CCSP Domain 5: Cloud security operations [updated 2022]

September 5, 2022 by Mosimilolu Odusanya

This section covers the requirements for developing, planning, implementing, running and managing the physical and logical cloud infrastructure, as per the “Official (ISC)2 Guide to the CCSP CBK.” The CCSP covers six domains, and  Domain 5 represents 16% of the CCSP certification exam. 

Mastering this domain means you have the knowledge and skills to conduct and manage security operations in the cloud, collect digital evidence after an incident and communicate with partners.

Domain 5 — Cloud security operations

Each of the six subdomains covers a specific aspect of managing security operations in a cloud environment with proper controls and standards.

5.1 Build and implement physical and logical infrastructure for the cloud environment

Candidates must understand the requirements for implementing and building a physical and logical infrastructure with security in mind.

Hardware-specific security configuration requirements

Candidates need to know the various hardware components (and corresponding configuration requirements and settings) needed in a cloud data center infrastructure, such as basic input-output systems (BIOS), virtualization, hardware security module (HSM) and trusted platform module (TPM).

Installation and configuration of management tools

Candidates must know how to install and configure management tools required to secure a virtual and cloud-based installation.

Virtual hardware-specific security configuration requirements

Candidates need to understand the various configuration settings and requirements for maintaining virtual hardware security (e.g., network, storage, memory, central processing unit (CPU) and Hypervisor types 1 2).

Installation of guest operating system virtualization toolsets

Candidates need to understand the toolsets that enable installing operating systems in the virtualization environment.

5.2 Operate and maintain physical and logical infrastructure for cloud environment

Candidates need to understand access control mechanisms, physical and virtual network configurations and OS hardening baselines and how to ensure the availability of physical and virtual hosts and resources in a cloud environment.

Access control for local and remote access

Candidates need to understand protocols for supporting remote administration, such as secure shell (SSH), remote desktop protocol (RDP), virtual network computing (VPC), console-based access mechanisms, jump boxes, etc.

Secure network configuration

Candidates need to understand protocols, technologies, services and concepts for securing networks and the data transmitted, such as virtual local area network (VLAN), transport layer security (TLS), dynamic host configuration protocol (DHCP), domain name system security extensions (DNSSEC), a virtual private network (VPN), and so forth.

Network security controls

Candidates need to understand network security controls and technologies, such as firewalls, intrusion detection/prevent systems (IDS/IPS), honeypots, etc.

Operating system hardening through the application of baselines

Candidates need to understand baselines in hardening operating systems (e.g., Windows, Linux, VMware). The baseline and corresponding documentation may be achieved via customer-defined VM images, NIST checklists, CIS benchmarks, etc.

Patch management

Candidates need to understand the patch management process for finding, testing and applying patches to a cloud environment.

Availability of clustered hosts

Candidates need to understand clustered hosts (e.g., distributed resource scheduling, dynamic optimization, storage clusters, maintenance mode, high availability) and their use.  

Performance and capacity monitoring

Candidates must understand the tools and infrastructure elements (e.g., network, compute, response time, storage) that can be monitored.

Hardware monitoring

Candidates need to understand the tools and hardware elements (e.g., CPU temperature and fan speed) that require monitoring because they can fluctuate.

Configuration of host and guest operating system backup and restore functions

Candidates need to understand the three main types of backup technologies (i.e., snapshots, agent-based and agentless).

Management plane

Candidates need to understand the uses of a management plane in a cloud environment by the CSP. This includes knowing the activities related to scheduling and orchestration, as well as managing and maintaining the control plane.

5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)

Candidates need to understand the regulations and controls used to govern IT operations and processes in cloud environments. Such processes include:

  • Change management
  • Continuity management
  • Information security management
  • Continual service improvement management
  • Incident management
  • Problem management
  • Release management
  • Deployment management
  • Configuration management
  • Service level management
  • Availability management
  • Capacity management

5.4 Support digital forensics

Candidates need to understand how to conduct digital forensics in a cloud environment.

Forensics data collection methodologies

Candidates need to understand two standards (i.e., ISO 27050 and Cloud Security Alliance (CS) Security Guidance Domain 3 Legal Issues: Contracts and Electronic Discovery) related to e-discovery.

Evidence management

Candidates need to understand how to manage the chain of custody from evidence collection to trial during any digital forensics investigation.

Collect, acquire and preserve digital evidence

Candidates need to understand the phases of digital evidence handling and the challenges associated with evidence collection in a cloud environment.

5.5 Manage communication with relevant parties

Candidates need to understand how to communicate accurately, concisely and timely with vendors, customers (including the cloud shared responsibility model), partners, regulators and other stakeholders.

5.6 Manage security operations

Candidates need to understand how to manage security operations and provide continuous security support in a cloud environment.

Security operations center (SOC)

Candidates need to understand how a SOC works in a cloud environment and its responsibilities, such as threat prevention and detection, incident management, etc.

Intelligent monitoring of security controls

Candidates need to understand how to manage and monitor the security controls [e.g., firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, network security groups, artificial intelligence (AI), etc.)] deployed to manage a cloud environment’s physical and logical components.

Log capture and analysis

Candidates need to understand the tools and processes required for log capture and analysis, such as the system information and event management (SIEM) tool and log management.

Incident management

Candidates need to understand the incident management and response procedures in a cloud environment and the three key elements: incident response plan, incident response team and root cause analysis.

Vulnerability assessments

Candidates need to understand the importance of cloud vulnerability assessments of the network and IT infrastructure to give visibility into the environment’s attack surface.

How to prepare for the CCSP exam

Studying suitable material is recommended by (ISC)2 before taking the CCSP exam. The official preparation material includes:

  • Official (ISC)² CCSP Study Guide, 2nd Edition
  • Official (ISC)² CCSP CBK Reference, 3rd Edition
  • Official (ISC)² CCSP Practice Tests, 2nd Edition
  • Official (ISC)² CCSP Flash Cards 
  • Official (ISC)² CCSP Study App

Need training? Design a learning path that best fits your needs and requirements to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the essential elements found in the fifth domain of the CCSP common body of knowledge (CBK) — Cloud Security Operations.

For more on the CCSP certification, check out our CCSP certification hub.


Posted: September 5, 2022
Mosimilolu Odusanya
View Profile

Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.