The CCSP exam throws 125 questions at you in 3 hours — a mix of scenario-based problems that test not just what you know, but how you apply it under pressure. The only way to build that muscle is to practice.
Below you'll find 25 free CCSP practice questions mapped to all six domains, complete with the correct answers and detailed explanations. These aren't brain dump questions — they're the style of thinking the real exam demands.
⚠️ August 2026 Exam Update
ISC2 is updating the CCSP exam outline in August 2026. These questions are based on the current (pre-August) exam blueprint. If you're testing after August, check our CCSP 2026 exam changes guide for what's shifting.
Before you dive into the questions, a quick refresher on what you're preparing for:
CCSP Exam Essentials
- Total Questions 125 (including 25 unscored pretest items)
- Time Limit 3 hours
- Passing Score 700 out of 1000
- Question Format Multiple choice + advanced innovative items
- Exam Delivery Pearson VUE (in-person or online proctored)
- Cost $599 USD
The 25 pretest questions are randomly mixed in with the scored questions — you won't know which are which. Answer every question as if it counts, because it might.
💡 How This Quiz Works
Each question below has four answer choices. The correct answer is named in the explanation under each question. Read every explanation: understanding why an answer is right (or wrong) is worth more than getting it right by luck.
Domain 1: Cloud Concepts, Architecture & Design
This domain covers 17% of the exam. Focus on cloud service models (IaaS, PaaS, SaaS), deployment models, shared responsibility, and cloud reference architecture.
Domain 1 — Cloud Concepts
Question 1 of 25
A company is migrating a customer-facing web application to the cloud. The security team wants to ensure that the cloud provider is responsible for patching the underlying operating system. Which service model best satisfies this requirement?
- A. Infrastructure as a Service (IaaS)
- B. Platform as a Service (PaaS)
- C. Software as a Service (SaaS)
- D. Function as a Service (FaaS)
Why B is correct: In PaaS, the provider operates the infrastructure up to and including the OS, middleware, and runtime, and the customer manages only its application and data, which is exactly the split this team wants. In IaaS, OS patching is the customer's job. SaaS would also put OS patching on the provider, but it hands over the application itself too, and this company is migrating its own web application and needs to keep control of it. FaaS (serverless) also qualifies and is usually treated as a form of PaaS, but PaaS is the canonical answer on the CCSP exam.
Domain 1 — Cloud Concepts
Question 2 of 25
An organization needs a cloud deployment model that provides complete control over infrastructure while leveraging cloud economics. Data must never traverse the public internet. Which deployment model should they choose?
- A. Public cloud
- B. Community cloud
- C. Private cloud
- D. Hybrid cloud
Why C is correct: A private cloud gives a single organization exclusive use of cloud infrastructure, which can be on-premises or hosted by a third party. The key distinguisher here is "data must never traverse the public internet" — a hybrid cloud would include a public component, and a community cloud is shared among multiple organizations. Private cloud provides both complete control and network isolation.
Domain 1 — Cloud Concepts
Question 3 of 25
Which of the following BEST describes the shared responsibility model in cloud computing?
- A. The cloud provider is responsible for all security controls
- B. The customer is responsible for all security controls
- C. Security responsibilities are divided between the cloud provider and the customer, varying by service model
- D. Shared responsibility only applies to IaaS deployments
Why C is correct: The shared responsibility model divides security obligations between the CSP (cloud service provider) and the cloud customer, with the exact division depending on the service model. In IaaS, the customer manages more; in SaaS, the provider manages more. The model applies across all three major service models, and whatever the model, the customer always retains accountability for its data, its identities and their access, and its own configuration choices. This is a foundational CCSP concept; expect to see it applied in scenario questions throughout the exam.
Domain 1 — Cloud Concepts
Question 4 of 25
A security architect is designing a multi-tenant cloud environment. Which isolation mechanism is MOST effective at preventing a "noisy neighbor" from affecting other tenants' workloads?
- A. Network segmentation with VLANs
- B. Role-based access control (RBAC)
- C. Hypervisor-enforced resource quotas and VM isolation
- D. Encryption of data in transit
Why C is correct: The "noisy neighbor" problem is a performance and resource contention issue, not an access control or encryption problem. Hypervisor-enforced resource quotas (CPU, memory, I/O) and VM isolation at the hypervisor layer directly address compute and storage contention between tenants. Network segmentation handles network-level separation but doesn't prevent compute resource exhaustion. RBAC controls access, not resource consumption.
Domain 2: Cloud Data Security
This domain accounts for 20% of the exam — the largest single domain. Expect questions on data lifecycle, classification, DLP, encryption, key management, and data residency.
Domain 2 — Cloud Data Security
Question 5 of 25
An organization stores customer PII in a cloud database. They want to ensure the data is protected if the cloud provider's storage media is decommissioned and disposed of. Which control BEST addresses this risk?
- A. Data masking
- B. Tokenization
- C. Encryption with customer-managed keys
- D. Access control lists
Why C is correct: Encryption with customer-managed keys (BYOK, Bring Your Own Key, or keys held in a customer-controlled KMS/HSM) means that if the provider's storage media is disposed of improperly, what remains on it is ciphertext that is unreadable without keys the customer controls and retains. Data masking and tokenization substitute values in a copy or a field, but the original data (or the token vault) still sits on provider media, so they don't address disposal. ACLs control logical access, not exposure of physical media. Crypto-shredding (destroying the keys) is the standard cloud data-destruction technique precisely because a customer can never verify that a provider physically wiped or degaussed shared drives.
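The key hierarchy behind answer C, as an added example that is not from the original page: each object gets its own data-encryption key (DEK), every DEK is wrapped by a customer-held key-encryption key (KEK), and crypto-shredding is simply deleting that KEK. The CustomerKeyStore class and its wrap/unwrap/shred methods are hypothetical stand-ins for a KMS, and the cipher is an HMAC-SHA256 counter-mode keystream chosen only so the script runs on the standard library; in practice you would use AES-GCM with the KEK inside a KMS/HSM.

```python
"""Envelope encryption with crypto-shredding (added example for Question 5).

Not code from the original page. The cipher is a stand-in so the script runs
on the standard library alone: a keystream derived with HMAC-SHA256 in counter
mode, XORed into the data, with no authentication tag. A real deployment would
use AES-GCM with the KEK held in a KMS/HSM; what this example shows is the key
hierarchy and why destroying one key makes every object under it unrecoverable.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (illustrative cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        msg = nonce + counter.to_bytes(8, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class EncryptedObject:
    key_id: str          # which customer KEK wraps this object's DEK
    wrapped_dek: bytes   # nonce || DEK encrypted under the KEK
    nonce: bytes
    ciphertext: bytes


@dataclass
class CustomerKeyStore:
    """Hypothetical stand-in for the customer-controlled KMS; not a real API."""
    keks: dict[str, bytes] = field(default_factory=dict)

    def create_kek(self, key_id: str) -> None:
        self.keks[key_id] = os.urandom(32)

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)  # fresh nonce per wrap: a keystream must never be reused
        return nonce + keystream_xor(self.keks[key_id], nonce, dek)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self.keks:
            raise KeyError(f"KEK {key_id!r} was destroyed; data under it is unrecoverable")
        nonce, body = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
        return keystream_xor(self.keks[key_id], nonce, body)

    def shred(self, key_id: str) -> None:
        """Crypto-shredding: destroy the KEK. Every copy of the ciphertext the
        provider still holds, on live or decommissioned media, is now random bytes."""
        self.keks.pop(key_id)


def encrypt_object(store: CustomerKeyStore, key_id: str, plaintext: bytes) -> EncryptedObject:
    dek = os.urandom(32)  # one data key per object; only its wrapped form is stored
    nonce = os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(dek, nonce, plaintext)
    return EncryptedObject(key_id, store.wrap(key_id, dek), nonce, ciphertext)


def decrypt_object(store: CustomerKeyStore, obj: EncryptedObject) -> bytes:
    dek = store.unwrap(obj.key_id, obj.wrapped_dek)
    return keystream_xor(dek, obj.nonce, obj.ciphertext)


def is_recoverable(store: CustomerKeyStore, obj: EncryptedObject) -> bool:
    """True only while the KEK that wraps this object's DEK still exists."""
    try:
        decrypt_object(store, obj)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    kms = CustomerKeyStore()
    kms.create_kek("tenant-a")
    record = encrypt_object(kms, "tenant-a", b"customer PII: Jane Doe, 1980-01-01")
    print(decrypt_object(kms, record))
    kms.shred("tenant-a")
    print("recoverable after shred:", is_recoverable(kms, record))
```

Note that the ciphertext and the wrapped DEK are never deleted in this flow; they can stay on the provider's disks, backups, and replicas indefinitely, and the customer's shredding of the KEK is what makes all of those copies worthless at once.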
Domain 2 — Cloud Data Security
Question 6 of 25
What is the PRIMARY purpose of data discovery in a cloud environment?
- A. To encrypt sensitive data automatically
- B. To identify and classify sensitive data so appropriate controls can be applied
- C. To monitor user access to cloud storage
- D. To replicate data across geographic regions
Why B is correct: Data discovery is the process of finding and identifying where sensitive data resides across cloud environments. You can't protect what you don't know about. Discovery feeds into classification, which then determines what controls (encryption, DLP, access restrictions) to apply. Encryption, monitoring, and replication may all follow discovery, but they are not its primary purpose.
Domain 2 — Cloud Data Security
Question 7 of 25
A company processes credit card transactions through a SaaS application. Which standard MOST directly governs the security requirements for this data?
- A. ISO 27001
- B. SOC 2 Type II
- C. PCI DSS
- D. HIPAA
Why C is correct: PCI DSS (Payment Card Industry Data Security Standard) specifically governs the storage, processing, and transmission of cardholder data. ISO 27001 is a general information security management framework. SOC 2 is an auditing framework for service organizations. HIPAA covers protected health information (PHI). On the CCSP exam, you must know which regulation applies to which data type — cardholder data = PCI DSS, every time.
Domain 2 — Cloud Data Security
Question 8 of 25
Which data lifecycle phase presents the GREATEST risk of unauthorized access to sensitive data in a multi-tenant cloud environment?
- A. Create
- B. Store
- C. Use
- D. Share
Why D is correct: The six phases of the cloud data lifecycle are: Create, Store, Use, Share, Archive, and Destroy. The Share phase introduces the greatest multi-tenancy risk because data crosses organizational or application boundaries, potentially exposing it to other tenants, partners, or external parties. Controls like DRM, access controls, and encryption become critical during sharing. The CCSP exam frequently tests data lifecycle knowledge — memorize all six phases.
Domain 2 — Cloud Data Security
Question 9 of 25
An organization wants to allow analytics teams to work with production customer data without exposing actual PII. Which technique BEST achieves this while preserving data utility?
- A. Full encryption
- B. Data deletion
- C. Data masking or anonymization
- D. Network isolation
Why C is correct: Data masking (replacing sensitive values with realistic but fictional data) and anonymization (irreversibly stripping identifying information) give analytics teams data with the same structure and statistical properties as production, without the actual PII. Full encryption would block analytics entirely. Deletion removes the data. Network isolation doesn't change the data; an authorized analyst would still see real PII. Keep the exam's distinction in mind: anonymized data cannot be re-linked to a person, while pseudonymized data (identifiers replaced with tokens or keyed hashes) can be re-linked by whoever holds the mapping or key, and is therefore still personal data under GDPR.
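A small masking pipeline illustrating answer C, added here and not part of the original page. The field names, sample records, and masking rules are constructed for illustration. The design point worth noticing is that the customer identifier is pseudonymized with a keyed HMAC rather than a bare hash: rows for the same customer still join, but nobody without the key can reverse the token by hashing guessed identifiers.

```python
"""Masking and keyed pseudonymization for an analytics copy (added example for
Question 9; not code from the original page). Field names, records and rules
are constructed."""
import hashlib
import hmac
import re


def mask_card_number(pan: str) -> str:
    """Keep only the last four digits; length and position are preserved."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character and the domain so domain-level analytics still work."""
    local, _, domain = email.partition("@")
    return local[:1] + "****@" + domain


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic, keyed replacement. The same input always yields the same
    token, so joins across tables survive, but without the key an attacker cannot
    enumerate candidate values and hash them to reverse it. A plain unkeyed SHA-256
    of a low-entropy identifier (SSN, phone number) IS reversible that way."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_dob(dob: str) -> str:
    """Replace an exact ISO date of birth with a decade band (e.g. '1980s')."""
    year = int(dob[:4])
    return f"{year - year % 10}s"


def mask_record(record: dict, key: bytes) -> dict:
    return {
        "customer_id": pseudonymize(record["customer_id"], key),
        "email": mask_email(record["email"]),
        "card": mask_card_number(record["card"]),
        "dob": generalize_dob(record["dob"]),
        "purchase_total": record["purchase_total"],  # non-identifying, kept intact for analytics
    }


def build_analytics_copy(records: list, key: bytes) -> list:
    """Produce the copy analysts get; the key stays with the data owner, never with analysts."""
    return [mask_record(r, key) for r in records]


# Constructed sample data; the first two rows belong to the same customer.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "jane.doe@example.com",
     "card": "4111 1111 1111 1111", "dob": "1984-06-02", "purchase_total": 129.50},
    {"customer_id": "C-1001", "email": "jane.doe@example.com",
     "card": "4111 1111 1111 1111", "dob": "1984-06-02", "purchase_total": 40.00},
    {"customer_id": "C-2002", "email": "bob@corp.example",
     "card": "5500 0000 0000 0004", "dob": "1991-11-30", "purchase_total": 15.25},
]

if __name__ == "__main__":
    for row in build_analytics_copy(SAMPLE_RECORDS, b"owner-held-secret-key"):
        print(row)
```

The masked copy still supports per-customer aggregation (same token for both Jane rows) and totals, which is the "preserving data utility" part of the question; rotating the HMAC key between releases breaks linkage across releases if that is the intent, so decide deliberately whether the key is per dataset or long-lived.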
Domain 3: Cloud Platform & Infrastructure Security
This domain covers 17% of the exam. Expect questions on virtualization security, risk analysis, physical infrastructure, and cloud security controls design.
Domain 3 — Platform & Infrastructure
Question 10 of 25
A security team discovers that a virtual machine in their cloud environment is communicating with a known command-and-control server. The VM is part of a production application with active users. What is the FIRST action the security team should take?
- A. Immediately terminate the virtual machine
- B. Notify users that the application will be unavailable
- C. Isolate the VM by removing it from the network while preserving its state for forensics
- D. Re-image the VM from a known-good snapshot
Why C is correct: The incident response priority is contain first, preserve evidence, then eradicate. Isolating the VM from the network stops the C2 channel and lateral movement while preserving memory, logs, and disk for forensic analysis. In a cloud environment that means applying a deny-all security group or network security group, detaching the instance from load balancers and auto-scaling groups so the platform doesn't "heal" it by terminating and replacing it (which would destroy the evidence), and snapshotting the disk before anything else changes. Immediate termination destroys forensic evidence. Notifying users is a later step. Re-imaging eradicates the threat but loses evidence and should happen after forensics. This mirrors the CISSP/CCSP incident response framework.
Domain 3 — Platform & Infrastructure
Question 11 of 25
Which attack targets the hypervisor layer with the goal of gaining access to other virtual machines on the same physical host?
- A. Side-channel attack
- B. Cross-site scripting (XSS)
- C. VM escape
- D. Privilege escalation
Why C is correct: VM escape is a virtualization-specific attack where malicious code inside a virtual machine exploits a hypervisor vulnerability to break out and interact with the host OS or other VMs on the same hardware. It's one of the most severe threats in multi-tenant cloud environments. Side-channel attacks (like Spectre/Meltdown) can also affect VMs but work differently — they infer information through timing or cache behavior rather than escaping the VM boundary directly.
Domain 3 — Platform & Infrastructure
Question 12 of 25
What is the PRIMARY security benefit of immutable infrastructure in cloud deployments?
- A. It reduces cloud costs by optimizing resource use
- B. It ensures that servers are never patched in place — compromised instances are destroyed and replaced with clean images
- C. It prevents unauthorized users from modifying access control policies
- D. It encrypts all data stored on cloud instances automatically
Why B is correct: Immutable infrastructure means that once a server is deployed, it is never modified — no patching, no configuration changes, no manual logins. When an update or fix is needed, a new image is built and deployed, and the old instance is terminated. This eliminates configuration drift and dramatically limits the blast radius of a compromise, since attackers can't persist on a system that gets destroyed and rebuilt. It's a key DevSecOps concept the CCSP exam tests.
Domain 3 — Platform & Infrastructure
Question 13 of 25
A cloud customer is concerned about the security of physical hardware shared with other tenants in a public cloud. Which cloud provider assurance mechanism BEST addresses this concern?
- A. A contractual SLA guaranteeing uptime
- B. A bug bounty program
- C. Third-party audit reports such as SOC 2 Type II or ISO 27001 certification
- D. The provider's published security whitepaper
Why C is correct: In a public cloud, customers cannot inspect the physical data center themselves. Third-party audits (SOC 2 Type II, ISO 27001, FedRAMP, CSA STAR) provide independent, structured verification that the provider's security controls are in place and operating effectively. An SLA covers availability, not security. Whitepapers are marketing — they describe intended controls, not verified ones. Bug bounty programs cover application vulnerabilities, not physical infrastructure. Independent audit = evidence.
Domain 4: Cloud Application Security
This domain covers 17% of the exam. Key topics include secure SDLC, OWASP threats, API security, identity federation, and software supply chain.
Domain 4 — Application Security
Question 14 of 25
Which approach to application security integrates security testing and review throughout the entire software development lifecycle rather than only at release?
- A. Penetration testing
- B. Vulnerability scanning
- C. DevSecOps
- D. Security information and event management (SIEM)
Why C is correct: DevSecOps integrates security practices (SAST, DAST, dependency scanning, threat modeling, code review) into every stage of the CI/CD pipeline — from design through deployment. Penetration testing and vulnerability scanning are point-in-time activities, not continuous processes. SIEM is a monitoring and detection tool, not a development practice. The CCSP exam emphasizes shift-left security — finding and fixing vulnerabilities early, when they're cheapest to fix.
Domain 4 — Application Security
Question 15 of 25
A cloud application exposes REST APIs to third-party partners. Which security control is MOST critical for protecting these APIs?
- A. Web application firewall (WAF)
- B. API gateway with authentication, rate limiting, and input validation
- C. Network-level encryption with TLS 1.3
- D. DDoS protection service
Why B is correct: An API gateway gives you one enforcement point for authentication (OAuth 2.0 tokens, API keys, mutual TLS), rate limiting and quotas (abuse prevention), schema and input validation (injection prevention), and logging. TLS is essential for data in transit and a WAF adds pattern-based filtering, but neither addresses API-specific risks such as authentication bypass, broken object level authorization, or excessive data exposure. One caveat the exam's "most critical" framing glosses over: the gateway can establish who the caller is, but object-level authorization (may this caller read this particular record?) still has to be enforced in the backend, because only the service knows who owns the data. A well-configured API gateway is nonetheless the single most important control for third-party API exposure.
Domain 4 — Application Security
Question 16 of 25
An organization is implementing single sign-on (SSO) for its cloud applications. Which standard enables identity federation between their identity provider (IdP) and cloud service providers?
- A. LDAP
- B. Kerberos
- C. SAML 2.0 or OpenID Connect (OIDC)
- D. RADIUS
Why C is correct: SAML 2.0 and OpenID Connect (OIDC) are the dominant standards for federated identity in cloud environments. SAML uses XML-based assertions and is widely used for enterprise SSO. OIDC is built on OAuth 2.0 and uses JSON/JWT — preferred for modern web and mobile applications. LDAP and Kerberos are on-premises directory and authentication protocols that don't natively support internet-scale federation. RADIUS is used for network access authentication, not application SSO.
Domain 4 — Application Security
Question 17 of 25
Which OWASP Top 10 vulnerability occurs when an application includes user-supplied input in a query to a backend database without proper sanitization?
- A. Injection (SQL Injection)
- B. Broken Access Control
- C. Security Misconfiguration
- D. Insecure Deserialization
Why A is correct: SQL injection occurs when untrusted input is concatenated into a database query, letting an attacker alter the query's logic to extract data, bypass authentication, or, through database features, run OS commands. The fix is parameterized queries (prepared statements), which send values separately from the SQL text, backed by input validation and least-privilege database accounts. Note the list versions: in the OWASP Top 10 2021 this is A03 Injection (which now also absorbs XSS), while "Insecure Deserialization" (option D) is a 2017 category that was folded into A08 Software and Data Integrity Failures. On the CCSP exam, knowing the OWASP Top 10 is table stakes; expect scenarios where you must identify both the vulnerability type and the appropriate mitigation.
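The vulnerability and its fix side by side, as an added example that is not from the original page. It uses an in-memory SQLite database with a constructed users table; the password_hash column holds a placeholder string, since the point is the query construction, not password storage.

```python
"""SQL injection: vulnerable string concatenation next to the parameterized fix
(added example for Question 17; not code from the original page).

Constructed data in an in-memory SQLite database. Real code verifies a salted
hash (bcrypt/argon2) in application code rather than comparing it in SQL."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Untrusted input is pasted into the SQL text, so the input can rewrite the query.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # The SQL text is fixed; the driver passes the values separately as data,
    # so a quote or comment marker in the input can never alter the statement.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


# Attacker-supplied username: closes the string literal, then a SQL comment
# marker discards the rest of the WHERE clause, including the password check.
BYPASS_USERNAME = "alice' --"


def demo() -> dict:
    conn = setup_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "parameterized_bypassed": login_parameterized(conn, BYPASS_USERNAME, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "hash-of-alice-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload, the vulnerable version executes `... WHERE username = 'alice' --' AND password_hash = 'wrong'`, and everything after `--` is a comment, so the row count is 1 and the login succeeds without a password. The parameterized version looks for a user literally named `alice' --` and finds none.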
Domain 5: Cloud Security Operations
This domain covers 16% of the exam. Topics include monitoring, incident response, change management, digital forensics in cloud environments, and business continuity.
Domain 5 — Security Operations
Question 18 of 25
A cloud security operations team wants to ensure they can detect unauthorized changes to cloud infrastructure configurations. Which tool BEST supports this objective?
- A. Intrusion detection system (IDS)
- B. Data loss prevention (DLP)
- C. Cloud Security Posture Management (CSPM)
- D. Web application firewall (WAF)
Why C is correct: CSPM tools continuously monitor cloud infrastructure configurations against security policies and compliance frameworks, alerting on drift (e.g., a storage bucket being made public, a security group rule being changed). IDS detects network-level attacks. DLP focuses on data movement. WAFs protect web applications. CSPM is the go-to tool for configuration compliance monitoring in cloud environments — it's tested repeatedly in the CCSP exam.
Domain 5 — Security Operations
Question 19 of 25
During a forensic investigation of a cloud incident, an investigator needs to collect volatile data from a running virtual machine. What is the correct order of evidence collection?
- A. Disk image → memory dump → network logs
- B. Memory (RAM) → running processes → network connections → disk image
- C. Network logs → disk image → memory
- D. Disk image → registry → memory
Why B is correct: Digital forensics follows the order of volatility (documented in RFC 3227): collect the most ephemeral data first and the most persistent last. RAM contents are lost the instant the system powers down or the VM is terminated; running processes and network connections go next; disk images are the least volatile and are collected last. In the cloud this is doubly important: memory acquisition usually requires provider tooling or an agent inside the guest, a VM can be terminated or replaced by auto-scaling at any moment, and a disk snapshot should be taken before any containment change that might alter it.
Domain 5 — Security Operations
Question 20 of 25
A cloud-hosted application experiences a sudden 10x increase in traffic, causing service degradation. The operations team determines it is not a legitimate traffic spike. What type of attack is MOST likely occurring?
- A. Man-in-the-middle (MITM) attack
- B. SQL injection
- C. Distributed Denial of Service (DDoS)
- D. Privilege escalation
Why C is correct: A sudden, massive, illegitimate traffic spike causing service degradation is the classic signature of a DDoS attack. The "distributed" aspect means traffic originates from many sources (often a botnet), making IP-based blocking ineffective. Cloud-native DDoS mitigation services (AWS Shield, Azure DDoS Protection, Cloudflare) and auto-scaling can help absorb and filter this traffic. MITM, SQL injection, and privilege escalation don't manifest as traffic volume spikes.
Domain 5 — Security Operations
Question 21 of 25
An organization's Recovery Time Objective (RTO) for a critical cloud application is 4 hours. Which disaster recovery strategy BEST meets this requirement?
- A. Cold site — restore from backup tapes
- B. Backup and restore from cloud object storage (typical 8-12 hour recovery)
- C. Warm standby with pre-provisioned infrastructure in a secondary region
- D. Daily database backups to on-premises storage
Why C is correct: A 4-hour RTO calls for a warm standby: a scaled-down but running copy of the environment in a secondary region that can be scaled up quickly when needed. Cold sites and tape restores typically take 24-72 hours. A basic backup-and-restore from cloud object storage often takes 8-12 hours depending on data volume. A hot site or an active-active multi-region deployment would also meet the RTO but costs more, and the exam expects the least expensive strategy that satisfies the requirement. The CCSP exam tests your ability to match recovery strategies to RTO/RPO requirements.
Domain 6: Legal, Risk & Compliance
This domain covers 13% of the exam. Focus on privacy regulations (GDPR, CCPA), eDiscovery, contracts, audit, and third-party risk management.
Domain 6 — Legal, Risk & Compliance
Question 22 of 25
Under GDPR, a European company stores customer personal data in a U.S.-based cloud provider's data centers. What mechanism is MOST appropriate for legitimizing this cross-border data transfer?
- A. A non-disclosure agreement (NDA)
- B. ISO 27001 certification of the U.S. provider
- C. Standard Contractual Clauses (SCCs) or adequacy decisions recognized by the EU
- D. Encryption of data in transit
Why C is correct: GDPR Chapter V permits transfers of personal data outside the EU/EEA only to destinations covered by an EU adequacy decision or protected by appropriate safeguards. Standard Contractual Clauses (SCCs) approved by the European Commission are the primary contractual safeguard when no adequacy decision applies; since the Schrems II ruling they are expected to be paired with a transfer impact assessment of the destination country's laws. For the U.S. specifically, the 2023 EU-U.S. Data Privacy Framework adequacy decision covers providers that self-certify under it. An NDA is a confidentiality agreement, not a transfer mechanism. ISO 27001 demonstrates security practices but says nothing about transfer legality. Encryption is a security control, not a legal basis for transfer.
Domain 6 — Legal, Risk & Compliance
Question 23 of 25
A cloud customer receives a legal hold notice requiring them to preserve all electronic communications related to a lawsuit. The relevant data is stored in a cloud SaaS application. What is the FIRST step the cloud customer should take?
- A. Issue a litigation hold to prevent deletion of relevant data in the cloud application and review the CSP contract for eDiscovery support
- B. Immediately download all data from the SaaS application
- C. Notify the cloud provider that legal action is pending
- D. Switch to an on-premises system to maintain control of evidence
Why A is correct: The first obligation under a legal hold is to preserve relevant data in place — immediately stopping any automated deletion, archiving, or rotation policies that might destroy evidence. Reviewing the CSP contract is equally critical, as it determines what eDiscovery capabilities the provider offers (legal hold features, chain of custody, metadata preservation). Downloading all data creates chain-of-custody issues and may not be feasible. Switching systems mid-litigation could destroy evidence.
Domain 6 — Legal, Risk & Compliance
Question 24 of 25
Which risk treatment strategy is being used when an organization purchases cyber liability insurance to cover potential cloud data breach costs?
- A. Risk avoidance
- B. Risk acceptance
- C. Risk transfer
- D. Risk mitigation
Why C is correct: Purchasing insurance transfers the financial consequences of a risk to a third party (the insurer). The risk itself still exists, but the financial burden is shared or shifted. Risk avoidance eliminates the risk-creating activity entirely. Risk acceptance is a conscious decision to proceed without further controls, typically because the cost of treatment exceeds the expected loss. Risk mitigation reduces the probability or impact of the risk through controls. Memorize all four risk treatment strategies; they appear constantly in CCSP and CISSP exam questions.
Domain 6 — Legal, Risk & Compliance
Question 25 of 25
A cloud security assessor is reviewing a SaaS vendor. The vendor provides a SOC 2 Type I report. What is the MOST significant limitation of this report compared to a SOC 2 Type II?
- A. Type I covers fewer security domains than Type II
- B. Type I is not recognized by international regulators
- C. Type I only attests that controls are suitably designed at a point in time, not that they operated effectively over a period
- D. Type I does not include an auditor opinion
Why C is correct: SOC 2 Type I reports on the design of controls at a single point in time ("are the controls the right controls?"). SOC 2 Type II reports on both the design AND the operating effectiveness of controls over a period (typically 6-12 months) — "did those controls actually work, consistently, over time?" For vendor due diligence, Type II is significantly more meaningful because it shows sustained operational performance, not just a snapshot. Always prefer Type II when assessing third-party cloud providers.
How to Score Yourself
Count how many you answered correctly before reading the explanations, then check your domain-by-domain results:
Overall Score Guide (out of 25)
23–25 correct (92%+)
Excellent — you're exam ready
19–22 correct (76–88%)
Good — review weak domains
15–18 correct (60–72%)
Needs work — structured review required
Below 15 (under 60%)
Not ready — consider postponing your exam date
⚠️ Important context: The real exam passing score is 700 out of 1000 on ISC2's scaled scoring, which is not the same as answering 70% of the questions correctly; the scaled score doesn't map directly to a raw percentage. This free quiz uses a straightforward multiple-choice format, while the actual exam includes more complex scenario-based questions and innovative item types. A strong score here doesn't guarantee a passing score on exam day, and vice versa. Use this as a diagnostic, not a prediction.
Pay attention to your wrong answers by domain. If you missed the two Domain 2 questions on data disposal and the data lifecycle (Questions 5 and 8), that's a signal: spend focused time on the cloud data security domain before exam day. If you missed the compliance questions, revisit GDPR, SOC 2, and eDiscovery concepts.
What to Do After This Quiz
25 questions gives you a directional signal, not a complete picture. Here's how to build from here:
1. Identify Your Weakest Domains
The CCSP exam weights domains unequally. Domain 2 (Cloud Data Security) is 20% of the exam — getting that domain wrong costs you more than getting Domain 6 (13%) wrong. Prioritize your review time accordingly.
CCSP Domain Weights (Current Exam)
- Domain 1 — Cloud Concepts, Architecture & Design 17%
- Domain 2 — Cloud Data Security 20%
- Domain 3 — Cloud Platform & Infrastructure Security 17%
- Domain 4 — Cloud Application Security 17%
- Domain 5 — Cloud Security Operations 16%
- Domain 6 — Legal, Risk & Compliance 13%
2. Build a Study Plan
If you don't already have a structured plan, our 90-day CCSP study plan breaks each domain into weekly study blocks with resource recommendations, practice exam milestones, and a final-week sprint strategy.
3. Deep-Dive the Domains
Our complete CCSP domains guide covers all six domains in depth — key concepts, exam weight, what to focus on, and the questions that trip people up most often. It's the fastest way to build a mental map of the full exam blueprint.
4. Practice at Volume
25 questions is a warmup. The real exam is 125 questions. You need to practice at volume, ideally 500+ questions across all domains, before exam day. Timed full-length mock exams are especially critical in the final 3-4 weeks, both to build stamina and to surface the specific sub-topics you're still weak on.
💡 Also Studying for CISSP or CISM?
Much of the Domain 6 content (risk management, compliance frameworks) overlaps with the CISSP exam. If you're planning to pursue CISSP alongside or after CCSP, that's a real efficiency gain. Security managers might also find value in the CISM certification, which focuses on enterprise risk governance and incident management.
5. Understand the Exam Is About Judgment, Not Memorization
The CCSP exam is not a memory test. It tests your ability to make sound security decisions in realistic cloud scenarios. The "best" answer is often not the most technically correct one — it's the one that a senior security professional with good judgment would choose, balancing risk, cost, and business requirements.
When you're unsure between two answers, ask yourself: "What would a senior CISO recommend?" Not "what's technically possible?" but "what's the right call for the organization?"
Ready to Practice at Full Scale?
These 25 questions are just the beginning. Access 1,000+ expert-verified CCSP practice questions with AI-powered gap analysis — so you know exactly which domains need more work before exam day.
Start Free 7-Day Trial →
Related Guides
Complete breakdown of all 6 CCSP domains — key concepts, exam weights, and what to study in each area.
Week-by-week study plan from first review to exam day, with resource recommendations and practice exam milestones.
If you're deciding between CCSP and CISSP, this comparison covers experience requirements, career paths, and how to sequence your certifications.