ISC2 CCSP

CCSP: Overview of Domains [updated 2022]

The Certified Cloud Security Professional (CCSP) exam is a certification exam designed to test an applicant’s knowledge of the principles of securing cloud-based environments. The newest version of the test became effective on August 1, 2022. It was developed by the International Information Systems Security Certification Consortium, Inc., or (ISC)2, and the Cloud Security Alliance (CSA).

To earn a CCSP certification, an applicant must pass the exam and meet certain eligibility requirements: five years of cumulative paid work experience in information technology, including three years in information security and one year in one of the six domains of the CCSP CBK.

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!

Learn More

CCSP exam details

The CCSP exam now consists of 150 multiple-choice questions (100 operational items with 50 pretest items) to be answered in 4 hours. The exam contains 1,000 possible points, and passing requires a score of at least 700 points (70%).

Questions are not equally distributed among the six domains of the (ISC)² CCSP certification exam. The breakdown is as follows:

• Domain 1 - Cloud Concepts, Architecture and Design: 17%
• Domain 2 - Cloud Data Security: 20%
• Domain 3 - Cloud Platform and Infrastructure Security: 17%
• Domain 4 - Cloud Application Security: 17%
• Domain 5 - Cloud Security Operations: 16%
• Domain 6 - Legal, Risk and Compliance: 13%

The content of the exam has been refreshed (effective August 1, 2022), and as a result (ISC)² has updated only two of the domain weights from the previous version dated August 2019: Domain 2 went from 19% up to 20% and Domain 5 went from 17% down to 16%.

What is covered by the CCSP exam?

The exam is broken down into six domains covering the (ISC)² CCSP Common Body of Knowledge (CBK®) that includes areas relevant to the roles and responsibilities of today’s practicing information security professionals focusing on cloud technologies.

The next section provides a brief introduction to each of the domains and subdomains included in the CCSP exam. This review might help you identify areas of study within the (ISC)² CCSP Certification Exam Outline that may need additional attention.

Domain 1: Cloud Concepts, Architecture, and Design

The first domain of the CCSP covers a lot of ground. Each of its five subdomains focuses on a very different aspect of cloud computing.

1.1 Understand cloud computing concepts. This exam section is designed to evaluate the test taker’s knowledge of fundamental cloud computing concepts. To prepare for this section, brush up on the definitions in ISO/IEC 17788, role descriptions within cloud computing (Customer, Provider, Partner), its characteristics (multi-tenancy, resource pooling and so forth), and the technology used (virtualization, databases, orchestration and more).

1.2 Describe cloud reference architecture. The cloud reference architecture section of the CCSP exam focuses on the differentiating features of various cloud-based offerings. You should know the difference between Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and  Platform-as-a-Service (PaaS); what the difference is between public and community cloud models, and cloud service capabilities and aspects that transcend these classifications.

1.3 Understand security concepts relevant to cloud computing. This section of the CCSP exam includes a review of common cybersecurity concepts. It covers the basics of cryptography, access control, media sanitization, network security and virtualization security. You should also know about common security threats and how to apply these concepts to different cloud types.

1.4 Understand design principles of secure cloud computing. The design principles section introduces the business aspects, including cloud-based Business Continuity/Disaster Recovery (BC/DR) planning, cost-benefit analysis, and functional security considerations like portability and vendor lock-in. This section also covers the cloud secure data lifecycle.

1.5 Evaluate cloud service providers. The final section of Domain 1 discusses how to evaluate cloud service providers. This includes verification against criteria and being familiar with product certifications for systems and subsystems.

Domain 2: Cloud Data Security

2.1 Describe cloud data concepts. The cloud data lifecycle is guidance provided by the Cloud Security Alliance (CSA), one of the two creators of the CCSP. Test takers should be familiar with the phases of the cloud data lifecycle, the data security technologies used to implement it, and the principle of data dispersion.

2.2 Design and implement cloud data storage architectures. This section of the CCSP deals with everything stored in a cloud environment. To be ready, you need to know the different types of storage (long-term, ephemeral and raw disk), potential threats to the different types of storage (reference ISO/IEC 27040) and how to manage these threats using encryption and other technology.

2.3 Design and apply data security technologies and strategies. In this section, the CCSP tests knowledge of the different tools available for protecting data and their use. Most of these are cryptography-related, including encryption, masking, key management, tokenization and obfuscation.

