CCSP Domain 6: Legal, Risk and Compliance [updated 2022]

Mosimilolu Odusanya
September 12, 2022 by
Mosimilolu Odusanya

An important aspect InfoSec professionals need to consider is legal requirements and cloud implications for enterprise risk management. The following topics are included in this domain, per the “Official (ISC)² Guide to the CCSP CBK.”

This domain, which represents 13% of the CCSP certification exam, focuses on relevant jurisdictional laws, statutes, regulations and frameworks for data protection in cloud computing. Candidates must demonstrate a handle on the legal and compliance requirements that may impact cloud procurement, usage and security.

Earn your CCSP, guaranteed!

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!


Domain 6 — Legal, Risk and Compliance


Each of the five subdomains covers different aspects of the cloud's legal issues, risks, compliance and data privacy.


6.1 Articulate legal requirements and unique risks within the cloud environment


Candidates should know of cloud computing architectures' legal requirements and unique risks.


Conflicting international legislation


Candidates must know the multiple sets of laws and regulations and the risks introduced by conflicting legislation across jurisdictions and countries. Conflicts may include copyright and intellectual property law, data breaches (and breach notification), international import/export laws etc.


Evaluation of legal risks specific to cloud computing


Candidates must understand the legal risks (e.g., data residency vs. data localization vs. data sovereignty) of cloud computing.


Legal frameworks and guidelines


Candidates should have a handle on the various legal frameworks related to personal data protection and regulations that may affect cloud computing requirements for companies in various regions. Such frameworks include:

  • Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
  • Asia Pacific Economic Cooperation Privacy Framework (APEC)
  • Cross-Border Privacy Rules (CBPR)
  • General Data Protection Regulation (GDPR)


Forensics and eDiscovery in the cloud


Candidates will need to understand the following:

  • The laws and regulations may apply to an organization and investigation while maintaining the chain of custody.
  • Standards from various bodies, such as the International organization for Standardization (ISO)/International Electrotechnical Commission (IEC) and the Cloud Security Alliance (CSA) Guidance are used in collecting digital evidence and conducting forensics investigations in cloud environments.
  • How to manage a chain of custody from evidence collection to trial during any digital forensics investigation.
  • The phases of digital evidence handling and the challenges associated with evidence collection in a cloud environment.


6.2 Understand privacy issues


Candidates should know the privacy risks and issues cloud environments or technologies pose.


Difference between contractual and regulated private data


Candidates need to understand the difference between private contractual data (e.g., data collected as part of normal business operations) and regulated private data (e.g., personal identifiable information (PII), protected health information (PHI) and payment data).


Country-specific legislation related to private data


Candidates must comprehend various privacy regulations in various jurisdictions (e.g., CCPA — United States, GDPR — European Union, etc.).


Jurisdictional differences in data privacy


Candidates must also understand and address jurisdictional differences/issues in privacy regulations.


Standard privacy requirements


Candidates should have a handle on the various standard privacy requirements (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP). General Data Protection Regulation (GDPR), etc.)


Privacy Impact Assessments (PIA)


Candidates must understand how PIA can help identify and mitigate privacy risks when implementing new technology or programs.


6.3 Understand audit process, methodologies and required adaptations for a cloud environment


Candidates should know the unique considerations, processes and controls required to audit cloud environments.


Internal and external audit controls


Candidates must understand the importance of internal and external audits in meeting regulatory, contractual, security and privacy obligations.


Impact of audit requirements


Candidates should have a handle on the impact and challenges of the ever-changing nature of a cloud environment and how it impacts an audit.


Identity assurance challenges of virtualization and cloud


To obtain assurance, candidates must grasp how to perform multiple layers of auditing (of both the hypervisor and the virtual machines) in a cloud environment.


Types of audit reports


Candidates will need to understand the various audit reports that can describe their findings of the system examined. Examples of audit reports include:

  • Service Organization Controls (SOC)
  • Statement on Standards for Attestation Engagements (SSAE)
  • International Standard on Assurance Engagements (ISAE)


Restrictions of audit scope statements


Candidates should know the audit scope restrictions on what an auditor may or may not audit. Examples of scope statements include:

  • Statement on Standards for Attestation Engagements (SSAE)
  • International Standard on Assurance Engagements (ISAE)


Gap analysis


Candidates need to understand the impact of a gap analysis in identifying issues and gaps before an audit and against industry standards/frameworks.


