CCSP: Overview of Domains [updated 2021]

December 22, 2021 by Howard Poston

The Certified Cloud Security Professional (CCSP) exam is a certification exam designed to test an applicant’s knowledge of the principles of securing cloud-based environments. It was developed by the International Information Systems Security Certification Consortium, Inc. or (ISC)2 and the Cloud Security Alliance (CSA).

To earn a CCSP certification, an applicant must pass the exam and meet certain eligibility requirements (five years in information technology, three years in information security and one year in cloud security).

CCSP exam details

The CCSP exam is a 125-question, multiple-choice exam with a four-hour time limit (consider bringing a snack). The exam has 1,000 possible points, and passing requires a score of at least 700.

Questions are not equally distributed among the six domains of the exam. The breakdown of the exam is as follows:

  • Domain 1: 17%
  • Domain 2: 19%
  • Domain 3: 17%
  • Domain 4: 17%
  • Domain 5: 17%
  • Domain 6: 13%

What is covered by the CCSP exam?

The CCSP exam is broken into six domains and numerous subdomains. This section provides a brief introduction to each of the subdomains included in the CCSP exam.

Domain 1: Cloud Concepts, Architecture, and Design

The first domain of the CCSP covers a lot of ground. Each of its five subdomains covers a very different aspect of cloud computing.

Understand Cloud Computing Concepts

This exam section is designed to evaluate the test taker’s knowledge of fundamental cloud computing concepts. To prepare for this section, brush up on the cloud computing definitions in ISO/IEC 17788, role descriptions within cloud computing (Customer, Provider, Partner), cloud computing characteristics (multi-tenancy, resource pooling and so forth), and the technology used in cloud computing (virtualization, databases and more).

Describe Cloud Reference Architecture

The cloud reference architecture section of the CCSP exam focuses on the differentiating features of different cloud-based offerings. You should know the difference between Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS), what the difference is between public and community cloud models, and cloud service capabilities and aspects that transcend these classifications.

Understand Security Concepts Relevant to Cloud Computing

The security concepts section of the CCSP exam is a review of common cybersecurity concepts. Included are the basics of cryptography, access control, media sanitization, network security and virtualization security. You should also know about common security threats and how to apply these concepts to different cloud types.

Understand Design Principles of Secure Cloud Computing

The Design Principles section introduces the business aspects, including cloud-based Business Continuity/Disaster Recovery (BC/DR) planning, cost-benefit analysis, and functional security considerations like portability and vendor lock-in. This section also covers the Cloud Secure Data Lifecycle.

Evaluate Cloud Service Providers

The final section of Domain 1 discusses how to evaluate cloud service providers. This includes certification against criteria and being familiar with product certifications for systems and subsystems.

Domain 2: Cloud Data Security

Describe Cloud Data Concepts

The Cloud Data Lifecycle is guidance provided by the Cloud Security Alliance (CSA), one of the two creators of the CCSP. CCSP takers should be familiar with the phases of the Cloud Data Lifecycle, the data security technologies used to implement it, and the principle of data dispersion.

Design and Implement Cloud Data Storage Architectures

This section of the CCSP deals with everything stored in a cloud environment. To be ready, you need to know the different types of storage (long-term, ephemeral and raw disk), potential threats to the different types of storage (reference ISO/IEC 27040) and how to manage these threats using encryption and other technology.

Design and Apply Data Security Technologies and Strategies

In this section, the CCSP tests knowledge of the different tools available for protecting data and use them. Most of these are cryptography-related, including encryption, masking, key management, tokenization and obfuscation.

Implement Data Discovery

This section discusses how to discover both structured and unstructured data within an organization’s cloud environment.

Implement Data Classification

This section of the exam describes how to appropriately classify data, including mapping, labeling, and handling sensitive data.

Design and Implement Information Rights Management (IRM)

This section of the CCSP exam covers the theory, practice and technology for managing user access to various data.

