CCSP Domains Explained: Weights & Coverage

The six ISC2 CCSP domains explained in plain English with official weights: cloud concepts, data security, platform and infrastructure, applications, operations and compliance.

By The Exam Atlas Editorial Team · Verified 2026-06-06

CCSP is organised into six vendor-neutral domains. This is a plain-English summary with the official weights; the ISC2 exam outline is authoritative. ISC2 has stated it will introduce a revised exam outline from 1 August 2026, so confirm the current version on the ISC2 site before you rely on these weights.

#  Domain                                          Weight
1  Cloud Concepts, Architecture and Design         17%
2  Cloud Data Security                             20%
3  Cloud Platform and Infrastructure Security      17%
4  Cloud Application Security                      17%
5  Cloud Security Operations                       16%
6  Legal, Risk and Compliance                      13%

Domain 1 - Cloud Concepts, Architecture and Design (17%)

Cloud reference architecture, the shared responsibility model, service models (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid, community), plus secure-design principles and the concepts that the later domains build on.

Domain 2 - Cloud Data Security (20%)

The largest domain. The cloud data lifecycle (create, store, use, share, archive, destroy), data classification and discovery, encryption, tokenization and masking, key management, and data retention, archiving and secure deletion.

Domain 3 - Cloud Platform and Infrastructure Security (17%)

Cloud infrastructure components, risk analysis of the platform, security controls for compute, storage and networking, and business continuity and disaster recovery for cloud workloads.

Domain 4 - Cloud Application Security (17%)

The secure software development lifecycle in the cloud, application security testing (SAST and DAST), identity and access management for applications, and cloud application architecture including APIs and sandboxing.

Domain 5 - Cloud Security Operations (16%)

Operating and managing physical and logical cloud infrastructure, logging, monitoring and SIEM, incident and change management, and communicating with relevant stakeholders.

Domain 6 - Legal, Risk and Compliance (13%)

The smallest domain by weight: legal and regulatory requirements, privacy (including data residency and sovereignty), audit processes and assurance reports, and vendor and supply-chain risk.

FAQ

How many domains are in the CCSP exam?
Six: Cloud Concepts, Architecture and Design (17%), Cloud Data Security (20%), Cloud Platform and Infrastructure Security (17%), Cloud Application Security (17%), Cloud Security Operations (16%) and Legal, Risk and Compliance (13%).

Which CCSP domain is the largest?
Cloud Data Security at 20%. It covers the cloud data lifecycle, classification, encryption, tokenization, key management and secure deletion, so it deserves the most study time.
