Most CCSP study materials give you everything. That sounds helpful until you're three weeks out from your exam and still not sure which concepts actually matter. The six domains cover a lot of ground, and not all of it carries the same weight on exam day.
The CCSP covers six domains of cloud security, and the exam asks you to apply those concepts in scenarios. If you're not clear on the core ideas in each domain, you'll spend time reviewing things that won't show up and miss the ones that will.
This CCSP cheat sheet breaks down the essential concepts across all six domains. Use it to confirm what you know, spot your gaps, or do a fast review before exam day. We’ll also give you a free PDF that you can use while studying.
What the CCSP Exam Covers (And How It's Structured)
The CCSP is ISC2's cloud security certification, and the exam is scenario-based. You're not being asked to define terms. You're being asked to make a security decision in a cloud context. That distinction matters a lot for how you prepare.
The exam covers six domains: Cloud Concepts, Architecture, and Design; Cloud Data Security; Cloud Platform and Infrastructure Security; Cloud Application Security; Cloud Security Operations; and Legal, Risk, and Compliance. Each domain carries a different weight, so knowing which areas matter most helps you allocate your study time.
The CCSP also builds on a lot of CISSP knowledge, but it goes deeper into cloud-specific frameworks, shared responsibility, and CSP contracts. Your existing security knowledge is useful. It won't carry you through the cloud-specific depth this exam requires without dedicated preparation.
Before you get too deep into your prep, it's worth knowing the common traps that trip up CCSP candidates. Download our free guide, 5 Mistakes to Avoid on the CCSP, so you don't waste study time on the wrong things.
Domain 1: Cloud Concepts, Architecture, and Design
Domain 1: Cloud Concepts, Architecture, and Design builds the foundation that the rest of the exam depends on. Know the three cloud service models (IaaS, PaaS, SaaS) and the four deployment models (public, private, community, hybrid) well enough to apply them in scenarios, not just name them.
The shared responsibility model is one of the most tested concepts across the entire exam. Responsibility shifts depending on which service model is in use, and a common exam trap is applying the wrong responsibility assumptions to a given scenario. Treating an IaaS deployment the way you'd treat SaaS is exactly the kind of mistake the exam is designed to catch.
Other concepts to lock in: the NIST SP 800-145 definition of cloud computing, the five essential cloud characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service), virtualization fundamentals, and the ISO/IEC 17789 cloud reference architecture roles (cloud service customer, cloud service provider, cloud service partner).
Design principles like availability, confidentiality, and resiliency also appear here, usually in scenarios asking you to evaluate an architecture against a specific risk profile.
Domain 2: Cloud Data Security
Domain 2: Cloud Data Security is the most heavily weighted domain on the exam (20% of the questions). The data security lifecycle (creation, storage, use, sharing, archiving, and destruction) is the core framework that ties this entire domain together. Every concept here connects back to it in some way.
Data classification drives access controls, encryption choices, and retention policies. Know the major storage types: object, volume, and database storage, along with the risks unique to each. Key management is a significant focus. You must understand BYOK (Bring Your Own Key), where the customer generates the key and imports it into the provider's key management service so the provider can encrypt and decrypt on the customer's behalf, and HYOK (Hold Your Own Key), where the key stays in a customer-controlled HSM or KMS and the provider never holds it in usable form, and know when each is appropriate based on the scenario's risk requirements. In either model the exam expects keys to be stored and managed separately from the data they protect.
Round out this domain with data loss prevention (DLP), data rights management (DRM), and data discovery in cloud environments. The exam tests the application of these controls, not just their definitions. If a scenario describes a compliance requirement and asks which control best addresses it, you need to know which tool fits and why.
Domain 3: Cloud Platform and Infrastructure Security
Domain 3: Cloud Platform and Infrastructure Security covers the physical and virtual infrastructure that cloud environments run on. Virtualization security is a core topic: know the difference between Type 1 hypervisors (running directly on the hardware, the kind CSPs use) and Type 2 hypervisors (running as an application on a host OS), understand VM sprawl, and be prepared for scenarios involving VM escape attacks, where a guest breaks out of its VM to reach the hypervisor or other tenants' VMs. Container security concepts, including Docker and Kubernetes basics, also appear in this domain.
Network security in cloud contexts is heavily tested. Virtual networks, software-defined networking (SDN), and microsegmentation are all in scope. The CCSP won't ask you to configure a device. It will ask whether a proposed network design is appropriate for a given scenario.
Business continuity and disaster recovery also fall within this domain. You must know RTO (recovery time objective: the maximum tolerable time to restore a service after a disruption) and RPO (recovery point objective: the maximum tolerable data loss, expressed as the time between the last good backup or replica and the disruption), and understand how CSP agreements affect your ability to meet those targets. Physical infrastructure topics (data center design, environmental controls, and multi-tenancy risks) round out the domain.
Domain 4: Cloud Application Security
The CCSP approaches Domain 4: Cloud Application Security from a management and architecture standpoint. You don't need to write code to pass this domain. You need to evaluate cloud application architectures for security risk and understand what secure development looks like in a cloud context.
The software development lifecycle (SDLC) is a central topic. You should be aware of the key security activities at each phase and where cloud-specific risks appear. Threat modeling frameworks, including STRIDE and DREAD, also come up in this domain.
IAM is one of the most tested areas here. You must understand federated identity, single sign-on (SSO), OAuth, OpenID Connect, and SAML, and know when each is the right fit for the scenario. Keep the roles straight: OAuth 2.0 is an authorization framework for delegating scoped access to an API, OpenID Connect is an authentication layer built on OAuth 2.0 that adds a signed ID token carrying identity claims, and SAML is an XML-based protocol for federated authentication and SSO, most often between an enterprise identity provider and SaaS applications. API security matters too: know the risks of RESTful APIs and the controls used to secure them (authentication on every call, authorization and input validation, rate limiting, TLS, and an API gateway). Software assurance and supply chain security, particularly around third-party components, round out the domain.
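To make the OAuth/OpenID Connect distinction concrete: what OpenID Connect adds on top of OAuth 2.0 is the ID token, and the relying party has to validate that token before trusting the identity it carries. The Python below is an added example written for this cheat sheet, not code from the page or from ISC2. It mints an ID token the way an OpenID Provider would and then runs the relying-party checks (signature, issuer, audience, expiry, nonce). The issuer URL, client ID and HS256 shared secret are constructed placeholders; real providers sign with RS256 and publish their keys through a JWKS endpoint, which is the only substantive difference from what a production library does.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not from any real deployment).
# A real OpenID Provider normally signs ID tokens with RS256 and publishes its public keys
# via a JWKS endpoint; HS256 with a shared secret is used here only so the example runs on
# the standard library alone.
SECRET = b"constructed-shared-secret"   # assumption: secret shared by OP and relying party
ISSUER = "https://idp.example.com"      # assumption: hypothetical OP issuer URL
CLIENT_ID = "my-cloud-app"              # assumption: hypothetical client_id of the relying party


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def mint_id_token(sub: str, nonce: str, now: int, lifetime: int = 300,
                  issuer: str = ISSUER, aud: str = CLIENT_ID, secret: bytes = SECRET) -> str:
    """What the OP does: issue a signed ID token (a JWT) carrying identity claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "aud": aud, "iat": now,
              "exp": now + lifetime, "nonce": nonce}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    return signing_input + "." + _b64url(_sign(signing_input, secret))


def validate_id_token(token: str, expected_nonce: str, now: int,
                      issuer: str = ISSUER, aud: str = CLIENT_ID, secret: bytes = SECRET) -> dict:
    """What the relying party does: the checks from OpenID Connect Core 1.0 section 3.1.3.7.
    Returns the claims on success and raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm you expect; never let the token choose it (this also rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = _sign(f"{header_b64}.{claims_b64}", secret)
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    audiences = claims.get("aud")
    if aud not in (audiences if isinstance(audiences, list) else [audiences]):
        raise ValueError("token not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the sub claim but keep the original signature, as an attacker without the key would."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_sub
    forged_claims_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{forged_claims_b64}.{sig_b64}"


if __name__ == "__main__":
    issued_at = int(time.time())
    token = mint_id_token("alice", "n-7f3a", issued_at)
    print("accepted:", validate_id_token(token, "n-7f3a", issued_at + 10)["sub"])
    for bad_token, nonce, at in ((tamper_sub(token, "mallory"), "n-7f3a", issued_at + 10),
                                 (token, "other-nonce", issued_at + 10),
                                 (token, "n-7f3a", issued_at + 600)):
        try:
            validate_id_token(bad_token, nonce, at)
        except ValueError as err:
            print("rejected:", err)
```

Run it and it prints the validated subject, then the reason each bad token was rejected (forged claims, wrong nonce, expired). The exam angle: SAML carries the equivalent assertion as signed XML, and a bare OAuth 2.0 access token carries no identity claims the client is entitled to read, which is why "use the OAuth access token to prove who the user is" is the wrong answer in a scenario question.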
Domain 5: Cloud Security Operations
Domain 5: Cloud Security Operations covers how you run a secure cloud environment day to day. Change management, configuration management, and patch management all behave differently in cloud environments (faster, more dynamic, and harder to audit without the right tooling). The exam tests whether you understand those differences.
Incident response in the cloud introduces complications that don't exist in traditional environments. Evidence collection, chain of custody, and forensic investigations all change when your infrastructure is virtual and partially managed by a third party. You should know your incident response steps and where the cloud model complicates each one.
The exam also tests log management and monitoring closely. Know what you can and can't collect in different cloud service models (in IaaS you control OS and application logs but never see hypervisor or physical-network logs; in SaaS you get only the audit logs the provider chooses to expose) and why those visibility gaps matter from a security operations perspective. SLA management and what to include in CSP contracts to protect your operational security requirements are also in scope here.
Domain 6: Legal, Risk, and Compliance
Domain 6: Legal, Risk, and Compliance tests applied judgment, not memorization. Candidates who treat it as a recall exercise tend to struggle with scenario-based questions. The concepts here require you to reason through legal and compliance situations, not just recognize the terminology.
Jurisdictional issues are a major focus. Cloud data often crosses borders, and different countries have different data protection requirements. You must be familiar with the basics of General Data Protection Regulation (GDPR), privacy frameworks, and how data residency requirements affect cloud architecture decisions. eDiscovery in cloud environments is also tested: understand your obligations and the challenges of collecting evidence from a Cloud Service Provider (CSP) when you don't control the underlying infrastructure.
CSP contractual obligations rank among the most practical and heavily tested concepts in this domain. Know what to look for in a cloud service agreement, including right-to-audit clauses, data portability provisions, and exit strategies. Audit frameworks also receive significant coverage: know what ISO 27001 (a certifiable standard for an information security management system), SOC 1 (controls relevant to a customer's financial reporting), SOC 2 (controls measured against the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy, with restricted distribution) and SOC 3 (a general-use summary of a SOC 2 without the detailed control testing) cover, and the difference between a Type I report (design of controls at a point in time) and a Type II report (operating effectiveness over a period), since a SOC 2 Type II is what you actually want when evaluating a CSP.
How to Use This CCSP Study Cheat Sheet Effectively
A cheat sheet is a review tool, not a study plan. Use it after you've worked through your primary materials, not instead of them. Cover each domain in depth first, then come back to this CCSP quick reference to test your recall and identify what still needs work.
Run through each section and ask yourself whether you can explain the concepts in plain language. If you can't, that's your gap. Go back to your primary materials and close them before exam day. The CCSP rewards candidates who understand how concepts connect across domains, so isolated definition-level knowledge won't take you far.
If you want to see those cross-domain connections laid out visually, our free CCSP MindMaps are a strong companion to this cheat sheet. They map out the key concepts across all six domains and show how they relate to each other, which is exactly the kind of thinking the exam rewards.
Frequently Asked Questions
No, a cheat sheet won't get you through the CCSP on its own. The exam is scenario-based, which means you need to apply concepts, not just recall them. Use this as a review tool alongside a full study program.
Domain 6 (Legal, Risk, and Compliance) tends to be the most challenging because it requires applied judgment rather than memorization. Domain 2 (Cloud Data Security) also presents difficulty due to its depth on key management and the data security lifecycle.
Two to four months is a common preparation range, but your timeline depends on your existing cloud security experience and how many hours per week you can dedicate. A structured study program with an adaptive learning system can help you find the most efficient path to exam readiness.
No, the CISSP is not a prerequisite for the CCSP. You need five years of paid work experience in IT, with three years in information security and one year in one or more of the six CCSP domains. If you already hold your CISSP, it satisfies the entire CCSP experience requirement.
Ready to Go Beyond This Cheat Sheet?
A cheat sheet confirms what you know. Passing the CCSP requires you to apply those concepts under real exam pressure, scenario after scenario. That takes structured preparation, not just a list of concepts.
If you want to see what our instruction looks like before committing to a full course, start with our free CCSP Cheat Sheet PDF. It will give you an overview of what to expect before the big day.
When you're ready to go all in, the CCSP MasterClass gives you everything you need to pass on your first attempt. It uses an adaptive learning system that identifies your specific knowledge gaps across all six domains and adjusts your study plan to match. The course includes expert video lessons from Rob Witcher and John Berti, who co-developed the official ISC2 CCSP certification materials, along with practice questions, mindmaps, flashcards, and weekly live Q&A calls.
If you'd rather cover everything in one intensive week, the CCSP online Bootcamp runs Monday through Friday with live online sessions led by Rob Witcher and John Berti. Nine hours a day, five days, with real-time Q&A and full access to the CCSP MasterClass included for your final review.
Whichever path fits your schedule, both options are built around the same goal: passing the CCSP on your first attempt.
John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.
Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.