Design and Implement Data Retention, Deletion and Archiving Policies

Most corporate and legally-protected data have strict policies on data retention, deletion, and archiving. Cloud environments can make these policies more difficult to enforce due to the lack of physical control of the hardware where the data is stored. This section covers policies, procedures and mechanisms for data retention, deletion and archiving.

Design and Implement Auditability, Traceability and Accountability of Data Events

This section discusses everything to do with event management, including identifying event sources, logging events, event storage, and continuous improvement. The section also discusses the chain of custody and ensuring non-repudiation of collected data.

Domain 3: Cloud Platform and Infrastructure Security

The third domain of the CCSP exam focuses on the infrastructure side of cloud computing. This includes the basics of infrastructure, analyzing and controlling risk and integrating cloud computing into the organizational business continuity/disaster recovery (BC/DR) strategy.

Comprehend Cloud Infrastructure Components

The first section of the third domain is focused on confirming that the test-taker has a clear understanding of the basic components of cloud infrastructure. This includes knowledge of the physical environment, network and communications, computational resources, virtualization technology, storage and the management plane.

Design a Secure Data Center

Secure data center design consists of logical design (access control, etc.), physical design (where/how to build), and environmental design (infrastructure to support the data center such as HVAC).

Analyze Risks Associated to Cloud Infrastructure

The risk assessment section of the infrastructure domain focuses on identifying common cloud attack vectors and risks of virtualization. It also covers common countermeasures like access controls and proper design.

Design and Plan Security Controls

This section complements the previous one by exploring different security controls designed to manage cloud-related risk. This includes protection of physical assets, systems and communication and virtualization systems. Also covered are access control management (identification, authentication and authorization) in the cloud and audit mechanisms.

Plan Disaster Recovery and Business Continuity Management

Cloud computing can be a valuable part of an organization’s business continuity/disaster recovery (BC/DR) strategy. This section involves developing and implementing a cloud BC/DR plan based on business requirements, risks, and overall BC/DR strategy.

Domain 4: Cloud Application Security

Data storage is not the only use of cloud computing. This domain of the exam evaluates the test taker’s knowledge of application development for the cloud.

Advocate Training and Awareness for Application Security

Development for the cloud can be very different from development for on-premises systems. This section tests knowledge of some of the basics of cloud development and common pitfalls and vulnerabilities when developing cloud applications.

Describe the Secure Software Development Life Cycle (SDLC) Process

The Secure Software Development Life Cycle (SDLC) integrates security into every phase of the software development lifecycle. This includes defining security-focused requirements and integrating security into other phases, such as developing security-focused test cases.

Apply the Secure Software Development Life Cycle (SDLC)

This section builds on the previous by putting the theory of the SDLC into practice. This includes performing threat modeling, risk assessments, vulnerability detection, and quality assurance.

Apply Cloud Software Assurance and Validation

Once an application is on the cloud, it may be subject to reduced oversight since it is not running on systems controlled by the organization. In this section of the exam, the test-taker is expected to demonstrate knowledge of techniques for ensuring that applications are secure before they are uploaded to the cloud-like functional testing, security testing and the Cloud Secure Development Life Cycle.

Use Verified Secure Software

Depending on the cloud computing environment used, a developer may not control the software packages and utilities available to their programs. This section discusses the principles of ensuring that developers only use approved APIs, appropriately manage the supply chain, and take community knowledge.

Comprehend the Specifics of Cloud Application Architecture

The architecture of the cloud environment can have a significant impact on cloud security. A CCSP is expected to know about security-related technology, cryptography, sandboxing and application virtualization.

Design Appropriate Identity and Access Management (IAM) Solutions

Managing access to data and resources is an important security measure in and out of the cloud. This section covers common IAM solutions, including Federated Identity, Identity Providers, Single Sign-On and Multi-Factor Authentication.

Domain 5: Cloud Security Operations

The fifth domain of the CCSP exam is probably the most detail-oriented. It covers every aspect of the cloud’s physical and digital infrastructure and collects digital evidence after an incident, and communicates with partners.

