Companies continue to rapidly migrate workloads from datacenters to the cloud, utilizing new technologies such as serverless, containers, and machine learning to benefit from the increased efficiency, better scalability, and faster deployments that cloud computing offers. Cloud security concerns remain high as the adoption of public cloud computing continues to surge, especially in the wake of the 2020 COVID crisis and the resulting accelerated shift to remote work environments. For more information about cloud security concerns, I highly encourage you to read the latest Cloud Security Report published by Cybersecurity Insiders here, and the Impact of COVID-19 on Enterprise IT Security Teams Report sponsored by (ISC)².
In this article, I will share with you how to prepare and pass the Certified Cloud Security Professional (CCSP) exam by (ISC)² successfully.
Information Security (IS) is currently making a serious contribution to business development by ensuring not only reliable operations but also new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models. As the cloud comes into the picture, new questions reach the board of directors: Is our data secure up there? Do we have control? I heard that if we move to the cloud we are secure, is that true? What about privacy, compliance, and data regulation? Cloud security is a shared responsibility, but what does that mean? The list of questions goes on and on… For this reason, it is imperative that before adopting cloud computing, organizations first understand the security considerations inherent in the cloud computing model. These considerations must be reviewed before adoption, ideally during the planning process.
Security in the realm of information technology has been fascinating to me for a long time. After passing the Swiss federal exam as an ICT Security Expert with an academic diploma, I decided to gain more experience with Cloud Security. Starting this journey, I decided to go with vendor-neutral certifications for Cloud Security, which are the Certificate of Cloud Security Knowledge (CCSK) by the Cloud Security Alliance (CSA), and the Certified Cloud Security Professional (CCSP) certification by the International Information System Security Certification Consortium (ISC)². I believe in vendor-neutral certifications, and I don’t trust marketing. The good news is, the knowledge that you acquire by attaining any of these certifications will help you to secure your cloud workloads whether they are running on Microsoft Azure, Google GCP, or Amazon AWS.
After 6 months of intense preparation, I am so happy and grateful now that I passed the CCSP exam on the first attempt.
About the CCSP Certification
The CCSP is the premier cloud security certification from (ISC)². This vendor-neutral certification validates IT and information security professionals’ knowledge and competency to apply best practices to cloud security architecture, design, operations, and service orchestration. It shows you are at the forefront of cloud security.
(ISC)² is a global nonprofit organization that maintains the Common Body of Knowledge (CBK) for information security professionals. The CCSP certification was first released back in 2015 and requires 5 years of experience in IT. CCSP is harder compared to CCSK, so if you want to follow this path, I recommend starting with the CCSK and then moving on to the CCSP, because by attaining the CCSK certification, you can request a one-year experience waiver by submitting documentation of your Cloud Security Alliance CCSK certificate to (ISC)² towards earning your CCSP certification. If you are interested in learning more about the CCSK and how to prepare for and pass the exam, I highly encourage you to check my previous guide here.
The big difference between the two certifications is the following: CCSK does not require you to collect continuing professional education (CPE) points to keep your certification active, and you don’t have to pay renewal/membership fees as required for CCSP ($125/year, 90 CPE/3 years). If you are interested in more details about both CCSK and CCSP, then I highly recommend checking the detailed comparison article here.
Payment of the membership fee ($125) for CCSP/CISSP is required at the beginning of each year of your 3-year certification cycle. The certification cycle does not run on a calendar year from January to December; it is based on when you earned your first certification. For example, if you got certified for CCSP on 15/03/2018, you will have a 3-year certification cycle that runs like this:
- Year 1) April 01, 2018, to March 31, 2019
- Year 2) April 01, 2019, to March 31, 2020
- Year 3) April 01, 2020, to March 31, 2021
The experience required for the CCSP credential is summarized below:
- Associate of (ISC)² – If you do not yet possess the professional experience required for certification, you can request to be an Associate of (ISC)². You are only required to pass the credential examination.
- CCSP – A minimum of five years of cumulative work experience in information technology, of which three years must be in information security and one year must be in one of the six (6) domains of the (ISC)² CCSP CBK®. Alternatively, as mentioned above, a Cloud Security Alliance CCSK certificate may be substituted for one year of experience, or holding the CISSP credential may be substituted for the entire CCSP experience requirement.
