Introduction 

On August 1, 2019, (ISC)² introduced changes to its Certified Cloud Security Professional (CCSP) certification. The purpose of these enhancements is to keep the CCSP domains relevant to rapidly evolving cloud computing technologies and methodologies. With the updated CCSP exam, CCSP-certified professionals will be prepared to deal with the latest trends in cloud computing, including the newly emerging, fast-moving and sophisticated threats facing cloud platforms.

In this article, we will discuss the new changes to the CCSP exam in greater detail.


What changes are made to CCSP domains and their weight?

Some new cloud security concepts have been added and some previous content has been removed. The exam weighting of each domain has also changed. The following sections delve deeper into these changes to the CCSP Common Body of Knowledge (CBK).

Old domain                                      Weight    New domain                                    Weight
Architectural Concepts & Design Requirements    19%       Cloud Concepts, Architecture and Design       17%
Cloud Data Security                             20%       Cloud Data Security                           19%
Cloud Platform and Infrastructure Security      19%       Cloud Platform and Infrastructure Security    17%
Cloud Application Security                      15%       Cloud Application Security                    17%
Operations                                      15%       Cloud Security Operations                     17%
Legal & Compliance                              12%       Legal, Risk and Compliance                    13%

Below are the details of the CCSP domain changes. For the purposes of clarity:

  • Green text represents a new addition to content
  • Red text represents deleted content
  • Yellow text represents renamed content

Changes to CCSP domains

Old Domain 1

  • 1.1 Understand Cloud Computing Concepts
  • 1.2 Describe Cloud Reference Architecture
  • 1.3 Understand Security Concepts Relevant to Cloud Computing
  • 1.4 Understand the Design Principles of Secure Cloud Computing
  • 1.5 Identify Trusted Cloud Services

New Domain 1

The title of the first domain has been changed from “Architectural Concepts & Design Requirements” to “Cloud Concepts, Architecture and Design.” The details of the content are given below:

  • 1.1 Understand Cloud Computing Concepts
  • 1.2 Describe Cloud Reference Architecture
  • New addition: Impact of related technologies
    • “Impact of related technologies” adds new content to this subdomain, incorporating machine learning, artificial intelligence, blockchain, Internet of Things (IoT), containers and quantum computing into the curriculum. These topics are entirely new to the CCSP CBK and represent crucial technologies that CCSP candidates need to learn to stay on top of the latest and fastest-growing cloud technologies. In January 2019, Forbes reported that “Machine learning platforms are one of the fastest growing services of the public cloud.”
  • 1.3 Understand Security Concepts Relevant to Cloud Computing
  • Removed: Security Considerations for Different Cloud Categories
  • 1.4 Understand the Design Principles of Secure Cloud Computing
  • New addition: Security Considerations for Different Cloud Categories
    • These topics have been relocated from the previous subdomain (1.3)
  • 1.5 Identify Trusted Cloud Services
  • Just renamed: Evaluate Cloud Service Providers 

Old Domain 2

  • 2.1 Understand Cloud Data Lifecycle (CSA Guidance)
  • 2.2 Design and Implement Cloud Data Storage Architectures
  • 2.3 Design and Apply Data Security Strategies
  • 2.4 Understand and Implement Data Discovery and Classification Technologies
  • 2.5 Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
  • 2.6 Design and Implement Data Rights Management
  • 2.7 Plan and Implement Data Retention, Deletion and Archiving Policies