Audit planning


Candidates must grasp the process required in planning for an audit to ensure financial reporting or compliance with a cloud environment.


Internal information security management systems (ISMS)


Candidates should have a handle on designing and implementing an organization’s ISMS using an acceptable standard such as ISO 27001/2.


Internal information security controls system


To establish an ISMS, candidates will need to understand the security controls used in managing information security.




Candidates need to know the policies to govern an organization’s people, processes and systems. There are various types of policies required:

  • Organizational Policies
  • Functional Policies
  • Cloud Computing Policies


Identification and involvement of relevant stakeholders


Candidates will need to comprehend how to identify relevant stakeholders that need to be involved in the decision process, critical questions faced in identifying the stakeholders and the governance challenges that may occur when moving to a cloud environment.


Specialized compliance requirements for highly regulated industries


Candidates must understand the specialized compliance requirements for organizations in highly regulated industries such as healthcare, financial services and government organizations. Here are a few examples:

  • North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC/CIP)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH) Act
  • Payment Card Industry (PCI)


Impact of distributed information technology models


Candidates must know of the distributed information technology models (e.g., diverse geographical locations and crossing over legal jurisdictions), realize the common issues caused by these models, and grasp how to mitigate the associated risks. 


6.4 Understand implications of cloud to enterprise risk management


Candidates will need to understand the implications using and maintaining a cloud environment has on an organization’s risk management program and how to mitigate the risks.


Assess providers' risk management programs


Candidates must know how to assess cloud service providers’ risk management programs (e.g., controls, methodologies, policies, risk profile, risk appetite) and align with an organization’s objectives.


Differences between data owner/controller vs. data custodian/processor


Candidates should have a handle on the difference between data owners (data controllers) and data custodians (data processors).


Regulatory transparency requirements


Candidates should know the regulatory transparency requirements imposed on data controllers (and data processors) by various regulations. Examples include breach notification, Sarbanes-Oxley (SOX) and General Data Protection Regulation (GDPR).


Risk treatment


Candidates must understand how to evaluate an organization’s vulnerabilities and threats that might exploit its weaknesses and determine the likelihood and impact of such exploits. Steps include the following: avoid, mitigate, transfer, share and acceptance.


Risk frameworks


Candidates must grasp the various risk frameworks that can apply to an organization:

  • ISO 31000:2018
  • European Network and Information Security Agency (ENISA) assessment guides
  • NIST 800-146


Metrics for risk management


Candidates must understand key cybersecurity metrics that can be tracked to present measurable data to relevant stakeholders.


Assessment of risk environment


Candidates must know how to assess a risk environment to cover the cloud environment (e.g., service, vendor, infrastructure and business).


6.5 Understand outsourcing and cloud contract design


Candidates should have a handle on business requirements, key contractual provisions and potential contractual implications of outsourcing to the cloud.


Business requirements


Candidates will need to comprehend key business requirements [e.g., service-level agreement (SLA), master service agreement (MSA), statement of work (SOW)] and how a cloud service provider helps to meet those obligations.


Vendor management


Candidates must understand how to manage vendors' risks (e.g., vendor assessments, vendor lock-in risks, vendor viability and escrow) and track service delivery via key performance indicators.


Contract management


Candidates need to understand the proceedings of contract management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data and cyber risk insurance) and how to succeed in negotiation, creation and execution. In addition, monitor contract terms, performance and violations of stated agreements.


Supply chain management


Candidates will need to understand the actions to manage the supply chain, vendors, dependencies, points of failure, etc., as per the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036).

Earn your CCSP, guaranteed!

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!


How to prepare for the CCSP exam


Studying the right material is recommended by ISC2 to take the CCSP exam. The official preparation material include the following:

  • Official ISC2 CCSP Study Guide, 2nd Edition
  • Official ISC2 CCSP CBK Reference, 3rd Edition
  • Official ISC2 CCSP Practice Tests, 2nd Edition
  • Official ISC2 CCSP Flash Cards 
  • Official ISC2 CCSP Study App

Need training? Design your learning path that better fits your needs and requirements to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the key elements found in the sixth domain of the CCSP common body of knowledge (CBK) — Cloud Legal, Risk and Compliance Requirements.

For more on the CCSP certification, check out our CCSP certification hub.




Mosimilolu Odusanya
Mosimilolu Odusanya

Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.