2.4 Implement data discovery. This section discusses how to discover both structured and unstructured data within an organization’s cloud environment.

2.5 Plan and implement data classification. This section of the exam describes how to appropriately classify data, including mapping, labeling, and handling sensitive data.

2.6 Design and implement Information Rights Management (IRM). This section of the CCSP exam covers the theory, practice and technology for managing user access to various data.

2.7 Plan and implement data retention, deletion and archiving policies.  Most corporate and legally-protected data have strict policies on data retention, deletion, and archiving. Cloud environments can make these policies more difficult to enforce due to the lack of physical control of the hardware where the data is stored. This section covers policies, procedures and mechanisms for data retention, deletion and archiving.

2.8 Design and implement auditability, traceability and accountability of data events. Focuses on everything to do with event management, including identifying event sources, logging events, event storage, and continuous improvement. The section also discusses the chain of custody and ensuring non-repudiation of collected data.

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!

Learn More

Domain 3: Cloud Platform and Infrastructure Security

The third domain of the CCSP exam focuses on the infrastructure side of cloud computing. This includes the basics of infrastructure, analyzing and controlling risk and integrating cloud computing into the organizational BC/DR  strategy.

3.1 Comprehend cloud infrastructure and platform components. The first section of the third domain is focused on confirming that the test-taker has a clear understanding of the basic components of cloud infrastructure. This includes knowledge of the physical environment, network and communications, computational resources, virtualization technology, storage and the management plane.

3.2 Design a secure data center. Secure data center design consists of logical design (access control, etc.), physical design (where/how to build), and environmental design (infrastructure to support the data center such as HVAC).

3.3 Analyze risks associated with cloud infrastructure and platforms.  The risk assessment section of the infrastructure domain focuses on identifying common cloud attack vectors and risks of virtualization. It also covers common countermeasures like access controls and proper design.

3.4 Plan and implementation of security controls. This section complements the previous one by exploring different security controls designed to manage cloud-related risk. This includes protection of physical assets, systems and communication and virtualization systems. Also covered are access control management (identification, authentication and authorization) in the cloud and audit mechanisms.

3.5 Plan business continuity (BC) and disaster recovery (DR). Cloud computing can be a valuable part of an organization’s BC/DR effort. This section involves developing and implementing a cloud BC/DR plan based on business requirements, risks, and overall strategy.

Domain 4: Cloud Application Security

Data storage is not the only use of cloud computing. This domain of the exam evaluates the test taker’s knowledge of application development for the cloud.

4.1 Advocate training and awareness for application security.  Development for the cloud can be very different from development for on-premises systems. This section tests knowledge of some of the basics of cloud development and common pitfalls and vulnerabilities when developing cloud applications.

4.2 Describe the Secure Software Development Life Cycle (SDLC) process. The SDLC integrates security into every phase of the software development lifecycle. This includes defining requirements needed to integrate security into other phases.

4.3 Apply the Secure Software Development Life Cycle (SDLC). This section builds on the previous one by putting the theory of the SDLC into practice. This includes performing threat modeling, risk assessments, and vulnerability detection.

4.4 Apply cloud software assurance and validation. Once an application is on the cloud, it may be subject to reduced oversight, since it is not running on systems controlled by the organization. In this section of the exam, the test-taker is expected to demonstrate knowledge of techniques for ensuring that applications are secure before they are uploaded. From secure testing methodologies to quality assurance.

4.5 Use verified secure software. Depending on the cloud computing environment used, a developer may not control the software packages and utilities available to their programs. This section discusses the principles of ensuring that developers only use approved APIs, appropriately manage the supply chain, and how to use validated open-source software.

4.6 Comprehend the specifics of cloud application architecture. The architecture of the cloud environment can have a significant impact on cloud security. A CCSP is expected to know about security-related technology, cryptography, sandboxing and application virtualization.

4.7 Design appropriate identity and access management (IAM) solutions. Managing access to data and resources is an important security measure in and out of the cloud. This section covers common IAM solutions, including Federated Identity, Identity Providers (IdP), Single Sign-On (SSO), Multi-Factor Authentication (MFA) and Cloud access security broker (CASB).

