ISC2 has confirmed it on the official Certified Cloud Security Professional exam page. Starting August 1, 2026, the CCSP exam moves to a new exam outline. If your test date falls on or after that day, you sit the new version. Land on or before July 31 and you sit the outline that has been in place since the 2022 content revision. That single line on the ISC2 site changes how anyone preparing right now should think about scheduling.
A new exam outline is not a cosmetic change. ISC2 builds these outlines from a Job Task Analysis, a structured review where working credential holders confirm what the certification should actually test. When that review finishes, domain emphasis shifts, topics get added or retired, and the question bank gets rewritten to match. The good news for candidates is that it’s a content refresh, not a format overhaul. The six domain structure stays, and so does the adaptive testing format. What moves underneath is the weighting and the specific subject matter you will be tested on.
What Is Changing on August 1, 2026?
The headline is the new exam outline. ISC2 ran its periodic Job Task Analysis for the cloud security role, and the result is an updated description of what a competent CCSP holder needs to know in 2026. Cloud practice has moved since the last content revision. Managed services have replaced a lot of self managed infrastructure, identity has become the primary control plane, and AI and machine learning workloads now sit on the same platforms security teams already protect. The refreshed outline reflects that. What hasn’t moved is the definitional baseline. The essential characteristics and the service and deployment models that NIST set out in its definition of cloud computing are still the vocabulary the exam speaks.
Three things aren’t changing, and that matters as much as what is. You still face six domains. The format is still computerized adaptive testing, which means between 100 and 150 items over a three hour window, with each question’s difficulty adjusting to your performance. Passing still takes a scaled score of 700 out of 1000. Sitting the exam in August will feel the same as it does today. What gets rebuilt is the question bank underneath.
One detail is worth pulling out here. ISC2 has signaled across its credentials that AI and machine learning topics are being folded into the body of knowledge rather than carved out as a separate domain. The same direction shows up in the entry level Certified in Cybersecurity update later in 2026 and in the April 2026 guidance confirming AI concepts already live inside the CISSP. For the CCSP, expect cloud workload protection, model and data pipeline exposure, and the shared responsibility questions that come with managed AI services to carry more weight than they did under the older outline.
The Current CCSP Domains and Weights (Through July 31, 2026)
If you are testing before the change, this is the blueprint that matters. The current outline organizes cloud security into six domains, and they are not weighted equally. Cloud Data Security is the heaviest and the one most candidates find hardest. Legal, Risk and Compliance is the lightest by percentage but is the domain that separates the CCSP from a purely technical cloud certification. Here is the full breakdown as it stands today.
A note on where these weights came from, because it matters for the new outline too. The numbers above reflect the outline in effect through July 31, 2026. Its successor will publish its own weights inside the official outline document. I would not trust a thirdhand percentage breakdown of the new exam from a forum post or a video thumbnail. Pull the official CCSP exam outline straight from ISC2 and read it yourself. When I build practice questions, the published outline is the only source I weight against, because that is the document the exam itself is mapped to.
Should You Take the CCSP Before or After August 1, 2026?
This is the question that actually decides what you do this summer, and the answer depends on where you are in your preparation. The principle I give every candidate facing an outline change is the same. A known exam is easier to prepare for than a new one. The current outline has years of published study material, practice questions, and candidate experience behind it. A brand new outline has none of that on day one, and the early question bank tends to behave a little differently while it settles.
If You Are Already Deep Into Prep
Finish on the current outline and schedule your exam before August 1. Your materials map to the version you are studying, your practice scores mean what they are supposed to mean, and you avoid relearning anything that gets reweighted. Book the date now rather than late in July, because testing centers and online proctoring slots compress hard in the final weeks before any ISC2 outline change. People wait, then scramble for a seat. Don’t be one of them.
If You Are Just Getting Started
Most candidates need two to four months for the CCSP, and CISSP holders usually need less because the foundational material overlaps heavily. Run that math against the calendar. If you are starting in June with a realistic three month runway, you are pointed at the new outline whether you like it or not, so build your plan around it. Download the new outline the moment you start, treat the AI and current cloud practice topics as core rather than optional, and do not buy a stack of older material that maps to the version going away. Study toward the exam you will actually sit.
