In This Article
- What CISSP Gives You (and What It Doesn’t)
- The Experience Waiver: How It Actually Works
- Domain-by-Domain Knowledge Transfer Matrix
- The Real Gap: What CISSP Doesn’t Cover
- The 6-Week Accelerated Prep Plan for CISSP Holders
- 4 Traps CISSP Holders Fall Into on the CCSP Exam
- Exam Format Differences to Know
- Is the CCSP Add-On Worth It After CISSP?
- FAQ
Most articles about CCSP are written for candidates who haven’t yet earned CISSP. If you already hold CISSP in good standing, those articles are describing a longer, harder path than you actually need to take. Your situation is structurally different in three ways that change the math entirely: your experience requirement is waived, roughly a third of the CCSP content is material you’ve already studied, and your manager-mindset exam skills directly transfer.
This guide is written exclusively for CISSP holders making the transition to CCSP. It covers what you actually need to know — the precise knowledge gap, the registration mechanics, and a realistic prep timeline — without padding it with content aimed at candidates who don’t share your starting point.
Experience requirement waived entirely. Approximately 30–40% of CCSP content already covered by your CISSP prep. Typical prep time reduced from 3–4 months (standalone candidate) to 6–8 weeks for most CISSP holders.
What CISSP Gives You (and What It Doesn’t)
The CISSP credential is the broadest senior security certification in the market. Its 8-domain structure covers risk management, cryptography, identity & access management, network security, security operations, and software security — which collectively overlap with roughly a third of the CCSP exam content.
But CCSP is emphatically not a cloud-flavored version of CISSP. The credentials were designed to stack, not to duplicate. The CCSP presupposes that you already understand security fundamentals (which CISSP proves) and builds on top of them with cloud-specific depth that has no meaningful CISSP preparation behind it. Understanding exactly where the overlap ends is the most important thing you can know going into CCSP prep.
Candidates who pass CISSP with confidence sometimes underestimate the CCSP because they assume domain overlap means content overlap. It doesn’t. Cloud Data Security (Domain 2, 20% of the exam) and Cloud Application Security (Domain 4, 17%) contain material that is entirely new regardless of how thoroughly you prepared for CISSP. Plan your study time accordingly — more on this below.
The Experience Waiver: How It Actually Works
The CCSP normally requires five years of cumulative paid IT experience, with at least three years in information security and one year specifically in a CCSP domain (cloud security work). This is a genuine barrier for many candidates who have broad security backgrounds but limited cloud-specific roles on their CV.
For active CISSP holders, the entire experience requirement is waived. Not reduced — waived. You do not need to separately document cloud security experience. You do not need a supervisor endorsement for cloud-specific work. You need only your current, in-good-standing CISSP.
Registration Steps for CISSP Holders
- Log in to your (ISC)² candidate portal at isc2.org. Verify your CISSP is listed as active and your AMF is current.
- Initiate a new CCSP exam application through the portal. When prompted for experience documentation, select the CISSP waiver option.
- No endorsement required for the waiver. Unlike the standard path (which requires a second (ISC)² member to endorse your experience), the CISSP waiver is verified automatically against your existing credential record.
- Schedule your exam at a Pearson VUE test center or via online proctored delivery. The CCSP exam fee is $599.
- Prepare and sit. Upon passing, your CCSP is added to your (ISC)² account. Both CISSP and CCSP are maintained under the same $125/year annual membership fee — you do not pay twice.
A commonly missed detail: CISSP and CCSP are maintained under a single (ISC)² membership. The $125/year AMF covers both certifications. CPE credits earned in cloud security domains count simultaneously toward both the CISSP and CCSP renewal requirements. The ongoing cost of holding both is the same as holding one.
