%. New cloud security concepts added to reflect DevSecOps, containerization, and modern architecture trends.
- August 2024 Format change. Exam shortened from 4 hours / 150 questions to 3 hours / 125 questions. The six domains and their weights remained unchanged.
- October 1, 2025 Computer Adaptive Testing (CAT) introduced. The CCSP joined CISSP in switching from a fixed linear exam to an adaptive format. Questions now range 100–150 items. Domain content and weights unchanged.
- August 1, 2026 New exam outline takes effect. Updated content, revised domain weights, and new topic areas reflecting the current cloud security landscape. This is the change this article covers.
The August 2026 update is the first true content overhaul since 2022. Everything between 2022 and 2026 was structural (format, timing, delivery method). August 2026 is where what you need to know changes.
What's Changing in the New Outline
ISC2 published a preview of the new August 2026 exam outline in January 2026. While the six-domain structure remains intact, the content within those domains has been substantially revised to reflect how cloud security has evolved:
Why ISC2 Updates the Outline
ISC2 uses a rigorous Job Task Analysis (JTA) process to keep the CCSP relevant. They survey thousands of practicing cloud security professionals worldwide to identify which tasks they actually perform, and how critical those tasks are to the job. The exam outline is then built around this real-world data.
The last JTA that produced a content update was completed in 2022. Since then, cloud security has been reshaped by several forces:
- AI and machine learning workloads moving into production cloud environments at scale
- Zero-trust architecture becoming the default design philosophy, not an optional add-on
- Cloud-native threats — supply chain attacks, misconfigured SaaS, shadow IT — growing more sophisticated
- Regulatory expansion — NIS2, DORA, AI Act, and evolving data residency requirements adding compliance complexity
- DevSecOps maturation — security-as-code, policy-as-code, and automated compliance becoming industry norms
- Multi-cloud and hybrid architectures becoming the default enterprise posture
The new outline reflects all of these. If your study materials were published before 2026, they may not adequately cover these areas.
The Six Domains: Then vs. Now
The six CCSP domains remain in place — but their internal structure, specific topics, and weightings have been updated. Here's a snapshot of the current (pre-August 2026) domain weights, followed by what's shifting:
Current Domain Weights (October 2025 – July 2026)
| Domain | Name | Weight |
|---|---|---|
| 1 | Cloud Concepts, Architecture and Design | 17% |
| 2 | Cloud Data Security | 20% |
| 3 | Cloud Platform & Infrastructure Security | 17% |
| 4 | Cloud Application Security | 17% |
| 5 | Cloud Security Operations | 16% |
| 6 | Legal, Risk and Compliance | 13% |
What We Know About Domain Changes
Based on ISC2's published preview and the JTA methodology, here's what's expected to shift across the domains. Note that the six domain names remain, but their subtopics and relative emphasis are evolving:
Domain 1: Cloud Concepts, Architecture & Design
- StrengthenedZero-trust architecture principles
- AddedAI/ML workload architecture security
- AddedServerless and edge computing security
- UpdatedCloud reference architectures for modern patterns
Domain 2: Cloud Data Security
- AddedAI training data governance and protection
- ExpandedData residency and sovereignty requirements
- UpdatedEncryption approaches for modern cloud-native apps
- StrengthenedData loss prevention in SaaS environments
Domain 3: Cloud Platform & Infrastructure Security
- ExpandedContainer and Kubernetes security
- AddedSupply chain security for cloud workloads
- UpdatedInfrastructure-as-code security testing
- StrengthenedMulti-cloud and hybrid environment controls
Domain 4: Cloud Application Security
- AddedAI application security (LLM threats, prompt injection)
- UpdatedAPI security standards and OAuth/OIDC
- ExpandedSecure software supply chain (SBOM, SLSA)
- StrengthenedDevSecOps pipeline controls
Domain 5: Cloud Security Operations
- AddedAI-driven threat detection and response
- UpdatedCloud-native SIEM and SOAR integration
- ExpandedIncident response for cloud-specific attack vectors
- StrengthenedContinuous monitoring and automation
Domain 6: Legal, Risk and Compliance
- AddedEU AI Act and AI governance frameworks
- AddedNIS2 / DORA regulatory requirements
- UpdatedCross-border data transfer mechanisms post-Schrems
- StrengthenedThird-party risk and vendor management
For the definitive, authoritative domain weights and subtopics, always refer to the official ISC2 exam outline PDF — what's above is directional based on ISC2's published preview and JTA methodology.
