(ISC)² CCSP

CCSP exam and CBK changes in August 2021

October 6, 2021 by Fakhar Imam

Since August 1, 2019, (ISC)² has introduced changes to its Certified Cloud Security Professional (CCSP) certification. This is the first update that has been made since its inception in 2015. The purpose of these enhancements is to establish the CCSP domains’ relevancy with rapidly growing cloud computing technologies and methodologies. With the updated CCSP exam, CCSP-certified professionals will be able to deal with the latest trends in cloud computing, including the newly emerging, fast and sophisticated threats in cloud platforms.

This article explores the latest changes to the CCSP exam in greater detail. You’ll notice that the new six domains of the (ISC)² CCSP Common Body of Knowledge (CBK®) will encompass the topic areas relevant to the roles and responsibilities of today’s practicing cloud security professionals. After reading this piece, you might also identify areas of study that may need additional attention.

What changes are made to CCSP domains and their weight?

As a result of the CCSP domain refresh, some new cloud security concepts have been added and some previous content has been removed. This section highlights the changes that took effect on August 1, 2019, together with the changes to the domains and their weightings (percentages) in the CCSP Common Body of Knowledge (CBK).

CCSP old domains                               Weight   CCSP new domains                               Weight
Architectural Concepts & Design Requirements   19%      Cloud Concepts, Architecture and Design        17%
Cloud Data Security                            20%      Cloud Data Security                            19%
Cloud Platform and Infrastructure Security     19%      Cloud Platform and Infrastructure Security     17%
Cloud Application Security                     15%      Cloud Application Security                     17%
Operations                                     15%      Cloud Security Operations                      17%
Legal & Compliance                             12%      Legal, Risk and Compliance                     13%

Below are the details of the CCSP domain changes. For clarity:

  • The green text represents a new addition to content
  • The red text represents deleted content
  • The yellow text represents renamed content

Changes to CCSP domains

Old Domain 1

  • 1.1 Understand Cloud Computing Concepts
  • 1.2 Describe Cloud Reference Architecture
  • 1.3 Understand Security Concepts Relevant to Cloud Computing
  • 1.4 Understand the Design Principles of Secure Cloud Computing
  • 1.5 Identify Trusted Cloud Services

New Domain 1

The title of the first domain has been changed from “Architectural Concepts and Design Requirements” to “Cloud Concepts, Architecture and Design.” The details of the content are given below:

  • 1.1 Understand Cloud Computing Concepts
  • 1.2 Describe Cloud Reference Architecture
  • New addition: Impact of related technologies
    • “Impact of related technologies” adds new content to this subdomain, incorporating machine learning, artificial intelligence, blockchain, Internet of Things (IoT), containers and quantum computing to the curriculum. These topics are new to the CCSP CBK and represent crucial technologies that CCSP candidates need to learn to stay on top of the latest and fastest-growing cloud technologies. In January of 2019, Forbes reported that “Machine learning platforms are one of the fastest-growing services of the public cloud.”
  • 1.3 Understand Security Concepts Relevant to Cloud Computing
  • Removed: Security Considerations for Different Cloud Categories
  • 1.4 Understand the Design Principles of Secure Cloud Computing
  • New addition: Security Considerations for Different Cloud Categories
    • These topics have been relocated from the previous subdomain (1.3)
  • 1.5 Identify Trusted Cloud Services
  • Just renamed: Evaluate Cloud Service Providers

Old Domain 2

  • 2.1 Understand Cloud Data Lifecycle (CSA Guidance)
  • 2.2 Design and Implement Cloud Data Storage Architectures
  • 2.3 Design and Apply Data Security Strategies
  • 2.4 Understand and Implement Data Discovery and Classification Technologies
  • 2.5 Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
  • 2.6 Design and Implement Data Rights Management
  • 2.7 Plan and Implement Data Retention, Deletion and Archiving Policies