Domain-by-Domain Knowledge Transfer Matrix
The CCSP has six domains. Here is a precise breakdown of how much your CISSP preparation carries into each one — and where you need to build from near-zero.
| CCSP Domain | Exam Weight | CISSP Transfer | What Transfers |
|---|---|---|---|
| D1: Cloud Concepts, Architecture & Design | 17% | Partial | Security architecture principles, design patterns; cloud deployment models and shared responsibility are new |
| D2: Cloud Data Security | 20% | Mostly New | Cryptography fundamentals transfer; cloud data lifecycle, CASB, and cloud key management (BYOK/HYOK) are new |
| D3: Cloud Platform & Infrastructure Security | 17% | Partial | Network security concepts transfer; cloud-specific networking (SDN, micro-segmentation, VPCs) and CSP hardening require new study |
| D4: Cloud Application Security | 17% | Mostly New | IAM fundamentals transfer; container security, serverless functions, DevSecOps pipelines, and cloud-native SDLC are new |
| D5: Cloud Security Operations | 16% | High Transfer | Security operations, incident response, and BCP/DR concepts transfer well; cloud forensics chain-of-custody challenges require additional focus |
| D6: Legal, Risk & Compliance | 13% | Partial | Risk management frameworks and legal/regulatory fundamentals transfer; cloud-specific angles (right-to-audit clauses, data sovereignty, e-discovery in cloud, CSA STAR) are new |
The practical implication of this matrix: focus the majority of your study hours on Domains 1, 2, and 4. Domain 5 is largely a translation exercise from CISSP knowledge into cloud context. Domain 6 is familiar territory with specific cloud-law additions. For a full domain-weighted breakdown and recommended study-hour allocation, see our CCSP domains weighting guide.
Know Your CCSP Weak Areas Before You Start
cissp.app’s adaptive question engine includes full CCSP domain coverage. Take a diagnostic session to find out exactly which domains you need to focus on — most CISSP holders are surprised by how much is genuinely new in Domain 2 and Domain 4.
The Real Gap: What CISSP Doesn’t Cover
This section is the most important in the guide. These are the specific topic areas where CISSP preparation gives you no meaningful head start — the material you need to treat as genuinely new.
Cloud Data Lifecycle (Domain 2 — 20%)
The CCSP tests the six-phase cloud data lifecycle: Create, Store, Use, Share, Archive, Destroy. Each phase has specific security controls, access considerations, and compliance obligations that are cloud-specific and not covered in CISSP. Know the controls at each phase cold.
CASB Deployment Modes (Domain 2)
Cloud Access Security Brokers (CASBs) are a CCSP-specific topic with no CISSP equivalent. The exam tests the three deployment architectures — forward proxy, reverse proxy, and API-based — including when each is appropriate and their respective trade-offs. This is a heavily tested area.
Cloud Key Management: BYOK and HYOK (Domain 2)
Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) are cloud-era key management models. CISSP covers cryptography fundamentals, but the cloud-specific implementations — including HSM-backed key management in multi-tenant environments and CSP key management service architectures — are new territory.
Shared Responsibility Models (Domain 1)
The CCSP maps security responsibilities across IaaS, PaaS, and SaaS deployment models in precise detail. The exam tests not just which responsibilities shift to the customer vs. the CSP, but how they shift at each service model layer. CISSP covers general security architecture but not this specific framework.
Container and Serverless Security (Domain 4)
Container orchestration security (Kubernetes hardening, registry scanning, runtime isolation), serverless function security (Lambda/function-as-a-service attack surfaces), and secure CI/CD pipeline design are covered in CCSP Domain 4 and have no CISSP preparation behind them for most candidates.
Cloud-Specific Legal Frameworks (Domain 6)
Right-to-audit clauses in cloud service agreements, cross-border data sovereignty regulations, e-discovery obligations in cloud-hosted environments, and frameworks like CSA STAR and FedRAMP are tested in Domain 6. CISSP covers general legal and compliance concepts, but the cloud-specific legal landscape requires dedicated study.
The 6-Week Accelerated Prep Plan for CISSP Holders
This plan assumes 1.5 hours on weekdays and 3 hours on weekend days — approximately 90–100 hours total. CISSP holders with hands-on cloud security experience can compress this further. Candidates who haven’t worked directly in cloud roles should consider extending to 8–10 weeks.
