CCSP: The (ISC)2 Cloud Security Certification
In 2015 the Cloud Security Alliance and ISC2 announced a new cloud security certification: Certified Cloud Security Professional, or CCSP.
According to the Cloud Security Alliance, “CCSP represents the advanced skills required to secure the cloud, while establishing an international standard for professional-level knowledge in the design, implementation and management of cloud environments.”
The certification is ideal for IT and cloud security professionals and builds upon other certifications like CCSK.
The CCSP certification
CCSP has six domains that cover cloud computing and its risks.
Unsurprisingly, the first domain is about cloud architectural concepts and their impact on risk. The second is about data security, arguably the pivotal dimension in cloud computing. The third domain elaborates on the cloud infrastructure stack, which covers business continuity as well. The fourth domain covers application security and identity management, while the fifth domain is about operations in a cloud world. Finally, the last domain is about legal and compliance.
You will find more details about the six domains further down this page.
CCSP is supposed to be a more extensive certification than CCSK, with a more formal exam and a requirement of five years of experience in IT, at least three of which must have been spent in security and at least one in cloud computing.
Are you looking for an extensive comparison between CCSK and CCSP? Read more about CCSP vs. CCSK.
The CCSP exam and getting certified
I was one of the first to do the exam (and pass it).
My overall impression is that the exam covers the field of cloud computing and cloud security pretty broadly with significant detail, though little attention is given to cloud applications such as Big Data and DevOps.
The questions are clear, by and large, and mostly relevant to cloud computing. I have seen other so-called cloud exams that are more like classical technical IT security exams.
From my own courses I know how hard it is to make good questions, and this set of questions is pretty decent. Of course, there are some questions that have weird language, and I did file an incident report against them.
At 125 questions this is a significant exam. It took me more than an hour to answer them all, and I took the rest of the two hours reviewing my answers. You are allowed to use four hours in total.
Learning path for CCSP
An official book is available: the Official (ISC)2 Guide to the CCSP CBK (that is an affiliate link, by the way). And in 2018, (ISC)2 published an official practice test set.
CCSP is designed to be a five-day course, but I currently think that it is very dependent on the background of the attendants. I am not sure if this format is a good way to study for CCSP. In any case, there is also a lot of reading to be done.
I still think CCSK is a good basis for working your way to CCSP, as CCSP is more extensive in coverage. It is also a more formal exam that you have to take in a controlled testing center.
In contrast, CCSK is an open-book online exam. This does not make it easier though, as is witnessed by the fact that it is failed regularly by students.
While the arrival of ISC2 (who also run CISSP, arguably the most relevant IT security certification) underlines the relevance and maturity of cloud security, it also leaves some questions for people who either have or are pursuing CCSK certification.
If you are currently thinking of getting CCSK, should this be a moment to reconsider? It does make sense to evaluate your options. If you spend time on a certification, you might as well spend it wisely.
Getting to CCSP is a path with a lot of unknowns at this time. So here is one thing to consider: participants in my CCSK training report that it helps them in their day jobs now, even more so if they take it as a team.
That makes CCSK a safe bet to become familiar with cloud computing and security.
I only offer in-company CCSP trainings at the moment. Contact me for details.
Click “see prices” for more information about the CCSK trainings. These are also available as online courses.
CCSP Body Of Knowledge: six domains
If you decide to start with CCSP, here is the body of knowledge, according to (ISC)2.
The CCSP CBK consists of the following six domains:
Architectural Concepts & Design Requirements
Cloud computing concepts & definitions based on the ISO/IEC 17788 standard; security concepts and principles relevant to secure cloud computing.
- Understand Cloud Computing Concepts
- Describe Cloud Reference Architecture
- Understand Security Concepts Relevant to Cloud Computing
- Understand Design Principles of Secure Cloud Computing
- Identify Trusted Cloud Services
Cloud Data Security
Concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, and applications, and the controls used to enforce various levels of confidentiality, integrity, and availability in cloud environments.