New Domain 2

  • 2.1 Renamed: Describe Cloud Data Concepts
  • New addition: Data Dispersion
  • 2.2 Design and Implement Cloud Data Storage Architectures
  • Removed: Technologies Available to Address Threats
    • This content has been removed to avoid repetition. It is also worth noting that this topic mostly involves encryption techniques, which are fully covered in the next subdomain (2.3)
  • 2.3 Design and Apply Data Security Technologies and Strategies
  • New addition: Data Loss Prevention (DLP), Data Obfuscation and Data De-identification
    • Of these, Data Obfuscation is primarily derived from the deleted topic “Emerging Technologies”
  • Removed: Application of Technologies, Emerging Technologies
  • 2.4 Renamed: Implement Data Discovery
    • All old subsections have been removed
  • New addition: Structured Data and Unstructured Data
  • 2.5 Renamed: Implement Data Classification
    • Some old subsections have been removed and two of them have been modified
  • New addition: Mapping, Labeling and Sensitive Data
    • Mapping and Sensitive Data have been derived and modified from the previous subdomain
  • 2.6 Just renamed: Design and Implement Information Rights Management (IRM)
  • 2.7 Plan and Implement Data Retention, Deletion and Archiving Policies
  • New addition: Legal Hold
  • 2.8 Design and Implement Auditability, Traceability and Accountability of Data Events
  • Removed: Storage and Analysis of Data Events and Continuous Optimizations
    • The new subsection, “Logging, Storage and Analysis of Data Events,” has been derived and modified from the previous subdomain

Old Domain 3

  • 3.1 Comprehend Cloud Infrastructure Components
  • 3.2 Analyze Risks Associated to Cloud Infrastructure
  • 3.3 Design and Plan Security Controls
  • 3.4 Plan Disaster Recovery and Business Continuity Management

New Domain 3

Domain 3 has gained one new subdomain at position 3.2, and each of the remaining subdomains has shifted down one position. Below are the details of the change:

  • 3.1 Comprehend Cloud Infrastructure Components
  • 3.2 New addition: Design a Secure Data Center
    • This includes Logical Design, Physical Design and Environmental Design, along with their associated security controls
  • 3.3 Analyze Risks Associated with Cloud Infrastructure
  • 3.4 Design and Plan Security Controls
  • 3.5 Plan Disaster Recovery (DR) and Business Continuity (BC)

Old Domain 4

  • 4.1 Recognize the need for Training and Awareness in Application Security
  • 4.2 Understand Cloud Software Assurance and Validation
  • 4.3 Use Verified Secure Software
  • 4.4 Comprehend the Software Development Life Cycle (SDLC) Process
  • 4.5 Apply the Secure Software Development Life Cycle
  • 4.6 Comprehend the Specifics of Cloud Application Architecture
  • 4.7 Design Appropriate Identity and Access Management (IAM) Solutions

New Domain 4

The Domain 4 revision mostly reorders the subdomains rather than adding or removing content. See below to identify the changes:

  • 4.1 Advocate Training and Awareness for Application Security
  • 4.2 Describe the Secure Software Development Life Cycle (SDLC) Process
  • 4.3 Apply the Secure Software Development Life Cycle (SDLC)
  • 4.4 Apply Cloud Software Assurance and Validation
  • 4.5 Use Verified Secure Software
  • 4.6 Comprehend the Specifics of Cloud Application Architecture
  • 4.7 Design Appropriate Identity and Access Management (IAM) Solutions

Old Domain 5

  • 5.1 Support the Planning Process for the Data Center Design
  • 5.2 Implement and Build Physical Infrastructure for Cloud Environment
  • 5.3 Run Physical Infrastructure for Cloud Environment
  • 5.4 Manage Physical Infrastructure for Cloud Environment
  • 5.5 Build Logical Infrastructure for Cloud Environment
  • 5.6 Run Logical Infrastructure for Cloud Environment
  • 5.7 Manage Logical Infrastructure for Cloud Environment
  • 5.8 Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
  • 5.9 Conduct Risk Assessment to Logical and Physical Infrastructure
  • 5.10 Understand the Collection, Acquisition and Preservation of Digital Evidence
  • 5.11 Manage Communication with Relevant Parties

New Domain 5

The name of this domain has been changed from “Operations” to “Cloud Security Operations.” In addition, the names of a few subdomains have been modified, and the number of subdomains has been reduced from eleven (5.1 to 5.11) to seven (5.1 to 5.7). Two new subdomains have been added in place of previous ones. Below are the details:

  • 5.1 Implement and Build Physical and Logical Infrastructure for Cloud Environment
  • 5.2 Operate Physical and Logical Infrastructure for Cloud Environment
  • 5.3 Manage Physical and Logical Infrastructure for Cloud Environment
  • 5.4 Implement Operational Controls and Standards 
  • 5.5 Support Digital Forensics (New addition)
    • This subdomain contains Forensic Data Collection Methodologies; Evidence Management; and Collect, Acquire and Preserve Digital Evidence
  • 5.6 Manage Communication with Relevant Parties
  • 5.7 Manage Security Operations (New addition)
    • The contents of this new subdomain include Security Operations Center (SOC); Monitoring of Security Controls; Log Capture and Analysis; and Incident Management

