CCSP Exam preparation Guide - How to become a Certified Cloud Security Professional

  • Cloud Security
  • CCSP
  • Certification Guide
  • Published by: Maria Forsberg on Sep 23, 2022

Looking to advance your IT career? Then becoming a Certified Cloud Security Professional (CCSP) might be for you. In this certification guide, we’ll go over what the CCSP is, how to get it, CCSP career prospects and salary, how the CCSP compares to other IT certifications, and more!

Let’s get started!

What Is CCSP?

CCSP stands for Certified Cloud Security Professional. It’s a vendor-neutral cloud security certification administered by (ISC)² and developed in partnership with the Cloud Security Alliance (CSA). It was first introduced in April 2015 at a security conference hosted by RSA.

Today, more than 10,000 security professionals hold the CCSP certification, and it’s considered one of the top IT credentials in the world. In fact, Certification Magazine consistently ranks it as one of the top certificates for IT professionals to pursue.

The CCSP certifies that you know how to design, manage, and secure cloud data, applications, and infrastructure. In the IT industry, it’s a badge of honor (quite literally). You can use it to prove your skills to potential employers and advance your career.

The CCSP is recognized and respected worldwide. Earning it will open up new job opportunities you wouldn’t have otherwise, including international ones.

This is because the CCSP is issued by (ISC)², the world’s leading cybersecurity professional organization. (ISC)² is an international nonprofit membership association founded in 1989 with over 168,000 certified members.

The CCSP will give you instant credibility across six domain areas:

  1. Cloud Concepts, Architecture and Design
  2. Cloud Data Security
  3. Cloud Platform & Infrastructure Security
  4. Cloud Application Security
  5. Cloud Security Operations
  6. Legal, Risk, and Compliance

Companies and organizations that hire cloud security professionals look for job candidates that have the CCSP certification. It’s an easy way for them to determine your experience and skill level.

So if you want to take your IT career to the next level, the CCSP might be for you. Read on to learn more about it and what it takes to certify.

What Does a Certified Cloud Security Professional Do?

Now, you might wonder what exactly a Certified Cloud Security Professional does. This is a hard question to answer since the CCSP certificate can help prepare you for many positions.

(ISC)² suggests that the CCSP is ideal for “IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations, and service orchestration.” It then lists common CCSP positions:

  • Cloud Architect
  • Cloud Engineer
  • Cloud Consultant
  • Cloud Administrator
  • Cloud Security Analyst
  • Cloud Specialist
  • Auditor of Cloud Computing Services
  • Professional Cloud Developer

The CCSP exam outline gives you an idea of what a typical CCSP must know and do. Here’s a full list of CCSP skills and tasks (organized by domain):

Domain 1: Cloud Concepts, Architecture, and Design

  • Understand cloud computing concepts
  • Describe cloud reference architecture
  • Understand security concepts relevant to cloud computing
  • Understand design principles of secure cloud computing
  • Evaluate cloud service providers

Domain 2: Cloud Data Security

  • Describe cloud data concepts
  • Design and implement cloud data storage architectures
  • Design and apply data security technologies and strategies
  • Implement data discovery
  • Plan and implement data classification
  • Design and implement Information Rights Management (IRM)
  • Plan and implement data retention, deletion and archiving policies
  • Design and implement auditability, traceability and accountability of data events

Domain 3: Cloud Platform and Infrastructure Security

  • Comprehend cloud infrastructure and platform components
  • Design a secure data center
  • Analyze risks associated with cloud infrastructure and platforms
  • Plan and implement security controls
  • Plan business continuity (BC) and disaster recovery (DR)

Domain 4: Cloud Application Security

  • Advocate training and awareness for application security
  • Describe the Secure Software Development Life Cycle (SDLC) process
  • Apply the Secure Software Development Life Cycle (SDLC)
  • Apply cloud software assurance and validation
  • Use verified secure software
  • Comprehend the specifics of cloud application architecture
  • Design appropriate identity and access management (IAM) solutions

Domain 5: Cloud Security Operations

  • Build and implement physical and logical infrastructure for cloud environment
  • Operate and maintain physical and logical infrastructure for cloud environment
  • Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
  • Support digital forensics
  • Manage communication with relevant parties
  • Manage security operations

Domain 6: Legal, Risk, and Compliance

  • Articulate legal requirements and unique risks within the cloud environment
  • Understand privacy issues
  • Understand audit process, methodologies, and required adaptations for a cloud environment
  • Understand the implications of cloud to enterprise risk management
  • Understand outsourcing and cloud contract design

If any of the above sounds like something you’d enjoy, then you’ll love being a CCSP. In the next section, we’ll go over what you need to do to earn the CCSP certificate.

