CCSP exam domains
The CCSP exam is weighted across 6 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Cloud Concepts, Architecture and Design | 17% | Practice this topic |
| Cloud Data Security | 20% | Practice this topic |
| Cloud Platform and Infrastructure Security | 17% | Practice this topic |
| Cloud Application Security | 17% | Practice this topic |
| Cloud Security Operations | 16% | Practice this topic |
| Legal, Risk and Compliance | 13% | Practice this topic |
Sample CCSP questions
A sample of the CCSP questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- A development team exposes a REST API for a multi-tenant cloud SaaS. During a security review, a tester finds that by changing the numeric 'accountId'…View question
- A financial services company exposes internal microservices to trusted partner banks through a cloud API gateway. Security requires that both the call…View question
- A financial services company is designing its BCDR strategy for a customer-facing transaction platform hosted in a single cloud region. Business leade…View question
- A hospital is evaluating a new cloud-based scheduling application. The CISO requires that clinicians be able to access the application from hospital w…View question
- A cloud operations team runs a customer-facing SaaS platform on autoscaling IaaS. Over three consecutive months, month-end batch processing has caused…View question
- A cloud forensics investigator at a financial services firm is collecting log data from a CSP-managed SIEM to support an anticipated fraud lawsuit. To…View question
- A cloud operations engineer discovers that a critical authentication microservice is failing intermittently in production due to an expired configurat…View question
- A financial services company is preparing for its annual ISO 27001 certification audit of its cloud-hosted trading platform. The compliance manager wa…View question
- A financial services firm is negotiating a contract with a large public IaaS provider. The firm's internal audit team insists on including a tradition…View question
- A financial services firm is being audited against its own controls, many of which now depend on a SaaS provider that hosts customer transaction data.…View question
Key CCSP terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the CCSP exam.
CCSP frequently asked questions
What is the CCSP certification?+
CCSP is widely regarded as the leading vendor-neutral cloud-security certification and is often paired with CISSP for practitioners who have moved into cloud security.
It is broad across the cloud lifecycle rather than tied to one platform, so success rewards understanding cloud concepts and controls that apply across AWS, Azure, and Google Cloud alike.
What topics are on the CCSP exam?+
The CCSP exam is organised into six weighted domains. The percentages below are ISC2’s official weightings for scored content, so bias your study toward the heavier domains — Cloud Data Security is the single largest slice of the exam.
Cloud Concepts, Architecture and Design (17%)
Covers cloud computing concepts and roles, the cloud reference architecture, deployment models (public/private/hybrid/community) and service models (IaaS/PaaS/SaaS), the shared responsibility model, and secure cloud design principles.
Cloud Data Security (20%)
The largest domain. Covers the cloud data lifecycle, data security technologies (encryption, key management, tokenization, masking), data discovery and classification, information rights management (IRM), and retention, deletion, and auditability.
Cloud Platform and Infrastructure Security (17%)
Covers cloud infrastructure components (compute, network, storage, virtualization, management plane), the risks of cloud infrastructure, business continuity and disaster recovery (BCDR), and securing the management plane and hypervisor.
Cloud Application Security (17%)
Covers secure SDLC for cloud apps, common application vulnerabilities (OWASP) and threat modeling, secure software configuration and supply-chain/API security, and identity and access management including federated identity and secrets management.
Cloud Security Operations (16%)
Covers building and operating cloud infrastructure securely, operational controls and standards (change/configuration management, patching), the SOC and its monitoring, logging, and incident management, and managing digital evidence in the cloud.
Legal, Risk and Compliance (13%)
Covers legal requirements and unique cloud risks (eDiscovery, forensics, cross-border data), privacy issues such as GDPR, audit processes and assurance frameworks (SOC reports, ISO 27017/27018), and outsourcing, vendor, and SLA management.
Is the CCSP hard?+
CCSP is a hard exam because it combines advanced security judgment with cloud-specific nuance: you must apply the shared responsibility model correctly and choose the best control for a given service model and threat.
The six domains span the whole cloud lifecycle and the adaptive format adjusts to your performance. The challenge is breadth plus cloud-specific reasoning, not single-provider trivia.
How many questions are on the CCSP exam and how long is it?+
The live CCSP exam is a Computerized Adaptive Test (CAT) of 100–150 items in 3 hours, using multiple choice and advanced item types.
Our full-length practice mock uses a fixed 100-question, 180-minute session so you can rehearse pacing across all six domains before test day.
What score do you need to pass the CCSP?+
CCSP is scored on a scale of 0 to 1000, and you need a scaled score of 700 to pass. Because the live exam is adaptive, questions are not all worth the same and there is no penalty for guessing, so answer everything. Our practice mock uses a 70% threshold as a study checkpoint; aim comfortably beyond it before test day.
How much does the CCSP exam cost?+
The CCSP exam fee is set by ISC2 and varies by region — check the ISC2 site for current pricing. Certification also requires meeting the experience requirement and paying an annual maintenance fee. Everything on this hub is free.
Who should take the CCSP?+
CCSP is aimed at experienced security and IT professionals working in or moving into cloud security — security architects, cloud engineers, and security consultants.
ISC2 requires five years of cumulative paid IT experience, including three years in information security and one year in one or more of the six CCSP domains. Holding CISSP satisfies the entire CCSP experience requirement.
What jobs and salaries can the CCSP lead to?+
CCSP maps to roles such as cloud security architect, cloud security engineer, security consultant, and security operations lead.
How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. CCSP is best viewed as validation of advanced, vendor-neutral cloud-security competence.
How long does it take to study for the CCSP?+
Experienced candidates often need two to three months of steady study, especially to internalize the shared responsibility model and cloud data security controls.
Review every explanation, including for questions you answered correctly, because CCSP distractors are built from plausible but sub-optimal cloud choices. Use the per-domain results here to find your weakest area, then finish with full-length timed mocks.
How should you prepare for the CCSP?+
Study the six domains above, giving the heaviest weight to Cloud Data Security, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.
When you can reason to the best cloud control comfortably, move to full-length timed mocks. Use the glossary to keep concepts like the shared responsibility model, tokenization, and BCDR straight, and aim to score consistently above the checkpoint before you book.
Can you take the CCSP exam online?+
ISC2 delivers CCSP exclusively at Pearson VUE test centers — there is currently no at-home online-proctored option, so you sit the exam in person at a scheduled testing center. Bring government-issued photo ID; the center provides a secure, monitored environment.
If you do not pass, ISC2 enforces a retake policy with a waiting period between attempts and a cap on attempts per year — check the current policy before rebooking.
What certification should you take after the CCSP?+
After CCSP, many pair it with CISSP for a broad-plus-cloud security profile, or specialize further with provider-specific security certifications from AWS, Azure, or Google Cloud.
For many, the real next step is leading cloud-security design and operations in production. Pairing CCSP with hands-on cloud work is what turns the certificate into a career.