Most study guides stop at listing the CCSP domain names and their percentages. That’s useful for exactly five minutes. What you actually need is an answer to a harder question: given my background and available prep time, where should I spend my hours?
This guide does that. We cover every domain in detail, explain why (ISC)² weighted it the way they did, and give you a concrete study allocation framework — including a specific adjustment for CISSP holders who already have foundational overlap in some domains.
All domain weights in this article come from the official (ISC)² CCSP Exam Outline (2022 edition), which governs the exam as of mid-2026. (ISC)² updates the exam outline periodically through a Job Task Analysis process — verify current weights at the official exam outline page before sitting.
Domain Weights at a Glance
The CCSP is a 150-question exam (plus up to 25 unscored pretest items). Based on the domain weights, here’s how the approximately 150 scored questions distribute across each domain:
| Domain | Weight | ~Questions (of 150) | Priority Tier |
|---|---|---|---|
| 1. Cloud Concepts, Architecture and Design | 17% | ~26 | High |
| 2. Cloud Data Security | 20% | ~30 | Highest |
| 3. Cloud Platform and Infrastructure Security | 17% | ~26 | High |
| 4. Cloud Application Security | 17% | ~26 | High |
| 5. Cloud Security Operations | 16% | ~24 | High |
| 6. Legal, Risk and Compliance | 13% | ~20 | Do Not Skip |
The notable structural point: four of the six domains cluster tightly at 16–17%. Domain 2 stands alone as the single heaviest domain. Domain 6 sits noticeably lighter — but as we’ll explain, it is the most dangerous domain to underprepare.
All 6 Domains: What Each Tests and Why It’s Weighted That Way
Domain 1: Cloud Concepts, Architecture and Design (17%)
This domain is the foundation of the entire exam. It covers cloud service models (IaaS, PaaS, SaaS), deployment models (public, private, hybrid, community), shared responsibility frameworks, cloud reference architectures, and design principles for secure cloud adoption.
Why 17%: Every other domain builds on the conceptual vocabulary here. (ISC)² weights it substantially because a candidate who can’t reason about shared responsibility cannot correctly answer security operations or data governance questions either.
- Cloud service models and shared responsibility matrices
- Cloud deployment and multi-tenancy risks
- Cloud reference architecture (SABSA, TOGAF in cloud context)
- Business continuity and resilience in cloud environments
- Security concepts relevant to cloud: cryptography, access controls, virtualization
Domain 2: Cloud Data Security (20%)
The heaviest domain on the exam. Cloud data security covers the entire data lifecycle (Create, Store, Use, Share, Archive, Destroy), data discovery and classification, rights management, encryption strategies in cloud environments, data loss prevention, and privacy engineering.
Why 20%: Data is the primary asset cloud customers are trying to protect. Cloud architectures move data across jurisdictions, providers, and processing environments in ways that create novel security challenges. (ISC)² signals through the weight that the cloud security professional’s core job is protecting data — not just infrastructure.
- Cloud data lifecycle (CSA defined phases) and security controls at each phase
- Data discovery, classification, and labeling in cloud environments
- Encryption at rest, in transit, and in use (homomorphic, tokenization)
- Key management: BYOK, HYOK, provider-managed keys
- Data loss prevention (DLP) in cloud contexts
- Digital rights management and privacy engineering
Domain 3: Cloud Platform and Infrastructure Security (17%)
This domain covers the security of the physical and virtual infrastructure that cloud services run on: data center security, virtualization and hypervisor threats, container security, network security in cloud environments, and management plane security.
Why 17%: Misconfigured cloud infrastructure is consistently the top cause of cloud breaches. (ISC)² weights this domain to ensure cloud security professionals understand the platform risks — not just the application-layer controls that sit on top of them.
- Physical and environmental security for cloud data centers
- Virtualization security: hypervisor attacks, VM isolation, escape risks
- Container and orchestration security (Kubernetes security posture)
- Network security: SDN, microsegmentation, cloud-native firewalls
- Management plane and control plane security
- Business continuity and disaster recovery planning for cloud
Domain 4: Cloud Application Security (17%)
Domain 4 covers secure software development in cloud environments, identity and access management for cloud applications, API security, and cloud-specific application security testing approaches. This is where OWASP meets cloud architecture.
Why 17%: Cloud delivery shifts the application security perimeter. The SDLC, identity federation, and API exposure patterns in cloud applications require different controls and testing approaches than traditional on-premises software. (ISC)² weights this to ensure candidates can advise on secure cloud application design, not just network-layer controls.
- Secure SDLC and DevSecOps in cloud environments
- Identity federation, SSO, and OAuth 2.0 / OIDC in cloud applications
- API security: authentication, rate limiting, API gateways
- Cloud application security testing: SAST, DAST, IAST in CI/CD pipelines
- Supplemental security components: WAF, CASB, cloud-native application protection platforms
Domain 5: Cloud Security Operations (16%)
Domain 5 covers the operational security of cloud environments: implementing and building physical and logical infrastructure, operating and managing physical and logical infrastructure, managing access controls, and managing security operations.
