CCAK Exam Registration Guide 2026: Step-by-Step Process

TL;DR
  • The CCAK is jointly issued by ISACA and the Cloud Security Alliance (CSA), making it unique among cloud audit credentials.
  • Nine domains are tested; Cloud Compliance Program (21%) and Cloud Governance (18%) carry the heaviest combined weight.
  • Registration requires an active ISACA or CSA account before you can access the exam portal and pay fees.
  • The CCM (Cloud Controls Matrix) and CAIQ appear explicitly in Domain 3 and Domain 7; expect questions that test structural knowledge, not just awareness.

What Is the CCAK Certification?

The Certificate of Cloud Auditing Knowledge (CCAK) is a vendor-neutral, practitioner-level credential developed jointly by ISACA and the Cloud Security Alliance (CSA). That dual-body sponsorship is not cosmetic: it means the exam draws on ISACA's deep auditing and governance methodology and CSA's cloud-specific frameworks, particularly the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ).

The result is a certification that sits at a very specific intersection: candidates must understand both how to audit complex environments and how cloud-native concepts like shared responsibility, multi-tenancy, and continuous compliance reshape traditional audit practice. No other widely recognized credential occupies exactly that space, which is why hiring managers in cloud security, IT audit, and GRC roles treat it as a credible differentiator.

Why the Joint Sponsorship Matters: Because ISACA and CSA co-own the CCAK, the exam content is updated when either body revises its frameworks. Candidates should always verify they are studying against the current CCM version and the current ISACA exam blueprint before registering.

Who Should Register for the CCAK?

The CCAK is deliberately positioned for practitioners who already have some grounding in either auditing or cloud security; it is not an entry-level awareness certificate. The following roles are the primary target audience:

  • IT and internal auditors who are increasingly assigned cloud environments and need a structured framework for evaluating cloud controls.
  • Cloud security engineers and architects who want to understand how their environments will be assessed and how to build audit-ready infrastructure.
  • GRC (Governance, Risk, and Compliance) professionals managing cloud vendor relationships and third-party assurance programs.
  • Compliance officers at organizations subject to regulations that extend into cloud environments (financial services, healthcare, and critical infrastructure sectors in particular).
  • External auditors and consultants who perform cloud audits on behalf of clients and need a credential their clients recognize.

Organizations hiring for these roles increasingly list the CCAK alongside the CISA (Certified Information Systems Auditor) and the CCSP (Certified Cloud Security Professional) as preferred or required credentials. If your day-to-day work touches cloud compliance assessments, cloud vendor due diligence, or CSA STAR evaluations, the CCAK is worth pursuing before those adjacent certifications, or in parallel with them.

Step-by-Step Registration Process

Step 1 - Create or Verify Your ISACA Account

Registration for the CCAK is administered through ISACA's exam portal. If you already hold a CISA, CISM, or CRISC, you have an existing account; use those credentials. If you are new to ISACA, create a free account at isaca.org before attempting to register. Your account is the anchor for your exam eligibility record, score report, and any future continuing education submissions.

Step 2 - Review Eligibility Requirements

Unlike ISACA's experience-gated certifications (the CISA requires five years of audit experience), the CCAK does not mandate a formal experience prerequisite before sitting. You register, pay, and test. That said, ISACA and CSA recommend that candidates have a working familiarity with cloud concepts and audit principles. Attempting the exam with no background in either discipline is inadvisable given the depth of the domain content.

Step 3 - Select Your Exam Delivery Option

The CCAK is available through two channels:

  1. In-person proctored testing at authorized testing centers (Pearson VUE network).
  2. Online proctored testing from your own location, subject to system and environment requirements set by the proctor provider.

Online proctoring offers scheduling flexibility but requires a stable internet connection, a supported browser, and a testing environment free of secondary monitors and disallowed materials. Check the current technical requirements on the ISACA exam portal at the time you register; requirements are updated periodically.

Step 4 - Pay Exam Fees

ISACA membership status affects the fee you pay. ISACA members receive a discounted rate compared to non-members. If the fee difference is greater than the annual ISACA membership cost, joining before registering can save money. CSA membership may also carry fee implications; check both organizations' current fee schedules, as these are subject to annual revision and specific figures should be verified directly on the registration portal rather than relying on third-party sources.

Step 5 - Schedule Your Exam Window

After payment, you receive an authorization window during which you must schedule and sit the exam. Do not wait until the end of your window to schedule: popular time slots at testing centers fill quickly, and online proctoring demand surges around common study program completion dates. Schedule within the first week of receiving your authorization, even if your target exam date is six to eight weeks out.

