ISC2 CCSP

CCSP Domain 6: Legal, Risk and Compliance [updated 2022]

An important aspect InfoSec professionals need to consider is legal requirements and cloud implications for enterprise risk management. The following topics are included in this domain, per the “Official (ISC)² Guide to the CCSP CBK.”

This domain, which represents 13% of the CCSP certification exam, focuses on relevant jurisdictional laws, statutes, regulations and frameworks for data protection in cloud computing. Candidates must demonstrate a handle on the legal and compliance requirements that may impact cloud procurement, usage and security.

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!

Learn More

Domain 6 — Legal, Risk and Compliance

Each of the five subdomains covers different aspects of the cloud's legal issues, risks, compliance and data privacy.

6.1 Articulate legal requirements and unique risks within the cloud environment

Candidates should know of cloud computing architectures' legal requirements and unique risks.

Conflicting international legislation

Candidates must know the multiple sets of laws and regulations and the risks introduced by conflicting legislation across jurisdictions and countries. Conflicts may include copyright and intellectual property law, data breaches (and breach notification), international import/export laws etc.

Evaluation of legal risks specific to cloud computing

Candidates must understand the legal risks (e.g., data residency vs. data localization vs. data sovereignty) of cloud computing.

Legal frameworks and guidelines

Candidates should have a handle on the various legal frameworks related to personal data protection and regulations that may affect cloud computing requirements for companies in various regions. Such frameworks include:

• Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
• Asia Pacific Economic Cooperation Privacy Framework (APEC)
• Cross-Border Privacy Rules (CBPR)
• General Data Protection Regulation (GDPR)

Forensics and eDiscovery in the cloud

Candidates will need to understand the following:

• The laws and regulations may apply to an organization and investigation while maintaining the chain of custody.
• Standards from various bodies, such as the International organization for Standardization (ISO)/International Electrotechnical Commission (IEC) and the Cloud Security Alliance (CSA) Guidance are used in collecting digital evidence and conducting forensics investigations in cloud environments.
• How to manage a chain of custody from evidence collection to trial during any digital forensics investigation.
• The phases of digital evidence handling and the challenges associated with evidence collection in a cloud environment.

6.2 Understand privacy issues

Candidates should know the privacy risks and issues cloud environments or technologies pose.

Difference between contractual and regulated private data

Candidates need to understand the difference between private contractual data (e.g., data collected as part of normal business operations) and regulated private data (e.g., personal identifiable information (PII), protected health information (PHI) and payment data).

Country-specific legislation related to private data

Candidates must comprehend various privacy regulations in various jurisdictions (e.g., CCPA — United States, GDPR — European Union, etc.).

Jurisdictional differences in data privacy

Candidates must also understand and address jurisdictional differences/issues in privacy regulations.

Standard privacy requirements

Candidates should have a handle on the various standard privacy requirements (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP). General Data Protection Regulation (GDPR), etc.)

Privacy Impact Assessments (PIA)

Candidates must understand how PIA can help identify and mitigate privacy risks when implementing new technology or programs.

6.3 Understand audit process, methodologies and required adaptations for a cloud environment

Candidates should know the unique considerations, processes and controls required to audit cloud environments.

Internal and external audit controls

Candidates must understand the importance of internal and external audits in meeting regulatory, contractual, security and privacy obligations.

Impact of audit requirements

Candidates should have a handle on the impact and challenges of the ever-changing nature of a cloud environment and how it impacts an audit.

Identity assurance challenges of virtualization and cloud

To obtain assurance, candidates must grasp how to perform multiple layers of auditing (of both the hypervisor and the virtual machines) in a cloud environment.

Types of audit reports

Candidates will need to understand the various audit reports that can describe their findings of the system examined. Examples of audit reports include:

• Service Organization Controls (SOC)
• Statement on Standards for Attestation Engagements (SSAE)
• International Standard on Assurance Engagements (ISAE)

Restrictions of audit scope statements

Candidates should know the audit scope restrictions on what an auditor may or may not audit. Examples of scope statements include:

• Statement on Standards for Attestation Engagements (SSAE)
• International Standard on Assurance Engagements (ISAE)

Gap analysis

Candidates need to understand the impact of a gap analysis in identifying issues and gaps before an audit and against industry standards/frameworks.

