Cloud security

The Ultimate Guide to CCSP Certification

March 5, 2018 by

If you work in the IT field, you’re obviously familiar with the cloud. What was once a bit of a novelty has now become commonplace, meaning every company and government is making use of it. This also means that most cloud professionals are feeling a bit crowded in the job market.

Can you relate?

Learn Cloud Security

Learn Cloud Security

Get hands-on experience with cloud service provider security, cloud penetration testing, cloud security architecture and management, and more.

If so, consider becoming a CCSP. Below is all the information it should take to convince you.

What Is a CCSP?

CCSP stands for Certified Cloud Security Professional. It’s a designation that was created as a natural response to both the rise in popularity of the cloud and the corresponding security concerns that have developed alongside it.

Unfortunately, the vast majority – if not all – of legacy approaches are simply inadequate. Organizations must have experienced, competent professionals equipped with the latest knowledge about cloud security and the type of skills required to implement the kind of approaches required to keep such a vast infrastructure safe.

The Cloud Security Alliance, in concert with (ISC)², are two of the world’s foremost nonprofits dedicated to cloud and information security. Both of these groups back CCSP, which should give you some idea of how much weight this title carries within the industry.

Someone who is a CCSP is automatically seen as an individual with a deep understanding of security as it relates not just to cloud computing but also software, information and cyber environments.

Furthermore, unlike many other designations and certificates, earning the CCSP title proves that the individual actually has hands-on experience, not just theoretical competency.

Even in light of the cloud’s relatively recent arrival as a mainstream option, the CCSP designation remains a fairly new one, which also speaks to its value as a title that represents cutting edge capabilities.

It is also meant to complement two other certifications. CSA’s Certificate of Cloud Security Knowledge (CCSK) and (ISC)²’s Certified Information Systems Security Professional. The CCSP dovetails and builds from both of these quite well.

Who Is the CCSP For?

Recall that we mentioned that one of the reasons CCSP has become so popular in such a short amount of time is because it represents experience. This is due in large part to the fact that the only way you can earn this certification is if you have at least five years of experience in the field.

These five years must include three working in information security and one in the field of cloud computing. Furthermore, the individual must have spent one year working in one of the six CCSP domains, which we’ll get into a bit later.

This requirement isn’t an arbitrary one. It’s to ensure that CCSPs have been exposed to functioning IT environments. Again, the hands-on approach truly means something. The knowledge that comes from this kind of experience is invaluable. Amongst other things, people who work for their CCSPs necessarily understand practical approaches and not just the theoretical kind.

As we mentioned a moment ago, the CCSP designation is meant to build off of CSA’s CCSK. However, the CISSP can be substituted for it.

How to Become a CCSP

If you’ve decided that it’s worth exploring the process further, let’s now look at what it takes to become a CCSP.

Remember, the basics are:

  • Five years of combined, IT experience in a paid, full-time capacity
  • Three years of working in information security
  • One year working in one of the six domains we’re about to list

You can also substitute that last requirement for earning the CCSK certification. All of these requirements are also unnecessary if you already have the (ISC)²’s CISSP credential.

Those who feel they’re ready for the exam but don’t have the required experience yet can also become an associate of (ISC)²’s. They are allowed to take the CCSP exam now and can then go about working on the requirements going forward to receive the actual certification.

The Six CCSP Domains

Before we continue with the “how” of becoming a CCSP, it’s important that you understand the six domains that it covers. It’s not just a prerequisite that you have a year of experience with one of them; you’ll also need to understand all six for the actual exam.

These six domains are:

  • Cloud Data Security (20%)
  • Architecture and Design (19%)
  • Operations (15%)
  • Infrastructure Security (19%)
  • Application Security (15%)
  • Compliance (12%)

You may sometimes see these listed with slightly different names. Those percentages next to the titles are the weight they carry in the actual exam.

While each of these topics is expansive, we’re going to now summarize them for you to give you a better understanding of why they’re part of the CCSP exam and what they cover.

Cloud Data Security

Given the nature of the CCSP designation, it should come as no surprise that cloud data security is given such priority. This subject is concerned with the principles, standards, concepts and structures used to design, secure and monitor:

  • Networks
  • Equipment
  • Applications

They can also be used in service of any controls required to enforce various levels of integrity, confidentiality and availability in the cloud environments.

To this end, you will need to have a strong knowledge of the following:

  • Designing and implementing cloud data storage architectures
  • Understanding cloud data lifecycle
  • Designing and applying data security strategies
  • Understanding and implementing data discovery and classification techniques
  • Designing and implementing appropriate data protections for personally identifiable information (PII) based on jurisdictional demands
  • Planning and implementing data retention, deletion and archiving policies
  • Designing and implementing data rights management
  • Designing and implementing traceability, accountability, auditability of data events

Architecture and Design

Next, you must be competent in all definitions and concepts related to cloud computing based on the ISO/EIC 17788 standard; security concepts and principles relevant to secure cloud computing.

This will involve:

  • Understanding cloud computing concepts
  • Understanding security concepts relevant to cloud computing
  • Describing cloud reference architecture
  • Identifying trusted cloud services
  • Understanding design principles of secure cloud computing


A big part of being a CCSP is being able to identify critical information and execute specific measures that will reduce or altogether eliminate the risk of adversary exploitation of it. You must understand what’s required for cloud architecture to run and manage it. Your competency must extend to the definition of controls over media, hardware and the operators who have been granted access privileges. The auditing and monitoring of tools, mechanisms and facilities is part of operations, as well.