Week 1: Domain 2 (Cloud Data Security)
- Cloud data lifecycle: all 6 phases, controls at each phase
- Data discovery, classification, and DLP in cloud environments
- CASB: forward proxy, reverse proxy, API-based — architecture and use cases
- Cloud key management: BYOK, HYOK, HSM in multi-tenant environments
- Practice: 30 Domain 2 questions, review every wrong answer in detail
Week 2: Domain 1 (Cloud Concepts, Architecture & Design)
- Cloud service models (IaaS, PaaS, SaaS) and shared responsibility mapping at each layer
- Cloud deployment types: public, private, hybrid, community — security implications of each
- Cloud reference architectures: NIST, CSA Cloud Controls Matrix (CCM)
- Virtualization security: hypervisor types, VM isolation, container vs. VM trade-offs
- Practice: 30 Domain 1 questions, note which shared responsibility scenarios trip you up
Week 3: Domain 4 (Cloud Application Security)
- Container security: image scanning, registry hardening, runtime security, Kubernetes RBAC
- Serverless security: function isolation, event injection attacks, least-privilege execution roles
- Secure SDLC in cloud-native environments: DevSecOps pipeline integration, SAST/DAST in CI/CD
- IAM in cloud applications: federated identity, OAuth 2.0, SAML, OIDC flows (builds on CISSP IAM)
- Practice: 30 Domain 4 questions, focus on container and serverless scenarios
Week 4: Domain 3 (Cloud Platform & Infrastructure Security)
- Cloud networking: VPCs, security groups, network ACLs, SDN concepts
- Cloud storage security: object storage access controls, encryption at rest options, versioning
- Compute security: CSP hardening baselines, patch management in auto-scaling environments
- Physical and environmental security at hyperscale CSPs (CISSP knowledge translates here)
- Practice: 30 Domain 3 questions, particularly cloud-networking and storage scenarios
Week 5: Domains 5 and 6 (Cloud Security Operations; Legal, Risk & Compliance)
- Domain 5: Cloud incident response — evidence acquisition challenges, chain of custody in virtualized environments
- Domain 5: BCP/DR in cloud — RTO/RPO planning with CSP SLAs, multi-region failover strategies
- Domain 6: Cloud contracts — right-to-audit clauses, SLA negotiation, exit and data portability provisions
- Domain 6: Data sovereignty, jurisdictional conflicts, cross-border transfer mechanisms (SCCs, adequacy decisions)
- Domain 6: CSA STAR certification, FedRAMP authorization process, ISO 27017/27018
- Practice: 30 mixed Domain 5/6 questions
Week 6: Full Practice Exams and Final Review
- Two full 150-question timed practice exams under exam conditions (3-hour limit, no breaks)
- Score analysis: identify any domain scoring below 75% and dedicate focused review sessions
- Review: CASB modes, BYOK/HYOK, shared responsibility edge cases, cloud forensics chain-of-custody
- Light review of all domains: do not introduce new material in the final week
- Confirm exam logistics: Pearson VUE appointment, ID requirements, test center or online proctored setup
For a longer timeline or if you prefer a more structured 90-day approach, our CCSP 90-day study plan includes a dedicated CISSP-holder track with a similar domain sequencing but more time per domain.
4 Traps CISSP Holders Fall Into on the CCSP Exam
Trap 1: Treating Domain 2 Like CISSP Cryptography
CISSP tests cryptography algorithms, key exchange protocols, and PKI. CCSP Domain 2 tests cloud-specific key management decisions: should this organization use BYOK or HYOK? What controls apply at the Archive phase of the cloud data lifecycle? The underlying cryptographic concepts carry over; the application layer is entirely new.
Trap 2: Skipping the Legal Content Because “It’s Like CISSP Legal”
Domain 6 is 13% of the exam. CISSP candidates know GDPR, HIPAA, and general compliance frameworks. CCSP Domain 6 tests cloud-specific legal content — right-to-audit provisions, how data sovereignty conflicts are resolved when a CSP operates across jurisdictions, and what an organization’s e-discovery obligations look like when data lives in a multi-tenant cloud. This material is genuinely new and well worth dedicated study time.
Trap 3: Assuming the (ISC)² Mindset Is Identical
The CISSP trains you to think like a security manager making decisions for an organization. The CCSP applies that same mindset but in a cloud-specific context where the correct answer often hinges on the shared responsibility model. When the CCSP asks “who is responsible for patching the hypervisor?” the answer depends on whether the deployment is IaaS, PaaS, or SaaS — and the CCSP tests the nuance, not just the concept.