Audit planning

Candidates must grasp the process required in planning for an audit to ensure financial reporting or compliance with a cloud environment.

Internal information security management systems (ISMS)

Candidates should have a handle on designing and implementing an organization’s ISMS using an acceptable standard such as ISO 27001/2.

Internal information security controls system

To establish an ISMS, candidates will need to understand the security controls used in managing information security.

Policies

Candidates need to know the policies to govern an organization’s people, processes and systems. There are various types of policies required:

• Organizational Policies
• Functional Policies
• Cloud Computing Policies

Identification and involvement of relevant stakeholders

Candidates will need to comprehend how to identify relevant stakeholders that need to be involved in the decision process, critical questions faced in identifying the stakeholders and the governance challenges that may occur when moving to a cloud environment.

Specialized compliance requirements for highly regulated industries

Candidates must understand the specialized compliance requirements for organizations in highly regulated industries such as healthcare, financial services and government organizations. Here are a few examples:

• North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC/CIP)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Payment Card Industry (PCI)

Impact of distributed information technology models

Candidates must know of the distributed information technology models (e.g., diverse geographical locations and crossing over legal jurisdictions), realize the common issues caused by these models, and grasp how to mitigate the associated risks. 

6.4 Understand implications of cloud to enterprise risk management

Candidates will need to understand the implications using and maintaining a cloud environment has on an organization’s risk management program and how to mitigate the risks.

Assess providers' risk management programs

Candidates must know how to assess cloud service providers’ risk management programs (e.g., controls, methodologies, policies, risk profile, risk appetite) and align with an organization’s objectives.

Differences between data owner/controller vs. data custodian/processor

Candidates should have a handle on the difference between data owners (data controllers) and data custodians (data processors).

Regulatory transparency requirements

Candidates should know the regulatory transparency requirements imposed on data controllers (and data processors) by various regulations. Examples include breach notification, Sarbanes-Oxley (SOX) and General Data Protection Regulation (GDPR).

Risk treatment

Candidates must understand how to evaluate an organization’s vulnerabilities and threats that might exploit its weaknesses and determine the likelihood and impact of such exploits. Steps include the following: avoid, mitigate, transfer, share and acceptance.

Risk frameworks

Candidates must grasp the various risk frameworks that can apply to an organization:

• ISO 31000:2018
• European Network and Information Security Agency (ENISA) assessment guides
• NIST 800-146

Metrics for risk management

Candidates must understand key cybersecurity metrics that can be tracked to present measurable data to relevant stakeholders.

Assessment of risk environment

Candidates must know how to assess a risk environment to cover the cloud environment (e.g., service, vendor, infrastructure and business).

6.5 Understand outsourcing and cloud contract design

Candidates should have a handle on business requirements, key contractual provisions and potential contractual implications of outsourcing to the cloud.

Business requirements

Candidates will need to comprehend key business requirements [e.g., service-level agreement (SLA), master service agreement (MSA), statement of work (SOW)] and how a cloud service provider helps to meet those obligations.

Vendor management

Candidates must understand how to manage vendors' risks (e.g., vendor assessments, vendor lock-in risks, vendor viability and escrow) and track service delivery via key performance indicators.

Contract management

Candidates need to understand the proceedings of contract management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data and cyber risk insurance) and how to succeed in negotiation, creation and execution. In addition, monitor contract terms, performance and violations of stated agreements.

Supply chain management

Candidates will need to understand the actions to manage the supply chain, vendors, dependencies, points of failure, etc., as per the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036).

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!

Learn More

How to prepare for the CCSP exam

Studying the right material is recommended by (ISC)2 to take the CCSP exam. The official preparation material include the following:

• Official (ISC)² CCSP Study Guide, 2nd Edition
• Official (ISC)² CCSP CBK Reference, 3rd Edition
• Official (ISC)² CCSP Practice Tests, 2nd Edition
• Official (ISC)² CCSP Flash Cards 
• Official (ISC)² CCSP Study App

Need training? Design your learning path that better fits your needs and requirements to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the key elements found in the sixth domain of the CCSP common body of knowledge (CBK) — Cloud Legal, Risk and Compliance Requirements.

For more on the CCSP certification, check out our CCSP certification hub.

Sources:

• CCSP, (ISC)²
• CCSP: Certification Exam Outline, (ISC)²
• CCSP Domain Refresh FAQ, (ISC)²