A point I make to candidates who get anxious about outline changes. The CCSP body of knowledge is stable from one revision to the next. Encryption is still encryption. The shared responsibility model did not get rewritten. A Job Task Analysis adjusts emphasis and adds current topics. It does not throw out the discipline. If you understand cloud security as a working skill rather than a list of memorized facts, an outline change is a reweighting exercise, not a reason to start over.
What the Outline Change Does Not Touch
Eligibility rules are unaffected by the August update, and candidates confuse this constantly. To sit the CCSP you still need five years of cumulative paid work experience in information technology, of which three years must be in information security and at least one year must be in one or more of the six CCSP domains. That requirement is the same on July 31 as it is on August 1.
Two paths around the experience requirement also stay in place. Holding the CISSP satisfies the entire CCSP experience requirement, which turns the CCSP into a pure knowledge exam for CISSP holders and is the single biggest reason the two credentials get paired. If you have neither the experience nor the CISSP, you can still sit the exam and become an Associate of ISC2, then earn the required experience within six years. When you are weighing the CISSP and CCSP together, our breakdown of CCSP versus CISSP covers when each one makes sense, and the question of whether you need both comes up often enough that we gave it its own piece.
Maintenance is unchanged as well. The CCSP requires 90 continuing professional education credits across a three year cycle, with a per year minimum, plus the annual maintenance fee that applies to all ISC2 credentials. None of that moves with the outline.
How to Adjust Your Study Plan
Start by confirming which outline your test date lands on, then study only against that one. Mixing a current study guide with a new outline is how candidates end up over preparing for retired material and under preparing for new topics. Pick your version and commit.
For anyone aiming at the August outline, give Cloud Data Security and Cloud Security Operations extra attention. Data protection has been the heaviest domain for years and there’s no signal that changes, and operations is where the AI and automation topics are most likely to land given how cloud teams actually run AI workloads. Practice the adaptive format too. Because difficulty shifts with your answers, you can’t flag a hard question and circle back the way you might on a linear exam. You commit to an answer and move on. That changes pacing, and candidates who’ve only practiced on fixed length tests feel it on exam day. If cloud operations is your weak spot, our piece on cloud incident response skills is a useful companion to the operations domain.
Frequently Asked Questions
When exactly does the new CCSP exam outline take effect?
The new CCSP exam outline takes effect on August 1, 2026, according to ISC2. Any exam scheduled on or after that date uses the new outline, and any exam on or before July 31, 2026 uses the current outline.
Is the CCSP exam format changing in August 2026?
No. The format stays the same. You keep the six domains, the computerized adaptive testing format of 100 to 150 items over three hours, and the scaled passing score of 700 out of 1000. What changes in August 2026 is the content of the outline, not how the exam is delivered.
Should I take the CCSP before or after the August 2026 update?
Test before August 1, 2026 if you are already well into your preparation with current materials, so your study guide matches the exam. Candidates who are just starting, with a runway of three months or more, should plan around the new outline instead, since that is the version they will sit.
Will my current CCSP study materials still be valid after the change?
Most of what you learn stays relevant, because the core cloud security concepts carry over. Where candidates get caught is emphasis and new topics. Materials built for the current outline may under cover the AI and current cloud practice content the new outline adds, so verify any study resource against the published outline for your test date.
Are the CCSP experience requirements changing in 2026?
No. The outline change does not affect eligibility. You still need five years of cumulative paid IT experience, including three years in information security and one year in one or more of the six CCSP domains. Holding the CISSP still waives the full experience requirement.
Where can I find the official new CCSP exam outline?
ISC2 publishes the CCSP exam outline on its official certification site, including the version that takes effect August 1, 2026. Download it directly from ISC2 rather than relying on secondhand summaries, since the published outline is the document the exam is mapped to.
Director, Educational Services | Training Camp
Mark Sabo is the Director of Educational Services at Training Camp, where he oversees the training team, course design, and certification program development. He holds a B.S. in Information Sciences and Technology from Penn State University and more than 50 industry certifications. Mark joined Training Camp in 2005, became a Technical Trainer in 2007, and assumed his current leadership role in 2015. His specialty is practice exam development and exam preparation strategy, built from years of teaching students in the classroom and studying how certification exams are constructed. His writing focuses on the technical details that matter most to professionals preparing for high stakes exams.
