CCSP: Certified Cloud Security Professional

(ISC)² developed the Certified Cloud Security Professional (CCSP) credential to ensure that cloud security professionals have the required knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and compliance with regulatory frameworks. A CCSP applies information security expertise to a cloud computing environment and demonstrates competence in cloud security architecture, design, operations, and service orchestration. This professional competence is measured against a globally recognized body of knowledge.

The topics included in the CCSP Common Body of Knowledge (CBK) keep the credential relevant across all disciplines in the field of cloud security. Successful candidates are competent in the following six domains:

  • Cloud Concepts, Architecture and Design
  • Cloud Data Security
  • Cloud Platform & Infrastructure Security
  • Cloud Application Security
  • Cloud Security Operations
  • Legal, Risk and Compliance

Audience profile

The CCSP credential is designed for experienced information security professionals with at least five years of full-time IT experience, including three years of information security and at least one year of cloud security experience. It is suitable for mid-level to advanced professionals involved with IT architecture, web and cloud security engineering, information security, governance, risk and compliance, and IT auditing.

CCSP is most appropriate for those whose day-to-day responsibilities involve procuring, securing and managing cloud environments or purchased cloud services. Many CCSPs are responsible for cloud security architecture, design, operations, and/or service orchestration.

Example job functions include, but are not limited to:

Enterprise Architect, Security Administrator, Systems Engineer, Security Architect, Security Consultant, Security Engineer, Security Manager, Systems Architect

Prerequisites 

Candidates must have a minimum of 5 years cumulative paid work experience in information technology, of which 3 years must be in information security and 1 year in 1 or more of the 6 domains of the CCSP CBK. Earning CSA's CCSK certificate can be substituted for 1 year of experience in 1 or more of the 6 domains of the CCSP CBK. Earning (ISC)²'s CISSP credential can be substituted for the entire CCSP experience requirement.

A candidate who does not yet have the required experience may become an Associate of (ISC)² by passing the CCSP examination. The Associate of (ISC)² then has 6 years to earn the 5 years of required experience. You can learn more about CCSP experience requirements and how to account for part-time work and internships at www.isc2.org/Certifications/CCSP/experience-requirements.

Learning Outcomes

You will learn how to:

  • Identify and explain the five characteristics required to satisfy the NIST definition of cloud computing
  • Differentiate between various as-a-service delivery models and frameworks that are incorporated into the cloud computing reference architecture
  • Explain strategies for protecting data at rest and data in motion
  • Discuss strategies for safeguarding data, classifying data, ensuring privacy, assuring compliance with regulatory agencies, and working with authorities during legal investigations
  • Contrast between forensic analysis in corporate data center and cloud computing environments

Course outline

On August 1, 2022, (ISC)² refreshed the CCSP credential exam. These updates are the result of the Job Task Analysis (JTA), which is an analysis of the current content of the credential evaluated by (ISC)² members on a triennial cycle.

The current CCSP domain weights are:

  • Cloud Concepts, Architecture and Design 17%
  • Cloud Data Security 20%
  • Cloud Platform & Infrastructure Security 17%
  • Cloud Application Security 17%
  • Cloud Security Operations 16%
  • Legal, Risk and Compliance 13%

The CCSP draws from a comprehensive, up-to-date, global common body of knowledge that ensures security leaders have a deep knowledge and understanding of new threats, technologies, regulations, standards, and practices relating to the security & protection of the cloud.

The CCSP exam tests one's competence in the 6 domains of the CCSP CBK. For each domain below, the top-level tasks of the exam outline are listed first, followed by the detailed topics they cover:

Domain 1: Cloud Concepts, Architecture and Design

  • Understand Cloud Computing Concepts
  • Describe Cloud Reference Architecture
  • Understand Security Concepts Relevant to Cloud Computing
  • Understand Design Principles of Secure Cloud Computing
  • Evaluate Cloud Service Providers

Domain 2: Cloud Data Security

  • Describe Cloud Data Concepts
  • Design and Implement Cloud Data Storage Architectures
  • Design and Apply Data Security Technologies and Strategies
  • Implement Data Discovery
  • Implement Data Classification
  • Design and Implement Information Rights Management (IRM)
  • Plan and Implement Data Retention, Deletion and Archiving Policies
  • Design and Implement Auditability, Traceability and Accountability of Data Events
  • Encryption and Key Management
  • Hashing
  • Masking
  • Tokenization
  • Data Loss Prevention (DLP)
  • Data Obfuscation
  • Data De-identification (e.g., anonymization)
  • Mapping
  • Labelling
  • Sensitive data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII), cardholder data)
  • Data Retention Policies
  • Data Deletion Procedures and Mechanisms
  • Data Archiving Procedures and Mechanisms
  • Legal Hold