Registration Timing Tip: Align your registration date with a realistic study completion target. The structured 8-week approach outlined in the CCAK Study Schedule: How to Prepare in 8 Weeks works well when you register on day one of week one and schedule your exam for the end of week eight.

Exam Format and Domain Breakdown

The CCAK is a multiple-choice examination. Questions are scenario-based rather than purely definitional: expect to read a short situation and select the most appropriate action, control, or framework reference. This format rewards candidates who can apply knowledge, not just recall terminology.

The nine domains and their official weightings are:

| Domain | Topic | Weight |
|--------|-------|--------|
| 1 | Cloud Governance | 18% |
| 2 | Cloud Compliance Program | 21% |
| 3 | CCM and CAIQ: Goals, Objectives, and Structure | 12% |
| 4 | A Threat Analysis Methodology for Cloud Using CCM | 5% |
| 5 | Evaluating a Cloud Compliance Program | 9% |
| 6 | Cloud Auditing | 15% |
| 7 | CCM: Auditing Controls | 8% |
| 8 | Continuous Assurance and Compliance | 7% |
| 9 | STAR Program | 5% |

Domains 1 and 2 together account for 39% of the exam. A candidate who underperforms in those two areas faces a steep mathematical challenge regardless of how well they do elsewhere. Domain 6 (Cloud Auditing at 15%) is the third-heaviest and demands practical knowledge of audit procedures adapted for cloud environments, not just awareness that cloud auditing exists.

What to Master Before You Sit

The CCAK's question style means rote memorization is insufficient. Here is what each high-weight domain actually demands from candidates:

Domain 1: Cloud Governance (18%)

Candidates must understand governance frameworks as they apply to cloud adoption: roles and responsibilities under shared responsibility models, board-level accountability structures, and how governance frameworks translate into measurable controls. Questions often present a scenario where a governance gap exists and ask candidates to identify the most appropriate corrective action.

  • Shared responsibility model across IaaS, PaaS, and SaaS
  • Cloud governance frameworks and their components
  • Accountability structures for cloud risk ownership

Domain 2: Cloud Compliance Program (21%)

This is the heaviest domain and covers the design, implementation, and management of a cloud compliance program. Candidates should be able to evaluate whether a compliance program is structured to meet regulatory requirements and CSA guidance, not just describe what a compliance program contains.

  • Regulatory requirements affecting cloud environments
  • Mapping compliance obligations to cloud controls
  • Managing third-party and supply chain compliance in cloud contexts

Domain 3: CCM and CAIQ: Goals, Objectives, and Structure (12%)

This domain is technical and framework-specific. You need to know the CCM's control domains, how they are structured, what the CAIQ is and how it is used, and why these tools exist. Expect questions that reference specific CCM control areas and ask you to identify which one applies to a described situation.

  • CCM control domain taxonomy and structure
  • CAIQ purpose and format
  • Relationship between CCM and other standards (ISO 27001, SOC 2, etc.)

Domain 6: Cloud Auditing (15%)

Candidates must understand how traditional audit methodologies adapt when the environment is cloud-based. This includes evidence collection in cloud environments, log management, and the use of cloud-native audit tools. Questions test whether candidates can design or evaluate an audit approach, not merely describe one.

  • Cloud audit planning and scoping
  • Evidence gathering using cloud-native tools and APIs
  • Audit reporting considerations for cloud environments

For Domains 4, 8, and 9, which carry 5%, 7%, and 5% respectively, focused study is still necessary, but these areas reward candidates who understand how they connect to the heavier domains. Domain 9 (STAR Program), for example, directly extends the CCM knowledge from Domain 3, so strong performance in Domain 3 provides a foundation for Domain 9 questions.

Using a quality CCAK practice test platform to simulate exam conditions across all nine domains is one of the most effective ways to identify which domains are genuinely weak versus which simply feel unfamiliar.

Scheduling Strategy Tied to Domain Weight

A structured study plan that respects domain weights is significantly more efficient than reading study material in chapter order. The following timeline reflects the weighting of the nine domains:

Weeks 1-2

Domain 2 (Cloud Compliance Program) + Domain 1 (Cloud Governance)

  • Front-load the two heaviest domains while cognitive bandwidth is highest
  • Map compliance obligations to real cloud scenarios you have encountered professionally
  • Take a diagnostic practice test to establish a baseline score

Weeks 3-4

Domain 6 (Cloud Auditing) + Domain 3 (CCM and CAIQ)

  • Study Domain 3 before Domain 7 so CCM structure is internalized first
  • Read the actual CCM documentation; exam questions reference its structure directly
  • Complete scenario-based practice questions for Domain 6 auditing procedures