How to Become CCSP Certified

If you want to become CCSP Certified, there are a few steps you need to follow. Here they are in order:

1. Meet the experience requirement.

To qualify for the CCSP certification, you must have at least five years of paid work experience in IT, three of which must be in information security and one of which must be in one or more of the six CCSP domains (cloud concepts, architecture, and design; cloud data security; cloud platform and infrastructure security; cloud application security; cloud security operations; legal, risk, and compliance).

(ISC)² counts work experience by month. To earn one month of full-time work experience, you must have worked at least 35 hours per week for four consecutive weeks.

Part-time work counts, too. Any work experience in which you work for at least 20 hours per week but no more than 34 hours per week is considered part-time. 1040 hours of part-time work is equal to 6 months of full-time experience, and 2080 hours of part-time work is equal to 12 months of full-time experience.

Internships count, too (both paid and unpaid). All you need is documentation from a supervisor confirming your position and the number of hours you worked.

That said, you can sometimes waive part or all of the CCSP work experience requirements. For example, having the CCSK certificate counts toward one year of experience in a CCSP domain, and having the CISSP certificate fulfills the entire CCSP work experience requirement.

Still don’t have enough work experience? That’s okay. (ISC)² will let you take the CCSP exam anyway, and if you pass, they’ll award you an Associate of (ISC)². You’ll then have six years to earn the required five years of work experience to obtain the CCSP certificate.

2. Pass the CCSP exam

Once you’ve met the CCSP work experience requirements, you’re ready to take the CCSP exam. This is a four-hour-long test with 100 scored multiple-choice questions and 50 unscored pretest items. Please note the number of unscored pretest items increased from 25 to 50 on August 1, 2022.

The scored questions test your knowledge across the six CCSP domains. Here they are with the relative percentage of questions per domain:

  • Cloud Concepts, Architecture, and Design (17%)
  • Cloud Data Security (20%)
  • Cloud Platform & Infrastructure Security (17%)
  • Cloud Application Security (17%)
  • Cloud Security Operations (16%)
  • Legal, Risk, and Compliance (13%)

Keep in mind that the weighting of domains on the CCSP exam also changed recently. On August 1, 2022, the proportion of cloud data security questions increased from 19% to 20%, and the proportion of cloud security operations decreased from 17% to 16%.

To pass the CCSP exam, you must score at least 700 out of 1000 points (i.e. 70%). The exam is available at testing centers across 882 locations in 114 countries and in six different languages: English, Chinese, German, Japanese, Korean, and Spanish.

To schedule the CCSP exam, create an account with Pearson VUE. From there, you’ll be able to select a location and time to take the test and pay the $599 exam registration fee.

3. Get endorsed by an (ISC)² certified professional

Once you pass the CCSP exam and meet the work experience requirements, you only have a few steps left to get your certification. One of them is to get endorsed by another (ISC)² certified professional in good standing.

If you don’t know any (ISC)² members, that’s okay. You can also get endorsed by (ISC)² itself. Either way, they will need to attest to your professional work experience. You have nine months from the time you pass the CCSP exam to have them do this, after which you must retake the exam.

It’s also worth noting that (ISC)² audits CCSP candidates at random. If you are chosen, you will be required to submit additional information for verification. So don’t try to fudge any numbers. Not only is it wrong, but you will be disqualified from earning the CCSP if you’re caught.

4. Agree to the (ISC)² Code of Ethics

Next, you must agree to the (ISC)² Code of Ethics before you can receive your CCSP certificate. This includes adhering to the following preamble:

  • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

It also means you must commit to do the following:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

If you don’t have a problem agreeing to the above, you’re in good shape to get the CCSP.

5. Pay your first annual maintenance fee (AMF)

Finally, you must pay your first annual maintenance fee (AMF), which is $125 per year. However, if you only hold the Associate of (ISC)², it’s just $50 per year.

The AMF is due on the anniversary of your certification date (if you have multiple certifications, it’s the date of your earliest certification). You can pay it online via credit card, wire transfer, or a check in the mail. (If your employer gave you an (ISC)² training voucher, you can use that, too.)

That’s it! Once you complete the five steps above, you’ll get your CCSP certificate sent to you within a few short weeks.

To maintain your CCSP certification, you’ll need to continue paying the $125 AMF annually and recertify by completing 90 continuing professional education (CPE) credits every three years.