New Domain 2

  • 2.1 Renamed: Describe Cloud Data Concepts
  • New addition: Data Dispersion
  • 2.2 Design and Implement Cloud Data Storage Architectures
  • Removed: Technologies Available to Address Threats
    • This content has been removed to avoid repetition. It is also worth noting that this topic mainly involves encryption techniques, which are fully covered in the next subdomain
  • 2.3 Design and Apply Data Security Technologies and Strategies
  • New addition: Data Loss Prevention (DLP), Data Obfuscation and Data De-identification
    • Of these, Data Obfuscation is primarily derived from the deleted topic “Emerging Technologies”
  • Removed: Application of Technologies, Emerging Technologies
  • 2.4 Renamed: Implement Data Discovery
  • All old subsections have been removed
  • New addition: Structured Data and Unstructured Data
  • 2.5 Renamed: Implement Data Classification
    • Some old subsections have been removed, and two of them have been modified
  • New addition: Mapping, Labeling and Sensitive Data
    • Mapping and Sensitive Data have been derived and modified from the previous subdomain
  • 2.6 Just renamed: Design and Implement Information Rights Management (IRM)
  • 2.7 Plan and Implement Data Retention, Deletion and Archiving Policies
  • New addition: Legal Hold
  • 2.8 Design and Implement Auditability, Traceability and Accountability of Data Events
  • Removed: Storage and Analysis of Data Events and Continuous Optimizations
    • The new subsection, “Logging, Storage and Analysis of Data Events,” has been derived and modified from the previous subdomain

Old Domain 3

  • 3.1 Comprehend Cloud Infrastructure Components
  • 3.2 Analyze Risks Associated to Cloud Infrastructure
  • 3.3 Design and Plan Security Controls
  • 3.4 Plan Disaster Recovery and Business Continuity Management

New Domain 3

Domain 3 has gained one new subdomain at position 3.2, and the remaining subdomains have each been shifted down one position. Below are the details of the change:

  • 3.1 Comprehend Cloud Infrastructure Components
  • 3.2 New addition: Design a Secure Data Center
    • This includes Logical Design, Physical Design and Environmental Design, along with their associated security controls
  • 3.3 Analyze Risks Associated with Cloud Infrastructure
  • 3.4 Design and Plan Security Controls
  • 3.5 Plan Disaster Recovery (DR) and Business Continuity (BC)

Old Domain 4

  • 4.1 Recognize the need for Training and Awareness in Application Security
  • 4.2 Understand Cloud Software Assurance and Validation
  • 4.3 Use Verified Secure Software
  • 4.4 Comprehend the Software Development Life Cycle (SDLC) Process
  • 4.5 Apply the Secure Software Development Life Cycle
  • 4.6 Comprehend the Specifics of Cloud Application Architecture
  • 4.7 Design Appropriate Identity and Access Management (IAM) Solutions

New Domain 4

The Domain 4 changes mostly reorder the subdomains rather than adding or removing content. See below to identify the changes:

  • 4.1 Advocate Training and Awareness for Application Security
  • 4.2 Describe the Secure Software Development Life Cycle (SDLC) Process
  • 4.3 Apply the Secure Software Development Life Cycle (SDLC)
  • 4.4 Apply Cloud Software Assurance and Validation
  • 4.5 Use Verified Secure Software
  • 4.6 Comprehend the Specifics of Cloud Application Architecture
  • 4.7 Design Appropriate Identity and Access Management (IAM) Solutions

Old Domain 5

  • 5.1 Support the Planning Process for the Data Center Design
  • 5.2 Implement and Build Physical Infrastructure for Cloud Environment
  • 5.3 Run Physical Infrastructure for Cloud Environment
  • 5.4 Manage Physical Infrastructure for Cloud Environment
  • 5.5 Build Logical Infrastructure for Cloud Environment
  • 5.6 Run Logical Infrastructure for Cloud Environment
  • 5.7 Manage Logical Infrastructure for Cloud Environment
  • 5.8 Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
  • 5.9 Conduct Risk Assessment to Logical and Physical Infrastructure
  • 5.10 Understand the Collection, Acquisition and Preservation of Digital Evidence
  • 5.11 Manage Communication with Relevant Parties

New Domain 5

The name of this domain has been changed from “Operations” to “Cloud Security Operations.” In addition, the names of a few subdomains have been modified, and the number of subdomains has been reduced from 11 to 7. Two new subdomains have been added, replacing previous ones. Below are the details:

  • 5.1 Implement and Build Physical and Logical Infrastructure for Cloud Environment
  • 5.2 Operate Physical and Logical Infrastructure for Cloud Environment
  • 5.3 Manage Physical and Logical Infrastructure for Cloud Environment
  • 5.4 Implement Operational Controls and Standards
  • 5.5 Support Digital Forensics (New addition)
    • This subdomain contains Forensic Data Collection Methodologies; Evidence Management; and Collect, Acquire and Preserve Digital Evidence
  • 5.6 Manage Communication with Relevant Parties
  • 5.7 Manage Security Operations (New addition)
    • The contents of this new subdomain include Security Operation Center (SOC); Monitoring of Security Controls; and Log Capture and Analysis, Incident Management

Old Domain 6

  • 6.1 Understand Legal Requirements and Unique Risks within the Cloud Environment
  • 6.2 Understand Privacy Issues, Including Jurisdictional Variation
  • 6.3 Understand Audit Process, Methodologies and Required Adaptations for a Cloud Environment
  • 6.4 Understand the Implications of Cloud to Enterprise Risk Management
  • 6.5 Understand Outsourcing and Cloud Contract Design
  • 6.6 Execute Vendor Management

New Domain 6

The name of this domain has been changed from “Legal and Compliance” to “Legal, Risk and Compliance.” Slight modifications have been made to the names of the subdomains, and the last subdomain, “6.6 Execute Vendor Management,” has been removed.