Why 16%: Cloud security is not a design-time-only discipline. Ongoing operations — monitoring, incident response, change management, capacity management — are where many cloud security failures actually manifest. The near-equal weight to the 17% domains reflects how operationally demanding cloud security management is in practice.
- Cloud monitoring and security event management (SIEM integration)
- Incident response, triage, and forensics in cloud environments
- Change and configuration management in cloud contexts
- Vulnerability assessment and penetration testing in cloud environments
- Service level management and vendor risk in cloud operations
Domain 6: Legal, Risk and Compliance (13%)
The lightest domain by weight — and the one that catches the most underprepared candidates. Domain 6 covers international data privacy law, cross-border data transfer regulations, cloud audit rights, contract management, eDiscovery in cloud environments, and risk management frameworks applied to cloud.
Why 13%: Legal and compliance content is weighted lower partly because it overlaps more with CISSP preparation and partly because (ISC)² positions it as a knowledge layer on top of operational domains. But make no mistake: the cloud-specific legal angles here — data sovereignty, right-to-audit clauses, GDPR in multi-tenant environments — are entirely distinct from anything on the CISSP.
- International privacy law: GDPR, CCPA, and cross-border transfer mechanisms
- Cloud contract clauses: right-to-audit, data ownership, SLA remedies
- eDiscovery and digital forensics in cloud and multi-tenant environments
- Risk management frameworks applied to cloud: ISO 31000, NIST RMF
- Cloud audit frameworks: ISO 27001, SOC 2, CSA STAR
Translating Weights Into Study Hours
If you have a fixed prep window, domain weights give you a principled basis for time allocation. Here’s how to apply that math — and where to adjust based on your background.
Baseline Allocation (Weight-Proportional)
For a candidate with no strong background in any particular domain, the simplest approach is weight-proportional: allocate your total study hours in the same ratio as the exam weights. For a 120-hour prep window (a common benchmark for candidates with solid security backgrounds), that looks like this:
| Domain | Weight | Hours (of 120 total) |
|---|---|---|
| Domain 1: Cloud Concepts & Architecture | 17% | ~20 hours |
| Domain 2: Cloud Data Security | 20% | ~24 hours |
| Domain 3: Cloud Platform & Infrastructure | 17% | ~20 hours |
| Domain 4: Cloud Application Security | 17% | ~20 hours |
| Domain 5: Cloud Security Operations | 16% | ~19 hours |
| Domain 6: Legal, Risk & Compliance | 13% | ~16 hours |
Domain weights tell you the minimum proportion of the exam you need to be competent in each area. If practice tests reveal you’re scoring 55% on Domain 2 questions but 85% on Domain 5 questions, shift time toward Domain 2 regardless of the mechanical weight calculation. The goal is a passing score across all domains — not just proportional exposure.
CISSP Holders: Where Your Head Start Applies
If you’re approaching CCSP after earning your CISSP (the recommended sequence — see our CCSP vs CISSP strategy guide for why), you already have meaningful preparation in several CCSP domains. But the overlap is uneven. Misreading it is how CISSP holders fail the CCSP.
| CCSP Domain | CISSP Analogue | Real Overlap | Net Study Adjustment |
|---|---|---|---|
| D1: Cloud Concepts & Architecture | Domain 3 (Security Architecture) | Moderate — cloud-specific models are new | Reduce by 20–30% |
| D2: Cloud Data Security | Domain 2 (Asset Security) | Low — cloud data lifecycle is distinct | No reduction — full study required |
| D3: Cloud Platform & Infrastructure | Domain 4 (Network Security) | Low — virtualization and container depth is new | No reduction |
| D4: Cloud App Security | Domain 8 (Software Development) | Moderate — SDLC principles transfer; cloud-native IAM does not | Reduce by 15–25% |
| D5: Cloud Security Operations | Domain 7 (Security Operations) | Moderate — cloud-specific incident response is new | Reduce by 15–20% |
| D6: Legal, Risk & Compliance | Domain 1 (Security & Risk Mgmt) | Low — cloud-specific legal content is distinct | No reduction — GDPR / CCPA / cloud audit details require fresh study |
The strategic takeaway for CISSP holders: your prep time savings are concentrated in Domains 1, 4, and 5 — not Domains 2, 3, or 6. Many CISSP holders incorrectly assume that Domain 6 is covered by CISSP’s legal content. It isn’t — the cloud-specific angles around data sovereignty, e-discovery in multi-tenant environments, and right-to-audit contract clauses require dedicated study.