What Does the CCSP Certification Cost?

Earning the CCSP will cost you some money. For one, you’ll need to pay for the exam. The exam price (and taxes) will vary by location, but it’s 599 USD in the US, 479 GBP in the UK, and 555 Euro in other European countries.

That said, you also have the option to pay for the exam with an (ISC)² exam voucher. Your employer can buy them in bulk for employees and transfer them to anyone within the organization. But beware of non-official voucher providers as (ISC)² is the only organization authorized to issue them.

You can cancel or reschedule your CCSP exam within 365 days of registering, after which the exam fee won’t be refunded. To cancel or reschedule before then, contact Pearson VUE online within 48 hours of the exam or by phone within 24 hours of the exam. You can then reschedule for a fee of $50 or cancel for $100.

To maintain your CCSP, you’ll need to pay an annual maintenance fee (AMF) of $125. If you only hold the Associate of (ISC)², it’s just $50 per year.

Taken together, the CCSP certification costs $724 the first year, and then $125 every year after that. When you consider the potential salary boost and career opportunities that come with having the CCSP certificate, it’s a small price to pay.

Which One Is Best in the Cyber Security Field: CCSP or CISM?

The CCSP isn’t the only certificate you can get to advance your cyber security career. The CISM (Certified Information Security Manager) by ISACA can also do the job. Let’s go over what the two have in common first:

The CCSP and the CISM are both vendor-neutral IT security certifications that require having five years of work experience and passing a 150-question exam. For each, you also need to adhere to a code of ethics and complete continuing education credits to maintain the certification.

That said, the CCSP and the CISM also have important differences. For example, the CISM focuses on information security more generally (including information security governance, risk management, program, and incident management), while CCSP is geared exclusively toward cloud security.

In addition, the CISM exam costs $760 ($575 for ISACA members), while the CCSP exam only costs $599.

So which certification is best? It really depends on your career goals. If you know you want to work in cloud security (a market expected to grow from $8.33 billion in 2020 to $36.43 billion by 2028), then the CCSP is the way to go. However, if you’re interested in IT security more generally or you’re not sure what to specialize in, getting the CISM could be the better route.

Ultimately, it’s up to you. Do your research, weigh your options, and pursue the certification that best suits your needs. And remember, there’s no harm in getting both. The CCSP and the CISM are more complementary than they are different.

How Can I Pass the (ISC)² CCSP Exam?

Passing the (ISC)² CCSP Exam isn’t easy. It takes a lot of preparation and hard work. To increase your chances of passing, here are some things you can do:

1. Know the exam format.

The first step is to familiarize yourself with the CCSP exam format. Unlike the CISSP exam, for example, the CCSP is only offered as a traditional linear test, not a computer adaptive test (CAT) (though this may change in the future).

The CCSP is made up of 150 multiple choice questions, 50 of which are unscored. You have four hours to complete the exam, and you must score 700 out of 1000 points to pass.

2. Study for the exam.

To pass the CCSP exam, you need to study—a lot. Luckily, (ISC)² offers many study resources to help you, including:

  • An official (ISC)² guide to the CCSP CBK
  • An official (ISC)² CCSP study guide
  • Official (ISC)² CCSP practice tests
  • A CCSP For Dummies book
  • An official CCSP study app
  • Official CCSP flash cards
  • And CCSP online study groups

Choose a study resource that fits your learning style. Then choose a date for when you want to take the CCSP exam and design a study plan. You should give yourself ample time to prepare so that you don’t have to let other areas of your life suffer (e.g. family and work). The earlier you start studying, the better.

3. Take a course.

As important as it is to study alone, sometimes it also helps to study with others, that is, to take an exam prep course.

CCSP courses come in many formats. Some are in-person, and others are virtual. Some are self-paced, and others follow a schedule (including intensive boot-camp-style schedules that last only a few days). The right course format for you will depend on your time horizon, budget, and learning style.

Let’s go over some of your course options. For one, you can take a CCSP course by (ISC)² itself. It offers classroom-based, online instructor-led, online self-paced, and private on-site CCSP courses.

Alternatively, there are many CCSP courses offered by third-party companies at affordable rates. For example, you can take the Certified Cloud Security Professional Course by Readynez.

It’s available in virtual format for $2,950 or in classroom format for $3,990. Both span four days and include all course materials and a certificate guarantee. The classroom course also includes accommodation and all meals. This is an especially great way to prepare for the CCSP if you are on a tight schedule or have little time left before your exam date.

