Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Career Paths

The CCSP Exam Changes on August 1, 2026: What Is New and When to Test

M
Mark Sabo Training Camp
Published
Read Time 11 min read
The CCSP Exam Changes on August 1, 2026: What Is New and When to Test

ISC2 has confirmed it on the official Certified Cloud Security Professional exam page. Starting August 1, 2026, the CCSP exam moves to a new exam outline. If your test date falls on or after that day, you sit the new version. Land on or before July 31 and you sit the outline that has been in place since the 2022 content revision. That single line on the ISC2 site changes how anyone preparing right now should think about scheduling.

A new exam outline is not a cosmetic change. ISC2 builds these outlines from a Job Task Analysis, a structured review where working credential holders confirm what the certification should actually test. When that review finishes, domain emphasis shifts, topics get added or retired, and the question bank gets rewritten to match. The good news for candidates is that it’s a content refresh, not a format overhaul. The six domain structure stays, and so does the adaptive testing format. What moves underneath is the weighting and the specific subject matter you will be tested on.

In short, the CCSP keeps its six domains and its adaptive format on August 1, 2026. The content gets refreshed to match current cloud security practice, including more attention to AI and machine learning. If you are deep into prep with current materials, finish and test before August 1. If you are just starting, build your plan around the new outline.


What Is Changing on August 1, 2026?

The headline is the new exam outline. ISC2 ran its periodic Job Task Analysis for the cloud security role, and the result is an updated description of what a competent CCSP holder needs to know in 2026. Cloud practice has moved since the last content revision. Managed services have replaced a lot of self managed infrastructure, identity has become the primary control plane, and AI and machine learning workloads now sit on the same platforms security teams already protect. The refreshed outline reflects that. What hasn’t moved is the definitional baseline. The essential characteristics and the service and deployment models that NIST set out in its definition of cloud computing are still the vocabulary the exam speaks.

Three things aren’t changing, and that matters as much as what is. You still face six domains. The format is still computerized adaptive testing, which means between 100 and 150 items over a three hour window, with each question’s difficulty adjusting to your performance. Passing still takes a scaled score of 700 out of 1000. Sitting the exam in August will feel the same as it does today. What gets rebuilt is the question bank underneath.

One detail is worth pulling out here. ISC2 has signaled across its credentials that AI and machine learning topics are being folded into the body of knowledge rather than carved out as a separate domain. The same direction shows up in the entry level Certified in Cybersecurity update later in 2026 and in the April 2026 guidance confirming AI concepts already live inside the CISSP. For the CCSP, expect cloud workload protection, model and data pipeline exposure, and the shared responsibility questions that come with managed AI services to carry more weight than they did under the older outline.


The Current CCSP Domains and Weights (Through July 31, 2026)

If you are testing before the change, this is the blueprint that matters. The current outline organizes cloud security into six domains, and they are not weighted equally. Cloud Data Security is the heaviest and the one most candidates find hardest. Legal, Risk and Compliance is the lightest by percentage but is the domain that separates the CCSP from a purely technical cloud certification. Here is the full breakdown as it stands today.

📊 CCSP Domain Weights (Current Outline)
20%

Cloud Data Security. The heaviest domain. Data classification, the cloud data lifecycle, storage architecture, encryption and key management, and information rights management. This is where most candidates lose the most points.

17%

Cloud Concepts, Architecture and Design. Service and deployment models, the shared responsibility model, and secure design principles. The conceptual foundation the rest of the exam builds on.

17%

Cloud Platform and Infrastructure Security. Physical and virtual components, the management plane, risk analysis, and business continuity and disaster recovery in cloud environments.

17%

Cloud Application Security. The secure software development lifecycle, identity and access management for applications, and the application risks specific to cloud delivery.

16%

Cloud Security Operations. Running cloud infrastructure day to day, incident response, logging and monitoring, forensics, and the automation that ties it together.

13%

Legal, Risk and Compliance. The regulatory side of cloud, vendor risk, audit processes, and how cloud operations meet compliance frameworks. Light on percentage, heavy on judgment.

A note on where these weights came from, because it matters for the new outline too. The numbers above reflect the outline in effect through July 31, 2026. Its successor will publish its own weights inside the official outline document. I would not trust a thirdhand percentage breakdown of the new exam from a forum post or a video thumbnail. Pull the official CCSP exam outline straight from ISC2 and read it yourself. When I build practice questions, the published outline is the only source I weight against, because that is the document the exam itself is mapped to.


Should You Take the CCSP Before or After August 1, 2026?

This is the question that actually decides what you do this summer, and the answer depends on where you are in your preparation. The principle I give every candidate facing an outline change is the same. A known exam is easier to prepare for than a new one. The current outline has years of published study material, practice questions, and candidate experience behind it. A brand new outline has none of that on day one, and the early question bank tends to behave a little differently while it settles.

If You Are Already Deep Into Prep

Finish on the current outline and schedule your exam before August 1. Your materials map to the version you are studying, your practice scores mean what they are supposed to mean, and you avoid relearning anything that gets reweighted. Book the date now rather than late in July, because testing centers and online proctoring slots compress hard in the final weeks before any ISC2 outline change. People wait, then scramble for a seat. Don’t be one of them.