Domain 3: Cloud Platform and Infrastructure Security

  • Comprehend Cloud Infrastructure Components
  • Design a Secure Data Center
  • Analyze Risks Associated with Cloud Infrastructure
  • Design and Plan Security Controls
  • Plan Disaster Recovery (DR) and Business Continuity (BC)
  • Physical Environment
  • Network and Communications
  • Compute
  • Virtualization
  • Storage
  • Management Plane
  • Risk Assessment and Analysis
  • Cloud Vulnerabilities, Threats and Attacks
  • Virtualization Risks
  • Countermeasure Strategies
  • Physical and Environmental Protection (e.g., on-premises)
  • System and Communication Protection
  • Virtualization Systems Protection
  • Identification, Authentication and Authorization in Cloud Infrastructure
  • Audit Mechanisms (e.g., log collection, packet capture)
  • Risks Related to the Cloud Environment
  • Business Requirements (e.g., Recovery Time Objective (RTO), Recovery Point Objective (RPO), Recovery Service Level (RSL))
  • Business Continuity/Disaster Recovery Strategy
  • Creation, Implementation and Testing of Plan

Domain 4: Cloud Application Security

  • Advocate Training and Awareness for Application Security
  • Describe the Secure Software Development Life Cycle (SDLC) Process
  • Apply the Secure Software Development Life Cycle (SDLC)
  • Apply Cloud Software Assurance and Validation
  • Use Verified Secure Software
  • Comprehend the Specifics of Cloud Application Architecture
  • Design Appropriate Identity and Access Management (IAM) Solutions
  • Supplemental Security Components (e.g., Web Application Firewall (WAF), Database Activity Monitoring (DAM), Extensible Markup Language (XML) firewalls, Application Programming Interface (API) gateway)

Domain 5: Cloud Security Operations

  • Implement and Build Physical and Logical Infrastructure for Cloud Environment
  • Operate Physical and Logical Infrastructure for Cloud Environment
  • Manage Physical and Logical Infrastructure for Cloud Environment
  • Implement Operational Controls and Standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
  • Support Digital Forensics
  • Manage Communication with Relevant Parties
  • Manage Security Operations
  • Access Controls for Remote Access (e.g., Remote Desktop Protocol (RDP), Secure Terminal Access, Secure Shell (SSH))
  • Operating System (OS) Baseline Compliance Monitoring and Remediation
  • Patch Management
  • Performance and Capacity Monitoring (e.g., network, compute, storage, response time)
  • Hardware Monitoring (e.g., disk, Central Processing Unit (CPU), fan speed, temperature)
  • Configuration of Host and Guest Operating System (OS) Backup and Restore Functions
  • Network Security Controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)
  • Management Plane (e.g., scheduling, orchestration, maintenance)
  • Configure Access Control for Local and Remote Access (e.g., Secure Keyboard Video Mouse (KVM), console-based access mechanisms, Remote Desktop Protocol (RDP))
  • Secure Network Configuration (e.g., Virtual Local Area Networks (VLAN), Transport Layer Security (TLS), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Virtual Private Network (VPN))
  • Operating System (OS) Hardening Through the Application of Baselines (e.g., Windows, Linux, VMware)
  • Availability of Stand-Alone Hosts
  • Availability of Clustered Hosts (e.g., Distributed Resource Scheduling (DRS), Dynamic Optimization (DO), storage clusters, maintenance mode, High Availability)
  • Availability of Guest Operating System (OS)
  • Change Management
  • Continuity Management
  • Information Security Management
  • Continual Service Improvement Management
  • Incident Management
  • Problem Management
  • Release Management
  • Deployment Management
  • Configuration Management
  • Service Level Management
  • Availability Management
  • Capacity Management
  • Vendors
  • Customers
  • Partners
  • Regulators
  • Other Stakeholders

Domain 6: Legal, Risk and Compliance

  • Articulate Legal Requirements and Unique Risks within the Cloud Environment
  • Understand Privacy Issues
  • Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
  • Understand Implications of Cloud to Enterprise Risk Management
  • Understand Outsourcing and Cloud Contract Design
  • Conflicting International Legislation
  • Evaluation of Legal Risks Specific to Cloud Computing
  • Legal Framework and Guidelines
  • eDiscovery (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050, Cloud Security Alliance (CSA) Guidance)
  • Forensics Requirements
  • Internal and External Audit Controls
  • Impact of Audit Requirements
  • Identify Assurance Challenges of Virtualization and Cloud
  • Types of Audit Reports (e.g., Statement on Standards for Attestation Engagements (SSAE), Service Organization Control (SOC), International Standard on Assurance Engagements (ISAE))
  • Restrictions of Audit Scope Statements (e.g., Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))
  • Gap Analysis
  • Audit Planning
  • Internal Information Security Management System (ISMS)
  • Internal Information Security Controls System
  • Policies (e.g., organizational, functional, cloud computing)
  • Identification and Involvement of Relevant Stakeholders
  • Specialized Compliance Requirements for Highly-Regulated Industries (e.g., North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))
  • Impact of Distributed Information Technology (IT) Model (e.g., diverse geographical locations and crossing over legal jurisdictions)

Certification

This course and its materials, together with prior experience and rigorous self-study, will help prepare you to take the (ISC)² CCSP certification exam.

Important! The CCSP exam voucher is NOT included in this CCSP training.