(ISC)2 CCSP: Requirements, Exam Format and Study Path

  • Certified Cloud Security Professional certification
  • Published by: André Hammer on Feb 01, 2024
Group classes

Many teams assume the (ISC)2 CCSP is simply a cloud version of CISSP for anyone who works with hosted services. That view misses the point: CCSP is aimed at experienced IT and security professionals who need to secure cloud architecture, data, applications, operations and compliance across service models and providers.

The Certified Cloud Security Professional certification is a vendor-neutral credential from (ISC)2. It is designed for people who already understand information security and now need to show that they can apply those principles in cloud environments, where responsibilities are shared, architectures are distributed and legal requirements often depend on where data is processed.

Last updated: 2026. Candidates should always check the current (ISC)2 CCSP exam outline, certification handbook and Pearson VUE registration pages before booking, because exam policies, fees and delivery options can change.

What the CCSP certification signals

CCSP is most useful when a role involves evaluating or securing cloud environments beyond a single product console. A cloud security architect may use the knowledge to review landing zone designs, key management, identity boundaries and network segmentation. A security engineer may apply it when implementing logging, encryption, workload protection and incident response controls. A governance, risk and compliance professional may use it to translate privacy, audit and contractual requirements into technical controls that can be verified.

Hiring teams often treat CCSP as evidence that a candidate can reason across cloud security domains rather than recite one provider’s service names. That matters in architecture reviews, supplier assessments and RFP responses, where the question is rarely whether a feature exists and more often whether the control design is appropriate for the risk, jurisdiction and service model.

The certification is not a substitute for hands-on platform skill. Someone responsible for day-to-day Azure, AWS or Google Cloud configuration may need a provider-specific security certification first, especially if the immediate work involves conditional access, security posture management, native key services or cloud-native detection rules in one ecosystem. By contrast, CCSP becomes more valuable when the role spans multiple clouds, SaaS risk, shared responsibility, legal requirements and architecture governance. CISSP remains broader across information security leadership and management, while CCSP goes deeper into cloud security across six domains.

Eligibility and experience requirements

To become fully certified, a candidate needs five years of cumulative paid work experience in information technology. Within that total, three years must be in information security, and one year must be in one or more of the six CCSP domains. A candidate may sit the exam before meeting the experience requirement, but full certification is awarded only after the experience and endorsement requirements are satisfied.

The experience requirement should be interpreted through the work performed, not just the job title. Designing secure cloud landing zones, implementing KMS or HSM-backed key management, defining cross-border data controls, assessing SaaS risk, building cloud logging and incident response processes, or mapping ISO/IEC 27001 and NIST SP 800-53-style controls to cloud services are all examples of work that may be relevant. Helpdesk-only work, basic account provisioning or general infrastructure support with no security or cloud responsibility usually does not provide enough evidence on its own.

(ISC)2 recognises some substitutions and waivers. Holding CISSP can satisfy the full CCSP experience requirement. The CCSK certificate can count toward one year of experience in the CCSP domains. A relevant degree or approved credential may also reduce part of the required experience, subject to the current (ISC)2 rules. Candidates who pass the exam without the required experience can become an Associate of (ISC)2 while they continue building the required work history.

Exam format and domain weighting

The CCSP exam is delivered through Pearson VUE. The current exam format is four hours with 150 items, and the passing score is 700 out of 1000. The exam is available in multiple languages, but candidates should confirm the available language options in the current (ISC)2 exam outline and Pearson VUE booking flow for their location.

The exam is organised around six domains. The weightings are important because they should influence study time. A candidate who spends most of the preparation window memorising cloud architecture definitions but gives little attention to legal, operational and application security topics is likely to feel underprepared for scenario-based questions.

CCSP domain Weight What it means in practice
Cloud Concepts, Architecture and Design Cloud characteristics, service models, deployment models, reference architectures and design principles.
Cloud Data Security Data classification, encryption, tokenisation, masking, lifecycle management, retention and data location issues.
Cloud Platform and Infrastructure Security Virtualisation, compute, network security, storage, resilience, secure baselines and infrastructure risk.
Cloud Application Security Secure development, identity-aware application design, APIs, threat modelling, software assurance and DevSecOps concepts.
Cloud Security Operations Monitoring, logging, vulnerability management, incident response, forensics, change management and operational controls.
Legal, Risk and Compliance Regulatory obligations, audit, contracts, privacy, eDiscovery, jurisdiction and risk management.

The highest-weighted domain is cloud data security, which reflects a practical reality: many cloud breaches and compliance failures are rooted in weak data governance rather than exotic attacks. Candidates should be comfortable with the full data lifecycle, including where data is created, processed, stored, archived, replicated and destroyed.

Scheduling, retakes and endorsement

Registration is handled through the official (ISC)2 process and Pearson VUE. In practice, candidates create or use their (ISC)2 account, select the CCSP exam, review the current exam agreement and policies, then schedule through Pearson VUE based on available test centre or online proctoring options where offered. Fees, taxes and rescheduling rules should be checked at the point of booking rather than assumed from third-party summaries.

Retake rules are also governed by (ISC)2 policy. Candidates who do not pass should review the current waiting periods and attempt limits before scheduling again. A useful retake plan starts with the domain performance feedback, then rebuilds preparation around weak domains instead of simply repeating the same practice questions.