If You Are Just Getting Started

Most candidates need two to four months for the CCSP, and CISSP holders usually need less because the foundational material overlaps heavily. Run that math against the calendar. If you are starting in June with a realistic three month runway, you are pointed at the new outline whether you like it or not, so build your plan around it. Download the new outline the moment you start, treat the AI and current cloud practice topics as core rather than optional, and do not buy a stack of older material that maps to the version going away. Study toward the exam you will actually sit.

A point I make to candidates who get anxious about outline changes. The CCSP body of knowledge is stable from one revision to the next. Encryption is still encryption. The shared responsibility model did not get rewritten. A Job Task Analysis adjusts emphasis and adds current topics. It does not throw out the discipline. If you understand cloud security as a working skill rather than a list of memorized facts, an outline change is a reweighting exercise, not a reason to start over.


What the Outline Change Does Not Touch

Eligibility rules are unaffected by the August update, and candidates confuse this constantly. To sit the CCSP you still need five years of cumulative paid work experience in information technology, of which three years must be in information security and at least one year must be in one or more of the six CCSP domains. That requirement is the same on July 31 as it is on August 1.

Two paths around the experience requirement also stay in place. Holding the CISSP satisfies the entire CCSP experience requirement, which turns the CCSP into a pure knowledge exam for CISSP holders and is the single biggest reason the two credentials get paired. If you have neither the experience nor the CISSP, you can still sit the exam and become an Associate of ISC2, then earn the required experience within six years. When you are weighing the CISSP and CCSP together, our breakdown of CCSP versus CISSP covers when each one makes sense, and the question of whether you need both comes up often enough that we gave it its own piece.

Maintenance is unchanged as well. The CCSP requires 90 continuing professional education credits across a three year cycle, with a per year minimum, plus the annual maintenance fee that applies to all ISC2 credentials. None of that moves with the outline.


How to Adjust Your Study Plan

Start by confirming which outline your test date lands on, then study only against that one. Mixing a current study guide with a new outline is how candidates end up over preparing for retired material and under preparing for new topics. Pick your version and commit.

For anyone aiming at the August outline, give Cloud Data Security and Cloud Security Operations extra attention. Data protection has been the heaviest domain for years and there’s no signal that changes, and operations is where the AI and automation topics are most likely to land given how cloud teams actually run AI workloads. Practice the adaptive format too. Because difficulty shifts with your answers, you can’t flag a hard question and circle back the way you might on a linear exam. You commit to an answer and move on. That changes pacing, and candidates who’ve only practiced on fixed length tests feel it on exam day. If cloud operations is your weak spot, our piece on cloud incident response skills is a useful companion to the operations domain.

🎯 The Bottom Line

The August 1, 2026 CCSP update refreshes the content, not the machinery. Six domains, adaptive format, and the 700 passing standard all stay. What shifts is emphasis, with more weight on AI and current cloud practice. The decision in front of you is timing. Anyone close and studying on current materials should schedule before August 1 and book the seat early. Starting fresh with a few months to go means pointing your prep at the new outline, pulled straight from ISC2. Either way, the credential validates what it always has. You can secure the data, applications, and infrastructure that live in the cloud, and answer for it when an auditor asks.


Frequently Asked Questions

When exactly does the new CCSP exam outline take effect?

The new CCSP exam outline takes effect on August 1, 2026, according to ISC2. Any exam scheduled on or after that date uses the new outline, and any exam on or before July 31, 2026 uses the current outline.

Is the CCSP exam format changing in August 2026?

No. The format stays the same. You keep the six domains, the computerized adaptive testing format of 100 to 150 items over three hours, and the scaled passing score of 700 out of 1000. What changes in August 2026 is the content of the outline, not how the exam is delivered.

Should I take the CCSP before or after the August 2026 update?

Test before August 1, 2026 if you are already well into your preparation with current materials, so your study guide matches the exam. Candidates who are just starting, with a runway of three months or more, should plan around the new outline instead, since that is the version they will sit.

Will my current CCSP study materials still be valid after the change?

Most of what you learn stays relevant, because the core cloud security concepts carry over. Where candidates get caught is emphasis and new topics. Materials built for the current outline may under cover the AI and current cloud practice content the new outline adds, so verify any study resource against the published outline for your test date.

Are the CCSP experience requirements changing in 2026?

No. The outline change does not affect eligibility. You still need five years of cumulative paid IT experience, including three years in information security and one year in one or more of the six CCSP domains. Holding the CISSP still waives the full experience requirement.

Where can I find the official new CCSP exam outline?

ISC2 publishes the CCSP exam outline on its official certification site, including the version that takes effect August 1, 2026. Download it directly from ISC2 rather than relying on secondhand summaries, since the published outline is the document the exam is mapped to.

Mark Sabo

Director, Educational Services | Training Camp

Mark Sabo is the Director of Educational Services at Training Camp, where he oversees the training team, course design, and certification program development. He holds a B.S. in Information Sciences and Technology from Penn State University and more than 50 industry certifications. Mark joined Training Camp in 2005, became a Technical Trainer in 2007, and assumed his current leadership role in 2015. His specialty is practice exam development and exam preparation strategy, built from years of teaching students in the classroom and studying how certification exams are constructed. His writing focuses on the technical details that matter most to professionals preparing for high stakes exams.