New Topics You'll Need to Master
Several technology areas are entering the CCSP exam outline for the first time, or being significantly elevated. If you've been studying from older materials, these are the gaps most likely to catch you off guard.
1. AI and Machine Learning Security in the Cloud
With AI workloads now running on every major cloud platform, security professionals are expected to understand the unique risks they introduce. The new CCSP outline incorporates:
- Training data security: How to classify, protect, and govern datasets used for model training, including poisoning attack mitigation
- LLM/GenAI security: Prompt injection, jailbreaking, and output manipulation as threat vectors
- AI model governance: Access controls, versioning, and auditability for deployed models
- Regulatory alignment: How EU AI Act and emerging AI governance frameworks intersect with cloud security operations
2. Zero-Trust Architecture
Zero-trust has graduated from buzzword to exam requirement. Expect questions on:
- NIST SP 800-207 zero-trust architecture principles and components
- Identity-centric security design in cloud environments
- Micro-segmentation strategies for cloud workloads
- Continuous verification models and their implementation in major cloud platforms
3. Software Supply Chain Security
After high-profile supply chain attacks (SolarWinds, Log4Shell, XZ Utils), ISC2 has significantly elevated this topic:
- SBOM (Software Bill of Materials): Creation, management, and use in vulnerability assessment
- SLSA framework: Supply chain levels for software artifacts
- Container image security: Signed images, trusted registries, and runtime controls
- Third-party component risk: Dependency scanning and open-source risk management
4. Modern Regulatory Landscape
The compliance domain is seeing its biggest update in years, reflecting a wave of new regulations:
- EU AI Act: Risk classification for AI systems and compliance obligations for cloud-hosted AI
- NIS2 Directive: Expanded scope from NIS1, incident reporting obligations, and supply chain requirements
- DORA (Digital Operational Resilience Act): Financial sector cloud resilience and ICT third-party risk requirements
- Updated data transfer frameworks: EU-US Data Privacy Framework and its implications for cloud storage decisions
Candidates who have worked in Europe or with European clients will have an advantage here. For others, this is an area requiring dedicated study time.
Don't Forget: The CAT Format Is Already Live
While the August 2026 content changes are the focus of this article, it's worth briefly recapping the format changes that took effect October 1, 2025 — because they affect every candidate right now, regardless of the August 2026 date.
Since October 2025, the CCSP has used Computer Adaptive Testing (CAT):
- Variable question count: 100–150 questions (not a fixed 125)
- 3-hour time limit (unchanged from post-2024 format)
- Adaptive difficulty: The exam adjusts in real time based on your answers
- No going back: You cannot skip questions or return to previous ones
- ~25 unscored pretest items scattered throughout (you won't know which ones)
- Exam ends early if confident: If the system reaches 95% statistical confidence in your result, the exam stops
For a deeper dive into CCSP study strategy under the CAT format, see our CCSP 90-day study plan.
Should You Test Before or After August 2026?
This is the question every current CCSP candidate is asking. There's no universal right answer — it depends on where you are in your preparation. Here's how to think through it:
✅ Test Before August 1, 2026 If...
- You're 60–80%+ ready right now
- Your study materials are from 2022–2025
- You want to avoid updating your study plan
- You're already enrolled and have a test date scheduled
- The new AI/regulatory topics feel unfamiliar
📅 Test After August 1, 2026 If...
- You're early in your prep (< 50% ready)
- You work in AI, DevSecOps, or cloud-native environments
- Your practical experience aligns with the new topics
- You prefer studying from fresh 2026-aligned materials
- You have a natural test window after August anyway
One thing is clear: candidates testing after August 2026 who use materials published before the new outline should do a deliberate gap analysis. The new topic areas (AI security, supply chain, NIS2/DORA) are not optional — they'll appear on the exam.
Adjusting Your Study Plan
Whether you're testing before or after August 2026, here's how to adapt your preparation:
If Testing Before August 2026
- Don't panic. Current study materials (2022–2025) are valid for exams taken before August 1, 2026.
