What are the six CCSP domains and their weights?
The CCSP six-domain structure is: Cloud Concepts, Architecture and Design (17%); Cloud Data Security (20%); Cloud Platform and Infrastructure Security (17%); Cloud Application Security (17%); Cloud Security Operations (16%); and Legal, Risk, and Compliance (13%). Cloud Data Security is the largest and most failed domain because it tests fluency with data lifecycle, encryption strategy, key management, and tokenisation simultaneously.
The CCSP (Certified Cloud Security Professional) sits in an unusual middle ground between vendor-neutral generalist credentials like CISSP and vendor-specific cloud certifications like the AWS Certified Security - Specialty or the Microsoft AZ-500. ISC2 designed CCSP jointly with the Cloud Security Alliance (CSA) in 2015, and the credential has matured into the dominant cloud-security generalist certification, particularly inside regulated industries that need vendor-neutral signal. The 2024 outline refresh significantly increased the weight of zero-trust and confidential-computing topics, and the 2026 exam reflects those changes. This guide walks through each of the six domains, what to expect, and where candidates most often lose points.
What CCSP actually requires of you
Before diving into domain content, two qualification facts trip up candidates. First, CCSP requires five years of cumulative paid work experience in IT, of which three years must be in information security and one year must be in one or more of the six CCSP domains. The overlap with CISSP is substantial: ISC2 accepts a current CISSP as a substitute for the entire CCSP experience requirement. Second, the Certificate of Cloud Auditing Knowledge (CCAK) is sometimes confused with CCSP; CCAK is a certificate issued jointly by ISACA and the CSA, not an ISC2 certification, and it is shorter and cheaper.
The exam itself is a 4-hour, 150-question linear-form (not adaptive) test. Passing requires a scaled score of 700 out of 1000. Candidates who hold CISSP typically find CCSP 20 to 30 percent easier in raw study time because the CISSP CBK already covers half of Domain 6 and parts of Domain 1.
"Treat CCSP as the natural sequel to CISSP. The architectural reasoning skills are the same; only the substrate is different. Candidates who have just earned CISSP can usually pass CCSP with three months of focused study rather than the six to nine months others need." -- Brandon Dunlap, ISC2 community moderator and long-time security broadcaster
Domain 1: Cloud Concepts, Architecture and Design (17%)
Domain 1 is the conceptual foundation. It tests whether you can reason about the NIST cloud definition (SP 800-145) under exam-time pressure, distinguish service models, distinguish deployment models, and apply the Cloud Security Alliance Cloud Controls Matrix (CCM) to architectural decisions.
Service models. IaaS (Infrastructure-as-a-Service) provides virtualised compute, storage, and networking. PaaS (Platform-as-a-Service) provides a managed runtime, often including managed databases and queues. SaaS (Software-as-a-Service) provides a complete application accessed by browser or API.
Deployment models. Public cloud serves multiple unrelated tenants on shared infrastructure. Private cloud serves a single organisation. Community cloud serves a group of related organisations such as a regulated industry consortium. Hybrid cloud combines two or more of the above with orchestration.
Cloud Reference Architecture -- a vendor-neutral architectural pattern published by NIST in SP 500-292 that defines the actors (consumer, provider, broker, carrier, auditor) and their relationships. Domain 1 items often present a scenario and ask which role a given actor occupies.
The hardest items in Domain 1 ask about shared responsibility at the boundary cases, particularly serverless and container platforms. AWS Lambda, Google Cloud Run, and Azure Functions sit at the upper edge of the PaaS model (the provider owns the runtime, the operating system, and the scaling), and the exam expects you to know that the customer remains responsible for code, dependencies, secrets, identity, and data even when the provider handles the runtime.
Domain 2: Cloud Data Security (20%)
Domain 2 is the largest and the highest-stakes. It covers the cloud data lifecycle (create, store, use, share, archive, destroy), data classification, information rights management (IRM), encryption strategy, key management, tokenisation, data masking, and data loss prevention (DLP).
| Subtopic | What the exam tests |
|---|---|
| Data lifecycle | Map a scenario to the correct lifecycle stage |
| Encryption strategy | Choose between client-side, server-side, and BYOK |
| Key management | Distinguish between KMS, HSM, and customer-managed keys |
| Tokenisation | Recognise when tokenisation is preferred over encryption |
| DLP | Identify which DLP mode (network, endpoint, cloud) applies |
| Data sovereignty | Reason about cross-border data transfer obligations |
The encryption-strategy items are the most failed. Candidates know what AES-256 is but cannot articulate when client-side encryption with customer-held keys is preferable to server-side encryption with provider-held keys. The CCSP-correct answer always turns on who controls the keys: the regulatory obligations in play, whether the provider ever holds a usable copy of the key, and therefore whether the provider can read the data when served with a subpoena or other compelled-disclosure order.
A worked Domain 2 scenario
A financial services firm processes EU resident PII in a US-based AWS region and must satisfy GDPR as interpreted by the CJEU's Schrems II judgment. The exam asks which control most reliably protects the data from compelled disclosure to the US government. The correct answer is client-side encryption with keys held in a customer-controlled HSM in the EU, because the provider then holds only ciphertext and cannot decrypt it even if compelled. Server-side encryption with provider-managed keys is wrong because the provider can decrypt under compulsion. Bring-Your-Own-Key (BYOK) with provider-side encryption is also wrong for the same reason: once the key is imported, the provider's KMS holds a usable copy. The legal basis tested is the 2020 Schrems II ruling (Case C-311/18) by the Court of Justice of the European Union.
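The scenario above comes down to one question: after a compelled-disclosure order, does the provider hold a key that unwraps the data-encryption key? The following Go program is an added example, not code from the page or from any provider's SDK; it models envelope encryption (a fresh AES-256-GCM data key per record, wrapped under a key-encryption key) and then lets a simulated provider try to read the record using only the keys its own KMS holds. The HSM, the KMS, the key names and the sample PII record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the provider holds for one record: the ciphertext and the
// data-encryption key (DEK) wrapped under a key-encryption key (KEK). Whoever holds the
// KEK can unwrap the DEK and read the record; where the KEK lives is the exam's point.
type StoredObject struct{ Ciphertext, WrappedDEK []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; under the wrong key the authentication tag check fails.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EnvelopeEncrypt encrypts plaintext under a fresh DEK and wraps the DEK with kek.
// Client-side encryption: kek is generated and kept in the customer's EU HSM and only
// the resulting StoredObject is uploaded. Server-side encryption (including BYOK): kek
// is a key the provider's KMS holds, so the provider can always perform the unwrap.
func EnvelopeEncrypt(kek, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := gcmSeal(kek, dek)
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, err
}

// EnvelopeDecrypt succeeds only for the party holding the KEK used at wrap time.
func EnvelopeDecrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := gcmOpen(kek, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, obj.Ciphertext)
}

// ProviderCompelledRead models a compelled-disclosure order: the provider tries every KEK
// its KMS holds. It can only succeed if one of them is the key that wrapped the DEK.
func ProviderCompelledRead(obj StoredObject, providerKEKs [][]byte) ([]byte, error) {
	for _, kek := range providerKEKs {
		if pt, err := EnvelopeDecrypt(kek, obj); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("provider holds no key that unwraps the DEK")
}

func main() {
	customerKEK := make([]byte, 32) // lives in the customer's EU HSM, never uploaded
	providerKEK := make([]byte, 32) // lives in the provider's KMS (provider-managed or BYOK)
	rand.Read(customerKEK)
	rand.Read(providerKEK)
	pii := []byte("constructed sample: EU resident PII record")
	clientSide, _ := EnvelopeEncrypt(customerKEK, pii)
	_, err := ProviderCompelledRead(clientSide, [][]byte{providerKEK})
	fmt.Println("client-side encrypted, provider compelled, readable:", err == nil) // false
	serverSide, _ := EnvelopeEncrypt(providerKEK, pii)
	got, _ := ProviderCompelledRead(serverSide, [][]byte{providerKEK})
	fmt.Println("server-side encrypted, provider compelled, readable:", string(got) == string(pii)) // true
}
```

The only difference between the two scenarios is which key set the provider's `ProviderCompelledRead` has access to; the ciphertext format is identical. That is why BYOK does not change the exam answer: importing the KEK into the provider's KMS puts it in exactly that key set.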
Domain 3: Cloud Platform and Infrastructure Security (17%)
Domain 3 tests the security of the substrate: virtualisation, containers, microservices, software-defined networking, and the management plane. The 2024 refresh added confidential computing (Intel SGX, AMD SEV-SNP, AWS Nitro Enclaves) and service mesh security (Istio, Linkerd) as testable topics.
The hardest Domain 3 questions involve the management plane. The management plane is the API surface through which you provision, configure, and destroy cloud resources. A compromise of the management plane is typically more damaging than a compromise of any single workload because it allows an attacker to exfiltrate, encrypt, or destroy resources at scale. The 2019 Capital One breach is a recurring case study: a misconfigured web application firewall (WAF) running on an EC2 instance let an attacker make server-side requests to the instance metadata service, which returned temporary credentials for an over-privileged IAM role, and those management-plane credentials were then used to list and copy roughly 100 million customer records from S3. It illustrates exactly this risk class: the blast radius was set by what the role was allowed to do through the cloud API, not by the workload itself.
- Hypervisor escape -- a vulnerability allowing guest VM code to execute on the host. Mitigations include defence in depth, hypervisor patching, and dedicated tenancy for sensitive workloads.
- Container escape -- a vulnerability or misconfiguration allowing a containerised process to break out of its namespaces and cgroups and act on the host, whose kernel every container on the node shares. Mitigations include rootless containers, running unprivileged with capabilities dropped, gVisor sandboxing, and Kata Containers.
- Service mesh policy -- a control plane that enforces mutual TLS, authorisation, and observability policies between services. The exam expects you to know the difference between sidecar and ambient deployments.
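Most container-escape questions on the exam reduce to a handful of pod settings: privileged mode, shared host namespaces, root, privilege escalation, retained capabilities, and whether a sandboxed runtime (gVisor, Kata) is requested. The following Go program is an added example, not code from the page or from any Kubernetes project; it audits a Pod manifest for those settings, the way an admission controller or CI check would. It reads the JSON form of the manifest (kubectl accepts JSON as well as YAML) so it needs only the standard library, and the two sample manifests, the `gvisor` RuntimeClass name, and the image names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// pod is the slice of the Kubernetes Pod schema these checks need. Pointers distinguish
// "explicitly false" from "not set", because the Kubernetes defaults are the permissive ones.
type pod struct {
	Spec struct {
		HostPID          bool   `json:"hostPID"`
		RuntimeClassName string `json:"runtimeClassName"`
		Containers       []struct {
			Name            string `json:"name"`
			SecurityContext *struct {
				Privileged               *bool `json:"privileged"`
				RunAsNonRoot             *bool `json:"runAsNonRoot"`
				AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
				ReadOnlyRootFilesystem   *bool `json:"readOnlyRootFilesystem"`
				Capabilities             *struct {
					Add  []string `json:"add"`
					Drop []string `json:"drop"`
				} `json:"capabilities"`
			} `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

func isTrue(b *bool) bool { return b != nil && *b }

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// AuditPod returns one finding per setting that widens the blast radius of a container
// escape. An empty result means the manifest passes every check here.
func AuditPod(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	var f []string
	if p.Spec.HostPID {
		f = append(f, "pod shares the host PID namespace (hostPID: true)")
	}
	if p.Spec.RuntimeClassName == "" {
		f = append(f, "no runtimeClassName: default runtime shares the host kernel with no gVisor/Kata sandbox")
	}
	for _, c := range p.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			f = append(f, c.Name+": no securityContext (image default user, privilege escalation allowed)")
			continue
		}
		if isTrue(sc.Privileged) {
			f = append(f, c.Name+": privileged: true grants all capabilities and host device access")
		}
		if !isTrue(sc.RunAsNonRoot) {
			f = append(f, c.Name+": runAsNonRoot not enforced")
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			f = append(f, c.Name+": allowPrivilegeEscalation not set to false")
		}
		if !isTrue(sc.ReadOnlyRootFilesystem) {
			f = append(f, c.Name+": root filesystem is writable")
		}
		if sc.Capabilities == nil || !has(sc.Capabilities.Drop, "ALL") {
			f = append(f, c.Name+": capabilities not dropped (drop: [\"ALL\"] missing)")
		}
		if sc.Capabilities != nil && has(sc.Capabilities.Add, "SYS_ADMIN") {
			f = append(f, c.Name+": CAP_SYS_ADMIN added, a common container-escape primitive")
		}
	}
	return f, nil
}

// Constructed sample manifests in JSON form; a weak one and a hardened one.
const WeakPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"debug-shell"},
 "spec":{"hostPID":true,"containers":[{"name":"shell","image":"busybox",
  "securityContext":{"privileged":true,"capabilities":{"add":["SYS_ADMIN"]}}}]}}`
const HardenedPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"api"},
 "spec":{"runtimeClassName":"gvisor","containers":[{"name":"api","image":"registry.example/api:1.2",
  "securityContext":{"runAsNonRoot":true,"allowPrivilegeEscalation":false,
   "readOnlyRootFilesystem":true,"capabilities":{"drop":["ALL"]}}}]}}`

func main() {
	weak, _ := AuditPod([]byte(WeakPod))
	hardened, _ := AuditPod([]byte(HardenedPod))
	fmt.Printf("weak pod: %d findings, hardened pod: %d findings\n", len(weak), len(hardened))
	for _, x := range weak {
		fmt.Println("  -", x)
	}
}
```

The checks deliberately treat an absent field as a failure: a manifest that never mentions `allowPrivilegeEscalation` gets the Kubernetes default, which is to allow it, and that is the pattern the exam's "which setting is missing" items test.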
Domain 4: Cloud Application Security (17%)
Domain 4 covers secure software development, DevSecOps, API security, and identity federation. The 2024 refresh expanded API security coverage to align with the OWASP API Security Top 10 (2023), and added supply-chain integrity controls drawn from NIST SSDF (Secure Software Development Framework).
The hardest Domain 4 questions involve federated identity. The exam expects fluency with SAML 2.0, OAuth 2.0, OIDC (OpenID Connect), and the differences between the authorisation code flow, the implicit flow (now discouraged by the OAuth 2.0 Security Best Current Practice), and the authorisation code flow with PKCE (RFC 7636), which is the recommended choice for public clients such as mobile and single-page applications. Candidates who studied OAuth casually consistently confuse OAuth scopes (what the client is permitted to do) with OIDC claims (assertions about who the user is, carried in the ID token) and pick the wrong mechanism for a given scenario.
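PKCE is the flow detail candidates most often get wrong, because its value is only visible when you trace both sides of the exchange. The following Go program is an added example, not code from the page, from Keycloak, or from any OAuth library: it implements the client's code_verifier and S256 code_challenge exactly as RFC 7636 defines them, and a minimal in-memory authorisation server that stores the challenge at the front-channel step and checks the verifier at the token step. The server model, the client identifiers and the "intercepted code" attack are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns a 43-character code_verifier built from 32 random bytes
// (RFC 7636 section 4.1 requires 43 to 128 unreserved URL characters).
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 is BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding
// (RFC 7636 section 4.2). The challenge travels on the front channel; the verifier never does.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// pending is what the authorisation server remembers when it issues a code.
type pending struct{ clientID, challenge string }

// AuthServer is an in-memory model of the authorisation server's side of the flow.
type AuthServer struct{ codes map[string]pending }

func NewAuthServer() *AuthServer { return &AuthServer{codes: map[string]pending{}} }

// Authorize models the front-channel request: the client sends code_challenge and
// code_challenge_method and receives an authorisation code. Only S256 is accepted;
// the "plain" method sends the verifier itself to anyone who can see the request.
func (s *AuthServer) Authorize(clientID, challenge, method string) (string, error) {
	if method != "S256" {
		return "", fmt.Errorf("code_challenge_method %q not allowed", method)
	}
	code, err := NewCodeVerifier() // same random generator, used here as an opaque code
	if err != nil {
		return "", err
	}
	s.codes[code] = pending{clientID: clientID, challenge: challenge}
	return code, nil
}

// Token models the back-channel exchange. The code is single use and is redeemable only by
// the party that can present the code_verifier behind the stored code_challenge, which is
// what defeats an attacker who intercepted the code on the redirect.
func (s *AuthServer) Token(clientID, code, verifier string) (bool, error) {
	pa, ok := s.codes[code]
	if !ok {
		return false, errors.New("unknown or already used authorisation code")
	}
	delete(s.codes, code) // burn the code whether or not verification succeeds
	if pa.clientID != clientID {
		return false, errors.New("code was issued to a different client_id")
	}
	if subtle.ConstantTimeCompare([]byte(CodeChallengeS256(verifier)), []byte(pa.challenge)) != 1 {
		return false, errors.New("code_verifier does not match code_challenge")
	}
	return true, nil
}

func main() {
	srv := NewAuthServer()
	verifier, _ := NewCodeVerifier()
	code, _ := srv.Authorize("mobile-app", CodeChallengeS256(verifier), "S256")

	// Constructed attack: the code is stolen from the redirect URI, but the verifier is not.
	stolen, err := srv.Token("mobile-app", code, "attacker-guess")
	fmt.Println("attacker redeems intercepted code:", stolen, err)

	code, _ = srv.Authorize("mobile-app", CodeChallengeS256(verifier), "S256")
	ok, err := srv.Token("mobile-app", code, verifier)
	fmt.Println("legitimate client redeems code:", ok, err)
}
```

Note what the server never sees until the token request: the verifier. That is the whole mechanism, and it is why PKCE replaces the implicit flow for public clients, which cannot keep a client secret but can keep a per-request random string in memory.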
Numbered preparation steps for Domain 4
- Read RFC 6749 (OAuth 2.0), RFC 7636 (PKCE), and RFC 7519 (JSON Web Token) end to end. The exam tests details that only appear in the RFCs.
- Build a Keycloak or Auth0 lab and configure SAML, OIDC, and OAuth flows manually so the protocol semantics become muscle memory.
- Read the OWASP API Security Top 10 (2023) and write one-line summaries of each item in your own words.
- Study NIST SSDF (SP 800-218) and map each practice to the OWASP SAMM (Software Assurance Maturity Model) equivalents.
- Practise 50 Domain 4 items from the CCSP Official Practice Tests book before moving on.
Domain 5: Cloud Security Operations (16%)
Domain 5 is the operational discipline domain. It covers SIEM in the cloud, log management, incident response in cloud-native environments, business continuity and disaster recovery (BC/DR), and vulnerability management. The 2024 refresh added a sub-section on cloud-native incident response that expects familiarity with provider-native tooling such as AWS GuardDuty, Microsoft Sentinel (formerly Azure Sentinel), and Google Security Operations (formerly Chronicle).
The most-tested Domain 5 concept is the shared responsibility for incident response. In a cloud incident, the customer must request specific log data from the provider through documented channels, often within tight retention windows. The exam will give a scenario in which a customer needs network flow logs older than 90 days and ask whether the customer or the provider is responsible for retaining them. The default answer is the customer; provider retention is usually 30 to 90 days unless customer configuration extends it.
Domain 6: Legal, Risk, and Compliance (13%)
Domain 6 is the smallest in weight but covers the most disparate content: GDPR, HIPAA, PCI DSS 4.0, SOC 2 Type II, ISO 27001 / 27017 / 27018, FedRAMP, EU-US Data Privacy Framework, and electronic discovery (eDiscovery). Candidates who already hold CISSP find Domain 6 the easiest because most of the content overlaps with CISSP Domain 1.
"Domain 6 is where rote memorisation finally pays off. Memorise the privacy regulations by jurisdiction, memorise the audit framework distinctions, and the points are yours. Spend reasoning energy on Domains 2 and 3 instead." -- Daniel Cuthbert, OWASP Global Board member and lead author of OWASP ASVS
Real candidates and what worked
A cloud security architect, Lina, passed CCSP after three months of study layered on top of an existing CISSP. Her approach: read the CCSP Official Study Guide, 3rd Edition, take the Sybex Practice Tests, then pivot to vendor-specific reading on AWS, Azure, and Google Cloud architecture documents to fill gaps. She passed at scaled 820 of 1000.
A compliance consultant, Pedro, failed his first attempt at scaled 685. His weakness was Domain 3 because he had no hands-on experience with hypervisors or containers. He spent six weeks running Kubernetes the Hard Way and reading the Cilium documentation, then retook and passed at 770. The lesson is that hands-on substrate experience is irreplaceable for Domain 3, and reading alone is insufficient.
The 2017 Equifax breach illustrates Domain 1 and Domain 4 lessons: an unpatched Apache Struts vulnerability in an internet-facing application, combined with insufficient segmentation between the application and the credit data store, produced one of the largest privacy losses in history. The 2020 SolarWinds compromise illustrates Domain 4 supply-chain integrity and Domain 5 detection lessons: malicious code inserted into SolarWinds' own build pipeline shipped inside a signed, trusted Orion update, and the resulting backdoor ran undetected in victim networks for months because it arrived as vendor-signed software and its command-and-control traffic was crafted to resemble normal Orion telemetry.
A 12-week CCSP study plan
The plan assumes 10 hours per week and the candidate already holds CISSP or equivalent baseline experience.
- Weeks 1 to 2. Domain 1. Read NIST SP 800-145 and SP 500-292. Build a service-model and deployment-model comparison sheet. Practise 50 items.
- Weeks 3 to 5. Domain 2. The largest investment. Read the CSA Security Guidance v5. Build a cloud-data-lifecycle flowchart. Practise 100 items.
- Weeks 6 to 7. Domain 3. Build a personal Kubernetes lab. Read the CIS Kubernetes Benchmark. Practise 50 items.
- Weeks 8 to 9. Domain 4. Read RFC 6749 and OWASP API Security Top 10. Build a Keycloak federation lab. Practise 50 items.
- Week 10. Domain 5. Read the AWS Security Incident Response Guide and the Microsoft Cloud Adoption Framework security baselines. Practise 50 items.
- Week 11. Domain 6. Memorise privacy regulations by jurisdiction. Practise 30 items.
- Week 12. Two full-length practice exams under timed conditions. Review every wrong answer. Sleep eight hours per night the week before.
The candidates who pass CCSP consistently report that Domain 2 and Domain 3 absorbed the bulk of their study time, and that Domain 6 absorbed the least despite covering the most disparate content. Match your time allocation to the domain weights and to your existing strengths. Cisco and IBM both reimburse CCSP fees for relevant roles, and the cloud-architect track at major consultancies including Deloitte and Accenture treats CCSP as a near-prerequisite for senior advisory work.
Common preparation mistakes that produce failed attempts
Three preparation patterns produce the most failed attempts, based on debriefs collected from CCSP study Discords and ISC2 community boards.
- Reading without practising. Candidates who read the CCSP Official Study Guide twice without taking practice exams pass at lower rates than candidates who read once and take six practice exams. The exam tests pattern recognition; practice exams build it.
- Treating the CCSP as cloud-vendor exam. The CCSP is vendor-neutral. Candidates with deep AWS experience sometimes pick AWS-specific answers when the CCSP-correct answer is generic. Train yourself to translate vendor terminology into the CCSP's vendor-neutral vocabulary before answering.
- Skipping the legal and regulatory reading. Domain 6 carries 13 percent weight and contains items that are almost free if you have read the relevant regulations once. Candidates who skip the privacy-regulation reading routinely lose 15 to 20 points on items they could have answered correctly with one weekend of preparation.
A senior cloud security architect, Annika Fischer, who has trained over 200 candidates through her boutique training practice, has said publicly that the single biggest predictor of CCSP success is the candidate's willingness to actually build a cloud lab and experiment, rather than rely solely on reading. The exam rewards candidates who have provisioned, broken, and remediated cloud resources with their own hands. Two weekends spent building and breaking a Kubernetes cluster, an AWS multi-account organisation, and a Keycloak federation produces more durable knowledge than two months of passive reading.
One last note on cost and timing
The 2026 CCSP exam fee is $599 in most regions, with an annual maintenance fee of $135 that covers every ISC2 certification a member holds. Compared to the GIAC catalogue, where each certification carries its own $499 renewal fee every four years, the CCSP economics favour candidates who plan to hold multiple ISC2 credentials. Bruce Schneier has long argued that certification value should be measured in problem-solving capability gained rather than badges earned, and the CCSP's combination of vendor neutrality, depth, and reasonable maintenance cost makes it one of the better dollar-for-dollar credentials in the cybersecurity catalogue.
See also: Cloud security certifications: CCSP, AWS, Azure compared, CISSP vs CISM vs CEH, CISSP CBK Domain 3 security architecture.
References
- ISC2. CCSP Exam Outline 2024. International Information System Security Certification Consortium, 2024.
- NIST Special Publication 800-145. The NIST Definition of Cloud Computing. National Institute of Standards and Technology, 2011.
- NIST Special Publication 500-292. NIST Cloud Computing Reference Architecture. National Institute of Standards and Technology, 2011.
- Cloud Security Alliance. Security Guidance for Critical Areas of Focus in Cloud Computing v5. Cloud Security Alliance, 2024.
- NIST Special Publication 800-218. Secure Software Development Framework Version 1.1. National Institute of Standards and Technology, 2022.
- Court of Justice of the European Union. Schrems II Judgment, Case C-311/18. CJEU, 2020.
