CCSP (ISC2)
Certified Cloud Security Professional
Overview
CCSP (Certified Cloud Security Professional) is ISC2's senior, vendor-neutral cloud security certification. It sits at the intersection of cloud architecture and information security: the six domains cover cloud concepts and design, data security, platform and infrastructure security, application security, security operations, and legal, risk and compliance.
CCSP is not an entry-level exam. Full certification requires five years of cumulative paid IT experience, including three years in information security and at least one year in a CCSP domain. Holding CISSP waives the whole experience requirement; candidates without the experience can pass first and become an Associate of ISC2 while they earn it. The exam is 100 to 150 questions over three hours, scored 700 out of 1000 to pass.
✓ Who it is for
- Experienced security professionals taking on cloud responsibility
- Cloud and enterprise architects who must secure cloud workloads
- CISSP holders who want a vendor-neutral cloud credential
✕ Who it is not for
- Newcomers to security or cloud - CCSP needs five years of paid IT experience to certify (you can pass first as an Associate of ISC2).
- People wanting deep, single-vendor tooling skills rather than vendor-neutral cloud security breadth.
- Anyone needing a quick, cheap credential - this is a senior, costly exam with ongoing maintenance.
Exam structure
| Domain | Weight |
|---|---|
| Cloud Concepts, Architecture and Design | 17% |
| Cloud Data Security | 20% |
| Cloud Platform and Infrastructure Security | 17% |
| Cloud Application Security | 17% |
| Cloud Security Operations | 16% |
| Legal, Risk and Compliance | 13% |
What each domain covers
- Cloud Concepts, Architecture and Design
  - Cloud concepts & reference architecture
  - Shared responsibility model
  - Secure cloud design principles
  - Service & deployment models
- Cloud Data Security
  - Data lifecycle in the cloud
  - Data classification & discovery
  - Encryption, tokenization & masking
  - Data retention, deletion & archiving
- Cloud Platform and Infrastructure Security
  - Cloud infrastructure components
  - Risk analysis of the cloud platform
  - Security controls for compute, storage & network
  - Business continuity & disaster recovery
- Cloud Application Security
  - Secure software development lifecycle
  - Application security testing
  - Identity & access management for apps
  - Cloud application architecture (APIs, sandboxing)
- Cloud Security Operations
  - Operating & managing physical/logical infrastructure
  - Logging, monitoring & SIEM
  - Incident management & change control
  - Communication with stakeholders
- Legal, Risk and Compliance
  - Legal & regulatory requirements
  - Privacy in the cloud
  - Audit processes & assurance
  - Vendor & supply-chain risk
Realistic study time
- CISSP holder / experienced security pro: 50-90 hours over 6-10 weeks
- Security pro, newer to cloud: 100-160 hours over 2-4 months
- Cloud engineer, newer to security: 150+ hours; shore up security fundamentals first
These estimates show relative effort, not a guarantee. Your time depends on background and study method.
What it really costs
Fees change and vary by region. Confirm the current amount on the official site before you register.
Salary & career value
Indicative ranges for orientation only - not surveyed data, and not financial or career advice. Sources and date below.
CCSP is among the higher-paid security credentials because it targets senior cloud security roles. In the US, roles that list it commonly report roughly US$120k-180k, with cloud security architect roles higher. Outside the US the absolute figures are lower, but holders consistently report a premium over non-certified peers.
Pass rate: Not published. ISC2 does not release official pass rates for the CCSP, so any percentages circulating online are third-party estimates rather than verified figures. What ISC2 does state is the passing standard: a scaled score of 700 out of 1000.
Indicative annual pay (USD), each role's typical band on a shared scale.
Other markets (indicative)
| Market | Indicative annual pay |
|---|---|
| United Kingdom | ~£60k-95k |
| Canada | ~CA$110k-160k |
| Australia | ~AU$130k-180k |
Jobs that often ask for it:
- Cloud Security Engineer
- Cloud Security Architect
- Information Security Manager
- Security Consultant
- GRC / Compliance Lead
Is it worth it?
For security professionals who own cloud risk, CCSP is high signal: it is vendor-neutral, recognised globally, and pairs naturally with hands-on provider certifications such as AWS, Azure or Google Cloud security tracks. It is not worth rushing into early. Without the five years of experience you can only hold Associate status, and the material assumes you already understand both information security and how cloud platforms work.
What to do next
Already hold CISSP? CCSP adds a vendor-neutral cloud specialism on top of it. Pair CCSP with a hands-on provider security track (AWS, Azure or Google Cloud) to match cloud-architect roles.
On exam day
Delivered at Pearson VUE test centres: 100-150 multiple-choice and advanced-format questions in up to 3 hours, scored 700 out of 1000 to pass. Bring valid ID and arrive about 30 minutes early.
Keeping your certification
Maintained on a 3-year cycle: earn 90 CPE credits and pay the ISC2 annual maintenance fee. Let it lapse and you may have to re-sit.
FAQ
- Can I take CCSP without experience?
  - You can sit and pass the exam, then become an Associate of ISC2 and earn the required experience (five years cumulative IT, including three in information security and one in a CCSP domain) within six years. Full CCSP status requires that experience, unless you already hold CISSP, which waives it.
- Is CCSP harder than Security+?
  - Yes, considerably. Security+ is entry level; CCSP is an expert, cloud-focused exam across six domains and assumes existing security and cloud knowledge. Most candidates study two to four months.
- Does CISSP help with CCSP?
  - A great deal. Holding CISSP in good standing waives the entire CCSP experience requirement, and the two share foundations in risk, governance and security architecture. Many people take CCSP after CISSP to add a cloud specialism.
- How do I keep CCSP valid?
  - Earn 90 Continuing Professional Education (CPE) credits over the three-year cycle and pay the ISC2 annual maintenance fee. Let it lapse and you may have to re-sit.
- Is CCSP worth it in 2026?
  - For experienced security professionals who own cloud risk, yes. It is vendor-neutral, globally recognised and frequently listed for cloud security architect and engineer roles. For beginners it is premature; build security and cloud fundamentals first.
- Is the CCSP exam changing?
  - Yes. ISC2 has stated it will introduce a revised CCSP exam outline from 1 August 2026. The domains and weights here reflect the current outline; confirm the latest version on the ISC2 site before you book.
- How much does CCSP cost in total?
  - Budget around US$599 for the exam (approximate; it varies by region, currency and tax), optional study materials from free outlines up to paid courses, and the ISC2 annual maintenance fee to keep the credential active.
Related exams
- CISSP (ISC2) - ISC2
- CISM (ISACA) - ISACA