Trap 4: Under-Preparing for the Linear Exam Format
The CISSP is adaptive (CAT) — you can exit as early as 125 questions if the algorithm reaches statistical confidence. The CCSP is linear: 150 questions, 3 hours, no early exit. The psychological difference is real. CISSP holders sometimes struggle with pacing on a fixed-length exam because the CAT format trained them to expect variable length. Practice under timed conditions with a full 150-question simulation before exam day.
Exam Format Differences to Know
The passing score is 700 out of 1000, using the same scaled scoring methodology as CISSP. Unscored pretest questions are embedded in the 150 items but are not identified, so treat every question as if it counts. You have more time per question on CCSP (1.2 minutes) than CISSP’s effective rate under CAT — use that margin to read scenario questions carefully, particularly those involving shared responsibility or data sovereignty nuances.
Is the CCSP Add-On Worth It After CISSP?
For CISSP holders specifically, the ROI calculation for CCSP is favorable. The marginal cost is modest — a $599 exam fee, 6–8 weeks of focused study, and no additional ongoing maintenance cost. The salary premium in cloud-heavy roles is real and well-documented. As we cover in detail in our CCSP salary guide, Cloud Security Architects holding both credentials commonly earn $15,000–$25,000 above CISSP-only peers in equivalent seniority.
The premium is most pronounced in:
- Cloud-native organizations where cloud security expertise is a core competency, not a side responsibility
- Large enterprises in regulated industries (financial services, healthcare) undergoing cloud migration programs
- Managed security providers and consulting firms that staff cloud security advisory teams
- CSP ecosystem partners (AWS, Azure, GCP professional services networks)
The CCSP adds less incremental value for CISSP holders in roles where cloud security is incidental — general security operations, GRC-only positions, or DoD/federal environments where CISSP suffices under DoD 8140. If you’re deciding whether CCSP is worth it for your specific career trajectory, see our detailed ROI analysis in Is CCSP Worth It in 2026? For the full strategic comparison of how CCSP fits into a broader credential stack versus CISM and other alternatives, see our CCSP vs CISSP decision guide.
You already passed the harder exam. Your experience requirement is waived. The prep timeline is roughly half what a standalone candidate needs. The ongoing maintenance cost is zero marginal increase. For any CISSP holder moving toward cloud security roles, the CCSP is the highest-ROI credential add-on available — and the path from CISSP to CCSP is measurably easier than from anywhere else.
FAQ: CISSP to CCSP Transition
Do I need cloud security work experience to get CCSP if I hold CISSP?
No. (ISC)² waives the CCSP’s full experience requirement for active CISSP holders in good standing. You do not need to document cloud-specific work experience, and no endorsement from another (ISC)² member is required for the waiver. You are eligible to sit the CCSP exam as soon as your CISSP is active.
How long does it take to go from CISSP to CCSP?
Most CISSP holders with general security backgrounds need 6–8 weeks of focused study to pass the CCSP. Candidates with hands-on cloud security experience can often be ready in 4–6 weeks. The timeline is shorter than a standalone candidate because CISSP prep covers approximately 30–40% of CCSP content, particularly in risk management, cryptography fundamentals, IAM, and security operations.
Which CCSP domains are completely new to CISSP holders?
Cloud Data Security (Domain 2, 20% of the exam) is the biggest gap for most CISSP holders: cloud data lifecycle, CASB deployment modes, and cloud-specific key management (BYOK, HYOK) have no meaningful CISSP preparation behind them. Cloud Application Security (Domain 4, 17%) is also largely new: container security, serverless security, and DevSecOps pipeline design are distinct from the CISSP’s software security domain.
What is the CCSP exam format, and how is it different from CISSP?
The CCSP exam is 150 questions over 3 hours in a traditional linear format. Unlike the CISSP’s Computer Adaptive Testing (CAT) format, there is no adaptive difficulty adjustment and no early exit. Every question counts equally. CISSP holders sometimes find the psychological experience different from CAT — practice under timed conditions with a full 150-question simulation before exam day.
Does adding CCSP to CISSP increase your salary?
Yes, particularly in cloud-heavy roles. Cloud Security Architects holding both CISSP and CCSP commonly earn $15,000–$25,000 more than CISSP-only peers in equivalent positions. The premium is concentrated in cloud-native organizations, large enterprises with mature cloud programs, and managed security providers. For general security roles with minimal cloud exposure, the salary impact is more modest.