CCSP Certification: Overview and Career Path [updated 2021]

December 15, 2021 by Howard Poston

The Certified Cloud Security Professional (CCSP) certification is an information technology certification that tests applicants’ knowledge of cloud security topics. It is administered by the International Information System Security Certification Consortium (ISC)2 and was developed in partnership with the Cloud Security Alliance (CSA).

The CCSP is designed as a certification for mid-level security professionals who want to demonstrate their proficiency in the field of cloud security.

How does the CCSP certification differ from other IT certifications?

The CCSP certification is one of the few certifications focusing specifically on cloud security. Many other IT certifications take a generalist approach to security topics or have a deep level of focus in another area within the domain of information security (digital forensics, reverse engineering and so on). In contrast, the CCSP exam is designed to test knowledge of the application of cybersecurity tools, techniques and procedures to cloud computing. A fair amount of focus is placed on drawing attention to the points where cloud computing requires a different approach to security.

The CCSP is far from the only cloud-focused certification available. Cloud vendors and other certification organizations have developed several other certifications to test candidates’ knowledge of cloud computing concepts and technology. However, the CCSP’s focus on cloud security helps to differentiate it from these other certifications.

The most similar certification to the CCSP is the Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK). The CSA partnered with (ISC)2 to create the CCSP exam. According to the CSA blog, the CCSP covers much of the same content covered by the CCSK and tests knowledge of governance, traditional security, and user privacy in cloud environments.

The CCSP is probably the most comprehensive certification available on the topic of cloud security. It is designed to test cloud security topics at a level similar to that of the Certified Information Systems Security Professional (CISSP) certification.

What does the CCSP exam cover?

The CCSP exam is designed to test an applicant’s knowledge of everything to do with cloud security. The exam is a 125-question multiple-choice test with a three-hour time limit. There are 1000 possible points, and a passing score requires a minimum of 70% of these. The questions are broken into six different domains with the following weightings:

Domain 1: Cloud Concepts, Architecture and Design (17%)
Domain 2: Cloud Data Security (19%)
Domain 3: Cloud Platform and Infrastructure Security (17%)
Domain 4: Cloud Application Security (17%)
Domain 5: Cloud Security Operations (17%)
Domain 6: Legal, Risk and Compliance (13%)

The rest of this section is devoted to providing a brief overview of the topics covered in each domain of the CCSP exam.

Domain 1: Cloud Concepts, Architecture and Design (17%)

The first domain of the CCSP exam covers the background knowledge necessary to secure cloud computing systems. This includes basic cloud computing concepts, the different types of cloud architectures, security concepts relevant to cloud computing, principles of secure cloud computing and identifying trusted cloud services.

Domain 2: Cloud Data Security (19%)

This domain is focused on everything to do with protecting data on the cloud. Relevant knowledge includes the fundamental concepts of cloud data, security considerations of cloud data storage, tools and techniques for data security, finding and classifying data on the cloud, managing access to data, implementation of data retention, deletion and archiving processes and data event management.

Domain 3: Cloud Platform and Infrastructure Security (17%)

The third CCSP domain focuses on the security aspects of cloud infrastructure. A CCSP applicant should know the basic components of cloud infrastructure, be able to design a secure data center, know how to perform a risk assessment, design and implement security controls for the cloud and know how to integrate cloud computing into their organization’s business continuity/disaster recovery (BC/DR) plan.

Domain 4: Cloud Application Security (17%)

This section of the CCSP exam is focused on developing and securing cloud applications. On the development side, applicants should be aware of the unique challenges of developing for the cloud, familiar with software assurance and validation for cloud applications, practice good supply chain management and understand the Software Development Lifecycle (SDLC). The security side of this domain covers the Secure Software Development Lifecycle, cloud-specific security technology and management of identity and access in the cloud.

Domain 5: Cloud Security Operations (17%)

In this domain, an applicant needs to prove knowledge of designing, implementing, building, running, maintaining, and assessing the risks of physical and logical cloud infrastructure. This section also tests knowledge of related regulations like ITIL and ISO/IEC 20000-1, collection of digital evidence in an incident, security operations management and how to manage communication with all stakeholders in the cloud environment.

Domain 6: Legal, Risk and Compliance (13%)

The final domain of the CCSP is focused on any cloud-specific laws and regulations not covered in earlier domains. This includes how the cloud affects regulatory compliance, jurisdiction-specific privacy regulations, auditing and risk management. Also covered are management of the supply chain, outsourcing and vendor contracts.

What do I need for the CCSP certification?

The minimum requirement for passing the CCSP exam is enough knowledge of cloud security to earn 700 of the possible 1000 points. However, the CCSP certification also has experience requirements.

To be eligible to become a full CCSP, you need to meet three experience requirements. First, you need to demonstrate five years of experience in information technology (IT). Of those five years, three of them need to be focused on information security. Finally, one year of experience in cloud security in any one of the six CCSP domains is required.

The CCSP exam has some exceptions to these rules. Anyone holding the CISSP certification automatically meets the eligibility requirements. If you have the information technology and information security experience, you can waive the cloud security requirement by earning the Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge.

If you don’t have the experience, you can still take the exam. If you achieve a passing grade on the exam, you become a CCSP Associate until you accumulate the relevant experience to be a full CCSP. Once you have a CCSP certificate, it is good for three years without renewal. To recertify at the three-year mark, you’ll need to have completed 90 CPE credits in those three years and pay an annual maintenance fee of $125.

Should I take the CCSP exam?

The CCSP exam is designed to allow cloud security practitioners to demonstrate their knowledge and skillsets in that specific field. The exam content is narrowly focused on cloud computing and the knowledge of theory, tools, and techniques necessary to secure it properly.

The experience requirements of the CCSP exam mean that it’s not a great choice for those fresh out of college and looking to specialize in cloud computing. The five-year information technology requirement shows that the exam is targeting mid-level rather than entry-level security professionals.

On the other hand, if you want to break into the cloud security field, this exam may be a good fit for you. If you are already a CISSP, then you automatically meet the eligibility requirements for the exam. If you have the experience except for the cloud security background, consider pursuing the Certificate of Cloud Security Knowledge (CCSK) and then the CCSP. This allows you to waive the requirement for cloud security experience for the CCSP and use the certification to help get a job in the field.

If you are interested in cloud security and have the required experience, taking the CCSP exam may well be worthwhile. According to CertMag, average salaries for a CCSP are around $138,000 in the U.S. With the popularity of cloud technology and the upsurge in data breaches, having the skills to protect an organization’s data is a great marketing tool. According to CertMag, the CCSP is also the most common certification that IT professionals plan to pursue.

How do I prepare for the CCSP exam?

The CCSP exam covers several different topics, so thorough preparation is key to earning a passing grade. Several training options are available, including self-study, online training and in-person boot camp-style training.

If you decide to go the self-study route, (ISC)2 has published an official guide to the CCSP exam. The guide is extremely detailed, being over five hundred pages in the current version. By going through the guide in-depth and taking a few practice tests, applicants can prepare themselves for the CCSP exam.

If this seems a bit daunting, maybe a training course would be a better choice. Both in-person and online training options for the CCSP exam are available. Taking this training route gives you the advantage of having access to a CCSP expert throughout the training process, ensuring that all of your questions will be answered.

Getting started on a CCSP certification

The CCSP certification is a highly respected certification that demonstrates knowledge and proficiency at securing cloud environments. The exam material is divided into six different domains and requires a 70% score on the 125 questions to pass. Both online and in-person boot camp-style training are available to help you prepare for your exam.


Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.