- Part-time experience cannot be less than 20 hours a week and no more than 34 hours a week.
- 1040 hours of part-time = 6 months of full-time experience
- 2080 hours of part-time = 12 months of full-time experience
- Internship: Paid or unpaid internship is acceptable. You will need documentation on company/organization letterhead confirming the applicant’s position as an intern. If they are interning at a school, the document can be on the registrar’s stationery. Interns may be gaining valuable experience without monetary compensation.
CCSP exam overview
In this exam, you will receive 125 multiple-choice questions, and the total time for this exam is 180 minutes (3 hours), so you might think that you have enough time to finish it. However, this is not the case: the exam is very tough! I finished the exam in 2 h 50 min, going carefully over all 125 questions. The minimum passing score for this exam is 700 out of 1,000, so you should answer at least 88 questions right to pass it.
The exam costs €555, equivalent to $599, or 600 Swiss francs. If you don’t pass the exam on your first attempt, you may retest after 30 test-free days. If you don’t pass the exam on your second attempt, you may retest after 60 test-free days from your most recent exam attempt. If you don’t pass the exam on your third attempt, and for all subsequent retakes, you may retest after 90 test-free days from your most recent exam attempt.
I highly recommend preparing very well prior to taking the real exam!!!
After completing the CCSP preparation and passing the exam, you will be able to:
- Understand the legal frameworks and guidelines that affect cloud services.
- Recognize the fundamentals of data privacy regulatory/legislative mandates.
- Assess risks, vulnerability, threats, and attacks in the cloud environment.
- Evaluate the design and plan for cloud infrastructure security controls.
- Evaluate what is necessary to manage security operations.
- Understand what operational controls and standards to implement.
- Describe the types of cloud deployment models and the types of “as a service” cloud service models currently available today.
- Identify key terminology and associated definitions related to cloud technology. Be able to establish a common terminology for use within your team or workgroup.
- Build a business case for cloud adoption and be able to determine with business units the benefits of the cloud and cloud migration strategies.
Skills measured on this exam
This exam measures your ability to know and understand the 6 domains listed below, based on the latest updates to the (ISC)² CCSP Common Body of Knowledge (4th Edition).
Below is how the examination questions were distributed across these domains in my case, but of course this may vary slightly from case to case. The questions pretty much match the list of domains and skills measured below, with their weights:
DOMAIN 1: Cloud Concepts, Architecture, and Design (17%)
- Understand Cloud Computing Concepts
- Describe Cloud Reference Architecture
- Understand Security Concepts Relevant to Cloud Computing
- Understand the Design Principles of Secure Cloud Computing
- Evaluate Cloud Service Providers
DOMAIN 2: Cloud Governance – Legal, Risk, and Compliance (13%)
- Articulate Legal Requirements and Unique Risks Within the Cloud Environment
- Support Digital Forensics
- Understand Privacy Issues
- Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
- Understand the Implications of Cloud to Enterprise Risk Management
- Understand Outsourcing and Cloud Contract Design
DOMAIN 3: Cloud Data Security (19%)
- Cloud Data Security Concepts
- Design and Implement Cloud Data Storage Architectures
- Design and Apply Data Security Technologies and Strategies
- Understand and Implement Data Discovery and Classification Technologies
- Design and Implement Information Rights Management (IRM)
- Plan and Implement Data Retention, Deletion, and Archival Policies
- Design and Implement Auditability, Traceability, and Accountability of Data Events
DOMAIN 4: Cloud Platform and Infrastructure Security (17%)
- Comprehend Cloud Infrastructure Components
- Secure Cloud Data Center Design
- Analyze Risks Associated with Cloud Infrastructure
- Design and Plan Security Controls for Physical and Logical Cloud Infrastructure
- Design Appropriate Identity and Access Management (IAM) Solutions
- Plan Disaster Recovery (DR) and Business Continuity (BC)
DOMAIN 5: Cloud Application Security (17%)
- Discuss Training and Awareness for Application Security
- Describe the Secure Software Development Lifecycle (SDLC) Process
- Apply the Secure Software Development Lifecycle (SDLC)
- Apply Cloud Software Assurance and Validation
- Use Verified Secure Software
- Explain the Specifics of a Cloud Application Architecture
DOMAIN 6: Cloud Security Operations (17%)
- Operate and Manage Physical and Logical Infrastructure for Cloud Environment
- Implement Operational Controls and Standards
- Manage Communication with Relevant Parties
- Manage Security Operations
Exam Target Audience
The CCSP is intended for experienced cloud security professionals looking to validate their knowledge and background. As you can see from the domains listed above, there are technical and non-technical elements that are examined. CCSP is considered a top-tier certification by most in the industry, so it will usually attract security engineers and architects, as well as security managers and security officers.
