Certified Cloud Security Professional (CCSP) is a cloud security certification issued by ISC2, an American non-profit organization.
The CCSP certification goes into more detail than the CCSK certificate issued by the Cloud Security Alliance (CSA). Some people recommend obtaining the CCSK before moving on to the CCSP. You can read a specific post about how to get the CCSK v4 certification.
This post answers questions like "how to get certified in CCSP", "how to earn the CCSP certification" or "how to become a CCSP".
The information provided here corresponds to 2024, and there are no plans to update it. Though the information may still be valid or valuable, please always check whether it is current.
CCSP Certification
CCSP is focused on cloud security, and it is complementary to other ISC2 certifications.
I strongly recommend getting the CISSP certification before the CCSP. Many questions and concepts that are studied in detail in CISSP are also asked in CCSP. Though the CCSP preparation material may seem lighter, it is additional to CISSP rather than a subset or simplified version of it.
The relationship between CISSP and CCSP is similar in some ways to that between the CISA and CISM certifications.
CCSP Content
CCSP domains:
- Domain 1. Cloud Concepts, Architecture and Design
- Domain 2. Cloud Data Security
- Domain 3. Cloud Platform & Infrastructure Security
- Domain 4. Cloud Application Security
- Domain 5. Cloud Security Operations
- Domain 6. Legal, Risk and Compliance
The CCSP domains are detailed and expanded in a document called the CCSP Exam Outline, which describes the CCSP Common Body of Knowledge (CBK). The content of the exam matches the topics covered in this document.
CCSP Certification Requirements
CCSP requirements:
- Passing the CCSP exam
- Specific professional experience
- Abiding by the ISC2 Code of Ethics
Required professional experience (if no exception applies to you):
- 5 years of cumulative paid work experience in IT, of which
- 3 years must be in information security, and
- 1 year must be in one or more of the 6 CCSP domains
If you are a holder of the CISSP certification, you do not need to fulfill the professional experience requirement.
If you are a holder of the CCSK certification, you do not need to fulfill the 1-year experience in any of the 6 CCSP domains.
If you pass the exam but do not yet have the required experience, you can become an Associate of ISC2 and have 6 years from passing the exam to gain and submit the professional experience.
You can read about the CCSP required professional experience on this external link.
CCSP Cost
As of 2024, the CCSP exam fee is 399 USD.
You also need to add the maintenance costs, which are paid annually. As of 2024, this is 125 USD per year and covers the renewal of all your ISC2 certifications; e.g., if you hold both CISSP and CCSP, you pay just 125 USD per year.
CCSP Exam
CCSP Exam Characteristics
CCSP exam characteristics:
- Exam type: 4-option multiple choice
- Number of questions: 150
- Time limit: 4 hours
- Maximum score: 1,000
- Passing score: 700
- Scoring type: scaled
- Delivery: in person at a test center
Note that, because the score is scaled, not every question is worth the same number of points, so answering 70% of the questions correctly does not necessarily mean you pass the exam.
CCSP Preparation Material
I used this book:
- Mike Chapple, David Seidl; “CCSP Official Study Guide Third Edition”; Sybex, 2021
I know there is also a CCSP All-in-One book by McGraw Hill, but I have not used it.
CCSP Practice Tests
I used the official one:
- Mike Chapple, David Seidl; "CCSP Official Practice Tests"; Sybex, 2021
There is also the Sybex Test Preparation Software.
Topics to prepare in CCSP Exam
Study guide content you need to memorize, as it appears in the CCSP OSG Third Edition (page numbers refer to that book):
- Chapter 1 "Architectural Concepts"
  - Cloud characteristics (broad network access, on-demand self-service, resource pooling, rapid elasticity and scalability, measured service) (p. 3)
  - Cloud models (private, public, hybrid, multi-cloud, community) (p. 13)
  - Multitenancy situations (oversubscription, undersubscription, overprovisioning, underprovisioning) (p. 15)
  - Horizontal/vertical scaling
- Chapter 2 "Data Classification"
  - Data discovery methods (label-based, metadata-based, content-based) (pp. 43-44)
  - Data structure types (structured, semi-structured, unstructured) (pp. 44-45)
  - Legal hold concept (p. 52)
- Chapter 3 "Cloud Data Security"
  - Data lifecycle stages (Create, Store, Use, Share, Archive, Destroy) (pp. 66-68)
  - Storage types (long-term, ephemeral, raw) (pp. 71-72)
  - Volume storage types (file, block, object-based) (pp. 72-73)
  - Data obfuscation techniques (masking, tokenization, anonymization...) (pp. 78-79)
- Chapter 4 "Security in the Cloud"
  - Models for cloud BC/DR activities (private architecture with cloud backup; cloud provider with backup at the same provider; cloud provider with backup at another cloud provider)
- Chapter 5 "Cloud Platform, Infrastructure, and Operational Security"
  - Management plane features (scheduling, orchestration, maintenance) (pp. 138-139)
- Chapter 6 "Cloud Application Security"
  - Secure coding practices and standards (SANS/CWE Top 25, OWASP ASVS, SAFECode) (pp. 170-171) (post)
    - SANS/CWE Top 25