The Two Domains That Sink the Most Candidates
Domain 2: The Points You Leave on the Table
Domain 2 is 20% of the exam — the most of any single domain. Candidates who treat it as similar to CISSP’s Asset Security domain consistently underperform here because the CCSP’s version is far more specific. The exam tests concrete knowledge: the six phases of the CSA Cloud Data Lifecycle by name, the specific encryption models for different cloud deployment scenarios, and the operational mechanics of CASB deployment modes (API-based vs. proxy-based). These are not abstract concepts — they have specific right answers that must be memorized and applied.
Getting just 60% correct on Domain 2 (18 of 30 questions) when you needed 70% costs you 3 net questions — enough to shift a marginal pass to a fail. Treat this domain as the exam’s most important battleground. It’s also the domain best suited to drilling with targeted CCSP practice questions rather than reading comprehension alone.
Domain 6: The Quiet Failure Mode
Domain 6’s 13% weight makes candidates underinvest in it. The logic feels sound: it’s only 20 questions, and legal content seems softer than technical domains. Both assumptions are costly.
First, 20 questions is a material share of a 150-question exam; getting most of them wrong is a real failure margin, not a rounding error. Second, Domain 6 content — cloud-specific privacy law, cross-border data transfer mechanisms, audit rights in cloud contracts — is tested in a way that requires specific knowledge, not just security management reasoning. You cannot bluff your way through GDPR Article 46 transfer mechanisms or the difference between a SOC 2 Type I and Type II report under examination conditions.
Think of Domain 6 as a separate, smaller exam within the CCSP — one you need to pass independently. Even if you ace every other domain, consistently poor performance on Domain 6 questions can drag your scaled score below the 700/1000 passing threshold. Budget at least two full weeks for this domain regardless of your legal background.
The Manager Mindset Still Applies
The CCSP tests your judgment as a cloud security professional, not just your technical recall. Just as the CISSP favors the “manager mindset” over the practitioner answer, the CCSP consistently rewards candidates who think about what a cloud security architect would recommend over candidates who answer from a sysadmin or developer perspective. When two answers both seem technically correct, the right CCSP answer is almost always the one that prioritizes security governance, risk-aware decision-making, and business alignment — not operational implementation.
This framing matters especially in Domains 1, 5, and 6, where scenario-based questions often present realistic cloud security decisions with no obviously wrong answer. If you’ve internalized the manager mindset for CISSP preparation, you’re already calibrated correctly for these questions. For more on applying that mindset in a cloud context, see also our piece on how CCSP and CISSP differ in what they actually test.
The credential payoff for getting this right is meaningful. As we cover in the CCSP salary guide for 2026, cloud security architects holding both CCSP and CISSP consistently earn $15,000–$25,000 above CISSP-only peers in equivalent seniority roles — making the exam preparation investment highly defensible. And if you’re still evaluating whether CCSP is the right move for your career, our CCSP ROI analysis breaks down when the credential genuinely pays and when it doesn’t.
FAQ: CCSP Domains and Weighting
What are the 6 CCSP domains and their exam weights?
The six CCSP domains and their exam weights per the (ISC)² 2022 Exam Outline are: Domain 1 — Cloud Concepts, Architecture and Design (17%); Domain 2 — Cloud Data Security (20%); Domain 3 — Cloud Platform and Infrastructure Security (17%); Domain 4 — Cloud Application Security (17%); Domain 5 — Cloud Security Operations (16%); Domain 6 — Legal, Risk and Compliance (13%). Total: 100%.
Which CCSP domain has the most exam questions?
Domain 2 (Cloud Data Security) carries the highest weight at 20%, translating to approximately 30 of the 150 scored questions on the CCSP exam. It covers encryption, data lifecycle management, data discovery and classification in the cloud, rights management, and privacy. Candidates who underweight this domain leave the most points on the table.
How should I allocate study time across CCSP domains?
A weight-proportional allocation is the baseline: spend 20% of your study hours on Domain 2, 17% each on Domains 1, 3, and 4, 16% on Domain 5, and 13% on Domain 6. Adjust based on your background. CISSP holders typically have a head start on Domains 1 and 4 but need full study time for Domains 2, 3, and 6. Let practice test results override mechanical allocation.
Is CCSP Domain 6 (Legal, Risk and Compliance) easy to skip?
No — and this is one of the most common CCSP exam mistakes. At 13% weight, Domain 6 represents roughly 20 questions. Its content is cloud-specific: data sovereignty, right-to-audit contract clauses, privacy law across jurisdictions, e-discovery in multi-tenant environments. None of this has a meaningful CISSP analogue. Candidates who skim this domain often fail by narrow margins.
Do CCSP domain weights change over time?
(ISC)² periodically revises the CCSP exam outline and domain weights through a Job Task Analysis process. Always verify the current weights at the official (ISC)² exam outline before finalizing your study plan. The weights in this article reflect the 2022 CCSP Exam Outline, which is current as of mid-2026.