  • 6.1 Articulate Legal Requirements and Unique Risks within the Cloud Environment
  • 6.2 Understand Privacy Issues
  • 6.3 Understand Audit Process, Methodologies and Required Adaptations for a Cloud Environment
  • 6.4 Understand the Implications of Cloud to Enterprise Risk Management
  • 6.5 Understand Outsourcing and Cloud Contract Design

Comparison of old and new exam information

The exam information remains the same except for the exam duration, which has been reduced from four hours to three hours. See the table below.

                      CCSP old exam            CCSP new exam
Length of the exam    4 hrs.                   3 hrs.
Number of questions   125                      125
Type of questions     Multiple choice          Multiple choice
Passing score         700 points out of 1000   700 points out of 1000

The composition of the test, 25 pretest items and 100 operational items, remains the same, and the new exam is available in English only. The stated purpose of reducing the test time was to standardize the CCSP exam.

The refreshed exam does not affect the experience requirements. To qualify for the CCSP exam, you are required to have a minimum of five years’ cumulative work experience in one or more of the six domains of the CCSP CBK.

Can I appear for the refreshed CCSP exam with old CCSP material?

The CCSP exam includes performance-based questions that cannot be prepared for by reading alone; passing them requires proper training or practice time. That said, you can still take and pass the CCSP exam if you have already studied sufficiently and have experience with the CCSP CBK.

Nevertheless, (ISC)² cannot guarantee that you will pass the exam merely with old material. To be safe, you should look for updated material to avoid risking failure. The updated training course has been available since October 1, 2019.

How do I prepare for the new CCSP exam?

First and foremost, examine the new topics thoroughly and pay special attention to the recent changes, as they represent the most up-to-date concepts on the new CCSP exam. With these changes in mind, adjust your study strategy to focus on the new topics.

Study resources

Begin by checking out the (ISC)² self-study resources webpage, where it’s possible to receive 50% off official textbooks as a member benefit. This allows CCSP exam candidates to learn at their own pace and spend extra time on the material to reinforce concepts.

The vendor also publishes official material that reflects the new exam content comprehensively and thoroughly. Below are some details:

  • Official (ISC)² Guide to the CCSP CBK, 3rd Edition – A comprehensive resource, providing cloud security professionals with an indispensable working reference to each of the six CCSP domains.
  • Official (ISC)² CCSP Study Guide, Second Edition – This is a must-have reference on your journey to becoming CCSP-certified.
  • Official (ISC)² CCSP Practice Tests, 2nd Edition – A book that helps test your level of understanding and gauge your readiness for the CCSP exam.

Community discussion

A quick search on the Web will reveal several discussion threads on preparing for and passing the CCSP test. The (ISC)² Community, for example, features a CCSP Study Group consisting of discussion threads by users who have recently prepared for and then passed the CCSP exam. The following may be helpful to candidates:

Appropriate training

You may need to receive the appropriate training in light of the new CCSP exam. (ISC)² accredited training providers are a good option with verified security experts authorized by (ISC)² to deliver the most relevant, up-to-date course content. However, many in-class and online courses are also available from other reputable training providers for professionals looking for training options better tailored to their needs.

Updates to the CCSP exam and CBK changes

As cloud services remain a challenge to secure, those with the CCSP certification, a vendor-neutral credential offered by the International Information System Security Certification Consortium, or (ISC)², are sought out for their knowledge and experience. More employers seek CCSP-certified professionals who possess hands-on experience and ample knowledge of cloud security architecture, design, operations and service orchestration, which this credential certifies.

The exam material is divided into six different domains and requires a 70% score on the 125 questions to pass. The contents of the test align with the Common Body of Knowledge (CBK), a comprehensive framework of all the relevant subjects a security professional should be familiar with, so preparation is key to knowing what is required in the field, including skills, techniques and up-to-date best practices in cloud security.

Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP and various other IT-related subjects.
