- What the CCAK Certification Actually Tests
- Official Eligibility and Prerequisites
- Who Pursues This Certification - and Who Hires for It
- Domain Breakdown: What You Must Actually Know
- Registration and Exam Mechanics
- A CCAK-Specific Study Schedule
- How Practice Testing Fits Into CCAK Prep
- Frequently Asked Questions
- CCAK has no strict prerequisite, but candidates without cloud auditing or compliance experience will face a steep knowledge gap across nine domains.
- Domain 2 (Cloud Compliance Program, 21%) and Domain 1 (Cloud Governance, 18%) together account for nearly 40% of the exam - prioritize them first.
- The CCM and CAIQ are not just reference materials - they are tested directly in Domains 3, 4, and 7, totaling 25% of the exam.
- The STAR Program (Domain 9) carries only 5% weight, but questions often appear in context of the broader compliance narrative, so don't skip it.
What the CCAK Certification Actually Tests
The Certificate of Cloud Auditing Knowledge (CCAK) is a vendor-neutral, globally recognized credential developed jointly by ISACA and the Cloud Security Alliance (CSA). Unlike broad cloud security certifications, the CCAK is deliberately narrow in scope: it focuses on the knowledge and skills an auditor, compliance analyst, or cloud governance professional needs to evaluate cloud environments against structured frameworks - specifically the CSA Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ).
Understanding what the CCAK tests is the first step to understanding whether you're eligible, how long to prepare, and what your study time should actually look like. The exam does not ask you to configure cloud infrastructure or write security policy from scratch. It asks you to demonstrate that you understand how cloud auditing works, how compliance programs are structured, and how specific control frameworks are applied in real cloud auditing scenarios.
The exam is divided across nine domains, each with a defined percentage weight. Those weights are not arbitrary - they reflect the depth of knowledge and volume of questions you will face on each topic. Treating all nine domains equally is one of the most common preparation mistakes. Before exploring how to prepare, it's worth understanding exactly who the exam is designed for.
Official Eligibility and Prerequisites
Is There a Formal Prerequisite?
The CCAK does not publish a mandatory work experience requirement the way some other auditing credentials do. There is no prerequisite certification you must hold before registering, and no minimum years of experience that will block you from sitting the exam. In that sense, the door is technically open to a wide range of candidates.
However, that openness is somewhat deceptive. The exam's content assumes a baseline of practical familiarity with cloud environments, audit methodologies, and compliance frameworks. Candidates who have never worked in cloud governance, IT audit, or a compliance function will find the material difficult to absorb in isolation. The knowledge gaps aren't impossible to close - but they require deliberate, structured study rather than a quick cram session.
Who Is the Ideal Candidate?
ISACA and CSA describe the CCAK's target audience clearly in their published guidance. The credential is designed for:
- IT auditors who are moving into cloud-focused audit engagements and need a structured framework for cloud control evaluation
- Cloud compliance analysts responsible for maintaining and reporting on compliance posture in cloud-hosted environments
- Cloud security professionals who work alongside audit and governance teams and want a shared credential language
- Risk managers and GRC professionals who oversee cloud risk programs and need to evaluate third-party cloud providers
- Cloud architects and consultants who advise clients on cloud governance and need to demonstrate auditing competence
If your daily work involves any combination of cloud risk assessment, vendor compliance evaluation, control testing in cloud environments, or reporting to a board or audit committee about cloud exposure, the CCAK is squarely aimed at you.
Who Pursues This Certification - and Who Hires for It
The CCAK sits at an interesting intersection of two professional communities that are increasingly converging: the cloud security world and the audit/compliance world. Organizations that operate significant cloud infrastructure - and almost all enterprise organizations do - face a recurring challenge: their traditional IT auditors often lack cloud-specific knowledge, while their cloud engineers often lack audit methodology fluency. The CCAK is designed to produce professionals who can bridge that gap.
Employers hiring for CCAK-relevant roles include large enterprises with internal audit functions, cloud-native companies building compliance programs from the ground up, consulting and advisory firms providing cloud governance services, financial institutions and regulated industries managing third-party cloud risk, and government contractors subject to cloud-specific compliance mandates.
