A realistic ten-week plan at roughly 10 to 12 hours per week. CCSP is vendor-neutral, so focus on concepts rather than one provider’s console, but any hands-on cloud exposure will help the data-security and architecture domains stick. ISC2 has stated it will introduce a revised exam outline from 1 August 2026; confirm the current version and align your materials before you start.

| Week | Focus | Checkpoint |
|---|---|---|
| 1 | Domain 1: cloud concepts, reference architecture, service & deployment models | You can explain the shared responsibility model for IaaS, PaaS and SaaS |
| 2 | Domain 1 finish + secure-design principles | You can pick a service and deployment model for a scenario |
| 3 | Domain 2: cloud data lifecycle, classification, discovery | You can list the six lifecycle stages and their controls |
| 4 | Domain 2: encryption, tokenization, masking, key management | You can choose encryption vs tokenization vs masking |
| 5 | Domain 3: infrastructure components, platform risk, BC/DR | You can identify the right control for compute/storage/network |
| 6 | Domain 4: secure SDLC, app testing (SAST/DAST), APIs, IAM for apps | You can place a security activity in the SDLC |
| 7 | Domain 5: operations, logging, monitoring, SIEM, incident & change management | You can outline incident response for a cloud workload |
| 8 | Domain 6: legal, privacy, data residency, audit, vendor risk | You can reason about GDPR and data sovereignty in the cloud |
| 9 | Cumulative review of weak domains + scenario drilling | You score consistently on mixed-domain questions |
| 10 | Full-length timed reviews | You consistently pass timed reviews |

Final-week tips

Weight your last days toward the heaviest domains: Cloud Data Security (20%) and the three 17% domains (Concepts/Architecture, Platform/Infrastructure, Application Security). Drill scenario judgement about who owns which control under the shared responsibility model. Avoid any “real questions” sites; they breach ISC2 policy and copyright.