Examples of the tasks you must be able to perform include:

  • Supporting the planning process required for the design and building of a data center
  • Implementing and building physical infrastructures for cloud environments
  • Running and managing the physical infrastructure for cloud environments
  • Managing physical infrastructures for cloud environments
  • Building logical infrastructures for cloud environments
  • Running logical infrastructures for cloud environments
  • Managing logical infrastructures for cloud environments
  • Ensuring compliance with regulation and controls (e.g. ISO/IEC 20000-1, ITIL)
  • Conducting risk assessments of physical and logical infrastructures
  • Understanding how to acquire, collect and preserve digital evidence
  • Managing communication with and identifying relevant parties

Infrastructure Security

If you want to be a CCSP, you must understand cloud infrastructure components. This includes the virtual and the physical. You need knowledge of existing threats, which means being able to mitigate and develop plans for dealing with them.

To do these things, you must be able to:

  • Analyze risks associated with cloud infrastructures
  • Understand each piece of a cloud infrastructure
  • Design, plan, build and implement security controls
  • Create business continuity management and disaster recovery plans

Application Security

You will need to be able to use verified security software, but also know the processes involved in assurance and validation of cloud software. This important capability will require that you can:

  • Recognize the necessity of training and awareness for the sake of cloud application security
  • Understand the tasks related to cloud software assurance and validation
  • Properly use verified security software
  • Appreciate the whole of the SDLC (Software Development Lifecycle) Process
  • Leverage the SDLC
  • Understand the specifics related to cloud application architecture
  • Design suitable IAM (Identity and Access Management) solutions


Finally, it should go without saying that compliance is important when it comes to enterprise cloud solutions across all industries. Obviously, this will entail a number of legal issues in general, though the industry you go on to work in will add even more you must understand.

For the CSSP exam, you must be able to address ethical behavior and recognize what compliance entails inside of regulatory frameworks. As a CCSP, you will need to use investigative techniques and measures to gather evidence (e.g. forensics, eDiscovery and legal controls). You may be called upon to create methodologies regarding audit processes and privacy issues.

Your aptitude for enterprise compliance and risk management should also extend to specifics like:

  • Implications of risk management for the cloud environment
  • Outsourcing and contracts for cloud design
  • Execution of vendor management
  • Auditing methodologies, processes and necessary adaptations for the cloud environment
  • The cloud environment’s legal requirements and unique risks
  • Privacy issues related to jurisdictional variations

As you can probably see, the CCSP exam covers an extensive breadth of knowledge. This may seem intimidating, especially if you only have experience in or two areas, but keep in mind that there will be rewards for earning an internationally-recognized certification like this.

In fact, let’s take a look at some of those rewards next.

Why Earn Your CCSP?

Obviously, the main benefit we’ve mentioned so far in relation to the CCSP is that you will develop an unrivaled competence where cloud security is concerned. Just by meeting the prerequisites, you’ll have proven you’re someone with hands-on experience in this field.

Now, that being said, what good is this competency if it doesn’t translate into other benefits, like job opportunities and a better salary?

Here is a list of eight common job titles for CCSPs:

  • Enterprise Architect
  • Security Administrator
  • Security Architect
  • Security Consultant
  • Security Engineer
  • Security Manager
  • Systems Architect
  • Systems Engineer

This is by no means an exhaustive list. Any of these titles could represent dozens of different specific roles, too. For example, being a security consultant could entail working for any number of different companies on countless different projects.

As an article in CloudTech from last year pointed out:

“If you’re looking to develop cloud security skills, then (ISC)2’s Certified Cloud Security Professional (CCSP) credential should be your number one target. A collaborative effort between (ISC)2 and the Cloud Security Alliance, the credential builds skills incorporating data security, platform and infrastructure security and compliance, amongst others.”

Let’s now talk about salary.

It’s tough to put an objective number on how much a CCSP certification is worth. As we already mentioned, a lot of it depends on what kind of work you do. There’s also the matter of where you’re working from.

However, when looking at the UK, for example, 90% of the jobs posted for CCSP professionals across IT Jobs Watch paid at least $73,000. The other 10% started at $103,000.

That’s up 2.32% over the past year and more than 40% if you go back to 2015.

Of course, you need to keep in mind that these numbers include London, but if you’re not living there, you wouldn’t have the same standard of living to cover either.

Furthermore, the demand for these jobs is clearly on an upward trajectory, as well. Since 2016, this site shows 4.5x as many job postings. Looking a year back, the job postings have increased by 13.5x.

Becoming a CCSP requires a bare minimum of five years in the field, including specific forms of experience. Even then, you’ll have to work very hard to study for a very tough exam. However, as we hopefully showed with the above, demand for these jobs is also on the rise – and so is the amount these professionals get paid.

If you’re interested in job security and increasing your income, it makes sense to working toward becoming a CCSP.


Learn Cloud Security

Learn Cloud Security

Get hands-on experience with cloud service provider security, cloud penetration testing, cloud security architecture and management, and more.