The Certified Cloud Security Professional (CCSP) certification is an information technology certification that tests applicants’ knowledge of cloud security topics. It is administered by the International Information System Security Certification Consortium, (ISC)2, and was developed in partnership with the Cloud Security Alliance (CSA).
The CCSP is designed as a certification for mid-level security professionals who want to demonstrate their proficiency in the field of cloud security. It is similar to the (ISC)2 CISSP exam in choice of topics and difficulty but focuses on cloud security.
How Does the CCSP Certification Differ From Other IT Certifications?
The CCSP certification is one of the few certifications focusing specifically on cloud security. Many other IT certifications take a generalist approach to security topics or have a deep level of focus in another area within the domain of information security (digital forensics, reverse engineering and so on). In contrast, the CCSP exam is designed to test knowledge of the application of cybersecurity tools, techniques and procedures to cloud computing. A fair amount of focus is placed on drawing attention to the points where the use of cloud computing requires a different approach to security.
The CCSP is far from the only cloud-focused certification available. Several other certifications have been developed by cloud vendors and other certification organizations to test candidates’ knowledge of cloud computing concepts and technology. However, the CCSP’s focus on cloud security helps to differentiate it from these other certifications.
The most similar certification to the CCSP is the Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK). The CSA partnered with (ISC)2 to create the CCSP exam. According to the CSA blog, the CCSP covers much of the same content covered by the CCSK but also tests knowledge of governance, traditional security, and user privacy in cloud environments.
The CCSP is probably the most comprehensive certification available on the topic of cloud security. It is designed to test knowledge of cloud security topics at a level similar to that of the Certified Information Systems Security Professional (CISSP) certification.
What Does the CCSP Exam Cover?
The CCSP exam is designed to test an applicant’s knowledge of everything to do with cloud security. The exam is a 125-question multiple-choice test with a four-hour time limit. There are a total of 1000 possible points and a passing score requires a minimum of 70% of these. The questions are broken into six different domains with the following ratios:
Domain 1: Architectural Concepts and Design Requirements (19%)
Domain 2: Cloud Data Security (20%)
Domain 3: Cloud Platform and Infrastructure Security (19%)
Domain 4: Cloud Application Security (15%)
Domain 5: Operations (15%)
Domain 6: Legal and Compliance (12%)
The rest of this section is devoted to providing a brief overview of the topics covered in each domain of the CCSP exam.
Domain 1: Architectural Concepts and Design Requirements (19%)
The first domain of the CCSP exam covers the background knowledge necessary to secure cloud computing systems. This includes basic cloud computing concepts, the different types of cloud architectures, security concepts relevant to cloud computing, principles of secure cloud computing and how to identify trusted cloud services.
Domain 2: Cloud Data Security (20%)
This domain is focused on everything to do with protecting data on the cloud. Relevant knowledge includes the Cloud Security Alliance (CSA) Cloud Data Lifecycle, security considerations of cloud data storage, tools and techniques for data security, how to find and classify data on the cloud, protecting personal data based on jurisdictional requirements, managing access to data, implementation of data retention, deletion and archiving processes and data event management.
Domain 3: Cloud Platform and Infrastructure Security (19%)
The third CCSP domain focuses on the security aspects of cloud infrastructure. A CCSP applicant should know the basic components of cloud infrastructure, be able to perform a risk assessment, design and implement security controls for the cloud and know how to integrate cloud computing into their organization’s business continuity/disaster recovery (BC/DR) plan.
Domain 4: Cloud Application Security (15%)
This section of the CCSP exam is focused on developing and securing cloud applications. On the development side, applicants should be aware of the unique challenges of developing for the cloud, familiar with software assurance and validation for cloud applications, practice good supply chain management and understand the Software Development Lifecycle (SDLC). The security side of this domain covers the Secure Software Development Lifecycle, cloud-specific security technology and management of identity and access in the cloud.
Domain 5: Operations (15%)
In this domain, an applicant needs to prove knowledge of how to design, implement, build, run, maintain and assess the risks of both physical and logical cloud infrastructure. This section also tests knowledge of related regulations like ITIL and ISO/IEC 20000-1, collection of digital evidence in the event of an incident and how to manage communication with all stakeholders in the cloud environment.
Domain 6: Legal and Compliance (12%)
The final domain of the CCSP is focused on any cloud-specific laws and regulations not covered in earlier domains. This includes how the cloud affects regulatory compliance, jurisdiction-specific privacy regulations, auditing and risk management. Also covered are management of the supply chain, outsourcing and vendor contracts.
What Do I Need for the CCSP Certification?
The minimum requirements for taking the CCSP exam are enough knowledge of cloud security to earn 700 out of the possible 1000 points. However, the CCSP exam also has some experience requirements.
In order to be eligible to become a full CCSP, you need to meet three experience requirements. First, you need to demonstrate five years of experience in information technology (IT). Of those five years, three of them need to be focused on information security. Finally, one year of experience in cloud security in any one of the six CCSP domains is required.
The CCSP exam has some exceptions for these rules. Anyone holding the CISSP certification automatically meets the eligibility requirements. If you have the information technology and information security experience, you can waive the cloud security requirement by earning the Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge.
If you don’t have the experience, you can still take the exam. If you achieve a passing grade on the exam, you become a CCSP Associate until you accumulate the relevant experience to be a full CCSP. Once you have a CCSP certificate, it is good for three years without renewal. To recertify at the three-year mark, you’ll need to have completed 90 CPE credits in those three years and paid an annual maintenance fee of $100.
Should I Take the CCSP Exam?
The CCSP exam is designed to allow cloud security practitioners to demonstrate their knowledge and skill sets in that specific field. The content of the exam is narrowly focused on cloud computing and the knowledge of theory, tools, and techniques necessary to properly secure it.
The experience requirements of the CCSP exam mean that it’s not a great choice for those fresh out of college and looking to specialize in cloud computing. The five-year information technology requirement shows that the exam is targeting mid-level rather than entry-level security professionals.
On the other hand, if you want to break into the cloud security field, this exam may be a good fit for you. If you are already a CISSP, then you automatically meet the eligibility requirements for the exam. If you have the experience except for the cloud security background, consider pursuing the Certificate of Cloud Security Knowledge (CCSK) and then the CCSP. This allows you to waive the requirement for cloud security experience for the CCSP and use the certification to help get a job in the field.
If you are interested in cloud security and have the experience, taking the CCSP exam might not be a bad idea. According to CertMag, average salaries for a CCSP are around $138,000 in the U.S. With the popularity of cloud technology and the upsurge in data breaches, having the skills to protect an organization’s data is a great marketing tool.
How Do I Prepare for the CCSP Exam?
The CCSP exam covers several different topics, so preparation is key to earning a passing grade. Several training options are available, including self-study, online training and in-person bootcamp-style training.
If you decide to go the self-study route, (ISC)2 has published an official guide to the CCSP exam. The guide is extremely detailed, being over five hundred pages in the current version. By going through the guide in-depth and taking a few practice tests, an applicant can prepare themselves for the CCSP exam.
If this seems a bit daunting, maybe a training course would be a better choice. InfoSec Institute offers both in-person and online training options for the CCSP exam. Taking this training route gives you the advantage of having access to a CCSP expert throughout the training process, ensuring that all of your questions will be answered.
Getting Started on a CCSP Certification
The CCSP certification is a highly respected certification that demonstrates knowledge and proficiency at securing cloud environments. The exam material is divided into six different domains and requires a 70% score on the 125 questions to pass. Both online and in-person bootcamp-style training are available to help you prepare for your exam.