ISC2 · 2026 Edition
A complete preparation guide written by ISC2-certified engineers. Covers the exam format, all 6 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 4–6 months
Difficulty: Advanced
Exam questions: 150
Pass mark: 700/1000
Exam code: CCSP
Full name: CCSP
Vendor: ISC2
Duration: 240 minutes
Questions: 150 items
Passing score: 700/1000 (scaled)
Domains covered: 6 blueprint domains
Recommended experience: 5 years of paid IT work experience including 3 in security and 1 in cloud security; CISSP holders waive the experience requirement
Typical prep time: 4–6 months
CCSP is the leading cloud security certification. It validates deep knowledge of cloud architecture, data security, application security, cloud operations, and legal compliance — required or preferred at enterprises building cloud security programmes.
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Month 1
Cloud Concepts, Architecture and Design: cloud reference architecture, security concepts, design principles
Tip: Know the cloud deployment models (public, private, community, hybrid) and service models (IaaS, PaaS, SaaS) cold — CCSP questions apply security controls differently based on the model. The shared responsibility matrix shifts with each service model: IaaS gives you the most control (and most responsibility), SaaS the least.
Month 2
Cloud Data Security: data lifecycle, classification, IRM, data discovery, privacy
Tip: The Cloud Security Alliance (CSA) data lifecycle has 6 phases: Create → Store → Use → Share → Archive → Destroy. Know what security controls apply at each phase. 'Destroy' is often the most tested phase because a tenant cannot physically destroy media that belongs to the cloud provider — know the cryptographic erase (crypto-shredding) technique, in which the data-encryption key is destroyed so the ciphertext that remains on provider storage and backups is unrecoverable.
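The following is an added illustration of cryptographic erase, not code from the original guide or from ISC2/CSA. It models a customer-controlled key store and provider object storage with hypothetical class names, and uses an HMAC-SHA256 counter-mode keystream as a stand-in for AES so that it runs on the Python standard library alone. The point it demonstrates is the one the tip makes: the ciphertext is never removed from the provider's media, yet once its key is destroyed the object is unreadable, while objects under other keys stay readable, which is why per-data-set keys make the Destroy phase granular.

```python
import hashlib
import hmac
import os


class KeyDestroyedError(Exception):
    """Raised when an object's data-encryption key no longer exists."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream.

    Illustrative stand-in for an AEAD cipher such as AES-GCM so the
    example needs only the standard library; not a production choice
    (it provides confidentiality only, with no integrity check)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


class KeyStore:
    """Hypothetical customer-controlled KMS: one key per data set."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def create(self, key_id: str) -> None:
        self._keys[key_id] = os.urandom(32)

    def get(self, key_id: str) -> bytes:
        try:
            return self._keys[key_id]
        except KeyError:
            raise KeyDestroyedError(key_id) from None

    def destroy(self, key_id: str) -> None:
        # Only the key material is removed; the ciphertext it protected
        # stays wherever the provider stored it (and in provider backups).
        self._keys.pop(key_id, None)


class EncryptedObjectStore:
    """Hypothetical provider storage: holds only (key id, nonce, ciphertext)."""

    def __init__(self, keys: KeyStore) -> None:
        self.keys = keys
        self.objects: dict[str, tuple[str, bytes, bytes]] = {}

    def put(self, name: str, plaintext: bytes, key_id: str) -> None:
        nonce = os.urandom(16)  # fresh per object so keystreams never repeat
        ks = _keystream(self.keys.get(key_id), nonce, len(plaintext))
        self.objects[name] = (key_id, nonce, _xor(plaintext, ks))

    def get(self, name: str) -> bytes:
        key_id, nonce, ct = self.objects[name]
        return _xor(ct, _keystream(self.keys.get(key_id), nonce, len(ct)))

    def crypto_erase(self, key_id: str) -> None:
        """The Destroy phase for cloud data: delete the key, not the media."""
        self.keys.destroy(key_id)


def demo() -> dict:
    """Constructed scenario: two data sets under two keys, one erased."""
    keys = KeyStore()
    keys.create("tenant-a/hr-2024")
    keys.create("tenant-a/finance-2024")
    store = EncryptedObjectStore(keys)
    store.put("hr/payroll.csv", b"employee,salary\nalice,1000", "tenant-a/hr-2024")
    store.put("finance/ledger.csv", b"account,balance\nops,5000", "tenant-a/finance-2024")

    hr_before = store.get("hr/payroll.csv")
    store.crypto_erase("tenant-a/hr-2024")

    try:
        store.get("hr/payroll.csv")
        hr_readable_after = True
    except KeyDestroyedError:
        hr_readable_after = False

    return {
        "hr_before": hr_before,
        "hr_ciphertext_still_stored": "hr/payroll.csv" in store.objects,
        "hr_readable_after_erase": hr_readable_after,
        "finance_still_readable": store.get("finance/ledger.csv")
        == b"account,balance\nops,5000",
    }


if __name__ == "__main__":
    print(demo())
```

Note the design choice the exam expects you to recognise: the erase operation touches the key store, which the customer controls, and never the object store, which the customer does not. If the key had instead been shared across every data set, or had been held only by the provider, the Destroy phase could not be selective or customer-verifiable.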
Month 3
Cloud Platform and Infrastructure Security: virtualisation security, identity management, network controls
Tip: Hypervisor security is a core CCSP topic. Know the difference between Type 1 (bare-metal, runs directly on hardware) and Type 2 (hosted, runs on top of an OS) hypervisors. VM escape attacks target the hypervisor layer — know what they are and how container isolation compares to VM isolation.
Month 4
Cloud Application Security and Security Operations: SDLC, API security, SOC, BCDR
Tip: CCSP questions on cloud operations focus on cloud-specific incident response. Know that forensic evidence collection in cloud environments is complicated by shared tenancy (you cannot seize physical hardware) and that chain of custody depends on contractual SLAs and provider cooperation.
Month 5–6
Legal, Risk and Compliance: jurisdiction issues, e-discovery, auditing, privacy regulations
Tip: Legal jurisdiction in cloud computing is a major CCSP topic. Know that data stored in another country's cloud region is subject to that country's laws (e.g. EU data in an EU region is subject to GDPR; data in a US cloud region may be subject to the CLOUD Act). Understand what data processing agreements (DPAs) and standard contractual clauses (SCCs) accomplish.
CCSP requires 5 years of paid work experience in IT, including 3 years in information security and 1 year in cloud security. CISSP holders can waive the cloud security experience requirement. Candidates without the experience can earn Associate of (ISC)² status after passing the exam and then accumulate the experience.
The CSA Cloud Controls Matrix (CCM) is the primary cloud security control framework referenced in CCSP. Know its structure: control domains (e.g. Application and Interface Security, Data Security and Privacy Lifecycle Management) and how it maps to ISO 27001, NIST, and PCI DSS.
Cloud access security brokers (CASBs) sit between cloud service users and providers to enforce security policies. Know the four pillars of CASB: Visibility (discover sanctioned and shadow IT), Compliance (enforce data governance policies), Data Security (apply DLP to cloud data), and Threat Protection (detect account compromise).
eDiscovery in the cloud requires working with the provider to produce relevant data. Know the Electronic Discovery Reference Model (EDRM): Identification → Preservation → Collection → Processing → Review → Analysis → Production → Presentation. Cloud challenges arise primarily at the Collection phase.
CCSP aligns closely with CISSP — if you hold CISSP, you share many of the concepts. The key difference is CCSP's depth in cloud-specific topics: multi-tenancy risks, cloud provider auditing, sovereignty issues, and cloud-native security controls.
Apply everything in this guide with adaptive practice questions, detailed answer explanations, and domain analytics.
Deep-dive explanations of the key topics tested on CCSP — with exam key points and common misconceptions.