4. Take practice exams.

You don’t know what taking the CCSP exam is like until you actually take it. But you can get a good taste with practice exams. Practice exams are just like the real thing, except that they don’t count toward your certification.

We recommend taking as many CCSP practice exams as you can to prepare. Simulate the real exam environment by giving yourself a four-hour time limit and removing any distractions. Then check your answers with a grading key and see how you did. If you notice that you struggle in particular areas, focus on them when you study.

You can find plenty of free and paid CCSP practice exams online. Just do a simple Google search.

5. Develop good test-taking skills.

As with any exam, much of your performance on the CCSP exam comes down to test-taking skills. Here are some good habits to develop as you take practice exams:

  • Read questions carefully. Pay special attention to words like “all” or “none” that change the meaning of a question.
  • Pace yourself. Remember, you have four hours to complete the exam. When you don’t know the answer, mark the question, move on, and return to it if you have time at the end of the exam.
  • Use the process of elimination. If you know some answer choices are wrong, cross them out so you can narrow down the right answer.

You should also arrive at the testing center early. Give yourself a good time cushion in case you run into traffic. You don’t want to be stressed before the exam even starts!

Come to the exam well rested and fed. Get a good night’s rest the night before, have a hearty breakfast, and bring some water. Four hours is a long time. So make sure you’ll have the energy and stamina to get through it.

6. Request special accommodations if needed.

Lastly, (ISC)² offers special exam accommodations to those who need them. If you have special needs, don’t hesitate to make them known by filling out an accommodation form before you register for the exam. Email it to examadministration@isc2.org with the following:

  • An explanation of the accommodations you need
  • Documentation supporting the accommodation
  • The exam you want to take
  • The exam location

Special exam accommodations are approved on a case-by-case basis. Once approved, (ISC)² sends them to Pearson VUE, whom you can contact after two to three business days to schedule your exam.

If you follow all the above steps, you’re much more likely to pass the CCSP exam.

Is Getting Certified in CCSP Worth It?

At this point, you may wonder if getting the CCSP is worth it. After all, it takes a lot of work, time, and even some money. But we’re here to tell you it’s definitely worth it. When you earn the CCSP, you get to:

  • Join a global community. There are over 168,000 certified (ISC)² members, over 10,000 of which hold the CCSP certification. This means you can network with other professionals in your field, share and learn the best IT cloud practices, hear about new job postings, and stay on top of the latest industry trends and developments. You can even join a local (ISC)² chapter in your area.
  • Earn member perks. As an (ISC)² member, you get a lot of member perks, including discounts on (ISC)² events, 50% off official (ISC)² textbooks, and a free subscription to the bimonthly InfoSecurity Professional e-magazine. These perks alone can be worth getting the CCSP.
  • Continue to learn. To maintain your CCSP certification, you must regularly earn continuing professional education (CPE) credits. This involves attending events and webinars, mentoring, volunteering, and taking classes through the Professional Development Institute (PDI). The PDI offers 35 express learning, immersive and lab-style courses—all of which will help keep your cloud security skills sharp and stay up-to-date on the latest industry trends and developments. There’s no better way to invest in yourself and your IT career development.
  • Advance your career. When it comes to landing IT jobs and promotions, having the CCSP certificate helps you stand out from your peers. Your CCSP certificate will signal to employers that you are an expert in cloud security. Plus, it’s a highly versatile certificate that can benefit you across other IT positions as well. You never know when it might come in handy!
  • Boost your salary. On average, (ISC)² members report earning 35% more than non-members. With that kind of salary increase, the CCSP exam and recertification fees will pay for themselves in no time. In the US, the average CCSP earns $138,610!

Ultimately, you must be the one to decide if the CCSP is worth it. But given what we know about the CCSP holders, it’s clear that certifying has some huge advantages!

How Important Is the CCSP Certification?

Getting the CCSP certification may not seem that important to you right now, but it’s becoming more and more important over time. Cloud computing is a giant market expected to reach $1.614.1 trillion by 2030! That means companies will need more CCSPs in the coming years. But that’s not the only reason the CCSP is important.

The CCSP certification is also an important sign of credibility. Organizations and companies around the world recognize and respect the certification and look for it in job candidates. The CCSP is accredited by the American National Standards Institute (ANSI) under ANSI/ISO/IEC Standard 17024.

In addition, the CCSP plays an important role in offering cloud security professionals a common language for all things cloud security. Because CCSP is vendor-neutral, it helps everyone stay on the same page when it comes to cloud security terminology and methods.