Job titles where CCAK holders commonly appear include Cloud Auditor, Cloud Compliance Manager, GRC Analyst (Cloud), Cloud Risk Advisor, and Senior IT Auditor (Cloud). The credential signals to employers that the holder understands not just cloud security concepts, but how to systematically evaluate a cloud environment against a recognized control framework - a skill set that is meaningfully different from general cloud knowledge.
Domain Breakdown: What You Must Actually Know
This is where eligibility and preparation intersect most critically. The nine CCAK domains vary substantially in weight and in the type of knowledge they demand. Review each carefully - not just their names, but what the content actually requires of you.
Domain 1: Cloud Governance (18%)
Second only to Domain 2 in weight. Candidates must understand governance frameworks as they apply specifically to cloud environments, including accountability structures, policy hierarchies, and how governance intersects with cloud service and deployment models.
- Cloud governance models and their organizational implications
- Roles and responsibilities in shared responsibility models
- How governance structures enable or constrain audit activity
Domain 2: Cloud Compliance Program (21%)
The single largest domain on the exam. This is where candidates must demonstrate deep understanding of how cloud compliance programs are built, managed, and measured. This isn't abstract - expect scenario-based questions requiring you to evaluate a compliance program's structure and identify gaps.
- Compliance program design and lifecycle management
- Regulatory and contractual requirements in cloud contexts
- Mapping compliance obligations to cloud control frameworks
Domain 3: CCM and CAIQ - Goals, Objectives, and Structure (12%)
This domain tests whether you actually understand the Cloud Controls Matrix as a document and tool - not just that it exists. You must know its control domains, how controls are structured, and what the CAIQ is designed to accomplish in third-party assessment scenarios.
- CCM control domain architecture and naming conventions
- CAIQ purpose, format, and use in vendor assessments
- Relationship between CCM controls and other frameworks (ISO, SOC 2, etc.)
Domain 4: A Threat Analysis Methodology for Cloud Using CCM (5%)
A smaller domain by weight, but conceptually demanding. Candidates must understand how to apply the CCM as a lens for threat analysis - connecting specific threats to the control areas designed to mitigate them.
- Cloud-specific threat categories and their relationship to CCM control domains
- Applying CCM in structured threat analysis exercises
Domain 5: Evaluating a Cloud Compliance Program (9%)
Where Domain 2 covers building compliance programs, Domain 5 tests your ability to evaluate one. Expect questions that require you to assess maturity, identify weaknesses, and recommend improvements to a cloud compliance program.
- Compliance program evaluation methodologies
- Maturity models and their application in cloud auditing
- Identifying gaps between stated controls and actual practices
Domain 6: Cloud Auditing (15%)
The core of the credential's identity. This domain covers audit planning, execution, evidence collection, and reporting in cloud environments. Candidates must understand how traditional audit principles adapt - and where they break down - in dynamic, multi-tenant cloud architectures.
- Audit planning and scoping for cloud engagements
- Evidence collection in cloud environments where traditional access is limited
- Audit reporting and communication of cloud-specific findings
Domain 7: CCM - Auditing Controls (8%)
Bridges Domains 3 and 6 by testing how CCM controls are actually audited. Candidates must demonstrate they can design audit procedures for specific CCM control areas and evaluate control effectiveness.
- Designing test procedures for CCM controls
- Evaluating control design versus operating effectiveness
- Documenting CCM-based audit findings
Domain 8: Continuous Assurance and Compliance (7%)
Tests understanding of how compliance monitoring evolves from periodic audits to continuous control monitoring in cloud environments. If you're studying this domain, the CCAK Domain 8: Continuous Assurance and Compliance Study Guide offers targeted preparation support.
- Continuous monitoring frameworks and tooling in cloud contexts
- Automation of compliance evidence collection
- How continuous assurance changes the auditor's role
Domain 9: STAR Program (5%)
The lowest-weighted domain, focused on CSA's Security, Trust, Assurance and Risk (STAR) program. Candidates must understand STAR's levels, what each level demonstrates, and how STAR registrations are used in third-party risk management.
