- What the CCAK Certification Actually Tests
- Exam Format: Structure, Question Types, and Time
- Domain-by-Domain Weight Analysis
- How CCAK Questions Are Written
- Mastering the High-Weight Domains
- Smaller Domains That Still Require Depth
- A Domain-Sequenced Preparation Schedule
- Registration and Eligibility Mechanics
- Frequently Asked Questions
- The CCAK exam covers nine domains, with Cloud Compliance Program (21%) and Cloud Governance (18%) carrying the most weight.
- All questions are scenario-based multiple-choice; there are no essay or lab components.
- Domain 4 (Threat Analysis) is only 5% of the exam but requires understanding CCM-specific threat methodologies, not generic risk frameworks.
- Domain 9 (STAR Program) is also 5% - small weight but highly specific; a dedicated study guide is essential before exam day.
What the CCAK Certification Actually Tests
The Certificate of Cloud Auditing Knowledge (CCAK) is a joint credential from ISACA and the Cloud Security Alliance (CSA). It is designed specifically for auditors, compliance professionals, and cloud security practitioners who need to evaluate cloud environments against structured control frameworks - most notably the CSA Cloud Controls Matrix (CCM) and the CAIQ (Consensus Assessments Initiative Questionnaire).
Unlike generalist cloud certifications that ask you to configure services or design architectures, the CCAK is entirely focused on audit methodology, governance, compliance program management, and assurance. If your job involves reviewing whether a cloud provider or cloud-consuming organization meets its obligations, this exam was built for your work.
Understanding the exam format is not just an administrative task - it directly shapes how you should allocate study time. A domain worth 21% of the exam deserves considerably more preparation than one worth 5%, and the types of questions asked demand a different kind of mastery than simple recall.
Exam Format: Structure, Question Types, and Time
Core Exam Structure
The CCAK is a proctored examination consisting of 76 multiple-choice questions with a time limit of 2 hours (120 minutes). That works out to roughly 95 seconds per question, which is comfortable for straightforward recall items but tight for scenario-based questions that require you to apply CCM control logic to a specific cloud audit finding.
The exam is available in both online-proctored and in-person testing center formats. Candidates who choose online proctoring should test their system requirements in advance - technical interruptions during a timed exam are costly and stressful.
Question Format in Detail
All 76 questions follow a standard four-option multiple-choice format with one correct answer. There are no partial-credit items, drag-and-drop questions, or performance-based labs. This matters because it means your preparation should be oriented toward:
- Selecting the best answer - often more than one option sounds correct; pick the one that is most defensible under CCM and CCAK framework logic
- Eliminating distractors - CCAK questions frequently include options that are accurate in a generic IT audit context but wrong within the CCM or CSA STAR framework specifically
- Interpreting scenarios - many questions present a brief audit scenario and ask what a cloud auditor should do next, or which control domain applies
| Exam Attribute | Detail |
|---|---|
| Total Questions | 76 multiple-choice |
| Time Limit | 120 minutes (2 hours) |
| Question Format | Single best answer (4 options) |
| Delivery Options | Online proctored or testing center |
| Language | English |
| Domains Covered | 9 |
Domain-by-Domain Weight Analysis
The CCAK exam is divided into nine domains. The weights below are official and should drive your study prioritization directly. Converting percentages to approximate question counts (out of 76) helps make the stakes concrete.
Domain 1: Cloud Governance - 18%
Approximately 14 questions. Covers how organizations structure governance over cloud environments, including roles and responsibilities, risk appetite, and accountability frameworks. Expect questions on how governance models differ in IaaS, PaaS, and SaaS contexts.
- Shared responsibility matrix interpretation
- Cloud governance frameworks and their audit implications
- Escalation paths and oversight structures for cloud programs
Domain 2: Cloud Compliance Program - 21%
The highest-weighted domain at approximately 16 questions. Tests your ability to design, evaluate, and manage a cloud-specific compliance program. This includes mapping regulations to cloud controls, handling third-party assessments, and maintaining ongoing compliance posture.
- Compliance program lifecycle in cloud environments
- Mapping regulatory requirements to CCM control domains
- Evidence collection and audit trail considerations for cloud
Domain 3: CCM and CAIQ - Goals, Objectives, and Structure - 12%
Roughly 9 questions. This domain expects deep familiarity with the CCM architecture itself - its control domains, how they are numbered, and how the CAIQ is used as a questionnaire tool by cloud customers assessing providers.
- CCM control domain taxonomy and hierarchy
- CAIQ structure and how responses are evaluated
- Relationship between CCM and standards like ISO 27001 and SOC 2
Domain 6: Cloud Auditing - 15%
Approximately 11 questions. Addresses cloud-specific audit planning, fieldwork, and reporting. Focuses on how traditional audit techniques must be adapted for cloud environments, including considerations for multi-tenancy, API-based evidence, and audit log integrity.
- Cloud audit planning and scoping
- Fieldwork techniques for IaaS, PaaS, and SaaS audits
- Reporting cloud audit findings to governance bodies
The remaining five domains - Domain 4 (5%), Domain 5 (9%), Domain 7 (8%), Domain 8 (7%), and Domain 9 (5%) - account for about 34% of the exam combined, but several of them contain highly specific content that trips up candidates who treat them as minor.
How CCAK Questions Are Written
Understanding the question-writing philosophy behind the CCAK is one of the most underutilized preparation strategies. The exam is developed jointly by ISACA and CSA, and it reflects both organizations' emphasis on judgment over recall.
Most questions follow one of these three structural patterns:
- Scenario + Best Next Action: A cloud auditor discovers an anomaly during fieldwork. Which action best aligns with CCM auditing principles?
- Framework Application: A CSP's CAIQ response claims full implementation of a control. What should an auditor do to validate this assertion?
- Governance/Compliance Judgment: A cloud compliance program lacks a specific element. Which gap is most significant from an audit perspective?
In each case, the wrong answers are carefully constructed to be plausible in a general IT audit context. The correct answer is almost always the one that best reflects CCM logic, CSA STAR program principles, or cloud-specific audit considerations - not generic audit methodology.
You can accelerate this pattern recognition significantly by working through scenario-based practice questions on the CCAK Exam Prep practice test platform, which is built around the same applied-judgment format as the real exam.
Mastering the High-Weight Domains
Domain 2: Cloud Compliance Program (21%)
Because this single domain represents more than one-fifth of the exam, treating it superficially is a significant risk. The key to mastering it is understanding that a cloud compliance program is not simply a policy document - it is a living system of controls, monitoring, reporting, and remediation that must function across a shared responsibility boundary.
Topics to master specifically include how compliance obligations are inherited or not inherited from cloud service providers, how organizations use the CAIQ to gather evidence from providers, and how a compliance program must evolve when the underlying cloud infrastructure changes (new services adopted, new regions activated, new vendor relationships created).
Domain 1: Cloud Governance (18%)
Cloud governance questions frequently test whether you understand that governance structures in cloud environments must account for the diffuse nature of accountability. Traditional IT governance assumes clear ownership of hardware and software; cloud governance must explicitly address what happens at the boundaries between customer and provider responsibility.
Pay particular attention to how governance frameworks interact with cloud deployment models. A governance structure appropriate for a private cloud deployment will look materially different from one that oversees a multi-cloud environment using SaaS applications from several vendors simultaneously.
Domain 6: Cloud Auditing (15%)
This domain is where candidates with traditional IT audit backgrounds sometimes overestimate their readiness. Cloud auditing requires a recalibration of standard techniques - log-based evidence may be held by the CSP and subject to retention limitations, sampling strategies must account for ephemeral resources, and the audit trail for automated deployments may span multiple orchestration tools.
Review how audit programs are scoped when the auditee relies heavily on third-party cloud infrastructure, and understand when a STAR attestation or certification can substitute for direct auditor testing versus when independent validation is still required.
Smaller Domains That Still Require Depth
Domain 4: A Threat Analysis Methodology for Cloud Using CCM (5%)
Only approximately four questions, but they are among the most specific on the exam. This domain covers how the CCM is used as a lens for cloud threat analysis - not generic threat modeling, but specifically how CCM control domains map to threat categories in cloud environments. Candidates who skip this domain entirely because of its low weight often miss every question in it, which is an unnecessary loss.
Domain 9: STAR Program (5%)
Another five-percent domain with highly specialized content. The CSA STAR program has multiple assurance levels - Level 1 self-assessment (a published CAIQ), Level 2 independent third-party certification or attestation, and Level 3 continuous assurance - each with specific implications for auditors and compliance professionals. The exam tests whether you understand not just what STAR is, but how its different assurance levels affect audit reliance decisions.
Given how specifically the STAR program is tested, working through the CCAK Domain 9: STAR Program Complete Study Guide 2026 before your exam date is strongly recommended. The tiers, their requirements, and the audit implications of each level are exactly the kind of detail the exam probes.
Key Takeaway
Do not dismiss the five-percent domains. On a 76-question exam, missing every question in a small domain because you deprioritized it can be the difference between passing and failing. Allocate at least a focused review session to Domain 4 and Domain 9 regardless of their weights.
Domain 7: CCM - Auditing Controls (8%)
Approximately six questions testing how auditors evaluate specific CCM controls during an audit engagement. This domain pairs tightly with Domain 3 (CCM structure) and Domain 6 (cloud auditing). Candidates who understand the CCM taxonomy and general cloud audit techniques will find Domain 7 consolidates those skills into practical control-testing scenarios.
Domain 8: Continuous Assurance and Compliance (7%)
Cloud environments change constantly - new resources are provisioned, configurations drift, new services are enabled. Domain 8 addresses how assurance and compliance programs must shift from point-in-time assessments to continuous monitoring. Understand the tooling landscape conceptually (CSPM tools, automated compliance checks, real-time evidence collection) and how continuous assurance findings feed back into governance structures.
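The following script is an added example, not code from the page, CSA, or ISACA. It puts the two ideas above into running form: the shift from point-in-time assessment to continuous monitoring in Domain 8 (re-evaluating each configuration snapshot and classifying drift, including a resource that did not exist at the previous observation) and the audit-trail concern raised under Domain 6 fieldwork (evidence records that are hash-chained so later tampering is detectable). The bucket snapshots, the timestamps, and the three control checks are constructed placeholders; the control names are illustrative and are not CCM control identifiers, which the page does not list.

```python
"""Continuous-assurance check over constructed cloud configuration snapshots.

Added example for illustration only. Snapshots, control names and timestamps
are constructed; no real CCM control IDs or CSP export formats are assumed.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first evidence record in a chain

# Constructed snapshots of object-storage buckets, as a CSPM tool might export.
SNAPSHOT_T0 = [
    {"id": "bkt-logs", "public": False, "encrypted": True, "access_logging": True},
    {"id": "bkt-data", "public": False, "encrypted": True, "access_logging": True},
]
SNAPSHOT_T1 = [
    {"id": "bkt-logs", "public": False, "encrypted": True, "access_logging": True},
    {"id": "bkt-data", "public": True, "encrypted": True, "access_logging": False},  # drifted
    {"id": "bkt-tmp", "public": False, "encrypted": False, "access_logging": True},  # new, ephemeral
]

# Illustrative control catalogue: name -> predicate over one resource record.
# A real program would map each entry to a CCM control ID (placeholder here).
CONTROLS = {
    "no-public-buckets": lambda r: not r["public"],
    "encryption-at-rest": lambda r: r["encrypted"],
    "access-logging-enabled": lambda r: r["access_logging"],
}


def evaluate(snapshot):
    """Return {resource_id: [failed control names]} for one point-in-time snapshot."""
    findings = {}
    for res in snapshot:
        failed = [name for name, check in CONTROLS.items() if not check(res)]
        if failed:
            findings[res["id"]] = failed
    return findings


def drift(prev_findings, curr_findings):
    """Classify changes between two evaluations: new failures and remediations.

    A resource absent from prev_findings (e.g. provisioned since the last run)
    is treated as having had no failures, so its gaps surface as new failures.
    """
    out = {"new_failures": {}, "remediated": {}}
    for rid, failed in curr_findings.items():
        new = sorted(set(failed) - set(prev_findings.get(rid, [])))
        if new:
            out["new_failures"][rid] = new
    for rid, failed in prev_findings.items():
        fixed = sorted(set(failed) - set(curr_findings.get(rid, [])))
        if fixed:
            out["remediated"][rid] = fixed
    return out


def canonical(obj):
    """Deterministic JSON encoding so hashes are reproducible across runs."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_evidence(snapshot, findings, prev_hash, observed_at):
    """Build an evidence record whose hash commits to the snapshot, the
    findings and the previous record, forming a tamper-evident chain."""
    body = {
        "observed_at": observed_at,
        "snapshot_sha256": hashlib.sha256(canonical(snapshot)).hexdigest(),
        "findings": findings,
        "prev_hash": prev_hash,
    }
    body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    return body


def verify_chain(records):
    """True if every record's hash is intact and links to its predecessor."""
    prev = GENESIS
    for rec in records:
        if rec.get("prev_hash") != prev:
            return False
        unsigned = {k: v for k, v in rec.items() if k != "hash"}
        if hashlib.sha256(canonical(unsigned)).hexdigest() != rec.get("hash"):
            return False
        prev = rec["hash"]
    return True


def run_cycle(snapshots, timestamps):
    """Evaluate snapshots in order; return (drift reports, evidence chain)."""
    chain, reports, prev_findings, prev_hash = [], [], {}, GENESIS
    for snap, ts in zip(snapshots, timestamps):
        findings = evaluate(snap)
        reports.append(drift(prev_findings, findings))
        rec = record_evidence(snap, findings, prev_hash, ts)
        chain.append(rec)
        prev_findings, prev_hash = findings, rec["hash"]
    return reports, chain


if __name__ == "__main__":
    reports, chain = run_cycle([SNAPSHOT_T0, SNAPSHOT_T1], ["t0", "t1"])
    print(json.dumps(reports, indent=2))
    print("evidence chain intact:", verify_chain(chain))
```

The drift report is what a continuous-assurance feed hands back to governance: at t1 the second run flags the bucket that became public and lost access logging, plus the freshly provisioned unencrypted bucket that a point-in-time review scheduled for t0 would never have seen. The hash chain is the part an auditor cares about when evidence is generated automatically: if any record is later edited, or a record is dropped from the sequence, `verify_chain` fails, which is the property that lets a reviewer rely on the tool's history rather than re-performing every observation.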
A Domain-Sequenced Preparation Schedule
Generic study templates that ignore domain weights waste preparation time. The following schedule sequences domains by weight and logical dependency - heavier domains get more time, and foundational domains (like CCM structure) are addressed before the domains that apply CCM knowledge.
CCM and CAIQ Foundation (Domain 3)
- Read CCM documentation end to end; map control domain abbreviations
- Review CAIQ structure and understand how responses are scored
- This foundational knowledge unlocks Domains 2, 4, 6, 7, and 9, all of which apply CCM or CAIQ concepts - build it first
Cloud Compliance Program (Domain 2) - Heaviest Domain
- Study compliance program lifecycle, evidence management, third-party assessment mechanics
- Practice mapping regulations to CCM domains
- Work 20+ practice questions focused on Domain 2 scenarios
Cloud Governance and Cloud Auditing (Domains 1 and 6)
- Study governance frameworks and shared responsibility models
- Review cloud audit planning, evidence collection, and reporting
- Practice with scenario questions requiring governance judgment calls
Remaining Domains (4, 5, 7, 8, 9) + Full Practice Tests
- Dedicated sessions for Domain 9 (STAR Program) and Domain 4 (Threat Analysis)
- Review Domain 5 (Evaluating a Cloud Compliance Program) - pairs well with Domain 2 review
- Take two full timed practice exams on the CCAK Exam Prep platform and review every missed question
This schedule applies spaced repetition in a practical way: Domain 3 material resurfaces naturally when you study Domains 2, 6, and 7 in subsequent weeks, reinforcing the foundational concepts without requiring separate review sessions.
Registration and Eligibility Mechanics
The CCAK is administered by ISACA. Candidates register through the ISACA website and schedule the exam through ISACA's exam delivery vendor, either at a testing center or via online proctoring. ISACA membership affects the exam fee - member pricing is lower than non-member pricing - so candidates who are not already ISACA members should evaluate whether membership is cost-effective given the fee differential.
There are no formal prerequisites stated for the CCAK, meaning candidates are not required to hold another certification before registering. However, the exam assumes familiarity with cloud concepts and general audit or compliance principles. Candidates coming from a purely technical background with no audit exposure, or from a traditional IT audit background with no cloud experience, will typically need more preparation time to bridge their knowledge gap.
For a more complete picture of what the exam tests on a question-by-question basis - including how each domain's questions are structured - revisit the CCAK Exam Format 2026: Question Types and Time Limits overview as your exam date approaches. Reviewing format details a second time, after you have completed substantive domain study, often surfaces nuances that were not apparent during initial reading.
Candidates preparing for the exam consistently report that the combination of official CSA and ISACA study materials with scenario-based practice questions is the most effective preparation approach. The CCAK Exam Prep practice test platform offers question sets organized by domain so you can target your weakest areas directly rather than working through undifferentiated question banks.
Frequently Asked Questions
The CCAK exam consists of 76 multiple-choice questions with a two-hour (120-minute) time limit. All questions follow a single-best-answer format with four options each.
Start with Domain 3 (CCM and CAIQ: Goals, Objectives, and Structure). Understanding the CCM architecture is foundational - it underpins the questions in Domains 2, 4, 6, 7, and 9. Building this knowledge first makes every subsequent domain easier to absorb.
Yes, absolutely. The STAR Program domain contains highly specific content about CSA STAR tiers, assurance levels, and their audit implications. Because the questions are so specialized, candidates who skip it often miss every question in the domain. Review the CCAK Domain 9: STAR Program Complete Study Guide 2026 to cover this material efficiently.
You do not need to memorize every CCM control identifier verbatim, but you must understand the CCM control domain taxonomy, the logic behind how controls are grouped, and how specific control areas map to compliance requirements and audit procedures. Questions test application, not pure memorization.
There are no formal prerequisites, but the exam assumes comfort with cloud service models (IaaS, PaaS, SaaS), shared responsibility concepts, and cloud risk landscape basics. Candidates without cloud exposure should plan for additional preparation time to build that foundational context before tackling the audit and compliance domains.