Last week I posted about the CCSK exam, my tips for how to pass it and why it is a great entry cert if you want to get into cloud security. In this post lets take a look at the next most popular vendor-agnostic, cloud security cert which is the Certified Cloud Security Professional ( CCSP ). The CCSP is a very popular cert as it comes from (ISC)2; the same body who created the world famous CISSP exam which is well respected within the industry. So lets take a detailed look at the CCSP and how to pass it.

Who is the CCSP for ?

The CCSP is not an entry level cert like the CCSK ( although you can attempt it if you want ) but it has been made for information security leaders, cloud security managers and experienced professionals who have a few years under their belt. It proves that you have an in-depth understanding of cloud security and how to secure applications on it.

Unlike the CCSK it has an experience requirement of 5 years of which 3 must be in information security and one in the six domains on the CCSP syllabus ( also called the common body of knowledge). If you are a junior engineer new to the cloud then I would recommend going for the CCSK exam instead.

Below is the official quote from (ISC)2:


To qualify for the CCSP, candidates must pass the
exam and have at least five years of cumulative, paid
work experience in information technology,
of which three years must be in information security
,
and one year in one or more of the six domains of the
(ISC)2 CCSP Common Body of Knowledge (CBKยฎ).
A candidate who doesnโ€™t yet have the required
experience to become a CCSP may become an
Associate of (ISC)2 after successfully passing the
CCSP exam. The Associate of (ISC)2 will then have
six years to earn the experience needed for the
CCSP certification

(ISC)2 guide to the CCSP

An important point to note that is the the CCSK cert can be substituted for one year experience in cloud security and CISSP holders automatically meet the experience requirements. So if you have invested time and effort in getting these certs then can you can reap the benefits of your hard work !

How to pass the CCSP exam โ€“ Exam structure

First step like the CCSK is to download the CCSP body of knowledge and fully understand the breakup of the domains on which you will be tested. If you pass the CCSP exam then this validates that you have expertise in these areas. The breakup as of the time of writing this is as follows :

Source:ISC2 guide to the CCSP

Keep that note that by August 2022 the exam outline will change and some of the weight-age of the domains will also be revised. If your exam date is after August 2022 then be sure to read the FAQ here

For the current outline you should be aware of the below topics per domain:

Domain 1: Cloud Concepts, Architecture and Design (17%)

  • Fully understand cloud characteristics and how it differs from on-prem (e.g. it is on-demand, self-service, multi-tenant etc.)
  • Different types of cloud service models such as SaaS, PaaS, IaaS and how the security model changes. Cloud deployments such as public, private, hybrid etc.
  • The different responsibilities of the customer and the cloud service provider. Understand how shared responsibility works
  • Building blocks of the cloud such as virtualization, hyper-visor etc.

Domain 2: Cloud Data Security (19%)

  • Lifecycle of data on the cloud
  • Data protection methods such as tokenization, encryption, hashing etc.
  • Structured and Unstructured data
  • Information Right Management (IRM) on the cloud

Domain 3: Cloud Platform and Infrastructure Security (17%)

  • Security of the logical and physical environment of the cloud
  • Data partitioning and compartmentalization on the cloud
  • Analyzing and securing risks on the cloud
  • Virtualization security

Domain 4: Cloud Application Security (17%)

  • Development security risks
  • Cloud application architecture
  • How to validate software on the cloud is secure
  • APIs
  • Supply chain security
  • Concepts such CASB and Single Sign On in the cloud

Domain 5: Cloud Security Operations (17%)

  • Building , Operating , Managing and Securing a physical / logical infrastructure for the Cloud
  • Quite a lot of topics in this domain so make sure you dive deep !
  • Base lining operational controls on OS and identity access
  • Conducting digital forensics on the cloud
  • Security Operations Center (SOC) and SIEM on the Cloud

Domain 6: Legal, Risk and Compliance (13%)

  • Understanding the Legal Requirements and Risks of the Cloud
  • Privacy requirements such as GDPR and ISO 27018
  • Standards such as PCI DSS and HIPAA
  • Audits on the cloud and standards such as ISAE / SOC2 Type 2
  • Lastly, understand Outsourcing and Cloud Contract Design

How to pass the CCSP exam โ€“ Study material

Buy the official guide for the CCSP, go through it religiously and make notes of the critical points to understand. Unlike the CISSP which is an inch deep and a mile wide, the CCSP is focused on cloud security and goes into much deeper detail on its concepts. I am recommending the official guide but you can look at other alternatives and keep in mind there is no single magic book that will make you pass the CCSP exam. It is all about studying and practicing and giving yourself enough time to be ready

IS2 Official Guide to the CCSP

Plan + Practise

The MOST important part for preparing for this exam is to practice like crazy. Most of the information you get from the study guide you will forget unless you apply it in practice exams. The official guide comes with sample questions but you should definitely invest in getting more practice questions to really build up your confidence in these areas which are available on sites like PluralSight and Whizlabs

Give yourself enough time and I would recommend setting aside at least one month of dedicated practice on these exams. A good resource is the ISC2 electronic flashcards for CCSP which you can get for free on their website.

ISc2 CCSP flash cards

MAINTAINING THE CCSP EXAM

Remember that ISC2 exams require you to prove that you are maintaining yourself to a high standard with regular submissions of Continuing Professional Education (CPE) credits over a three year period. There is also an Annual Maintenance Fee (AMF) to be paid every year. While the CCSP may seem more difficult and expensive than the CCSK ( and it is ), the benefits are tremendous to your career with the CCSP regularly showing up on the list of most in-demands certs.

I wish you all the best in your CCSP preparation and hope you ace the exam !