Weeks 5-6

Domain 5 (Evaluating a Cloud Compliance Program) + Domain 7 (CCM: Auditing Controls) + Domain 8 (Continuous Assurance)

  • Domain 5 builds directly on Domain 2; revisit compliance program concepts
  • Domain 7 applies CCM structure from Domain 3 to auditing scenarios
  • Domain 8 concepts connect to DevSecOps and CI/CD pipeline audit considerations

Weeks 7-8

Domain 4 (Threat Analysis) + Domain 9 (STAR Program) + Full Review

  • Complete a full-length timed practice exam and review every incorrect answer
  • Focus final review sessions on domains where practice scores remain below target
  • Verify your exam appointment logistics: location, ID requirements, arrival time

This timeline is elaborated in detail in the CCAK Study Schedule: How to Prepare in 8 Weeks, including specific resource recommendations for each phase. The domain sequencing above is the key principle: study by weight and by conceptual dependency, not by domain number.

Key Takeaway

Domain 3 (CCM and CAIQ structure) is the conceptual foundation for both Domain 7 (CCM: Auditing Controls) and Domain 9 (STAR Program). Studying these three domains out of order costs time and causes confusion. Sequence matters.

Exam Day Logistics

For In-Person Testing

Arrive at the Pearson VUE testing center at least 30 minutes before your scheduled appointment. You will need two forms of valid identification; your primary ID must be government-issued and include a signature. No study materials, electronic devices, or personal items are permitted in the testing room. Lockers are provided at most centers.

For Online Proctored Testing

Run the system compatibility check at least 48 hours before your exam, not the morning of. Your testing space must be free of secondary monitors, unauthorized people, and materials that could be used for reference. The proctor will ask you to pan your webcam around the room before the exam begins. Failure to meet environment requirements can result in your session being terminated.

During the Exam

The scenario-based question format means some questions are intentionally long. Read each scenario carefully before looking at the answer choices; the distractor options are designed to be plausible. When a question references a specific CCM control domain or CAIQ element, that specificity is a signal: the correct answer will align with that framework's structure, not just general security best practice.

After completing all questions, use any remaining time to review flagged items. Do not second-guess answers you felt confident about on first pass; change answers only when you have a clear reason to do so based on re-reading the question.

When you receive your score, ISACA provides a domain-level performance breakdown. Even if you pass, that breakdown is valuable for planning continuing education and understanding where your knowledge depth is strongest for professional practice. If you need additional preparation before retesting, revisiting CCAK practice exams with a focus on your weakest domain areas is the most targeted approach available.

Frequently Asked Questions

Do I need prior certifications to register for the CCAK?

No. The CCAK does not require you to hold any prior certification or to meet a formal experience threshold before registering. You can register and sit the exam without holding a CISA, CCSP, or any other credential. However, both ISACA and CSA recommend a working background in cloud technology and audit or compliance practice before attempting the exam, given the depth of content tested across all nine domains.

How long is the CCAK exam, and how many questions does it contain?

Candidates should verify the current question count and time allocation directly on the ISACA exam page at the time of registration, as these parameters can be updated when the exam blueprint is revised. The exam is multiple-choice and scenario-based. Allocating roughly 90 seconds per question as a pacing benchmark is a reasonable starting point during practice testing.

What is the difference between Domain 3 and Domain 7 on the CCAK?

Domain 3 covers the goals, objectives, and structure of the CCM and CAIQ as frameworks: what they are, how they are organized, and why they exist. Domain 7 applies that structural knowledge to auditing: how an auditor uses the CCM to evaluate whether specific controls are implemented and operating effectively. Domain 3 is foundational; Domain 7 is applied. Study Domain 3 before Domain 7.

Can I reschedule my CCAK exam after registering?

ISACA and Pearson VUE allow rescheduling subject to their cancellation and rescheduling policies, which include deadlines and potential fees if you reschedule within a short window before your appointment. Review the current rescheduling policy on the ISACA exam portal at the time of registration. Scheduling your exam early in your authorization window gives you the most flexibility if you need to adjust your date later.

How does the STAR Program (Domain 9) relate to the rest of the CCAK content?

The CSA Security, Trust, Assurance, and Risk (STAR) Program is the public registry through which cloud service providers document their compliance with the CCM. Domain 9 tests your understanding of STAR's levels, how organizations submit to the registry, and how auditors and procurement teams use STAR documentation. It connects directly to Domains 3, 6, and 7; a solid understanding of the CCM structure and cloud auditing principles makes Domain 9 material significantly easier to absorb.