CCSP is ISC²'s cloud-focused cert, positioned as the cloud sibling of CISSP. In practice, it is not one exam. It is two halves that happen to share a blueprint, and whether you pass depends on which half you study.

The split

CCSP has six domains:

  1. Cloud Concepts, Architecture and Design (17%)
  2. Cloud Data Security (20%)
  3. Cloud Platform and Infrastructure Security (17%)
  4. Cloud Application Security (17%)
  5. Cloud Security Operations (16%)
  6. Legal, Risk and Compliance (13%)

Domains 1–5 are predominantly technical. Domain 6 plus parts of Domain 2 (data residency, retention, legal discovery) are auditor-and-compliance territory. Roughly, the exam is 70% technical and 30% GRC — and the GRC 30% is concentrated enough to be its own distinct skill.

What engineers miss

Engineers come to CCSP from strong technical backgrounds (SAA, AZ-500, Security+) and blow through domains 1–5. Then they hit Domain 6 and lose 40% of the points in a domain that represents 13% of the exam, which puts them right at the pass line.

The specific items engineers lose on:

  • eDiscovery requirements and data custody chains
  • Differences between regulatory frameworks: GDPR vs CCPA vs HIPAA vs PCI DSS at the clause level
  • Data-residency requirements by jurisdiction
  • Cloud contract terms (SLA vs master services agreement vs DPA)
  • The respective roles of an auditor, a regulator, and a certifying body

None of this is technical. All of it is the vocabulary of GRC work.

What auditors miss

Auditors come to CCSP from CISA, CRISC, or compliance work. They know Domain 6 cold. They lose points on the technical domains, specifically:

  • Hypervisor security and container isolation models
  • The shared responsibility model's actual boundaries (who patches what)
  • Key management architectures: KEK vs DEK, key hierarchy, HSM-backed vs software-backed
  • Cryptographic erasure vs physical destruction vs overwriting
  • Network security in specific cloud architectures (VPCs, NSGs, ACLs, service endpoints)

Same problem, opposite side of the exam.

The split study plan

My recommendation: look at yourself honestly and study the weak half twice as hard as the strong half. The ratios I give candidates:

If you are an engineer:

  • 60% of study time on Domain 6 + legal/compliance parts of Domain 2
  • 30% on domains 1–5 (you already know this, you are just filling gaps)
  • 10% on full-length mock exams

If you are an auditor:

  • 60% on domains 1, 3, and 4 (architecture, platform, application)
  • 30% on domains 2, 5, 6 (you already know the legal and operations context)
  • 10% on full-length mock exams

If you are neither (or both):

  • 25% Domain 6 + legal portions
  • 25% domains 3 and 4 (the most technically dense)
  • 25% domains 1, 2, 5
  • 25% mocks

What the Domain 6 content actually is

Since this is where most people are weak, here is the outline I use:

  1. Legal requirements, risks, and issues. GDPR, CCPA, HIPAA, SOX, PCI DSS, ISO 27001, SOC 2 (Type 1 vs Type 2), FedRAMP. Know what each one applies to and the main clauses.
  2. Privacy. PII definitions across jurisdictions (the US vs EU vs UK distinction matters), consent, data subject rights under GDPR.
  3. Audits. Internal vs external, attestation vs certification, SOC report types.
  4. Cloud contracts. SLAs, uptime clauses, data-return-on-termination, right-to-audit clauses, subcontractor notification.
  5. Outsourcing and vendor risk. Fourth-party risk, right to exit, data portability.
  6. Cross-border data transfers. Schrems II implications, standard contractual clauses (SCCs), adequacy decisions.

If none of that reads familiar, you have three to four weeks of study ahead of you for Domain 6 alone.

The CCSP vs other cert decisions

Candidates often ask whether to take CCSP, AWS Security Specialty, or Azure AZ-500. They are not substitutes:

  • AWS Security Specialty is 100% AWS-technical. If your job is AWS, take it.
  • AZ-500 is 100% Azure-technical. If your job is Azure, take it.
  • CCSP is cloud-vendor-neutral and GRC-aware. If your job involves multiple clouds, compliance oversight, or vendor management across clouds, take it.

CCSP also carries ISC²'s ethics-and-CPE framework, which matters for some employers. AWS and Azure certs do not.

The experience requirement

CCSP requires five years of cumulative, paid work experience in IT, of which at least three years must be in information security and one year must be in one or more of the six CCSP domains. A CISSP in good standing waives the full experience requirement. That waiver is the strongest argument for CISSP-then-CCSP as a study sequence if you have the time.

Timing

CCSP is 125 questions in 4 hours, still in linear format (not CAT like CISSP post-2024). The pass mark is 700/1000. Three hours is plenty once you know the material. The pacing issue is almost entirely in the first hour, where Domain 6 scenarios can eat 90 seconds each if you are reading them for the first time.

Budget 120 hours of study total across 10–12 weeks. Weight it toward whichever half of the exam is your weak half. That is the right plan for CCSP; treating it like one exam is how people end up at 680/1000 on their first sit.