- Understand Cloud Data Lifecycle
- Design and Implement Cloud Data Storage Architectures
- Design and Apply Data Security Strategies
- Understand and Implement Data Discovery and Classification Technologies
- Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
- Design and Implement Data Rights Management
- Plan and Implement Data Retention, Deletion, and Archiving Policies
- Design and Implement Auditability, Traceability and Accountability of Data Events
Cloud Platform & Infrastructure Security
Knowledge of the cloud infrastructure components, both the physical and virtual, existing threats, and mitigating and developing plans to deal with those threats.
- Comprehend Cloud Infrastructure Components
- Analyze Risks Associated with Cloud Infrastructure
- Design and Plan Security Controls
- Plan Disaster Recovery and Business Continuity Management
Cloud Application Security
Processes involved with cloud software assurance and validation; and the use of verified secure software.
- Recognize the need for Training and Awareness in Application Security
- Understand Cloud Software Assurance and Validation
- Use Verified Secure Software
- Comprehend the Software Development Life-Cycle (SDLC) Process
- Apply the Secure Software Development Life-Cycle
- Comprehend the Specifics of Cloud Application Architecture
- Design Appropriate Identity and Access Management (IAM) Solutions
Operations
Identifying critical information and executing selected measures that eliminate or reduce adversary exploitation of it; the requirements of cloud architecture for running and managing that infrastructure; the definition of controls over hardware, media, and the operators with access privileges, as well as the auditing and monitoring mechanisms, tools and facilities.
- Support the Planning Process for the Data Center Design
- Implement and Build Physical Infrastructure for Cloud Environment
- Run Physical Infrastructure for Cloud Environment
- Manage Physical Infrastructure for Cloud Environment
- Build Logical Infrastructure for Cloud Environment
- Run Logical Infrastructure for Cloud Environment
- Manage Logical Infrastructure for Cloud Environment
- Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
- Conduct Risk Assessment to Logical and Physical Infrastructure
- Understand the Collection, Acquisition and Preservation of Digital Evidence
- Manage Communication with Relevant Parties
Legal & Compliance
Addresses ethical behavior and compliance with regulatory frameworks. Includes investigative measures and techniques, gathering evidence (e.g., Legal Controls, eDiscovery, and Forensics); privacy issues and audit process and methodologies; implications of cloud environments in relation to enterprise risk management.
- Understand Legal Requirements and Unique Risks within the Cloud Environment
- Understand Privacy Issues, Including Jurisdictional Variation
- Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
- Understand Implications of Cloud to Enterprise Risk Management
- Understand Outsourcing and Cloud Contract Design
- Execute Vendor Management
Contact me for CCSP certification
I am an experienced trainer and authorized CSA training partner. My aim is to help people make better use of information technology and teach them about cloud computing and cloud security. Count on me for fundamental definitions, clear language, helpful insights, and valuable competence.
Are you ready to start your CCSP certification? Contact me for an in-company training.
Very grateful. Thank you!
I have appreciated very well most topics and particularly the Security Risk & compliance topics. Comparison on IT process on premise with those in the Cloud is quite good. But, it could be done deeper.
This class is great. Good balance between you talking, and us chatting. You keep control of the syllabus and the schedule, and we provide some information on what the facts mean to us and how we understand them in our context. Brilliant stuff.
Very professional domain, but very clearly explained! Thanks
Most useful: Technical context, risk knowledge and exam approach
Experienced trainer. Reflects his experience well within the context
Peter is incredibly knowledgeable and takes the time to answer questions and actually work with his students. The course is also an amazing way to learn how AWS actually works and, by the end of the labs, you feel ready to manage your own cloud! The materials are easy to understand and yet technical enough to get real-life security implemented. This was a great course and far beyond most of the accreditation courses I have completed.
I attended Peter’s CCSK-training and found it very useful, because 1) the sessions gave me more insight on several other aspects of cloud computing than only security, 2) it “inspired” (/forced) me to study the CSA guide/ENISA more thoroughly and not least 3) I managed to pass the exam 🙂
I had very little to no experience with the CLOUD, so this training was incredibly valuable to me. My new professional responsibilities are becoming more and more cloud centric. I have a greatly improved level of confidence because I know I have a solid educational foundation that the training and exam preparation has provided for me. I cannot recommend it highly enough!