certification guide
ISC2 CCSP® — Certified Cloud Security Professional
The CCSP is ISC2’s flagship cloud security credential — the certification that says you can secure data, applications, and infrastructure in someone else’s data center, where you control the configuration but not the concrete. It sits a tier above vendor cloud certs: instead of testing which console button to click, it tests whether you understand shared responsibility, data sovereignty, cryptographic custody, and the legal machinery that follows data across borders. Most candidates arrive with CISSP-level security experience and real cloud scars; the exam rewards exactly that kind of judgment.
Two logistics notes worth knowing before you book. Since October 1, 2025 the CCSP is delivered as a Computerized Adaptive Test — the exam adjusts item difficulty to your performance, so the question count varies between 100 and 150 and there is no going back to review earlier answers. And effective August 1, 2026, ISC2 moves the CCSP to a refreshed exam outline from its latest Job Task Analysis, with deeper AI/ML security coverage folded into the existing six domains. Test on or before July 31, 2026 and you sit the current outline described below; test after and you should pull the new outline PDF from isc2.org and expect shifted domain weights.
Cloud Concepts, Architecture and Design
The vocabulary and blueprints everything else stands on: service categories and deployment models, the ISO cloud role cast (customer, provider, partner, broker), essential characteristics, and the shared responsibility line as it moves across IaaS, PaaS, SaaS — and now AI-as-a-Service. Expect design-principle questions on zero trust, secure data lifecycle, BC/DR strategy, cost-benefit thinking, and evaluating providers against ISO/IEC 27017, PCI DSS, Common Criteria, and FIPS 140 validation.
Cloud Data Security
The heaviest domain, and for most candidates the hardest. It covers the full data lifecycle in the cloud: discovery and classification, encryption architectures (BYOK vs. HYOK, envelope encryption), tokenization and masking, DLP placement, Information Rights Management, retention and legal hold, crypto-shredding, and the logging attributes that make data events accountable and non-repudiable. If you only over-prepare one domain, make it this one.
Cloud Platform and Infrastructure Security
The layer beneath the workloads: physical and environmental data center design, compute, storage, virtualization, and the management plane — the single most consequential thing to protect in any cloud estate. Risk analysis of multi-tenant infrastructure (side channels, VM escape), security control planning, audit mechanisms including packet capture, and BC/DR engineering against RTO, RPO, and recovery service level targets all live here.
Cloud Application Security
Secure software delivery at cloud speed: the secure SDLC, threat modeling methodologies (STRIDE, DREAD, PASTA, ATASM), the testing alphabet (SAST, DAST, IAST, SCA), abuse-case thinking, and supply-chain assurance for third-party code — including pre-trained ML models treated as software components. Architecture topics cover API gateways, WAFs, sandboxing, microservices trust boundaries, and the IAM stack: federation, IdPs, SSO, MFA, CASB, and secrets management.
Cloud Security Operations
Running the environment day to day: hardware roots of trust (TPM, HSM), bastion-mediated remote access, OS baselining and drift remediation, patching, IaC strategy, clustered-host availability mechanics, and monitoring across network, compute, storage, and response time. The ITIL/ISO 20000-1 process set — change, incident, problem, release, deployment, configuration — is tested directly, alongside cloud digital forensics, SOC operations, and SIEM/SOAR.
Legal, Risk and Compliance
The lightest domain by weight but the one that separates the CCSP from purely technical cloud certs: conflicting international legislation, GDPR roles and breach notification, contractual versus regulated data, eDiscovery under ISO/IEC 27050, PIAs, and the audit report taxonomy (SOC 1/2/3, Type I vs. II, SSAE/ISAE, carve-out scopes). Contract design closes it out — right to audit, SLAs and MSAs, vendor viability, escrow, and supply-chain security under ISO/IEC 27036.
Our practice exam mirrors the live experience where it matters: 125 scenario-driven questions weighted exactly to the official domain percentages, a three-hour clock, and — in keeping with how ISC2 actually writes items — distractors that are defensible, not dismissible. Most questions ask for the best answer among several plausible ones, and every explanation tells you why the winner beats the near-miss. ISC2 scores the live exam on a 700-out-of-1000 scale; we set the pass mark at 70% as the honest raw-score equivalent, so a passing run here means genuine coverage across all six domains — not luck in the heavy ones.
ISC2 CCSP - Practice Exam
125 original questions modeled on the ISC2 CCSP exam outline (effective October 1, 2025) and weighted to the official domain percentages: Cloud Concepts, Architecture and Design…
Subscribe to startTrademark notice & independence. ISC2®, CCSP®, CISSP®, CGRC®, and CBK® are registered marks of ISC2, Inc. Certifym.net is operated by Certifym Exam Services, LLC and is not affiliated with, endorsed by, or sponsored by ISC2, Inc. Certification names and marks are used solely to identify the certifications for which our independent practice materials are designed. The CCSP exam outline and its domain structure are the property of ISC2, Inc.; candidates should download the official, current exam outline directly from isc2.org.
All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISC2 examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam. Exam format, domain weights, and eligibility criteria are set by ISC2 and may change — including the new exam outline effective August 1, 2026; always verify current details at isc2.org before scheduling your exam.