- STAR Level 1 (self-assessment), Level 2 (third-party audit), and Level 3 (continuous)
- How STAR entries inform cloud vendor selection and audit decisions
| Domain | Weight | Primary Skill Required | Preparation Priority |
|---|---|---|---|
| Domain 2: Cloud Compliance Program | 21% | Program design and evaluation | High - study first |
| Domain 1: Cloud Governance | 18% | Governance frameworks and accountability | High - study early |
| Domain 6: Cloud Auditing | 15% | Audit planning and evidence in cloud | High - core credential topic |
| Domain 3: CCM and CAIQ Structure | 12% | Framework architecture and purpose | Medium-high - foundational for Domains 4 and 7 |
| Domain 5: Evaluating Compliance Programs | 9% | Maturity assessment and gap analysis | Medium |
| Domain 7: CCM Auditing Controls | 8% | Control testing and documentation | Medium - study after Domain 3 |
| Domain 8: Continuous Assurance | 7% | Continuous monitoring frameworks | Medium |
| Domain 4: Threat Analysis Using CCM | 5% | Threat-to-control mapping | Lower - study after Domain 3 |
| Domain 9: STAR Program | 5% | STAR levels and their application | Lower - study last |
Registration and Exam Mechanics
The CCAK exam is administered through ISACA's testing infrastructure. Candidates register through ISACA's website, where exam scheduling, fee payment, and preparation resources are managed. The exam is available in both online proctored and in-person testing center formats, giving candidates flexibility in how and where they sit for it.
The exam itself is composed of multiple-choice questions. Questions are scenario-based - they describe a cloud governance situation, an audit engagement context, or a compliance challenge, and ask you to select the best course of action or the most accurate characterization of the scenario. This question style rewards applied knowledge over rote memorization. Knowing that Domain 6 covers cloud auditing isn't enough - you need to be able to work through a realistic audit scenario and select the response that best reflects sound auditing practice in a cloud context.
Candidates who have previously sat for ISACA exams (CISA, CISM, CRISC) will find the question format familiar. Candidates coming from a pure cloud security background (AWS certifications, CCSP) will find the audit-centric framing of questions to be an adjustment that requires specific preparation. For a full overview of eligibility requirements and registration steps, the CCAK Exam Prerequisites and Eligibility Requirements 2026 page covers the most current details as published.
A CCAK-Specific Study Schedule
Generic study advice is not particularly useful for a credential as domain-specific as the CCAK. What follows is a structured approach that reflects the actual weight distribution of the exam and the interdependencies between domains.
Week 1 - Foundation: Domains 2 and 1
- Study Cloud Compliance Program design and lifecycle (Domain 2 - 21%)
- Study Cloud Governance frameworks and accountability structures (Domain 1 - 18%)
- Read the CSA CCM overview documentation to establish context
- Take a baseline diagnostic practice test to identify starting knowledge gaps
Week 2 - Framework Depth: Domains 3, 4, and 7
- Study CCM structure, control domains, and CAIQ format in detail (Domain 3 - 12%)
- Study threat analysis methodology using CCM (Domain 4 - 5%)
- Study how CCM controls are audited and documented (Domain 7 - 8%)
- These three domains are interconnected - studying them together reinforces comprehension
Week 3 - Audit Practice: Domains 6 and 5
- Study cloud audit planning, evidence collection, and reporting (Domain 6 - 15%)
- Study compliance program evaluation and maturity assessment (Domain 5 - 9%)
- Work through scenario-based practice questions for both domains
- Review areas flagged as weak in the Week 1 diagnostic
Week 4 - Continuous Monitoring and Final Review: Domains 8 and 9
- Study continuous assurance frameworks and automation in compliance (Domain 8 - 7%)
- Study the STAR Program levels and their use in vendor risk management (Domain 9 - 5%)
- Run full-length timed practice tests to simulate exam conditions
- Focus final review sessions on the two highest-weight domains (1 and 2) as a closing reinforcement
The spaced repetition principle applies here with CCAK-specific purpose: revisiting Domains 1 and 2 at the end of Week 4 after studying all nine domains allows you to connect compliance program concepts to the audit and continuous assurance material you've since learned - making the earlier material stick more effectively and feel less abstract.
