This free CCSP study guide walks through every content domain the Certified Cloud Security Professional exam tests, organized to the current ISC2 exam outline (effective October 1, 2025).[1]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
The CCSP tests six official domains (one Common Body of Knowledge), co-developed by ISC2 and the Cloud Security Alliance. We teach all six in six study modules — one per domain, in order — and lead with the heaviest-weighted content.
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full cloud-security textbook.
CCSP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.
CCSP Exam Snapshot
| Detail | CCSP Exam |
|---|---|
| Questions | 100–150 items (adaptive); 25 unscored pretest items in the minimum form |
| Format | Computerized Adaptive Testing (CAT); multiple choice + advanced items |
| Time | 3 hours maximum |
| Passing score | 700 out of 1000 (scaled) |
| Administered by | ISC2 (with the Cloud Security Alliance), delivered at Pearson VUE |
| Certifying body | ISC2 |
| Eligibility | 5 yrs IT (3 in security, 1 in a CCSP domain); CISSP satisfies it fully; or Associate of ISC2 |
| Cost | $599 USD (verify on-site; pricing varies) |
| Recertification | Every 3 years — 90 CPE credits (min 30/yr) + $135 annual maintenance fee |
| Outline version | Effective October 1, 2025 (CAT) |
The CCSP covers six domains. Unlike many exams the weights are fairly even, but Cloud Data Security is the largest at 20%, and Domains 1, 3, and 4 are each 17% — so most of the exam sits in the first four domains.[1] Study by weight:
| Domain | Weight |
|---|---|
| 1. Cloud Concepts, Architecture & Design | 17% of the exam |
| 2. Cloud Data Security | 20% of the exam |
| 3. Cloud Platform & Infrastructure Security | 17% of the exam |
| 4. Cloud Application Security | 17% of the exam |
| 5. Cloud Security Operations | 16% of the exam |
| 6. Legal, Risk & Compliance | 13% of the exam |
Module 1 · Cloud Concepts, Architecture & Design
One official domain, 17% of the exam. This domain is the vocabulary and mental model for everything else: what cloud actually is, the service and deployment models, how security duties are split, and the principles of secure cloud design. Get this right and the rest of the CCSP clicks into place.
1.1 Cloud Concepts & Service Models
NIST defines cloud computing by five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. All five must be present for a service to be true cloud — and resource pooling is what creates multi-tenancy, the source of most cloud isolation concerns.[4]
There are three service models — IaaS, PaaS, and SaaS — and the model decides how much you must secure (see 1.2). There are also four core deployment models: public, private, community, and hybrid (plus multi-cloud).
| Model | Provider manages | Customer manages | Example |
|---|---|---|---|
| IaaS | Hardware, network, virtualization | OS, runtime, apps, data | Raw VMs and storage |
| PaaS | Up to the runtime/platform | Application and data only | Managed app platform/database |
| SaaS | Everything but your data/settings | Data and limited settings | A finished web application |
1.2 Reference Architecture & Shared Responsibility
The shared responsibility model is the most-tested concept in this domain. Security duties are split between the cloud service provider (CSP) and the cloud service customer (CSC), and the boundary shifts by service model. The provider always secures the physical layer and the virtualization layer; the customer always secures its data and access — no matter the model.[5]
Other roles in the cloud reference architecture include the cloud broker, the cloud partner, and the regulator. Secure design then layers in zero trust — granting no implicit trust by network location and verifying every request — which fits the cloud’s lack of a fixed perimeter.
1.3 Secure Design & Evaluating Providers
Secure cloud design starts with the cloud secure data lifecycle (taught in Module 2), BCDR planning, cost-benefit analysis, and functional security requirements. It increasingly relies on newer technologies, among them confidential computing (protecting data in use).
When you evaluate a cloud provider, you verify it against recognized criteria — ISO/IEC 27017 and ISO/IEC 27018 for cloud controls, Common Criteria (ISO/IEC 15408) for product assurance, and FIPS 140-3 for validated cryptographic modules — plus attestations like SOC 2 and the CSA STAR registry.
| Criterion | What it certifies |
|---|---|
| ISO/IEC 27017 | Cloud-specific information security controls |
| ISO/IEC 27018 | Protection of PII in public clouds (privacy) |
| Common Criteria (ISO/IEC 15408) | Security assurance of a product/system |
| FIPS 140-3 | Validation of cryptographic modules |
| SOC 2 | Controls for security, availability, integrity, confidentiality, privacy |
| CSA STAR / CCM | Cloud security posture (self-assessed or certified) |
Checkpoint · Cloud Concepts, Architecture & Design
Which characteristic of cloud computing as defined by NIST allows a consumer to unilaterally provision computing capabilities such as server time and network storage without requiring human interaction with the service provider?
Module 2 · Cloud Data Security
One official domain, 20% of the exam — the largest. Data is what you are ultimately protecting, so this domain is the heart of the CCSP: the data lifecycle, storage, encryption and key management, obfuscation, discovery, classification, rights management, retention, and auditability.
2.1 Data Lifecycle & Storage
Cloud data security is organized around the cloud secure data lifecycle — six phases data passes through, each with its own controls. Storage types differ by service model: IaaS uses long-term, ephemeral, and raw-disk storage; PaaS and SaaS use structured and unstructured stores; object, file, volume, and database storage all appear.
1. Create: Data is generated or modified — by a user, an application, or a device. Classify and label it as early as possible.
2. Store: Data is committed to storage (object, volume, database). Apply encryption at rest and access controls.
3. Use: Data is viewed or processed. Protect data in use; enforce least privilege and rights management (IRM).
4. Share: Data is made available to others or other systems. Control egress with DLP and secure transit (TLS).
5. Archive: Data leaves active use for long-term retention. Apply retention policy, encryption, and integrity checks.
6. Destroy: Data is permanently removed — in the cloud this means crypto-shredding (destroying the keys), since physical destruction isn't possible.
2.2 Encryption, Keys & Obfuscation
Encryption is the backbone of cloud data protection — at rest, in transit, and (with confidential computing) in use. The hard part is key management: who holds the keys decides who can read the data. BYOK (bring your own key) lets the customer bring keys into the provider’s KMS; HYOK (hold your own key) keeps keys entirely outside the provider’s reach.
Beyond encryption, data obfuscation hides sensitive values: tokenization, data masking, and anonymization. For resilience and confidentiality, data dispersion and bit splitting spread data across locations.
| Technique | How it works |
|---|---|
| Tokenization | Replaces sensitive data with a non-sensitive token; the real value lives in a separate secure vault. Reversible only via the vault — common for PCI/PAN data. |
| Encryption | Transforms data into ciphertext with a key. Reversible with the key — the strongest protection, but key management is the hard part. |
| Data masking | Substitutes or scrambles data while preserving its format (e.g., a fake but valid-looking SSN). Used for test/dev and non-production data. |
| Anonymization | Irreversibly strips identifying information so data can never be re-linked to an individual. Not reversible by design. |
And when data must go, the cloud answer to data remanence is crypto-shredding — destroy the keys and the ciphertext becomes useless, because you can’t physically shred a provider’s multi-tenant disks.[7]
| Model | Who holds the keys | Trade-off |
|---|---|---|
| Provider-managed | The cloud provider | Easiest; the provider can access plaintext |
| BYOK | Customer keys inside the provider's KMS | More control; provider still operates the KMS |
| HYOK | Customer, fully outside the provider | Most control and most operational burden |
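The key-management models and crypto-shredding are easiest to see as a key hierarchy: each object gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK), and whoever operates the store holding the KEK decides the model. The following Python is an added example written for this guide, not code from the guide or from any provider's KMS. Its cipher is a SHA-256 keystream with an HMAC tag, chosen only so the file runs with the standard library (a real KMS uses AES-GCM or similar), and `KeyStore` and `ObjectStore` are constructed stand-ins for a provider's KMS and object storage.

```python
"""Envelope encryption with a customer- or provider-held key-encryption key,
and crypto-shredding by destroying that key.

Added illustrative example (not from the study guide). The cipher is a
SHA-256 keystream with an HMAC tag, used only to stay standard-library; a real
KMS uses AES-GCM or similar. KeyStore and ObjectStore are constructed stand-ins.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from the key and a per-message nonce."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyStore:
    """Holds key-encryption keys (KEKs). Who operates it decides the model:
    provider-managed (provider generates), BYOK (customer imports material into
    the provider's store), or HYOK (customer runs it entirely outside the provider).
    """

    def __init__(self, operator: str):
        self.operator = operator
        self._keks = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = os.urandom(32)  # generated inside this store

    def import_kek(self, kek_id: str, key_material: bytes) -> None:
        self._keks[kek_id] = key_material  # BYOK: customer-supplied material

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return seal(self._keks[kek_id], dek)

    def unwrap(self, kek_id: str, wrapped_dek: bytes) -> bytes:
        kek = self._keks.get(kek_id)
        if kek is None:
            raise KeyError(f"KEK {kek_id} is destroyed or absent")
        return unseal(kek, wrapped_dek)

    def destroy_kek(self, kek_id: str) -> None:
        """Crypto-shredding: once the KEK is gone, every DEK it wrapped, and
        every object those DEKs protected, is unrecoverable."""
        del self._keks[kek_id]


class ObjectStore:
    """Provider-side storage: keeps ciphertext and the wrapped DEK, never the plain DEK."""

    def __init__(self):
        self.objects = {}

    def put(self, name: str, plaintext: bytes, keystore: KeyStore, kek_id: str) -> None:
        dek = os.urandom(32)  # fresh data-encryption key per object
        self.objects[name] = (seal(dek, plaintext), keystore.wrap(kek_id, dek))

    def get(self, name: str, keystore: KeyStore, kek_id: str) -> bytes:
        ciphertext, wrapped_dek = self.objects[name]
        return unseal(keystore.unwrap(kek_id, wrapped_dek), ciphertext)


if __name__ == "__main__":
    customer_kms = KeyStore("customer")  # HYOK-style: the customer operates it
    customer_kms.create_kek("payroll-kek")
    store = ObjectStore()
    store.put("payroll.csv", b"constructed sample payroll data", customer_kms, "payroll-kek")
    print(store.get("payroll.csv", customer_kms, "payroll-kek"))
    customer_kms.destroy_kek("payroll-kek")  # crypto-shred
    print("ciphertext still stored:", "payroll.csv" in store.objects)
```

Note what the shred does and does not do: the provider still holds the ciphertext and the wrapped DEK, but without the KEK neither can be opened, which is exactly why the model matters. In the provider-managed and BYOK cases the provider operates the store that can perform `destroy_kek` (and `unwrap`); only in HYOK does the customer alone hold that power.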
2.3 Classification, IRM, Retention & Audit
You can’t protect what you can’t see. Data discovery finds sensitive data (structured, unstructured, and via real-time analytics); then data classification labels it by sensitivity so the right controls, retention, and destruction rules apply. DLP (data loss prevention) enforces those rules by discovering, monitoring, and blocking unauthorized exfiltration.
IRM (information rights management) binds persistent usage rights to the data itself (so a file stays protected even after it leaves your environment). Finally, retention, deletion, and archiving policies — including legal hold — and auditability (logging data events, preserving chain of custody, and ensuring nonrepudiation) round out the domain.
| Tool / concept | Purpose |
|---|---|
| Data discovery | Find and locate sensitive data across structured and unstructured stores |
| Data classification | Label data by sensitivity to drive handling and protection |
| DLP | Discover, monitor, and block unauthorized data exfiltration |
| IRM | Bind persistent access/usage rights to a data object |
| Retention / legal hold | Keep data for required periods; suspend deletion for litigation |
| Audit logging | Record data events for traceability, accountability, and nonrepudiation |
Checkpoint · Cloud Data Security
In the cloud data lifecycle, which phase immediately follows the Create phase?
Module 3 · Cloud Platform & Infrastructure Security
One official domain, 17% of the exam. This domain secures the cloud’s foundations: the physical environment, network, compute, storage, virtualization, and the management plane — plus risk analysis, security controls, and business continuity for that infrastructure.
3.1 Infrastructure, Virtualization & Risk
Cloud infrastructure spans the physical environment, network and communications, compute, storage, and the virtualization layer that makes multi-tenancy possible — controlled through the management plane, the single most valuable target in the environment. Know your Type 1 vs Type 2 hypervisors.
| | Type 1 — Bare-metal | Type 2 — Hosted |
|---|---|---|
| Runs | Directly on hardware | Atop a host OS |
| Attack surface | No host OS underneath; smaller | Sits on a full host operating system; larger |
| Typical use | Production cloud data centers (ESXi, Hyper-V, KVM, Xen) | Desktops/labs (VirtualBox, VMware Workstation) |
| Trade-off | More secure and higher performance | More convenient, less secure |
The big risks here are virtualization and container threats — most notably VM escape, where a guest breaks isolation to reach the host — and a compromised management plane. Risk assessment identifies, analyzes, and mitigates these cloud-specific threats and vulnerabilities.[6]
3.2 Security Controls & BCDR
Protect the platform with layered controls: physical and environmental protection (HVAC, power, tiered data centers), system and communication protection, virtualization protection, cloud IAM, and audit mechanisms (log collection, correlation, packet capture). Then plan for failure with BCDR.
BCDR starts from business requirements expressed as three metrics: RTO (time to recover), RPO (acceptable data loss), and RSL (capacity needed while degraded). You then create, implement, and — critically — test the strategy.
| Metric | Measures | Drives |
|---|---|---|
| RTO — Recovery Time Objective | Max acceptable time to restore a process | Recovery design and failover speed |
| RPO — Recovery Point Objective | Max acceptable data loss (backward in time) | Backup/replication frequency |
| RSL — Recovery Service Level | Percent of full capacity needed in a disaster | Sizing of recovery resources |
Checkpoint · Cloud Platform & Infrastructure Security
What is the primary purpose of a Trusted Platform Module (TPM) in cloud host hardware?
Module 4 · Cloud Application Security
One official domain, 17% of the exam. This domain is about building and validating secure cloud applications: training and awareness, the secure SDLC, software assurance and testing, cloud application architecture, and identity and access management for applications.
4.1 Secure SDLC & Testing
A secure SDLC builds security into every phase instead of bolting it on at the end. It begins with awareness and training and proceeds through design, build, test, and deploy — with threat modeling (STRIDE, DREAD, PASTA) in design to surface what could go wrong before any code is written.
1. Requirements & training: Capture business, functional, and security requirements; train developers in secure coding and awareness.
2. Design: Threat-model the system (STRIDE, DREAD, PASTA) and design out common vulnerabilities before any code is written.
3. Develop (secure coding): Write code to secure standards (OWASP ASVS, SAFECode); manage configuration and versioning.
4. Test & validate: Run SAST (static), DAST (dynamic), IAST, and software composition analysis (SCA); QA and abuse-case testing.
5. Deploy / verify: Use verified, approved APIs and components; manage the supply chain and third-party/open-source licensing.
6. Operate & maintain: Monitor in production, patch, and feed findings back — DevSecOps automates this in the CI/CD pipeline.
You validate software with complementary testing: SAST (static, on the code), DAST (dynamic, on the running app), IAST (both, instrumented), and SCA (open-source component risk). Use verified, approved APIs and watch for the OWASP Top 10 and supply-chain risks.[1]
| Method | How it tests | Best at |
|---|---|---|
| SAST | Analyzes source/binary without running it | Catching code flaws early |
| DAST | Tests the running app from outside | Runtime/config flaws |
| IAST | Instruments the running app (static + dynamic) | Correlating code to runtime behavior |
| SCA | Inventories open-source components | Vulnerable dependencies / licensing |
4.2 Cloud App Architecture & IAM
Secure cloud application architecture adds supplemental security components: a WAF to filter web traffic, an API gateway to govern APIs, database activity monitoring, and XML firewalls — plus sandboxing and application virtualization/orchestration.
Identity is the new perimeter. Cloud IAM relies on federated identity and an identity provider, SSO, and MFA, governed across SaaS by a CASB. Know the federation standards — SAML, OAuth 2.0, and OpenID Connect (OIDC).
| Standard | What it does | Use |
|---|---|---|
| SAML | XML-based federated authentication | Enterprise web SSO |
| OAuth 2.0 | Delegated authorization (not identity) | Granting an app access to resources |
| OpenID Connect | Authentication layer on top of OAuth 2.0 | Federated login (who the user is) |
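Because OIDC layers authentication on top of OAuth 2.0, the thing a cloud application actually receives is an ID token (a JWT), and the application is only as secure as the checks it performs on that token. The following Python is an added example written for this guide, not code from the guide or from any identity provider. To stay self-contained it signs with HS256 and a constructed shared secret, whereas production providers normally sign with RS256/ES256 and publish the public key through their JWKS endpoint; the claim checks are the same either way. `mint_id_token` stands in for the identity provider.

```python
"""Relying-party validation of an OpenID Connect ID token (JWT).

Added illustrative example (not from the study guide). HS256 with a
constructed shared secret is used so the file runs offline; real IdPs
typically sign with RS256/ES256 and publish keys via JWKS. mint_id_token is a
stand-in for the identity provider.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(secret: bytes, claims: dict) -> str:
    """Stand-in identity provider: header.payload.signature with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode()) + "." +
        _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised for any reason the relying party must reject the token."""


def validate_id_token(token: str, secret: bytes, expected_iss: str,
                      client_id: str, expected_nonce: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience, expiry and nonce all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Pin the algorithm: never let the token choose it (alg=none, key confusion).
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected signing algorithm")

    # 2. Verify the signature before trusting any claim.
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenError("signature check failed")

    claims = json.loads(_b64url_decode(payload_b64))

    # 3. Issuer must be the IdP this application federated with.
    if claims.get("iss") != expected_iss:
        raise TokenError("issuer mismatch")
    # 4. Audience must include this client; a token minted for another app is not ours.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenError("audience mismatch")
    # 5. Time window.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired or missing exp")
    # 6. Nonce ties the token to the login request that asked for it (anti-replay).
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    return claims
```

The ordering is deliberate: the algorithm is pinned and the signature verified before any claim is read, so a forged payload is never parsed as trusted input, and the audience check is what keeps a token issued to one SaaS application from being accepted by another.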
Checkpoint · Cloud Application Security
Which secure software development practice integrates security testing automatically into the build and deployment pipeline?
Module 5 · Cloud Security Operations
One official domain, 16% of the exam. This is where security runs day to day: building and operating physical and logical cloud infrastructure, applying operational controls and standards, supporting digital forensics, managing communications, and running the security operations center.
5.1 Building & Operating Infrastructure
Building secure infrastructure starts at the hardware: BIOS/UEFI and TPM configuration, hardware monitoring, and host attestation to verify a host before trusting it. You then install and configure virtualization management tools and design for availability with high availability, clustering, and redundancy.
Operating it means hardening (OS baselines), patch management, infrastructure as code, and secure access for local and remote administration — RDP, SSH, jumpboxes, and secure consoles. Scalability and capacity keep the environment available.
| Area | Practices |
|---|---|
| Hardware trust | BIOS/UEFI hardening, TPM, host attestation, hardware monitoring |
| Availability | High availability, clustering, redundancy, capacity management |
| Hardening | OS baselines, patch management, infrastructure as code |
| Secure access | SSH, RDP, jumpboxes, secure console/terminal access |
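Host attestation is the mechanism that lets "verify a host before trusting it" actually be enforced: each boot component is measured into a TPM platform configuration register (PCR), the TPM signs a quote over the PCR and a verifier-chosen nonce, and the verifier compares the result to a known-good value. The following Python is an added simulation written for this guide, not code from the guide or from any TPM stack. The PCR-extend rule matches the real TPM one (new = SHA-256(old || measurement)); the quote signature is an HMAC over a shared key so the file runs with the standard library, whereas a real TPM signs quotes with an asymmetric attestation key. The component blobs and keys are constructed.

```python
"""Measured boot and host attestation with a simulated TPM.

Added illustrative example (not from the study guide). PCR extend follows the
real TPM rule; the quote signature is an HMAC stand-in for the TPM's
asymmetric attestation-key signature. Components and keys are constructed.
"""
import hashlib
import hmac
import os


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCRs can only be extended, never set, so the final value commits to
    every measurement and the order in which they were recorded."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot_chain(components: list) -> bytes:
    """Fold the hash of each boot component (firmware, bootloader, kernel, ...) into one PCR."""
    pcr = bytes(32)  # PCRs start at all zeros at power-on
    for blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


class SimulatedTPM:
    def __init__(self, attestation_key: bytes):
        self._ak = attestation_key
        self.pcr = bytes(32)

    def boot(self, components: list) -> None:
        self.pcr = measure_boot_chain(components)

    def quote(self, nonce: bytes) -> dict:
        """Sign the PCR value together with the verifier's nonce."""
        sig = hmac.new(self._ak, nonce + self.pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self.pcr, "sig": sig}


class AttestationVerifier:
    """The side that decides whether to trust the host, for example before
    releasing a disk-encryption key or admitting it to a cluster."""

    def __init__(self, attestation_key: bytes, golden_pcr: bytes):
        self._ak = attestation_key
        self._golden = golden_pcr
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, quote: dict) -> tuple:
        """Returns (trusted, reason)."""
        nonce = quote["nonce"]
        if nonce not in self._outstanding:
            return False, "nonce unknown or already used (replay)"
        self._outstanding.discard(nonce)
        expected = hmac.new(self._ak, nonce + quote["pcr"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return False, "quote signature invalid"
        if not hmac.compare_digest(quote["pcr"], self._golden):
            return False, "PCR does not match known-good boot chain"
        return True, "host attested"


# Constructed boot components; in reality these are firmware, bootloader and kernel images.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-6.1-signed"]


if __name__ == "__main__":
    ak = os.urandom(32)
    verifier = AttestationVerifier(ak, measure_boot_chain(GOOD_CHAIN))
    host = SimulatedTPM(ak)
    host.boot(GOOD_CHAIN)
    print(verifier.verify(host.quote(verifier.challenge())))
```

Two properties carry the security argument: the nonce makes a recorded quote from a previously good boot worthless later, and because extend is one-way a host that booted a modified kernel cannot compute its way back to the golden PCR value.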
5.2 Operational Controls, Forensics & SOC
Operational discipline comes from ITIL / ISO/IEC 20000-1 service-management controls: change, configuration, release and deployment, problem, incident, service-level, and availability/capacity management. Most cloud incidents trace back to weak change or configuration management.
When something goes wrong, the SOC uses a SIEM to aggregate and correlate logs for detection and incident management, and supports digital forensics — evidence collection under chain of custody, following ISO/IEC 27037–27050. Cloud forensics is hard because you don’t control the physical media. You also manage communication with vendors, customers, partners, regulators, and stakeholders.[9]
| Control | What it governs |
|---|---|
| Change management | Evaluating and approving changes (prevents most cloud incidents) |
| Configuration management | Tracking the state and relationships of assets |
| Incident & problem management | Handling events and eliminating root causes |
| Release & deployment management | Controlled, repeatable rollouts |
| Service-level management | Meeting and reporting on SLAs |
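The claim that most cloud incidents trace back to weak change or configuration management is something a SIEM can check directly: every configuration-changing event in the management-plane audit log should reconcile to an approved change record. The following Python is an added example written for this guide, not code from the guide or from any provider or SIEM product. The audit events, the ticket format and the action names are all constructed; in practice you would map them to your provider's audit-log fields and your change-management system.

```python
"""Flag configuration changes that lack an approved change record.

Added illustrative example (not from the study guide). The audit events,
ticket format and action names are constructed; map them to your own
provider's audit log and change-management fields.
"""
import json
from datetime import datetime, timezone

# Constructed audit events (one JSON object per line), as a SIEM might receive them.
SAMPLE_AUDIT_LOG = """
{"time": "2025-11-03T01:05:00Z", "principal": "ops-alice", "action": "UpdateFirewallRule", "target": "fw-prod-1", "change_id": "CHG-1042"}
{"time": "2025-11-03T14:20:00Z", "principal": "dev-bob", "action": "ModifyInstanceRole", "target": "vm-prod-7", "change_id": null}
{"time": "2025-11-03T14:25:00Z", "principal": "dev-bob", "action": "DescribeInstances", "target": "*", "change_id": null}
{"time": "2025-11-03T03:10:00Z", "principal": "ops-carol", "action": "UpdateFirewallRule", "target": "fw-prod-1", "change_id": "CHG-1042"}
"""

# Constructed change records: who may change what, and when.
APPROVED_CHANGES = {
    "CHG-1042": {
        "window": ("2025-11-03T00:00:00Z", "2025-11-03T02:00:00Z"),
        "approved_for": {"ops-alice"},
        "targets": {"fw-prod-1"},
    },
}

# Only actions that alter configuration need a ticket; read-only calls are out of scope.
CONFIG_CHANGING_ACTIONS = {"UpdateFirewallRule", "ModifyInstanceRole", "ModifySecurityGroup"}


def _parse_time(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_changes(log_text: str, approved: dict) -> list:
    """Return one finding per unauthorized change, listing every rule it broke."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event["action"] not in CONFIG_CHANGING_ACTIONS:
            continue
        reasons = []
        change_id = event.get("change_id")
        ticket = approved.get(change_id) if change_id else None
        if change_id is None:
            reasons.append("no change ticket")
        elif ticket is None:
            reasons.append("unknown change ticket")
        else:
            start, end = (_parse_time(t) for t in ticket["window"])
            when = _parse_time(event["time"])
            if not start <= when <= end:
                reasons.append("outside approved window")
            if event["principal"] not in ticket["approved_for"]:
                reasons.append("principal not approved for ticket")
            if event["target"] not in ticket["targets"]:
                reasons.append("target not in ticket scope")
        if reasons:
            findings.append({"time": event["time"], "principal": event["principal"],
                             "action": event["action"], "target": event["target"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_changes(SAMPLE_AUDIT_LOG, APPROVED_CHANGES):
        print(finding)
```

On the constructed log this yields two findings: a role change with no ticket at all, and a firewall change that cites a valid ticket but falls outside its window and was made by someone the ticket did not approve. Reporting every broken rule, rather than stopping at the first, is what makes the finding useful to the change and incident managers who receive it.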
Checkpoint · Cloud Security Operations
Which phase of incident response focuses on limiting the scope and magnitude of an incident?
Module 6 · Legal, Risk & Compliance
One official domain, 13% of the exam — the lightest, but dense with names. This domain covers the legal, privacy, audit, enterprise-risk, and contractual issues unique to the cloud. It is terminology-heavy, which makes it ideal for flashcards.
6.1 Legal, Privacy & Audit
The cloud crosses borders, so conflicting international legislation and data-location rules matter. Privacy law is central: in the EU, GDPR, plus the distinction between regulated and contractual PII, the controller/processor roles, and standards like ISO/IEC 27018. A Privacy Impact Assessment (PIA) assesses privacy risk.
Auditing the cloud is different too: you usually can’t audit the provider directly, so you rely on audit reports — SOC 2 (and SOC 1/SOC 3), ISAE/SSAE attestations — plus gap analysis and a defined audit scope. eDiscovery follows ISO/IEC 27050.
| Report | Reports on | Audience |
|---|---|---|
| SOC 1 | Controls over financial reporting | Auditors / financial stakeholders |
| SOC 2 | Security, availability, integrity, confidentiality, privacy | Customers (under NDA) |
| SOC 3 | A public summary of the SOC 2 | General public |
6.2 Enterprise Risk & Cloud Contracts
Cloud changes enterprise risk: a distributed IT model spreads control across the provider, so you must assess the provider’s risk-management program, risk profile, and risk appetite. Apply a recognized framework — ISO 31000, the NIST RMF, or ENISA — and a risk treatment decision (avoid, mitigate, transfer/share, or accept).
Because you depend on a third party, the contract is your primary control. Key clauses include the SLA and its metrics, data access and location, termination and litigation terms, and protection against vendor lock-in. Supply-chain management follows ISO/IEC 27036.
Checkpoint · Legal, Risk & Compliance
Which document is most commonly used to evaluate the security and assurance posture of a cloud provider against a comprehensive control framework before signing a contract?
How to Use This CCSP Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Lead with Cloud Data Security. It’s the largest domain (20%), and Domains 1, 3, and 4 are each 17% — so the first four domains are most of the exam.
- Think like a cloud architect, not a single-vendor admin. CCSP questions ask for the best answer across people, process, and technology — and they’re vendor-neutral.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until your readiness climbs comfortably toward passing.
CCSP Concept Questions
Common CCSP concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
CCSP Glossary
The high-yield CCSP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Anonymization
- Irreversibly removing identifying information so data can never be re-linked to an individual.
- API gateway
- A managed entry point that enforces authentication, rate limiting, and routing for APIs.
- BCDR
- Business Continuity and Disaster Recovery — plans to maintain and restore operations after a disruption.
- Bit splitting
- Dividing encrypted data into segments distributed across storage nodes so no single node holds usable data.
- Broad network access
- Cloud capabilities are available over the network and accessed through standard mechanisms across diverse client devices.
- BYOK
- Bring Your Own Key — the customer generates or imports its own keys into the provider's KMS.
- CAIQ
- Consensus Assessments Initiative Questionnaire — a CSP self-assessment aligned to the CCM.
- CASB
- Cloud Access Security Broker — a policy enforcement point between users and cloud services giving visibility, compliance, data security, and threat protection.
- Chain of custody
- The documented handling of evidence that preserves its integrity and legal admissibility.
- Cloud broker
- An intermediary that manages the use, performance, and delivery of cloud services and negotiates relationships between providers and customers.
- Cloud computing
- A model for on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort (NIST SP 800-145).
- Cloud reference architecture
- A conceptual model describing cloud roles, activities, and functions (NIST SP 500-292).
- Cloud secure data lifecycle
- The six phases data passes through in the cloud: Create, Store, Use, Share, Archive, Destroy.
- Cloud service customer (CSC)
- The entity that uses cloud services.
- Cloud service provider (CSP)
- The entity that offers and operates cloud services.
- Common Criteria
- ISO/IEC 15408 — an international standard for evaluating the security assurance of products.
- Community cloud
- Cloud infrastructure shared by several organizations with common concerns (mission, compliance).
- Confidential computing
- Protecting data while it is in use by processing it inside a hardware-based trusted execution environment.
- Container
- OS-level virtualization that packages an application with its dependencies and shares the host kernel — lighter than a VM.
- Crypto-shredding
- Cryptographic erasure — making data unrecoverable by destroying its encryption keys; the cloud way to 'destroy' data.
- CSA CCM
- The CSA Cloud Controls Matrix — a vendor-neutral cloud security control framework mapped to major standards.
- CSA STAR
- The CSA Security, Trust, Assurance and Risk registry — provider self-assessment (CAIQ) and third-party certification of cloud security.
- DAST
- Dynamic Application Security Testing — testing a running application from the outside for vulnerabilities.
- Data classification
- Categorizing data by sensitivity so the right protection, handling, and retention rules are applied.
- Data dispersion
- Splitting data into fragments stored across multiple locations (a cloud RAID-like technique) for resilience.
- Data masking
- Obscuring data by substituting or scrambling it while preserving its format, typically for non-production use.
- DevSecOps
- Integrating automated security into DevOps CI/CD pipelines so security keeps pace with continuous delivery.
- DLP
- Data Loss Prevention — tools and processes that discover, monitor, and block unauthorized exfiltration of sensitive data.
- eDiscovery
- The identification, collection, and production of electronically stored information for legal matters (ISO/IEC 27050).
- Encryption
- Transforming plaintext into ciphertext with an algorithm and key; reversible only with the key.
- Federated identity
- Linking a user's identity across multiple systems or organizations so one login works across services.
- FedRAMP
- A U.S. government program that standardizes the security assessment and authorization of cloud services for federal use.
- FIPS 140-3
- The current U.S. federal standard for validating cryptographic modules (succeeding FIPS 140-2).
- GDPR
- The EU General Data Protection Regulation governing the processing of personal data.
- Host attestation
- Verifying the integrity and trust state of a host before extending trust to it.
- Hybrid cloud
- A composition of two or more distinct clouds bound together by technology that enables data and application portability.
- HYOK
- Hold Your Own Key — the customer retains and controls keys entirely outside the provider's environment.
- IaaS
- Infrastructure as a Service — the provider supplies compute, storage, and networking; the customer manages the OS, runtime, and applications.
- IAM
- Identity and Access Management — the framework for managing digital identities and their access rights.
- IAST
- Interactive Application Security Testing — instrumenting a running app to combine static and dynamic analysis.
- IRM
- Information Rights Management — persistent access and usage controls bound to data objects wherever they travel.
- ISO/IEC 27001
- The international standard for an Information Security Management System (ISMS).
- ISO/IEC 27017
- A code of practice for information security controls specific to cloud services.
- ISO/IEC 27018
- A code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors.
- Key management system (KMS)
- A system that generates, stores, rotates, and retires cryptographic keys.
- Management plane
- The centralized console/API used to provision and control cloud resources — a high-value target because of its broad reach.
- Measured service
- Resource usage is metered and reported, enabling pay-per-use billing and optimization.
- MFA
- Multi-Factor Authentication — verifying identity with two or more independent factors from different categories.
- Microsegmentation
- Fine-grained network isolation policies applied down to individual workloads, a building block of zero trust.
- Multi-cloud
- The use of cloud services from more than one provider, often to avoid lock-in or for resilience.
- Nonrepudiation
- Assurance that an actor cannot deny having performed an action.
- On-demand self-service
- A consumer can provision computing capabilities automatically, without human interaction with the provider — one of the five essential cloud characteristics.
- OWASP Top 10
- A community-maintained list of the most critical web application security risks.
- PaaS
- Platform as a Service — the provider supplies a managed platform/runtime; the customer manages only the deployed application and its data.
- PII
- Personally Identifiable Information — data that can identify an individual; 'regulated' vs 'contractual' PII is a tested distinction.
- Privacy Impact Assessment (PIA)
- A structured assessment of the privacy risks of a system or process.
- Private cloud
- Cloud infrastructure provisioned for the exclusive use of a single organization.
- Public cloud
- Cloud infrastructure provisioned for open use by the general public.
- Rapid elasticity
- Capabilities can be scaled out and in quickly, appearing unlimited to the consumer and matching demand.
- Resource pooling
- A provider's resources are pooled to serve multiple consumers in a multi-tenant model, dynamically assigned and reassigned.
- Right to audit
- A contract clause that lets the customer assess a provider's controls (often substituted by SOC 2 / ISO certifications).
- Risk treatment
- How an organization addresses a risk: avoid, mitigate, transfer/share, or accept it.
- RPO
- Recovery Point Objective — the maximum acceptable data loss measured backward in time; it drives backup frequency.
- RSL
- Recovery Service Level — the percentage of full compute capacity a process requires during a disaster.
- RTO
- Recovery Time Objective — the maximum acceptable time to restore a process after a disruption.
- SaaS
- Software as a Service — the provider delivers a fully managed application; the customer manages only its data and limited settings.
- Sandboxing
- Isolating execution so untrusted code cannot affect the wider system.
- SAST
- Static Application Security Testing — analyzing source or binary code without executing it.
- SCA
- Software Composition Analysis — identifying open-source components and their known vulnerabilities.
- Secure SDLC
- Building security into every phase of the software development life cycle rather than testing for it at the end.
- Serverless (FaaS)
- An execution model where the provider fully manages infrastructure and code runs in response to events (Function as a Service).
- Shared responsibility model
- The division of security duties between provider and customer; the boundary shifts by service model — most customer responsibility in IaaS, least in SaaS, with data and access always the customer's.
- SIEM
- Security Information and Event Management — aggregates and correlates logs and events for detection and investigation.
- SLA
- Service Level Agreement — a contractual commitment on service performance and availability metrics.
- SOC
- Security Operations Center — the team and function that monitors and responds to security events.
- SOC 2
- An AICPA report on a provider's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).
- SSO
- Single Sign-On — one authentication grants access to multiple systems.
- STRIDE
- A threat-modeling taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- Tokenization
- Replacing sensitive data with a non-sensitive token mapped to the real value in a separate secure vault.
- TPM
- Trusted Platform Module — a hardware chip that stores keys and supports host attestation.
- Type 1 hypervisor
- A bare-metal hypervisor that runs directly on hardware with no host OS — smaller attack surface; used in production cloud.
- Type 2 hypervisor
- A hosted hypervisor that runs atop a host operating system — larger attack surface; used for desktop labs.
- Vendor lock-in
- Difficulty migrating away from a provider because of proprietary dependencies.
- Virtualization
- Abstracting physical resources into virtual instances so one physical host can run many isolated workloads.
- VM escape
- An attack where code in a guest VM breaks isolation to reach the hypervisor or host, threatening multi-tenant isolation.
- WAF
- Web Application Firewall — filters and monitors HTTP traffic to protect web applications.
- Zero trust
- A model that grants no implicit trust by network location; every request is authenticated, authorized, and continuously validated.
CCSP Study Guide FAQ
As of the October 1, 2025 update, the CCSP uses Computerized Adaptive Testing (CAT): 100 to 150 items with a maximum of 3 hours. The number varies because the test adapts to your performance, and the minimum-length form includes 25 unscored pretest items. Questions are multiple choice and advanced item types.
From the current ISC2 outline: Cloud Concepts, Architecture & Design (17%), Cloud Data Security (20%), Cloud Platform & Infrastructure Security (17%), Cloud Application Security (17%), Cloud Security Operations (16%), and Legal, Risk & Compliance (13%). Cloud Data Security is the heaviest domain.
You need a scaled score of 700 out of 1000 to pass. Because the exam is now adaptive (CAT), a pass/fail result is reported rather than a numerical score, and candidates who do not pass receive domain-level proficiency feedback to guide further study.
You need five years of cumulative, paid work experience in information technology, of which three years must be in information security and at least one year in one or more of the six CCSP domains. An active CISSP satisfies the entire requirement; a CSA CCSK waives one year. Without the experience, you can pass and become an Associate of ISC2, earning it within six years.
Study by weight. Cloud Data Security is the largest domain (20%), so invest there, but Domains 1, 3, and 4 are each 17% and closely connected. Read each module, take the checkpoint quiz, then drill weak spots with our free practice test and flashcards until your readiness climbs comfortably toward passing.
The standard exam fee is about $599 USD (verify on-site, as pricing varies by region and promotion). After certifying, you recertify every three years by earning 90 Continuing Professional Education (CPE) credits — at least 30 per year — and paying ISC2's $135 annual maintenance fee.
The CCSP is an advanced certification co-developed by ISC2 and the Cloud Security Alliance, focused entirely on securing data, applications, and infrastructure in the cloud. It is broad and scenario-heavy. CISSP is broader information security; CCSP goes deep on cloud, and holding a CISSP satisfies the CCSP experience requirement.
The CCSP is issued by ISC2, co-developed with the Cloud Security Alliance, and delivered at Pearson VUE test centers. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
1. ISC2. “CCSP Certification Exam Outline (effective October 1, 2025).” isc2.org.
2. ISC2. “CCSP — Certified Cloud Security Professional.” isc2.org.
3. ISC2. “CCSP Experience Requirements.” isc2.org.
4. National Institute of Standards and Technology. “SP 800-145: The NIST Definition of Cloud Computing.” csrc.nist.gov.
5. National Institute of Standards and Technology. “SP 800-146: Cloud Computing Synopsis and Recommendations.” csrc.nist.gov.
6. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
7. Cloud Security Alliance. “Security Guidance for Critical Areas of Focus in Cloud Computing v4.0.” cloudsecurityalliance.org.
8. Cloud Security Alliance. “Cloud Controls Matrix (CCM).” cloudsecurityalliance.org.
9. International Organization for Standardization. “ISO/IEC 27017 — Cloud information security controls.” iso.org.
10. International Organization for Standardization. “ISO/IEC 27018 — Protection of PII in public clouds.” iso.org.
11. FedRAMP (U.S. General Services Administration). “FedRAMP — Program overview.” fedramp.gov.
101. National Institute of Standards and Technology (NIST). “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov, accessed 19 June 2026.
102. International Organization for Standardization (ISO/IEC). “ISO/IEC 27037 — Digital evidence identification, collection, acquisition and preservation.” iso.org, accessed 19 June 2026.
103. Cloud Security Alliance (CSA). “CSA STAR Registry.” cloudsecurityalliance.org, accessed 19 June 2026.