Lessons Learned and Exam Preparation
To prepare and pass this exam successfully on the first attempt, I highly recommend the following approach based on my experience in passing this exam.
The first choice that I highly recommend is to get instructor-led training if possible; you can find the list of all (ISC)² partners here.
If you are based in Switzerland, then I highly recommend getting in contact with PSYND here, the only (ISC)² official academy in Switzerland. They prepare the experts of tomorrow to achieve their CISSP and CCSP certifications.
I personally started by taking the instructor-led training with PSYND and then worked over the self-study resources noted below to complement my knowledge.
If you prefer self-study training, then you can choose one of the premium-quality resources listed in the sections below:
CCSP on Cybrary
Cybrary offers a complete CCSP preparation course of about 12 hours.
CCSP on LinkedIn
LinkedIn Learning offers the following complete CCSP certification preparation course over 14 hours:
- CCSP Cert Prep 1: Cloud Concepts Architecture and Design
- CCSP Cert Prep 2: Cloud Data Security
- CCSP Cert Prep 3: Cloud Platform and Infrastructure Security
- CCSP Cert Prep 4: Cloud Application Security
- CCSP Cert Prep 5: Cloud Security Operations
- CCSP Cert Prep 6: Legal Risk and Compliance
CCSP on Pluralsight
Pluralsight offers the following complete CCSP certification preparation course:
- CCSP: Cloud Architecture and Concepts
- CCSP: Cloud Data and Security Lifecycle
- CCSP: Cloud Platform Security
- CCSP: Cloud Application and Security Components
- CCSP: Cloud Security Operations Controls
- CCSP: Cloud Risk and Compliance
- CCSP: Cloud Governance, Data Privacy, and Audit
- CCSP: Cloud Infrastructure Security
- CCSP: Cloud Physical and Logical Infrastructure
CCSP on (ISC)²
(ISC)² offers online self-paced training which is a great companion to prepare you for the CCSP exam.
Tools you will need
In addition to all the resources and the preparation that I mentioned above, there are some additional materials you will want to be familiar with. There is no magic formula for passing this exam, and no single book or source with all the answers to the exam exists. I recommend the following professional resources that you should be familiar with while preparing for this exam. You can download them for free:
- The Cloud Security Alliance’s Notorious Nine.
- The OWASP’s Top 10 – 2017.
- The OWASP’s XSS (Cross-Site Scripting) Prevention Cheat Sheet.
- The OWASP’s Testing Guide (v4.1).
- The OWASP Top 10 Proactive Controls v3.0.
- NIST SP 500-292, NIST Cloud Computing Reference Architecture.
- The CSA’s Security Guidance v4.0.
- ENISA’s Cloud Computing Risk Assessment.
- The Uptime Institute’s Tier Standard: Tier Standard and Topology – Operational Sustainability. The link page includes download options for the documents.
- The ultimate guide to the CCSP. Be a leader in the field of Cloud Security.
I highly recommend getting the following books to supplement your knowledge and help you prepare for this exam:
- CCSP Certified Cloud Security Professional All-in-One Exam Guide, Second Edition.
- (ISC)² CCSP Certified Cloud Security Professional Official Practice Tests, 2nd Edition.
- (ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition.
- (ISC)² CCSP Common Body of Knowledge (CBK), 3rd Edition.
- CCSP for Dummies with Online Practice.