    - ASVS 3 levels (Level 1 "low assurance level" to Level 3 "critical applications security validation")
    - SAFECode
  - Threat modeling (STRIDE, DREAD, ATASM, PASTA) (pp. 172-174) (post)
  - Federated identity management (p. 180) (post)
    - Federation roles (identity provider/IdP, relying party) (p. 181)
    - Federation models (web-of-trust, trusted third-party model) (p. 181)
  - Secrets lifecycle (creation, rotation, revocation, expiration) (p. 182)
- Chapter 7 "Operations Elements"
  - Uptime Institute's Tier Classifications (1, 2, 3, 4) (pp. 200-201) (post)
  - Virtualization concepts (distributed resource scheduling, dynamic optimization, maintenance mode, high availability, containerization, ephemeral computing, serverless) (pp. 202-203)
    - Immutable containerization
- Chapter 8 "Operations Management"
  - IT Service Management processes (post)
  - DevSecOps (p. 228)
  - Business Continuity and Disaster Recovery (pp. 231-239)
    - BC/DR testing (tabletop, dry run, full test) (p. 238)
- Chapter 9 "Legal and Compliance Issues"
  - Legal terms (subpoena, affidavit)
  - Liability (criminal, civil)
  - Elements of negligence (duty of care, breach of duty, damages, causation) (p. 254)
  - Invasion of privacy torts (invasion of solitude, disclosure of private facts, false light, appropriation) (p. 254)
  - HIPAA (pp. 255-259)
    - Business Associate Agreement (BAA)
  - GLBA
  - GDPR
  - Encryption standards (FIPS 140-2) (p. 327) (post) (the exam goes much deeper than the brief description in the OSG)
    - FIPS 140-2 levels (1, 2, 3, 4) (p. 327)
  - FedRAMP (p. 327) (post) (the exam goes much deeper than the brief description in the OSG)
    - FedRAMP authorized provider list
    - FedRAMP provider requirements and obligations
  - CSA STAR levels (1, 2)
  - Cloud standards (ISO/IEC 27017)
  - Privacy standards (GAPP, ISO/IEC 27701, ISO/IEC 27018 privacy for cloud) (post)
    - GAPP principles (p. 273)
  - Cloud forensic standards (ISO/IEC 27037, 27041, 27042, 27043, 27050) (p. 281) (post)
  - SOC standards (ISAE 3402, SSAE 18) (p. 288)
- Chapter 10 "Cloud Vendor Management"
  - Standard contracting agreements (master service agreement, service-level agreement, memorandum of understanding, business partnership agreement, nondisclosure agreement) (p. 326) (post)
In addition, there are questions in the exam that address topics not covered in the CCSP OSG but in the CISSP OSG, for example:
- Common Criteria (CC) levels
- Asymmetric encryption and PKI
- Web-based IAM protocols (OAuth, SAML, OpenID Connect)
- Shift-left approach
- A/B testing
- Transparent encryption
- DNS (post)
- DNSSEC, zone transfer and zone signing
- Content Delivery Network (CDN)
- Microservices
- Common TCP/UDP Ports
- Communications Assistance for Law Enforcement Act (CALEA)
- 3-2-1 backup strategy
- Fire suppression (wet pipe, dry pipe, preaction, inert gas)
- Due diligence and due care
- Access control models (RBAC, ABAC, etc.)
This list can be very useful for reviewing the topics before taking the exam, or for focusing on what to study before moving on to the practice tests.
CCSP Exam Registration
You can register for the exam through this external link.
CCSP Exam Attendance
Please remember that two different valid IDs need to be shown on the day of the exam. I have seen people lose their exam voucher because of this.
Remember to arrive at least 30 minutes in advance of the scheduled time.
The time is limited and there are no breaks that stop the clock, though you may take a break to go to the bathroom.
Once you finish the exam, you will be asked to return to the test center staff, who will print the provisional result.
The final result is sent to your email inbox in the following days. In my experience, it arrived after a few hours.
CCSP Certification Application
In order to complete the CCSP certification application either as an Associate or Member, you need:
- Exam passed
- Abiding by the Code of Ethics and Privacy Policy
In case you want to be a Member, you need additionally:
- Required domain job experience
The certification application process starts with the CCSP endorsement application. You need an ISC2 certification holder, or ISC2 itself, to endorse you, unless you already hold a CISSP certification.
It may take some weeks from when you apply until you get the credential. In my case, it took a month.
Sharing CCSP Certificate
There is no separate credential ID for the certification; the credential ID is your ISC2 Member ID.
There is an ISC2 webpage to verify that a certification is legitimate.
CCSP Maintenance
You need to maintain the CCSP Certification by completing these tasks:
- Paying an Annual Maintenance Fee (AMF)
- Submitting Continuing Professional Education (CPE) credits
The AMF is paid once per person, regardless of how many ISC2 certifications you hold. As of 2024, the AMF is 125 USD.
You must submit 90 CPE credits in each 3-year certification cycle. It is recommended, though not mandatory, to earn 30 CPE credits per year.
CCSP Communities
- CCSP Study Group at ISC2 Circle
- CCSP Study Group at ISC2 Community
- r/CCSP at Reddit
- #ccsp channel at Certification Station on Discord (the same server also has channels discussing CISSP)
External References
- ClubCloudComputing; "CCSP Certification"; ClubCloudComputing
- Mike Chapple, David Seidl; “CCSP Official Study Guide Third Edition”; Sybex, 2021