How Practice Testing Fits Into CCAK Prep
The CCAK's scenario-based question format means that reading study materials and taking the exam are genuinely different cognitive activities. You can understand cloud compliance program design conceptually and still struggle with exam questions that require you to evaluate a flawed compliance program scenario and identify the most significant gap. Practice testing closes that gap.
The most effective approach is to run domain-specific practice sets early in your preparation - not just full-length tests at the end. When you finish studying Domain 6 (Cloud Auditing), immediately run a targeted set of Domain 6 questions through CCAK practice tests to verify your understanding before moving on. If you're scoring poorly in Domain 2 scenarios despite having studied the material, that's a signal to revisit the content rather than simply continue to the next domain.
Key Takeaway
Use practice tests diagnostically, not just as a final confidence check. After each domain study block, test your domain-specific knowledge immediately. Domains 1 and 2 together account for nearly 40% of the exam - poor performance in either should trigger immediate remediation, not a note to revisit later. Visit our practice test platform to work through targeted domain questions at any stage of your preparation.
Candidates who have read about the CCAK Domain 8: Continuous Assurance and Compliance Study Guide often note that Domain 8 questions appear straightforward in isolation but become more nuanced when paired with Domain 5 and Domain 6 scenarios. Running cross-domain practice sets as you approach your exam date helps you develop the connective thinking the exam rewards.
Frequently Asked Questions
Do I need a prior ISACA certification to sit the CCAK?
No. The CCAK does not require any prior ISACA certification. However, candidates who hold the CISA or CRISC will find significant content overlap in areas like audit methodology, compliance program management, and risk assessment - which reduces the preparation burden considerably. Candidates without an audit or compliance background should expect a steeper preparation curve regardless of other credentials held.
Which domains should I prioritize?
Prioritize Domain 2 (Cloud Compliance Program, 21%) and Domain 1 (Cloud Governance, 18%) first - together they represent nearly 40% of the exam. Domain 6 (Cloud Auditing, 15%) should come next. Study Domain 3 (CCM and CAIQ Structure, 12%) before attempting Domains 4 or 7, as Domain 3 provides the foundational framework knowledge those domains build on. Domains 9 and 4 carry 5% each and can be studied last without compromising your overall readiness.
Is the CCAK exam multiple-choice?
Yes. The CCAK exam is composed entirely of multiple-choice questions. However, the questions are predominantly scenario-based, meaning they describe a realistic cloud auditing or compliance situation and ask you to select the best response. This format tests applied judgment rather than straightforward recall, so preparation through practice questions is essential alongside content study.
How does the CCAK differ from the CCSP?
The CCSP (Certified Cloud Security Professional) is a broad cloud security credential focused on cloud architecture, design, operations, and security management. The CCAK is specifically focused on cloud auditing and compliance evaluation - particularly through the lens of the CSA Cloud Controls Matrix and CAIQ. The CCAK is more relevant for audit, compliance, and GRC professionals; the CCSP is more relevant for cloud security engineers and architects. Some professionals hold both, but the target use cases are distinct.
How long does it take to prepare for the CCAK?
Preparation time varies significantly based on your existing background. Candidates with active IT audit or cloud compliance experience typically need four to six weeks of structured study. Candidates newer to cloud governance or audit methodology may need eight to twelve weeks to build sufficient domain knowledge and practice with the scenario-based question format. The four-week study schedule outlined in this article assumes a foundation of relevant professional experience and focused daily study sessions.
Ready to Start Practicing?
Test your CCAK knowledge across all nine domains with scenario-based practice questions designed to mirror the real exam format. Identify your weak areas by domain, track your progress, and build the applied judgment the CCAK requires - before exam day.