Implement and Build Physical and Logical Infrastructure for Cloud Environment

A cloud environment includes both physical and logical infrastructure. On the physical side, the CCSP tests knowledge of the secure configuration of hardware-specific requirements (BIOS settings for virtualization and TPMs, storage controllers and network controllers) and installing and configuring virtualization management tools on the hosts.

Building the logical infrastructure of the cloud environment focuses on virtualization technology. Test-takers should know how to securely configure virtual hardware and install guest OS virtualization toolsets.

Operate Physical and Logical Infrastructure for Cloud Environment

The second section of the operations domain focuses on the steps necessary to start running the physical and logical infrastructure of the cloud environment. Tested topics include configuring local access controls, securing communications, applying hardened OS baselines and ensuring the availability of standalone and clustered hosts and the guest OS.

Manage Physical Infrastructure for Cloud Environment

Management of the physical and logical infrastructure is one of the most detail-rich subdomains in the CCSP exam. This section could test knowledge on configuring remote access controls, monitoring and remediating deviations from OS baselines, patch management, performance and hardware monitoring, host configuration backup and restoration, network security control implementation, capture and analysis of logs, and anything to do with the management plane.

Implement Operational Controls and Standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)

The CCSP’s topics regarding regulations and controls draw heavily from ITIL and ISO/IEC 20000-1. The required knowledge includes change management, continuity, information security, continual service improvement, incidents, problems, releases, deployment, configuration, service levels, availability and capacity.

Support Digital Forensics

In an incident, a cloud security practitioner should know how to properly collect and manage forensic evidence from a cloud environment.

Manage Communication With Relevant Parties

Communication is key when operating in a cloud environment. The CCSP exam focuses on keeping lines of communication open with vendors, customers, partners, regulators and other stakeholders in the system.

Manage Security Operations

Like all IT environments, cloud-based infrastructure requires ongoing security support. This section tests knowledge regarding security operations centers (SOCs) and their activities, including security control monitoring, capture and analysis of log data, and incident response.

Domain 6: Legal, Risk, and Compliance

The last domain of the CCSP exam tests an applicant’s knowledge of the laws and regulations that may apply to the data stored in their cloud environment and how cloud computing may require a distinct set of policies and procedures from on-premises systems.

Articulate Legal Requirements and Unique Risks within the Cloud Environment

An aspect of cloud computing significant to legal and regulatory compliance is that an organization’s data is not under their control and that they may not know its physical location at any time. The CCSP tests knowledge of international legislation conflicts, cloud-specific risks, legal controls, the eDiscovery process and requirements for forensic analysis.

Understand Privacy Issues

This section of the exam focuses on the details and regulations regarding the protection of Personally Identifiable Information (PII). A test-taker should know the difference between contractual and regulated PII, be familiar with major country-specific privacy regulations, and define confidentiality, integrity, availability, and privacy.

Understand Audit Process, Methodologies and Required Adaptations for a Cloud Environment

This section of the exam tests knowledge of all aspects of the audit process and the differences caused by cloud computing.

Understand Implications of Cloud to Enterprise Risk Management

The use of cloud computing causes some traditional risk management procedures to be inapplicable (like controlling physical access to a device). A CCSP applicant should be familiar with cloud-specific risk terminology, regulatory impacts and risk mitigations, frameworks, metrics and assessments.

Understand Outsourcing and Cloud Contract Design

The use of cloud technology makes outsourcing business functions essential. This section tests knowledge of outsourcing business requirements, vendor management, and contract management.

Preparing for the CCSP exam

(ISC)² has endorsed an official study guide for the CCSP exam; however, the number of topics that it covers means that working through it might seem like a daunting task. If you prefer a more hands-on approach to learning, training is available to help you prepare for and pass your CCSP exam.



Posted: December 22, 2021
Articles Author
Howard Poston
View Profile

Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.

Leave a Reply

Your email address will not be published. Required fields are marked *