I highly recommend practicing a large number of questions to get a sense of how the questions might show up during the actual exam. I personally practiced more than 2,000 questions. Here is the list of exam practice resources that I used to prepare for this exam:
- Official CCSP Study App. This study app is based on the Official CCSP Study Guide and includes flashcards, study questions, and practice tests – covering all of the domains in the CCSP CBK.
- (ISC)² CCSP Certified Cloud Security Professional Official Practice Tests, 2nd Edition. With over 1,000 practice questions, this book gives you the opportunity to test your level of understanding and gauge your readiness for the Certified Cloud Security Professional (CCSP) exam long before the big day.
As soon as you submit your exam and pass it, you will receive provisional examination results with the following message:
Congratulations! We are pleased to inform you that you have provisionally passed the Certified Cloud Security Professional (CCSP®) examination. By passing this examination, you have completed the first of two steps toward earning your CCSP credential!
The next step is to complete the endorsement process, which you should do within nine (9) months of your passing exam date. If you currently possess the number of years of experience you need, you are ready to submit your online endorsement application here.
Once the endorsement process is complete, you will earn your CCSP certification. You will be notified and receive your membership package via mail, which will contain your credential certificate, member ID card, welcome letter and CCSP lapel pin, similar to the one shown below.
Please note that the endorsement process may take up to four (4) to six (6) weeks to complete.
Once your endorsement application has been approved by (ISC)², you are one step closer to certification. You will receive an email with instructions to pay your first Annual Maintenance Fee (AMF) of $125 to complete your membership. AMFs are used by (ISC)² to support the costs of maintaining the (ISC)² certifications and related support systems. Certified members and Associates of (ISC)² also gain access to a wide array of valuable, rewarding professional development opportunities and member benefits that deliver a robust return on this annual investment. Please check the official page to learn more about AMFs.
Once you have paid the Annual Maintenance Fee (AMF), you will receive a welcome email to (ISC)².
Congratulations! Based on your examination results, application review and acceptance of your endorsement, the (ISC)² Board of Directors has awarded you the CCSP certification.
Your welcome kit (including your ID card and certificate) will be shipped to your address within 8 – 12 weeks. You will also receive your Acclaim Badge link to your primary email address within 2 weeks of full membership. Read more about (ISC)² digital badges from Acclaim here.
Certification is just the beginning… To maintain your certification, you must earn continuing professional education (CPE) credits.
These CPE activities must be completed during your certification cycle which starts on the first day of the month after you receive the welcome email. For example, if you receive the welcome email on April 15th, your certification cycle start date will be May 1st. You may not claim CPE credits for activities that occurred prior to your certification cycle start date.
If you want to learn more about Continuing Professional Education (CPE), then I highly recommend downloading and reading the (ISC)² Continuing Professional Education (CPE) Handbook here.
Continue your professional growth
As an (ISC)² member, you have access to a growing array of enriching CPE opportunities from the Professional Development Institute. If you are already an (ISC)² member, I highly encourage you to check the Professional Development Institute (PDI).
The Professional Development Institute (PDI) is your go-to resource for timely and relevant continuing education opportunities to help keep your skills sharp and curiosity piqued. Each course is designed with input from leading industry experts and based on proven learning techniques. And best of all, these courses are free to members and count for CPE credits.
Last but not least, I highly encourage you to connect with cybersecurity professionals in your community by joining a local (ISC)² Chapter. If you are based in Switzerland, then you might be interested in joining the (ISC)² local chapter here. You can network with peers and experts in the industry while learning about hot topics and earning valuable CPEs. Locate an (ISC)² Chapter near you by visiting the (ISC)² Chapter Directory, or start a chapter if none exists in your area.
The CCSP credential has emerged as an industry standard for advanced cloud security practitioners looking to validate their skills and enhance their careers. Please note that this is NOT a beginner’s certification. You must demonstrate 5 years of experience and a deep understanding of the domains presented in the Common Body of Knowledge (CBK). If this sounds like something that could elevate your career, then this may be the credential that you want to pursue.
If you are planning to take this exam… I wish you all the best and Happy Studying!!!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.