ISC2 · Advanced

ISC2 CCSP — Certified Cloud Security Professional (CCSP) practice exam & study guide

The CCSP (Certified Cloud Security Professional) is ISC2’s advanced certification for securing cloud environments, co-created with the Cloud Security Alliance (CSA). It validates the ability to design, operate, and govern cloud security across six domains — from cloud architecture and data security to operations, legal, and compliance.

CCSP is a vendor-neutral, cloud-model-aware credential: questions reason about IaaS, PaaS, and SaaS and the shared responsibility model rather than any single provider’s console. The live exam uses Computerized Adaptive Testing (CAT).

This free hub gives you everything you need to prepare: a syllabus breakdown by exam domain, realistic practice questions with teacher-style explanations, a glossary of the cloud-security concepts the exam relies on, and full-length timed mock exams that mirror the real testing experience.

100
Questions
180 min
Time limit
70%
Mock pass %
6
Domains

Start studying CCSP

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 6 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    100 questions · 180 min · 70% to pass our mock.

    Take the mock exam

All CCSP study resources

CCSP exam domains

The CCSP exam is weighted across 6 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Cloud Concepts, Architecture and Design17%Practice this topic
Cloud Data Security20%Practice this topic
Cloud Platform and Infrastructure Security17%Practice this topic
Cloud Application Security17%Practice this topic
Cloud Security Operations16%Practice this topic
Legal, Risk and Compliance13%Practice this topic

Sample CCSP questions

A sample of the CCSP questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key CCSP terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the CCSP exam.

CCSP frequently asked questions

What is the CCSP certification?+

CCSP is widely regarded as the leading vendor-neutral cloud-security certification and is often paired with CISSP for practitioners who have moved into cloud security.

It is broad across the cloud lifecycle rather than tied to one platform, so success rewards understanding cloud concepts and controls that apply across AWS, Azure, and Google Cloud alike.

What topics are on the CCSP exam?+

The CCSP exam is organised into six weighted domains. The percentages below are ISC2’s official weightings for scored content, so bias your study toward the heavier domains — Cloud Data Security is the single largest slice of the exam.

Cloud Concepts, Architecture and Design (17%)

Covers cloud computing concepts and roles, the cloud reference architecture, deployment models (public/private/hybrid/community) and service models (IaaS/PaaS/SaaS), the shared responsibility model, and secure cloud design principles.

Cloud Data Security (20%)

The largest domain. Covers the cloud data lifecycle, data security technologies (encryption, key management, tokenization, masking), data discovery and classification, information rights management (IRM), and retention, deletion, and auditability.

Cloud Platform and Infrastructure Security (17%)

Covers cloud infrastructure components (compute, network, storage, virtualization, management plane), the risks of cloud infrastructure, business continuity and disaster recovery (BCDR), and securing the management plane and hypervisor.

Cloud Application Security (17%)

Covers secure SDLC for cloud apps, common application vulnerabilities (OWASP) and threat modeling, secure software configuration and supply-chain/API security, and identity and access management including federated identity and secrets management.

Cloud Security Operations (16%)

Covers building and operating cloud infrastructure securely, operational controls and standards (change/configuration management, patching), the SOC and its monitoring, logging, and incident management, and managing digital evidence in the cloud.

Legal, Risk and Compliance (13%)

Covers legal requirements and unique cloud risks (eDiscovery, forensics, cross-border data), privacy issues such as GDPR, audit processes and assurance frameworks (SOC reports, ISO 27017/27018), and outsourcing, vendor, and SLA management.

Is the CCSP hard?+

CCSP is a hard exam because it combines advanced security judgment with cloud-specific nuance: you must apply the shared responsibility model correctly and choose the best control for a given service model and threat.

The six domains span the whole cloud lifecycle and the adaptive format adjusts to your performance. The challenge is breadth plus cloud-specific reasoning, not single-provider trivia.

How many questions are on the CCSP exam and how long is it?+

The live CCSP exam is a Computerized Adaptive Test (CAT) of 100–150 items in 3 hours, using multiple choice and advanced item types.

Our full-length practice mock uses a fixed 100-question, 180-minute session so you can rehearse pacing across all six domains before test day.

What score do you need to pass the CCSP?+

CCSP is scored on a scale of 0 to 1000, and you need a scaled score of 700 to pass. Because the live exam is adaptive, questions are not all worth the same and there is no penalty for guessing, so answer everything. Our practice mock uses a 70% threshold as a study checkpoint; aim comfortably beyond it before test day.

How much does the CCSP exam cost?+

The CCSP exam fee is set by ISC2 and varies by region — check the ISC2 site for current pricing. Certification also requires meeting the experience requirement and paying an annual maintenance fee. Everything on this hub is free.

Who should take the CCSP?+

CCSP is aimed at experienced security and IT professionals working in or moving into cloud security — security architects, cloud engineers, and security consultants.

ISC2 requires five years of cumulative paid IT experience, including three years in information security and one year in one or more of the six CCSP domains. Holding CISSP satisfies the entire CCSP experience requirement.

What jobs and salaries can the CCSP lead to?+

CCSP maps to roles such as cloud security architect, cloud security engineer, security consultant, and security operations lead.

How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. CCSP is best viewed as validation of advanced, vendor-neutral cloud-security competence.

How long does it take to study for the CCSP?+

Experienced candidates often need two to three months of steady study, especially to internalize the shared responsibility model and cloud data security controls.

Review every explanation, including for questions you answered correctly, because CCSP distractors are built from plausible but sub-optimal cloud choices. Use the per-domain results here to find your weakest area, then finish with full-length timed mocks.

How should you prepare for the CCSP?+

Study the six domains above, giving the heaviest weight to Cloud Data Security, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.

When you can reason to the best cloud control comfortably, move to full-length timed mocks. Use the glossary to keep concepts like the shared responsibility model, tokenization, and BCDR straight, and aim to score consistently above the checkpoint before you book.

Can you take the CCSP exam online?+

ISC2 delivers CCSP exclusively at Pearson VUE test centers — there is currently no at-home online-proctored option, so you sit the exam in person at a scheduled testing center. Bring government-issued photo ID; the center provides a secure, monitored environment.

If you do not pass, ISC2 enforces a retake policy with a waiting period between attempts and a cap on attempts per year — check the current policy before rebooking.

What certification should you take after the CCSP?+

After CCSP, many pair it with CISSP for a broad-plus-cloud security profile, or specialize further with provider-specific security certifications from AWS, Azure, or Google Cloud.

For many, the real next step is leading cloud-security design and operations in production. Pairing CCSP with hands-on cloud work is what turns the certificate into a career.