Comprehensive guide to ISC2 CCSP domains (2025)
The cloud has transformed from a buzzword into the backbone of modern business. As organizations migrate more workloads and sensitive data to cloud environments, the need for skilled cloud security professionals continues to grow. The Certified Cloud Security Professional (CCSP) certification is one of the most respected credentials for proving your expertise in securing cloud environments.
But what exactly does the CCSP cover? At its core, the certification is built around six key domains forming the Common Body of Knowledge (CBK). Each domain focuses on critical aspects of cloud security, from fundamental concepts to practical implementation and compliance requirements.
Read on to learn more about the CCSP domains.
Understanding the CCSP domains
The CCSP exam tests your knowledge across six distinct domains, each weighted to reflect its relative importance in cloud security practice:
- Cloud Concepts, Architecture and Design (17%) covers topics including foundational concepts and models, security considerations in cloud architecture and design principles for secure cloud services.
- Cloud Data Security (20%) covers topics including protecting data throughout its lifecycle, storage architecture security and data rights management.
- Cloud Platform and Infrastructure Security (17%) covers topics including physical and virtual components, risk analysis and mitigation, and business continuity in the cloud.
- Cloud Application Security (17%) covers topics including secure software development, identity and access management, and cloud-specific application risks.
- Cloud Security Operations (16%) covers topics including managing cloud infrastructure, incident response, and security monitoring and analysis.
- Legal, Risk and Compliance (13%) covers topics including legal requirements across jurisdictions, privacy considerations, and audit processes and frameworks.
The CCSP exam is typically updated every three years to ensure it aligns with current industry trends and practices. To learn about the most recent change in August 2024, visit our article on CCSP exam changes.
The exam now comprises 125 multiple-choice questions you must complete within 3 hours. To pass, you'll need to score at least 700 out of 1,000 points. The CCSP exam is available in English, Chinese, Japanese and German.
What makes the CCSP particularly valuable is its focus on practical, real-world cloud security challenges. Rather than just testing theoretical knowledge, the exam scenarios reflect situations you will likely encounter when securing cloud environments. This practical emphasis helps explain why the CCSP has become such a sought-after certification among employers looking for proven cloud security expertise.
Deep dive into CCSP topics and domains
Now that you have an overview of the six domains, let's examine the CCSP exam details in depth. We will explore each subdomain and highlight critical focus areas, so that you can see how these elements work together in actual cloud security practice.
You can also view the CCSP exam outline for more details.
CCSP Domain 1: Cloud Concepts, Architecture and Design
This section of the test encompasses basic concepts of cloud computing, design principles and the evaluation of cloud service providers. It accounts for 17% of the CCSP certification exam. Each of its five subdomains covers a different aspect of cloud computing.
1.1 Understand cloud computing concepts
Candidates will need to understand cloud computing fundamentals and current terminology. NIST Special Publication 800-145, published in 2011, defined cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." According to NIST, this cloud model comprises:
Five essential characteristics:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity or expansion
- Measured service
Three service models:
- Software
- Platform
- Infrastructure
Four deployment models:
- Private
- Community
- Public
- Hybrid
Test takers need to review each of these concepts and the way they have evolved in recent years.
Cloud computing roles
Candidates need to understand the roles and responsibilities of all parties involved in a cloud computing environment and how the various roles work together to keep cloud data secure:
- Cloud service customer
- Cloud service provider
- Cloud service partner
- Cloud service broker
- Regulator
Key cloud computing characteristics
Candidates also need to understand the six key cloud computing characteristics that must be present for a service or offering to be considered part of the cloud:
- On-demand self-service
- Broad network access
- Rapid elasticity and scalability
- Resource pooling
- Measured service
- Multitenancy
Building-block technologies
Candidates need to understand the five building-block technologies that make the cloud possible. In combination, these technologies allow better resource utilization and improve the cost structure of technology. Depending on the cloud service model, the customer may have more or fewer responsibilities for these technologies:
- Virtualization
- Storage
- Networking
- Databases
- Orchestration
1.2 Describe cloud reference architecture
Candidates need to understand the various components required to develop and manage a cloud environment and how services are delivered, configured and managed.
Cloud computing activities
Candidates need to understand the activities (and roles) that several parties perform to build, secure and manage a cloud environment:
- Cloud consumer
- Cloud provider
- Cloud auditor
- Cloud broker
- Cloud carrier
Cloud service capabilities
Candidates need to understand the three cloud service models that provide different capabilities:
- Application capability types
- Platform capability types
- Infrastructure capability types
Cloud service models
Candidates need to understand the differences among the various cloud service models and their functions.
- Software-as-a-service (SaaS): The cloud provider manages all aspects of the application environment, such as virtual machines, networking resources, data storage and applications. The cloud customer is responsible only for the data.
- Platform-as-a-service (PaaS): The cloud provider manages the virtual machines and networking resources, and the cloud customer is responsible for deploying their applications in the cloud environment.
- Infrastructure-as-a-service (IaaS): The cloud provider is responsible for the underlying infrastructure in the cloud environment. The cloud customer controls operating system selection and configuration, patching, software tools and applications.
Deployment models
Candidates need to understand the four deployment models (public, private, community and hybrid models), how cloud services are hosted, who controls and operates them and what customers have access to.
Cloud shared considerations
Candidates need to understand the various factors customers must consider before starting their journey to the cloud:
- Interoperability
- Portability and reversibility
- Availability
- Security and privacy
- Resiliency
- Performance
- Governance
- Maintenance and versioning
- Service levels (agreements)
- Auditability
- Regulatory compliance
Impact of related technologies
Candidates need to understand some of the critical and emerging technologies representing the fastest-growing applications of cloud computing:
- Machine learning
- Artificial intelligence
- Blockchain
- Internet of things
- Containers
- Quantum computing
- DevSecOps
1.3 Understand security concepts relevant to cloud computing
Candidates need to understand various security concepts relevant to cloud computing:
- Cryptography and key management
- Access control
- Data and media sanitization (e.g., overwriting, cryptographic erase)
- Network security (e.g., network security groups)
- Virtualization security (e.g., hypervisor security and container security)
- Security hygiene
Common threats
Candidates need to understand various threats organizations face and risks inherent in utilizing cloud computing environments, such as data breaches, misconfiguration, inadequate change control and more.
1.4 Understand design principles of secure cloud computing
Candidates need to understand the six phases in the secure cloud data lifecycle: create, store, use, share, archive and destroy.
They also need to review the difference between disaster recovery (DR) and business continuity planning (BCP) in a cloud environment.
Candidates need to understand when, why and how cost-benefit analysis is carried out to determine whether the features offered by the cloud provider justify the costs associated with the cloud environment.
Functional security requirements
Candidates need to understand the various security concerns (e.g., portability, interoperability and vendor lock-in) that must be evaluated, some of which are unique to the cloud service and shared responsibility models.
1.5 Evaluate cloud service providers
Candidates need to understand some factors used to evaluate cloud service providers, their service offerings and their systems' security:
- Cloud service evaluation criteria: Candidates need to understand the role "certification against criteria" plays in identifying trusted cloud services, such as ISO/IEC 27017, the Payment Card Industry Data Security Standard (PCI DSS), etc.
- Cloud certification scheme: Candidates need to understand some system/subsystem product certifications, such as Common Criteria (CC) and Federal Information Processing Standard (FIPS) 140-2.
CCSP Domain 2: Cloud Data Security
Domain 2 of the CCSP exam contains eight subdomains representing 20% of the exam. It assesses your level of mastery of the most critical aspects of cloud data security.
2.1 Describe cloud data concepts
Candidates need to understand the following:
- Cloud data lifecycle phases from creation to storage, usage, sharing, archiving and destruction
- Data flows
- Data dispersion and its importance for data resiliency and availability
2.2 Design and implement cloud data storage architectures
Candidates need to understand the storage types and options and the threats and countermeasures applicable to the various cloud service models.
Storage types
- Infrastructure as a service (IaaS): Ephemeral, raw, long-term, volume and object
- Platform as a service (PaaS): Disk, databases, binary large object (blob)
- Software as a service (SaaS): Information storage and management, content and file storage and content delivery network (CDN)
Threats to storage types
Candidates need to understand threats to cloud storage and appropriate countermeasures, such as unauthorized access, regulatory noncompliance, jurisdictional issues, malware and ransomware.
2.3 Design and apply data security technologies and strategies
Candidates need to understand various security technologies and strategies that consumers can use to protect data stored in a cloud environment:
- Encryption and key management
- Hashing
- Tokenization
- Data loss prevention
- Data obfuscation
- Keys, secrets and certificates management
2.4 Implement data discovery
Candidates need to know how to find data in the cloud environment before it can be classified and protected. Having data distributed at more locations increases the attack surface area:
- Structured data
- Unstructured data
- Semi-structured data
- Data location
2.5 Plan and implement data classification
Candidates need to understand how to map, label and classify data to indicate the value or sensitivity of the content. This process helps determine appropriate policies and controls to ensure compliance and determine encryption needs, approved use of data, authorized access and proper retention and disposal:
- Data classification policies
- Data mapping
- Data labeling
2.6 Design and implement information rights management (IRM)
Candidates need to understand how IRM works, its importance and its pitfalls in cloud environments, especially regarding the security and privacy of an organization's sensitive data. The two categories of IRM are consumer-grade IRM, also known as digital rights management (DRM), and enterprise-grade IRM:
- Objectives (e.g., data rights, provisioning, access models): Candidates need to understand the various attributes of an IRM system, such as persistence, dynamic policy control, expiration and continuous audit trail.
- Appropriate tools (e.g., issuing and revocation of certificates): Candidates need to understand the critical capabilities of IRM tools and solutions and features to look out for when incorporating IRM into a cloud security architecture.
2.7 Plan and implement data retention, deletion and archiving policies
Candidates need to understand data protection strategies (retention, deletion and archiving) and compliance obligations (i.e., legal, regulatory and contractual):
- Data retention policies: Candidates must understand data retention policies and features required to ensure the cloud consumers meet internal and compliance requirements (e.g., storage costs and access requirements, specified legal and regulatory retention periods and data retention practices).
- Data deletion procedures and mechanisms: Candidates need to understand the data deletion procedures required to securely remove data from information systems when they are no longer required. There are three categories of deletion actions for various media types to achieve defensible destruction — clear, purge and destroy.
- Data archiving procedures and mechanisms: Candidates must understand the data archiving procedures required to meet an organization's retention requirements and optimize storage resources in a live production cloud environment.
Legal hold
Candidates need to understand legal holds, electronic discovery and their importance during a legal investigation, as well as legal hold roles and responsibilities when negotiating cloud contracts and SLAs.
2.8 Design and implement auditability, traceability and accountability of data events
Candidates must understand the various stages of data moving in cloud environments and the critical methods used to protect data throughout the entire lifecycle. In addition, you should know how to identify, track and analyze data events to ensure security in the cloud environment:
- Defining event sources and requirements of identity attribution (identity, Internet Protocol (IP) address, geolocation): Candidates must understand the key event sources, event data and event attributes available for the cloud service models — IaaS, PaaS and SaaS.
- Logging, storing and analyzing data events: Candidates need to understand how to collect, verify, store and analyze data collected in a cloud environment.
- Chain of custody and nonrepudiation: Candidates need to understand the process of maintaining the chain of custody to ensure data integrity while conducting forensic analysis and incident response.
CCSP Domain 3: Cloud Platform and Infrastructure Security
The third domain of the CCSP CBK tests candidates' understanding of cloud security strategies, risks and responsibilities, storage and business continuity programs. It represents 17% of the exam.
3.1 Comprehend cloud infrastructure and platform components
Candidates need to recognize the various unique components of the cloud infrastructure (both physical and virtual) and their roles. In addition, it is essential to understand the roles of the cloud customer and the cloud service provider based on the shared responsibility model. A typical cloud infrastructure consists of the following components:
- Physical environment: This typically includes the server rooms, data centers and other physical locations of the cloud service provider. This is the sole responsibility of the cloud service provider.
- Network and communications: The physical network is the cloud service provider's responsibility, while components housed at the cloud customer's facility are their responsibility.
- Compute: This typically consists of the infrastructure components that deliver resources, such as the virtual machines, disk, processor, memory and network resources. The maintenance and security of the physical components are the cloud service provider's responsibility.
- Virtualization: The security of the hypervisor (Type 1 or Type 2) is the sole responsibility of the cloud service provider.
- Storage: The cloud service provider is responsible for the physical protection of the data center. In contrast, the cloud customer is responsible for the security, privacy and customer data, as applicable.
- Management plane: This provides the tools (web interface and APIs) necessary to configure, monitor and control a cloud environment.
3.2 Design a secure data center
To scrutinize the physical and environmental controls for protecting assets (critical information and equipment), candidates need to understand the principles behind secure data center design and the logical, physical and environmental security controls to be implemented, as well as how to build resilience by design. These are the responsibility of the cloud service provider because they have physical control and ownership of the data center and the physical infrastructure. The following factors must be considered:
- Logical design (i.e., tenant partitioning and access control)
- Physical design (i.e., location, buy or build)
- Environmental design (i.e., heating, ventilation and air conditioning (HVAC), multi-vendor pathway connectivity)
- Design resilience
3.3 Analyze risks associated with cloud infrastructure and platforms
Candidates must understand the various risks that may impact an organization when evaluating cloud infrastructures:
- Risk assessment (e.g., identification, analysis): Candidates need to understand risks for the cloud service provider and the cloud customer. These may include organizational, compliance, legal, cloud infrastructure and virtualization risks.
- Cloud vulnerabilities, threats and attacks: Candidates must understand the threats and vulnerabilities that may affect a cloud infrastructure, including attacks that malicious individuals may leverage.
- Risk mitigation strategies: Candidates need to understand the countermeasures and controls that can be implemented to mitigate the risks in a cloud infrastructure.
3.4 Plan and implement security controls
Candidates need to understand the security controls that can mitigate risks when designing and planning their cloud infrastructure and applications at scale:
- Physical and environmental protection: This covers the security of the data center, including the physical infrastructure (e.g., servers, networking equipment and HVAC systems) and the buildings that host it.
- System, storage and communication protection: This involves the security of the system and communications. Controls may include:
  - Policy and procedures
  - Separation of system and user functionality
  - Security function isolation
  - Denial of service protection
  - Boundary protection
- Identification, authentication and authorization in cloud environments: This focuses on identity and access management to meet policy or regulatory requirements.
- Audit mechanisms: This helps to ensure that IT systems in the cloud meet legal, regulatory and security requirements. Some audit mechanisms include log collection, correlation and packet capture.
3.5 Plan business continuity (BC) and disaster recovery (DR)
To ensure data availability, candidates must understand business continuity and disaster recovery in the cloud:
- BC/DR strategies: The importance of suitable cloud-based disaster recovery and business continuity solutions for any organization.
- Business requirements: The importance of these requirements during business continuity and disaster recovery planning:
  - Recovery time objective (RTO): The maximum amount of time in which a business process must be restored to a specific service level.
  - Recovery point objective (RPO): The amount of data an organization will lose if a disaster or other system stoppage occurs.
  - Recovery service level: The measure of computing resources needed to keep production environments running during a disaster.
- Creation, implementation and testing: This deals with creating, implementing and testing a BC/DR plan to meet an organization's predetermined RPO/RTO requirements.
CCSP Domain 4: Cloud Application Security
Domain 4 of the CCSP CBK focuses on developing and securing cloud applications, representing 17% of the exam.
4.1 Advocate training and awareness for application security
- Cloud development basics: Candidates need to understand the basics of cloud application development, including:
  - Security by design
  - Shared security responsibility
  - Security as a business objective
- Common pitfalls and common cloud vulnerabilities: Candidates need to understand common pitfalls and vulnerabilities (e.g., Open Web Application Security Project (OWASP) Top 10, SANS Top 25) when migrating to or developing applications in the cloud. Such pitfalls include:
  - Lack of guidelines and documentation
  - Integration complexities
  - Multi-tenancy challenges
  - Third-party administrator challenges
4.2 Describe the secure software development life cycle (SSDLC) process
Candidates need to understand the phases under the SSDLC, which include security-focused steps that allow security by design. They also need to understand business requirements and know the application's business needs.
Phases and methodologies
The following phases are common across the various models of SDLCs, such as Waterfall, Agile, Development and Operations (DevOps):
- Planning
- Requirement analysis
- Design
- Development
- Testing
- Deployment
- Operations and maintenance
4.3 Apply the secure software development life cycle (SSDLC)
Candidates need to understand cloud-specific risks and the use of threat modeling to assess the impact of those risks.
Avoid common vulnerabilities during development
Candidates should know the vulnerabilities to address when developing for the cloud.
The latest OWASP Top 10 identifies critical web application security risks, including:
- Broken access control
- Cryptographic failures
- Injection
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery
Cloud-specific risks
Candidates need to recognize the numerous security challenges and threats that the cloud has brought forth, from limited visibility into cloud usage to data breaches, account hijacking, malware, lack of cloud security architecture and strategy and misconfigurations.
Secure coding
Candidates must know best practices for securing applications in the cloud and ways to ensure software quality through validation and verification activities:
- Application Security Verification Standard (ASVS)
- Software Assurance Forum for Excellence in Code (SAFECode)
- Open Web Application Security Project (OWASP)
Threat modeling
Candidates need to know how threat models work in identifying potential threats to applications and the countermeasures that can be implemented. Four commonly used threat models are STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege), PASTA (process for attack simulation and threat analysis), DREAD (disaster, reproducibility, exploitability, affected users and discoverability) and ATASM (architecture, threats, attack surfaces and mitigations).
Software configuration management (SCM) and versioning
Candidates need to understand the importance of SCM and versioning in managing software assets, configuration management (including change management), and configuration management databases (CMDB) tools such as Chef, Puppet and Ansible.
4.4 Apply cloud software assurance and validation
Candidates need to understand the importance of testing and auditing in developing secure applications and various application security testing methodologies:
- Functional and non-functional testing: Candidates need to understand the difference between functional and non-functional testing.
  - Functional testing ensures that the functions and features of the application work correctly.
  - Non-functional testing only looks at the performance or usability of these functions.
- Security testing methodologies: Candidates need to understand the various software testing methodologies, such as black-box testing, white-box testing, static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), and interactive application security testing (IAST).
- Quality assurance and abuse case testing: Both are essential for the security testing of new applications.
4.5 Use verified secure software
Candidates must understand the significant components of secure software a security-conscious organization uses. These components include:
- Approved APIs
- Supply chain management
- Third-party software management
- Validated open-source software
4.6 Comprehend the specifics of cloud application architecture
Candidates need to understand the various security components and technologies required in a cloud application architecture:
- Supplemental security components: Candidates need to understand how security components such as web application firewall (WAF), database activity monitoring (DAM), Extensible Markup Language (XML) firewalls, and application programming interface (API) gateway work in a cloud environment.
- Cryptography: Candidates need to understand data encryption at rest and in motion in the cloud, using technologies/protocols such as transport layer security (TLS), a virtual private network (VPN) and the management of encryption keys in the cloud by the cloud service provider (CSP) and the cloud consumer.
- Sandboxing, application virtualization and orchestration: Candidates need to understand how sandboxing, application virtualization and application orchestration (e.g., microservices, containers) work in a cloud environment. Popular cloud orchestration tools include AWS CloudFormation, Terraform, Azure Automation, etc.
4.7 Design appropriate identity and access management (IAM) solutions
Candidates need to understand identification, authentication and authorization in the cloud and the components and protocols that make up an IAM solution:
- Federated identity and single sign-on: Candidates need to understand federated identity (e.g., Security Assertion Markup Language (SAML), Open Authorization (OAuth), etc.) and single sign-on, the benefits of those protocols and how they work.
- Identity providers (IdP): Candidates need to understand how identity providers such as Azure Active Directory, AWS IAM, Google Cloud Identity, Okta Identity Management, etc., interface with cloud applications.
- Single sign-on (SSO) and multifactor authentication (MFA): Candidates need to understand the concepts of SSO and its ability to let users access all needed applications by authenticating themselves only once and MFA with its need for various authentication factors (i.e., something you know, something you have and something you are).
- Cloud access security broker (CASB): Candidates need to understand how a CASB works to mitigate high-risk security events and manage user activities in the cloud.
- Secrets management: Candidates need to be familiar with solutions that can help improve the IAM methods to control access to cloud assets.
CCSP Domain 5: Cloud Security Operations
The fifth domain of the CCSP CBK covers the requirements for developing, planning, implementing, running and managing the physical and logical cloud infrastructure.
5.1 Build and implement physical and logical infrastructure for the cloud environment
Candidates must understand the requirements for implementing and building a physical and logical infrastructure with security in mind:
- Hardware-specific security configuration requirements: Candidates need to know the various hardware components (and corresponding configuration requirements and settings) needed in a cloud data center infrastructure, such as basic input-output systems (BIOS), virtualization, hardware security module (HSM) and trusted platform module (TPM).
- Installation and configuration of management tools: Candidates must know how to install and configure management tools required to secure a virtual and cloud-based installation.
- Virtual hardware-specific security configuration requirements: Candidates must understand the various configuration settings and requirements for maintaining virtual hardware security (e.g., network, storage, memory, central processing unit (CPU) and Hypervisor types 1 and 2).
- Installation of guest operating system virtualization toolsets: Candidates need to understand the toolsets that enable installing operating systems in the virtualization environment.
5.2 Operate and maintain physical and logical infrastructure for the cloud environment
Candidates need to understand access control mechanisms, physical and virtual network configurations and OS hardening baselines, and how to ensure the availability of physical and virtual hosts and resources in a cloud environment:
- Access control for local and remote access: Candidates need to understand protocols for supporting remote administration, such as secure shell (SSH), remote desktop protocol (RDP), virtual network computing (VNC), console-based access mechanisms, jump boxes, etc.
- Secure network configuration: Candidates need to understand protocols, technologies, services and concepts for securing networks and the data transmitted, such as virtual local area network (VLAN), transport layer security (TLS), dynamic host configuration protocol (DHCP), domain name system security extensions (DNSSEC), a virtual private network (VPN), and so forth.
- Network security controls: Candidates need to understand network security controls and technologies, such as firewalls, intrusion detection/prevention systems (IDS/IPS), honeypots, etc.
- Operating system hardening through the application of baselines: Candidates need to understand baselines in hardening operating systems (e.g., Windows, Linux, VMware). The baseline and corresponding documentation may be achieved via customer-defined VM images, NIST checklists, CIS benchmarks, etc.
- Patch management: Candidates need to understand the patch management process for finding, testing and applying patches to a cloud environment.
- Availability of clustered hosts: Candidates need to understand clustered hosts (e.g., distributed resource scheduling, dynamic optimization, storage clusters, maintenance mode, high availability) and their use.
- Performance and capacity monitoring: Candidates must understand the tools and infrastructure elements (e.g., network, compute, response time, storage) that can be monitored.
- Hardware monitoring: Candidates need to understand the tools and hardware elements (e.g., CPU temperature and fan speed) that require monitoring because they can fluctuate.
- Configuration of host and guest operating system backup and restore functions: Candidates need to understand the three main types of backup technologies (i.e., snapshots, agent-based and agentless).
- Management plane: Candidates need to understand the uses of a management plane in a cloud environment by the CSP. This includes knowing the activities related to scheduling and orchestration, as well as managing and maintaining the control plane.
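As an added illustration of the remote-access and baseline-hardening items above (example code written for this guide, not ISC2 material or any vendor's tool), the following Python script checks an sshd_config against a small hardening baseline. The baseline values are illustrative, modelled on common CIS-style guidance rather than copied from a specific benchmark, and SAMPLE_CONFIG is a constructed file, not one taken from a real host.

```python
"""Check an sshd_config against a small hardening baseline.

Example written for this guide. The baseline values are illustrative
(modelled on common CIS-style guidance, not copied from a benchmark) and
SAMPLE_CONFIG is a constructed file, not one taken from a real host.
"""

# OpenSSH defaults that apply when a directive is absent or commented out.
# Note that PermitRootLogin defaults to prohibit-password, not "no", and
# PasswordAuthentication defaults to yes.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "loglevel": "INFO",
    "maxauthtries": "6",
}

# Illustrative baseline: directive -> acceptable values (compared case-insensitively).
BASELINE_ALLOWED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "loglevel": {"info", "verbose"},
}
# Illustrative baseline: directive -> maximum permitted integer value.
BASELINE_MAX = {"maxauthtries": 4}


def parse_sshd_config(text):
    """Return the effective global directives, keyed by lower-cased name.

    sshd honours the *first* occurrence of a directive, and everything after
    the first 'Match' block is conditional, so parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Both "Key value" and "Key=value" forms are accepted by sshd.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_baseline(text):
    """Return findings as (directive, effective_value, requirement) tuples."""
    effective = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE_ALLOWED.items():
        value = effective.get(key, DEFAULTS.get(key, ""))
        if value.lower() not in allowed:
            findings.append((key, value, "one of " + "/".join(sorted(allowed))))
    for key, maximum in BASELINE_MAX.items():
        value = effective.get(key, DEFAULTS.get(key, ""))
        if not value.isdigit() or int(value) > maximum:
            findings.append((key, value, f"<= {maximum}"))
    return findings


SAMPLE_CONFIG = """\
# Constructed sample sshd_config (not from a real host)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 6
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for directive, value, requirement in check_baseline(SAMPLE_CONFIG):
        print(f"FAIL {directive}: effective value {value!r}, baseline requires {requirement}")
```

Two details matter when auditing sshd_config with a script rather than by eye: sshd applies the first occurrence of a directive, so the hardened `PermitRootLogin no` near the bottom of the sample does nothing because a permissive line precedes it, and a directive that is commented out falls back to the OpenSSH default, which for PasswordAuthentication is yes. Anything after the first Match block is conditional and is deliberately excluded from this global check.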
5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
Candidates need to understand the regulations and controls used to govern IT operations and processes in cloud environments. Such processes include:
- Change management
- Continuity management
- Information security management
- Continual service improvement management
- Incident management
- Problem management
- Release management
- Deployment management
- Configuration management
- Service level management
- Availability management
- Capacity management
5.4 Support digital forensics
Candidates need to understand how to conduct digital forensics in a cloud environment:
- Forensics data collection methodologies: Candidates need to understand two standards related to e-discovery: ISO/IEC 27050 and Cloud Security Alliance (CSA) Security Guidance Domain 3, Legal Issues: Contracts and Electronic Discovery.
- Evidence management: Candidates must understand how to manage the chain of custody from evidence collection to trial during any digital forensics investigation.
- Collect, acquire and preserve digital evidence: Candidates need to understand the phases of digital evidence handling and the challenges associated with evidence collection in a cloud environment.
5.5 Manage communication with relevant parties
Candidates need to understand how to communicate accurately, concisely and in a timely manner with vendors, customers (including under the cloud shared responsibility model), partners, regulators and other stakeholders.
5.6 Manage security operations
Candidates need to understand how to manage security operations and provide continuous security support in a cloud environment:
- Security operations center (SOC): Candidates need to understand how a SOC works in a cloud environment and its responsibilities, such as threat prevention and detection, incident management, etc.
- Intelligent monitoring of security controls: Candidates need to understand how to manage and monitor the security controls (e.g., firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, network security groups, artificial intelligence (AI)-assisted analytics, etc.) deployed to protect a cloud environment's physical and logical components.
- Log capture and analysis: Candidates need to understand the tools and processes required for log capture and analysis, such as security information and event management (SIEM) tools and log management.
- Incident management: Candidates need to understand the incident management and response procedures in a cloud environment and the three key elements: incident response plan, incident response team and root cause analysis.
- Vulnerability assessments: Candidates need to understand the importance of cloud vulnerability assessments of the network and IT infrastructure to give visibility into the environment's attack surface.
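To make the log capture and analysis item concrete, here is an added example (written for this guide, not ISC2 or vendor code) that runs two simple detection rules over cloud audit-log events: a burst of failed console logins followed by a success from the same actor and source address, and a security-group change that opens a sensitive port to the world. The event schema and field names ("time", "event", "actor", "src_ip", "outcome", "params") are invented for the example and only loosely resemble real provider audit logs; the events in SAMPLE_EVENTS are constructed.

```python
"""Two detection rules over constructed cloud audit-log events.

Example written for this guide. The JSON schema is invented for the example
(it only loosely resembles real provider audit logs) and every event below is
constructed; the IP addresses are from documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
{"time":"2025-01-15T10:00:01Z","event":"ConsoleLogin","actor":"alice","src_ip":"198.51.100.23","outcome":"failure"}
{"time":"2025-01-15T10:00:09Z","event":"ConsoleLogin","actor":"alice","src_ip":"198.51.100.23","outcome":"failure"}
{"time":"2025-01-15T10:00:15Z","event":"ConsoleLogin","actor":"alice","src_ip":"198.51.100.23","outcome":"failure"}
{"time":"2025-01-15T10:00:22Z","event":"ConsoleLogin","actor":"alice","src_ip":"198.51.100.23","outcome":"failure"}
{"time":"2025-01-15T10:00:31Z","event":"ConsoleLogin","actor":"alice","src_ip":"198.51.100.23","outcome":"failure"}
{"time":"2025-01-15T10:00:40Z","event":"ConsoleLogin","actor":"alice","src_ip":"198.51.100.23","outcome":"success"}
{"time":"2025-01-15T10:03:02Z","event":"AuthorizeSecurityGroupIngress","actor":"alice","src_ip":"198.51.100.23","outcome":"success","params":{"group":"sg-web","port":22,"cidr":"0.0.0.0/0"}}
{"time":"2025-01-15T10:03:30Z","event":"AuthorizeSecurityGroupIngress","actor":"bob","src_ip":"203.0.113.5","outcome":"success","params":{"group":"sg-db","port":5432,"cidr":"10.0.0.0/8"}}
{"time":"2025-01-15T11:00:00Z","event":"ConsoleLogin","actor":"bob","src_ip":"203.0.113.5","outcome":"failure"}
{"time":"2025-01-15T11:30:00Z","event":"ConsoleLogin","actor":"bob","src_ip":"203.0.113.5","outcome":"success"}
"""


def parse_events(text):
    """Parse JSON lines, attach a datetime under 'ts' and sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one (actor, src_ip) pair accumulates >= threshold failed
    ConsoleLogin events inside `window` and then logs in successfully."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["event"] != "ConsoleLogin":
            continue
        key = (e["actor"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        elif e["outcome"] == "success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "actor": e["actor"],
                               "src_ip": e["src_ip"], "failures": len(recent),
                               "time": e["time"]})
            failures[key] = []  # a success resets the counter for that pair
    return alerts


def detect_public_ingress(events, sensitive_ports=(22, 3389, 3306, 5432)):
    """Alert on a security-group rule that exposes a sensitive port to any address."""
    alerts = []
    for e in events:
        if e["event"] != "AuthorizeSecurityGroupIngress" or e["outcome"] != "success":
            continue
        params = e.get("params", {})
        if params.get("cidr") in ("0.0.0.0/0", "::/0") and params.get("port") in sensitive_ports:
            alerts.append({"rule": "public_ingress_sensitive_port", "actor": e["actor"],
                           "group": params["group"], "port": params["port"],
                           "time": e["time"]})
    return alerts


def run_detections(text):
    """Run both rules over a JSON-lines log and return all alerts in order."""
    events = parse_events(text)
    return detect_bruteforce_then_success(events) + detect_public_ingress(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The first rule keys on the actor and source address together and only fires after a success, which is what turns a noisy "many failures" signal into a likely compromise worth an incident; bob's single failure followed by a success stays below the threshold. The second rule is a configuration-drift detection, the kind of check a cloud SOC runs against control-plane audit logs rather than against host logs.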
CCSP Domain 6: Legal, Risk and Compliance
The final domain of the CCSP CBK, which represents 13% of the CCSP certification exam, focuses on relevant jurisdictional laws, statutes, regulations and frameworks for data collection in cloud computing.
6.1 Articulate legal requirements and unique risks within the cloud environment
Candidates should understand the legal requirements and unique risks that cloud computing architectures introduce:
- Conflicting international legislation: Candidates must know the multiple sets of laws and regulations and the risks introduced by conflicting legislation across jurisdictions and countries. Conflicts may include copyright and intellectual property law, data breaches (and breach notification), international import/export laws, etc.
- Evaluation of legal risks specific to cloud computing: Candidates must understand the legal risks (e.g., data residency vs. data localization vs. data sovereignty) of cloud computing.
- Legal frameworks and guidelines: Candidates should have a handle on the various legal frameworks related to personal data protection and regulations that may affect cloud computing requirements for companies in various regions. Such frameworks include:
- Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
- Asia-Pacific Economic Cooperation (APEC) Privacy Framework
- Cross-Border Privacy Rules (CBPR)
- General Data Protection Regulation (GDPR)
- Forensics and eDiscovery in the cloud: Candidates will need to understand the following:
- Which laws and regulations may apply to the organization and to the investigation, and how to maintain the chain of custody while complying with them.
- Standards from various bodies, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) and the Cloud Security Alliance (CSA), are used in collecting digital evidence and conducting forensics investigations in cloud environments.
- How to manage a chain of custody from evidence collection to trial during any digital forensics investigation.
- The phases of digital evidence handling and the challenges associated with evidence collection in a cloud environment.
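Domain 5.4 above and the forensics and eDiscovery bullets in 6.1 both describe evidence management and chain of custody. As an added example (written for this guide, not ISC2 material, and not the prescribed format of ISO/IEC 27050 or the CSA guidance), the Python below hashes evidence at acquisition, records each hand-off in a tamper-evident custody log and re-verifies the evidence before analysis. The evidence bytes, evidence ID, source description and analyst names are constructed.

```python
"""Evidence acquisition record and tamper-evident chain-of-custody log.

Example written for this guide. EVIDENCE, the evidence ID, the source string
and the actor names are constructed; the record layout illustrates the
principles (hash at acquisition, documented hand-offs, hash-chained log) and
is not a particular standard's format.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    """SHA-256 of a bytes object or of an iterable of byte chunks, hex-encoded."""
    h = hashlib.sha256()
    if isinstance(data, (bytes, bytearray)):
        h.update(data)
    else:
        for chunk in data:
            h.update(chunk)
    return h.hexdigest()


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def acquire_evidence(evidence_id, data, collector, source, acquired_at=None):
    """Record what was collected, from where, by whom, and its hash at that moment."""
    return {
        "evidence_id": evidence_id,
        "source": source,
        "collector": collector,
        "acquired_at": acquired_at or utc_now(),
        "size": len(data),
        "sha256": sha256_hex(data),
    }


def verify_evidence(record, data):
    """Re-hash the current copy and compare with the hash taken at acquisition."""
    return sha256_hex(data) == record["sha256"]


class CustodyLog:
    """Append-only chain-of-custody log. Every entry stores the hash of the
    previous entry, so editing or removing an earlier entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        # Canonical JSON so the hash does not depend on key order or whitespace.
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, evidence_id, action, actor, evidence_sha256, note="", at=None):
        prev = self._entry_hash(self.entries[-1]) if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": at or utc_now(),
            "evidence_id": evidence_id,
            "action": action,  # e.g. acquired, transferred, analysed, stored
            "actor": actor,
            "evidence_sha256": evidence_sha256,
            "note": note,
            "prev_entry_sha256": prev,
        }
        self.entries.append(entry)
        return entry

    def head(self):
        """Hash of the latest entry; store it on a separate system (or sign it)
        so that tampering with the final entry is also detectable."""
        return self._entry_hash(self.entries[-1]) if self.entries else self.GENESIS

    def verify(self):
        """True if every entry is numbered in order and links to its predecessor."""
        expected_prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_entry_sha256"] != expected_prev:
                return False
            expected_prev = self._entry_hash(entry)
        return True


# Constructed evidence: an exported auth log from a cloud VM snapshot (not real data).
EVIDENCE = (b"2025-01-15T10:02:11Z sshd[1201]: Accepted publickey for admin from 203.0.113.7\n"
            b"2025-01-15T10:02:40Z sudo: admin : COMMAND=/usr/bin/curl http://203.0.113.9/x\n")


def demo():
    """Acquire, hand over and re-verify the constructed evidence."""
    record = acquire_evidence("EV-0001", EVIDENCE, collector="analyst.a",
                              source="vm-web-01:/var/log/auth.log (provider snapshot export)")
    log = CustodyLog()
    log.record("EV-0001", "acquired", "analyst.a", record["sha256"], "exported from snapshot")
    log.record("EV-0001", "transferred", "analyst.b", record["sha256"], "handed to forensic analyst")
    log.record("EV-0001", "analysed", "analyst.b", sha256_hex(EVIDENCE), "hash re-verified first")
    return record, log


if __name__ == "__main__":
    rec, custody = demo()
    print("acquisition hash:", rec["sha256"])
    print("evidence intact:", verify_evidence(rec, EVIDENCE))
    print("custody chain valid:", custody.verify(), "head:", custody.head())
```

The acquisition hash is what makes a later copy admissible as the same evidence: any copy whose SHA-256 no longer matches the record is not the item that was collected. The hash-chained log detects alteration of any entry that has a successor; the last entry is only protected if its hash (the `head()` value) is recorded or signed somewhere the custodians cannot silently change, which is the cloud analogue of a countersigned paper custody form.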
6.2 Understand privacy issues
Candidates should know the privacy risks and issues cloud environments or technologies pose:
- Difference between contractual and regulated private data: Candidates need to understand the difference between private contractual data (e.g., data collected as part of normal business operations) and regulated private data (e.g., personally identifiable information (PII), protected health information (PHI) and payment data).
- Country-specific legislation related to private data: Candidates must comprehend various privacy regulations in various jurisdictions (e.g., CCPA — United States, GDPR — European Union, etc.).
- Jurisdictional differences in data privacy: Candidates must also understand and address jurisdictional differences/issues in privacy regulations.
- Standard privacy requirements: Candidates should have a handle on the various standard privacy requirements (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR), etc.).
- Privacy Impact Assessments (PIA): Candidates must understand how PIA can help identify and mitigate privacy risks when implementing new technology or programs.
6.3 Understand audit process, methodologies and required adaptations for a cloud environment
Candidates should know the unique considerations, processes and controls required to audit cloud environments:
- Internal and external audit controls: Candidates must understand the importance of internal and external audits in meeting regulatory, contractual, security and privacy obligations.
- Impact of audit requirements: Candidates should have a handle on the impact and challenges of the ever-changing nature of a cloud environment and how it impacts an audit.
- Identify assurance challenges of virtualization and cloud: To obtain assurance, candidates must grasp how to perform multiple layers of auditing (of both the hypervisor and the virtual machines) in a cloud environment.
- Types of audit reports: Candidates will need to understand the various audit reports that can describe their findings of the system examined. Examples of audit reports include:
- Service Organization Controls (SOC)
- Statement on Standards for Attestation Engagements (SSAE)
- International Standard on Assurance Engagements (ISAE)
- Restrictions of audit scope statements: Candidates should know the audit scope restrictions on what an auditor may or may not audit. Examples of scope statements include:
- Statement on Standards for Attestation Engagements (SSAE)
- International Standard on Assurance Engagements (ISAE)
- Gap analysis: Candidates need to understand the impact of a gap analysis in identifying issues and gaps before an audit and against industry standards/frameworks.
- Audit planning: Candidates must grasp the process required to plan an audit of a cloud environment, whether for financial reporting or for compliance.
- Internal information security management systems (ISMS): Candidates should have a handle on designing and implementing an organization's ISMS using an accepted standard such as ISO/IEC 27001 and 27002.
- Internal information security controls system: To establish an ISMS, candidates will need to understand the security controls used in managing information security.
- Policies: Candidates need to know the policies to govern an organization's people, processes and systems. There are various types of policies required:
- Organizational Policies
- Functional Policies
- Cloud Computing Policies
- Identification and involvement of relevant stakeholders: Candidates will need to comprehend how to identify relevant stakeholders that need to be involved in the decision process, critical questions faced in identifying the stakeholders and the governance challenges that may occur when moving to a cloud environment.
- Specialized compliance requirements for highly regulated industries: Candidates must understand the specialized compliance requirements for organizations in highly regulated industries such as healthcare, financial services and government organizations. Here are a few examples:
- North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Payment Card Industry (PCI)
- Impact of distributed information technology models: Candidates must know of the distributed information technology models (e.g., diverse geographical locations and crossing over legal jurisdictions), realize the common issues caused by these models, and grasp how to mitigate the associated risks.
6.4 Understand the implications of cloud to enterprise risk management
Candidates will need to understand the implications that using and maintaining a cloud environment has on an organization's risk management program and how to mitigate the risks:
- Assess providers' risk management programs: Candidates must know how to assess cloud service providers' risk management programs (e.g., controls, methodologies, policies, risk profile, risk appetite) and align with an organization's objectives.
- Differences between data owner/controller vs. data custodian/processor: Candidates should have a handle on the difference between data owners (data controllers) and data custodians (data processors).
- Regulatory transparency requirements: Candidates should know the regulatory transparency requirements imposed on data controllers (and data processors) by various regulations. Examples include breach notification, Sarbanes-Oxley (SOX) and General Data Protection Regulation (GDPR).
- Risk treatment: Candidates must understand how to evaluate an organization's vulnerabilities and the threats that might exploit them, determine the likelihood and impact of such exploitation, and select a treatment option: avoid, mitigate, transfer, share or accept.
- Risk frameworks: Candidates must grasp the various risk frameworks that can apply to an organization:
- ISO 31000:2018
- European Network and Information Security Agency (ENISA) assessment guides
- NIST SP 800-146
- Metrics for risk management: Candidates must understand key cybersecurity metrics that can be tracked to present measurable data to relevant stakeholders.
- Assessment of risk environment: Candidates must know how to assess a risk environment to cover the cloud environment (e.g., service, vendor, infrastructure and business).
6.5 Understand outsourcing and cloud contract design
Candidates should have a handle on business requirements, key contractual provisions and potential contractual implications of outsourcing to the cloud:
- Business requirements: Candidates will need to comprehend key business requirements [e.g., service-level agreement (SLA), master service agreement (MSA), statement of work (SOW)] and how a cloud service provider helps to meet those obligations.
- Vendor management: Candidates must understand how to manage vendors' risks (e.g., vendor assessments, vendor lock-in risks, vendor viability and escrow) and track service delivery via key performance indicators.
- Contract management: Candidates need to understand the proceedings of contract management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data and cyber risk insurance) and how to succeed in negotiation, creation and execution. In addition, contract terms, performance, and violations of stated agreements should be monitored.
- Supply chain management: Candidates will need to understand the actions to manage the supply chain, vendors, dependencies, points of failure, etc., as per International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036.
Preparing for the CCSP exam
Success on the CCSP exam requires a structured approach to studying and hands-on experience with cloud security concepts. The exam consists of 125 multiple-choice questions that you'll need to complete in 3 hours, with a passing score of 700 out of 1000 points.
Before starting your CCSP journey, make sure you meet the experience requirements: 5 years of cumulative paid work experience in information technology, with 3 years in information security and 1 year in at least one of the six CCSP domains. If you hold a CISSP certification, this satisfies the entire experience requirement.
For a comprehensive, instructor-led preparation experience, consider Infosec's CCSP Boot Camp. This intensive training program helps you master the material through expert instruction, hands-on exercises and practice exams.
For additional study resources, practice questions and certification guidance, visit our CCSP training hub. Here, you'll find everything you need to create a personalized study plan and prepare effectively for the exam.