Old Domain 6

  • 6.1 Understand Legal Requirements and Unique Risks within the Cloud Environment
  • 6.2 Understand Privacy Issues, Including Jurisdictional Variation
  • 6.3 Understand Audit Process, Methodologies and Required Adaptations for a Cloud Environment
  • 6.4 Understand the Implications of Cloud to Enterprise Risk Management
  • 6.5 Understand Outsourcing and Cloud Contract Design
  • 6.6 Execute Vendor Management

New Domain 6

The name of this domain has been changed from “Legal and Compliance” to “Legal, Risk and Compliance.” Slight modifications have been made to the naming of the subdomains. The last subdomain, “6.6 Execute Vendor Management,” has been removed.

  • 6.1 Articulate Legal Requirements and Unique Risks within the Cloud Environment
  • 6.2 Understand Privacy Issues
  • 6.3 Understand Audit Process, Methodologies and Required Adaptations for a Cloud Environment
  • 6.4 Understand the Implications of Cloud to Enterprise Risk Management
  • 6.5 Understand Outsourcing and Cloud Contract Design

Comparison of old and new exam information

Exam information will remain the same except for the duration of the exam, which has been reduced from four hours to three hours. See the table below.

                       CCSP old exam               CCSP new exam
Length of the exam     4 hrs.                      3 hrs.
Number of questions    125                         125
Type of questions      Multiple choice             Multiple choice
Passing score          700 points out of 1000      700 points out of 1000

The exam composition of 25 pretest items and 100 operational items remains the same, and the new exam will be available in English only. The purpose of reducing the test time was to standardize the CCSP exam.

The refreshed exam does not affect the experience requirements. To qualify for the CCSP exam, you are required to have a minimum of five years’ cumulative work experience in one or more of the six domains of a CCSP CBK.

Can I appear for the refreshed CCSP exam with old CCSP material?

The CCSP exam includes performance-based questions that cannot be mastered by reading alone. To pass these, you will need proper training or practice time. However, you can take and pass the CCSP exam if you have already studied sufficiently and have experience with the CCSP CBK.

Nevertheless, (ISC)² cannot guarantee that you will pass the exam merely with old material. To be safe, you should look for updated material to avoid risking failure. The updated training course will be available on October 1, 2019.

How do I prepare for the new CCSP exam?

First and foremost, you need to thoroughly examine the new topics and pay special heed to the changes, as they represent the most up-to-date concepts for the upcoming CCSP exam. As mentioned in previous sections, it is highly recommended that you do not prepare for the CCSP exam through self-study alone, as it involves performance-based questions. Keeping these new changes in mind, you will need to adjust your exam strategy to focus on these new topics.

The following sections show some exam strategies to help you best prepare for the new CCSP exam. 

Study resources

In addition to the old CCSP study resources, (ISC)² will soon offer new CCSP CBK material for pre-order. Such material reflects the new exam content comprehensively and thoroughly. Below are some details: 

Community discussion

Here are some community discussion threads concerning users who have recently passed the CCSP exam. They may be helpful to other candidates: 

Appropriate training

You need to receive appropriate training in light of the new CCSP exam. Below are two popular training options for CCSP candidates:

Conclusion

The CCSP exam has been modified and updated as of August 1, 2019. The new contents of the exam cover best practices that cloud security professionals will use to mitigate cloud threats and vulnerabilities. Some of the topics have been merely realigned while others have been fully updated or modified. 

With the current exam, CCSP-certified professionals can boast hands-on experience and ample knowledge of cloud security architecture, design, operations and service orchestration.


Sources

  1. CCSP Domain Refresh FAQ, (ISC)²
  2. CCSP Certification Exam Outline (Old), (ISC)²
  3. CCSP Certification Exam Outline (Updated), (ISC)²
  4. An Executive’s Guide To Understanding Cloud-based Machine Learning Services, Forbes