- Book your exam now to lock in a date before August if you're nearly ready. Pearson VUE availability can be limited.
- Focus on CAT preparation: Practice with adaptive-style questions and strict 3-hour time limits.
- Don't study new outline topics at the expense of current outline mastery — it's not what you'll be tested on.
If Testing After August 2026
- Download the new outline PDF from ISC2 and study it carefully. Build your study plan around its structure.
- Add AI security study time. Dedicate at least 2–3 weeks specifically to AI/ML security in cloud environments — it's new and under-covered by existing resources.
- Update your compliance knowledge. If you're unfamiliar with NIS2, DORA, or the EU AI Act, these need dedicated study blocks.
- Verify your study materials are 2026-aligned. Ask publishers and course providers explicitly whether their materials cover the August 2026 outline.
- Use practice questions built for the new outline. Generic CCSP practice sets from 2024 may not reflect new topic areas.
For Everyone: The CAT Preparation Mindset
Regardless of which outline you're testing on, the CAT format requires a different psychological approach than traditional linear exams:
- Don't track question difficulty as a success signal. Harder questions can mean you're doing well — not that you're failing.
- Commit to each answer before moving on. There's no going back.
- Practice under realistic conditions: Timed, no-skip, adaptive-feeling question sets.
- Don't count questions to predict your result. The exam ending at 100 questions can mean you passed convincingly — or failed definitively. You don't know until you see the result.
For more on building a structured preparation approach, see our guide to the CCSP exam domains and our complete CCSP study plan.
Ready to Start Preparing?
Practice with thousands of expert-verified CCSP and CISSP questions. AI-powered gap analysis tells you exactly where to focus — whether you're targeting the current outline or the new August 2026 version.
Start Free 7-Day Trial →Frequently Asked Questions
When exactly does the new CCSP exam outline take effect?
The new CCSP exam outline takes effect on August 1, 2026. If your exam date is July 31, 2026 or earlier, you'll be tested against the current outline (effective October 2025). If your exam date is August 1, 2026 or later, the new outline applies.
Will the domain names change in the new CCSP outline?
The six domain names remain the same in the August 2026 outline. What changes is the content, subtopics, and weights within those domains — particularly an increased emphasis on AI security, zero-trust architecture, supply chain security, and expanded regulatory content.
Do I need to buy new study materials for the August 2026 outline?
If you're testing after August 1, 2026, yes — you should verify that your study materials cover the new outline. The core cloud security fundamentals don't change dramatically, but new topic areas (AI security, NIS2/DORA, supply chain) require current coverage. Ask your provider explicitly whether they've updated for the 2026 outline.
Is the CCSP still using CAT after the August 2026 outline change?
Yes. The CAT format (100–150 questions, 3 hours, adaptive difficulty) was introduced in October 2025 and remains in place after August 2026. The August change is to the content outline, not the delivery format.
Can I still pass the CCSP if I fail to study the new topics?
If you're testing on the new outline (August 2026+), the new topics will appear in your exam. The domain weights determine how many questions come from each area — so a domain with a higher weight represents more exam questions. Skipping any domain's content is risky; skipping high-weight domains is very risky.
How does the CCSP compare to the CISSP for 2026?
The CCSP is a cloud-specialist credential that goes deep on cloud-specific security architecture, data protection, and compliance. The CISSP is broader, covering all eight domains of information security. They're complementary, not competing — and an active CISSP credential can substitute for the entire CCSP experience requirement. Learn more in our CCSP vs. CISSP comparison. If you also hold AWS certifications, see our CCSP vs. AWS Security Specialty guide.
Where can I download the new CCSP exam outline?
The official August 2026 CCSP exam outline PDF is available directly from ISC2 at isc2.org/certifications/ccsp/ccsp-certification-exam-outline. It's free to download in English, Chinese, Japanese, and German. Download it before you build your study plan — it's the ground truth for what will appear on your exam.
Is the CCSP exam getting harder with the new outline?
Not harder per se — more current. The new topics (AI security, supply chain, modern regulatory frameworks) reflect what cloud security professionals actually deal with in 2026. Candidates with hands-on cloud security experience will likely find the new outline more natural than those who are purely book-studying older materials. The CAT format also calibrates difficulty to your skill level, so in practice each candidate faces questions matched to their ability.