After passing, candidates complete the endorsement process. This is where preparation can save time. Before submission, candidates should gather job titles, dates, manager or endorser details, project descriptions and clear mappings between their work and the CCSP domains. The descriptions do not need to be long, but they should be specific enough to show cloud security responsibility rather than general IT participation.

Maintaining the certification

CCSP is maintained through continuing professional education and annual maintenance requirements. The certification requires 90 CPE credits over a three-year cycle, and an annual maintenance fee applies. Candidates should confirm the current AMF amount directly with (ISC)2 because fees can vary by membership status and may change over time.

The most sustainable approach is to plan CPE around real work rather than treat it as an administrative task at the end of the cycle. Architecture reviews, threat modelling workshops, incident response exercises, formal training, conference sessions, policy work and security research can all support continuing development when they align with the CPE rules. Calendar reminders for annual AMF payment, CPE submission and cycle deadlines reduce the risk of a preventable lapse.

How to prepare without overfitting to one cloud

A strong CCSP study plan follows the exam blueprint rather than the learner’s favourite platform. Many candidates over-index on one provider’s services and then struggle when the exam asks about shared responsibility, control selection or legal obligations in provider-neutral terms. Memorising service names without mapping them to security controls is a weak preparation strategy.

Hands-on practice still matters. Labbing across two cloud providers helps candidates separate general security concepts from product-specific implementation details. For example, configuring encryption, identity boundaries, centralised logging and network segmentation in more than one environment makes it easier to understand what changes between platforms and what remains conceptually stable.

A practical schedule should weight study time according to the domain percentages, while leaving room near the end for cross-domain scenarios. Legal and compliance acronyms deserve concise notes because small distinctions can create last-mile errors. Security operations also deserves attention: cloud incident response, forensics readiness, logging scope and evidence preservation frequently expose whether a candidate understands how cloud security works under operational pressure.

Structured training can help when it follows the official outline and leaves time for independent practice. Readynez offers a CCSP course for candidates who want guided preparation; this article is educational content from a training provider, so readers should still validate exam facts against (ISC)2 before booking.

CCSP compared with CISSP and provider-specific certifications

CISSP and CCSP overlap in security thinking, but they are not interchangeable. CISSP covers broad information security across eight domains and is often associated with security leadership, governance and enterprise risk. CCSP narrows the lens to cloud security and expects candidates to apply security principles to cloud architecture, data, platforms, applications, operations and legal risk.

A provider-specific cloud security certification is usually better when the immediate goal is to operate or secure a defined environment. A security engineer responsible for Azure-native controls, for instance, may need platform depth before a vendor-neutral credential. CCSP is better suited when the role requires comparing architectures, setting security requirements across providers, assessing SaaS and cloud contracts, or advising on controls that must survive changes in vendor tooling.

Professionals who already hold CISSP may find CCSP useful when their work has moved into cloud architecture, cloud risk or cloud governance. Professionals without CISSP should choose based on scope: broad security leadership points toward CISSP, while cloud-specialist responsibilities point toward CCSP. The better choice is the one that matches the work being done in the next year, not the one that sounds more senior.

References to verify before booking

The most reliable sources for final exam decisions are the official (ISC)2 CCSP exam outline, the (ISC)2 certification handbook, the (ISC)2 continuing education guidance and Pearson VUE scheduling information. Standards such as ISO/IEC 27001 and NIST SP 800-53 are also useful reference points when studying governance, control selection and assurance, but the exam should be prepared against the CCSP outline rather than any single standard.

FAQ

What is the (ISC)2 CCSP certification?

The (ISC)2 Certified Cloud Security Professional certification validates cloud security knowledge across architecture, data security, platform and infrastructure security, application security, operations, legal risk and compliance. It is vendor-neutral, so it focuses on principles and control decisions rather than one cloud provider’s product names.

What are the CCSP experience requirements?

Candidates need five years of cumulative paid IT experience, including three years in information security and one year in one or more CCSP domains. CISSP can satisfy the experience requirement, CCSK can count toward one year, and candidates who pass the exam before meeting the requirement may follow the Associate of (ISC)2 path.

What is the CCSP exam format?

The current CCSP exam is four hours long and contains 150 items. The passing score is 700 out of 1000. Candidates should confirm language availability, delivery options and booking rules through (ISC)2 and Pearson VUE before scheduling.

How should candidates prepare for CCSP?

Preparation should follow the official domain weighting, include hands-on work across more than one cloud where possible, and cover legal, compliance and incident response topics as seriously as architecture. Common mistakes include memorising provider services without understanding the underlying control, ignoring differences between SaaS, PaaS and IaaS responsibility models, and leaving cloud logging and forensics until the end.

Is CCSP better than CISSP?

Neither certification is inherently better. CISSP is broader across information security leadership and management, while CCSP is more focused on cloud security. The right choice depends on role scope, current responsibilities and whether the candidate needs broad security coverage, cloud-specialist depth or platform-specific implementation skill.

Building a realistic CCSP path

The strongest reason to pursue CCSP is alignment with real cloud security responsibility. Candidates who regularly review architectures, protect cloud data, assess SaaS risk, design logging strategies or map compliance obligations to technical controls are likely to gain more from the certification than candidates who only need basic cloud familiarity.

Readers comparing structured options can also review the broader (ISC)2 training catalogue. Readynez also includes CCSP preparation within Unlimited Security Training for professionals planning several security certifications, and questions about fit or scheduling can be raised through the contact team.

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}