Domain 5: Cloud Security Operations

The fifth domain of the CCSP exam is probably the most detail-oriented. It covers every aspect of the cloud’s physical and digital infrastructure, the collection of digital evidence after an incident, and the communication with partners.

5.1 Build and implement physical and logical infrastructure for cloud environment. A cloud environment includes both physical and logical infrastructure. On the physical side, the CCSP tests knowledge of the secure configuration of hardware-specific requirements (BIOS settings for virtualization and TPMs, storage controllers and network controllers) and installing and configuring virtualization management tools on the hosts.

Building the logical infrastructure of the cloud environment focuses on virtualization technology. Test-takers should know how to securely configure virtual hardware and install guest OS virtualization toolsets.

5.2 Operate and maintain physical and logical infrastructure for cloud environment. The second section of the operations domain focuses on the steps necessary to start running the physical and logical infrastructure of the cloud environment. Tested topics include configuring local access controls, securing communications, applying hardened OS baselines and ensuring the availability of standalone and clustered hosts and the guest OS.

Management of the physical and logical infrastructure is one of the most detail-rich subdomains in the CCSP exam. This section could test knowledge on configuring remote access controls, monitoring and remediating deviations from OS baselines, patch management, performance and hardware monitoring, host configuration backup and restoration, network security control implementation, capture and analysis of logs, and anything to do with the management plane.

5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1). The CCSP’s topics regarding regulations and controls draw heavily from ITIL and ISO/IEC 20000-1. The required knowledge includes change management, continuity, information security, continual service improvement, incidents, problems, releases, deployment, configuration, service levels, availability and capacity.

5.4 Support digital forensics. In an incident, a cloud security practitioner should know how to properly collect and manage forensic evidence from a cloud environment.

5.5 Manage communication with relevant parties. Communication is key when operating in a cloud environment. The CCSP exam focuses on keeping lines of communication open with vendors, customers, partners, regulators and other stakeholders in the system.

5.6 Manage security operations. Like all IT environments, cloud-based infrastructure requires ongoing security support. This section tests knowledge regarding security operations centers (SOCs) and their activities, including security control monitoring, capture and analysis of log data, and incident response.

Domain 6: Legal, Risk, and Compliance

The last domain of the CCSP exam tests an applicant’s knowledge of the laws and regulations that may apply to the data stored in their cloud environment and how cloud computing may require a distinct set of policies and procedures from on-premises systems.

6.1 Articulate legal requirements and unique risks within the cloud environment. An aspect of cloud computing significant to legal and regulatory compliance is that an organization’s data is not under their control and that they may not know its physical location at any time. The CCSP tests knowledge of international legislation conflicts, cloud-specific risks, legal controls, the eDiscovery process and requirements for forensic analysis.

6.2 Understand privacy issues. This section of the exam focuses on the details and regulations regarding the protection of Personally Identifiable Information (PII). A test-taker should know the difference between contractual and regulated PII, be familiar with major country-specific privacy regulations, and define confidentiality, integrity, availability, and privacy.

6.3 Understand audit process, methodologies, and required adaptations for a cloud environment. This section of the exam tests knowledge of all aspects of the audit process and the differences caused by cloud computing.

6.4 Understand implications of cloud to enterprise risk management. The use of cloud computing causes some traditional risk management procedures to be inapplicable (like controlling physical access to a device). A CCSP applicant should be familiar with cloud-specific risk terminology, regulatory impacts and risk mitigations, frameworks, metrics and assessments.

6.5 Understand outsourcing and cloud contract design. The use of cloud technology makes outsourcing business functions essential. This section tests knowledge of outsourcing business requirements, vendor management, and contract management.

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!

Learn More

Preparing for the CCSP exam

The Official (ISC)² Guide to the CCSP CBK, 3rd Edition, can provide candidates with a starting point for their studies in each of the six domains. However, the number of topics that this book covers means that working through it might seem like a daunting task. If you prefer a more hands-on approach to learning, perhaps a CCSP training course would be a better choice to help you prepare for and pass your CCSP exam.

For more on the CCSP certification, check out our CCSP certification hub.

Sources:

• CCSP, (ISC)2
• CCSP Webcast Series, (ISC)2
• The Ultimate Guide to the CCSP, (ISC)2
• Certification Exam Outline, (ISC)2
• CCSP Domain Refresh FAQ, (ISC)2