All in all, there’s no better way to deepen your cloud security knowledge than by getting the CCSP. It’s a must-have for anyone working in (or interested in working in) the field.

CCSP Certification: Overview and Career Path

The CCSP is the most comprehensive vendor-neutral cloud security certification out there. The only other cloud security certification that comes close is the Certificate of Cloud Security Knowledge (CCSK) by the Cloud Security Alliance (CSA).

In fact, if you earn their CCSK, you can waive one year of work experience for the CCSP. That’s how you know the CCSP is the superior certification.

To qualify for the CCSP certificate, you must have five years of work experience, pass the CCSP exam, agree to the (ISC)² Code of Ethics, get endorsed by another (ISC)² member in good standing, and pay an annual maintenance fee (AMF).

Here are the six domains that the CCSP exam covers (and the proportion of questions they make up on the exam):

  • Cloud Concepts, Architecture, and Design (17%). This covers the background knowledge to understanding cloud computing systems.
  • Cloud Data Security (20%). This covers different strategies for protecting cloud data and implementing security programs and procedures.
  • Cloud Platform & Infrastructure Security (17%). This covers different components of a sound cloud infrastructure, including disaster recovery, business continuity, and more.
  • Cloud Application Security (17%). This covers applying the Secure Software Development Life Cycle (SDLC) and designing appropriate identity and access management (IAM) solutions.
  • Cloud Security Operations (16%). This covers operating and managing physical and logical cloud infrastructure, managing communication with third parties, and more.
  • Legal, Risk, and Compliance (13%). This covers all the legal requirements, unique risks, privacy issues, audit processes, and outsourcing that come with running a cloud environment.

Earning the CCSP will open a world of new opportunities for you. According to the (ISC)² website, the CCSP is ideal for those who want to work in the following positions:

  • Cloud Architect—This person is responsible for overseeing a company’s cloud computing strategy, including cloud application design, cloud adoption plans, and cloud monitoring and management.
  • Cloud Engineer—This person is responsible for all the technical aspects of cloud computing, like design, planning, management, and support.
  • Cloud Consultant—This person consults companies on the best cloud computing strategies and solutions. They are well-versed in the technical side of cloud security but also skilled at communicating cloud security concepts in layman’s terms.
  • Cloud Administrator—This person works to maintain the infrastructure of an organization’s cloud structure so that it continues to run well without disruptions.
  • Cloud Security Analyst—This person evaluates cloud security technologies and infrastructure and makes sure they conform to security standards. They also monitor and document cloud environments.
  • Cloud Specialist—This person helps organizations migrate their data and services to the cloud. They are instrumental in a company’s digital transformation.
  • Auditor of Cloud Computing Services—This person ensures that a company’s cloud data and services are protected with the appropriate controls.
  • Professional Cloud Developer—This person programs computer applications that operate in the cloud. The role is similar to that of a software developer, except that it involves developing cloud software exclusively.

As you can see, there are many different career directions you can take with a CCSP certificate. It will look good on your résumé no matter where you go.

In the final section, we’ll go over how much you can expect to make as a CCSP.

How Much Can Certified Cloud Security Professionals Make - 2022 Overview

On average, CCSPs earn 35% more than uncertified cloud professionals. And according to one estimate, the average salary for a CCSP is $138,610!

Of course, the amount you can make will vary by position. According to Payscale.com, you can expect your salary to be in the following ranges:

  • Security Architect: $94k - $160k ($126,595 average)
  • Security Engineer: $76k - $145k ($107,500 average)
  • Information Security Analyst: $65k - $80k ($73,289 average)
  • Cyber Security Engineer: $97k - $147k ($120,000 average)
  • Information Security Manager: $110k - $128k ($116,981 average)
  • Security Analyst: $70k - $83k ($74,546 average)
  • Director of Computing/Networking/IT Security: $130k - $178k ($160,994 average)
  • Cyber Security Analyst: $94k - $158k ($113,000 average)

Your expected salary as a CCSP will also vary by location. According to a 2021 Certification Magazine survey, the average CCSP salary is $150,400 in North America and $119,880 globally.

As for other regions of the world, an (ISC)² Cybersecurity Workforce Study shows the following average CCSP salaries:

  • Asia-Pacific: $61,835
  • Europe, Middle East, and Africa: $78,548
  • Latin America: $16,476

If you’re ready to take your cyber security career to the next level or you’re interested in learning more about cloud security, take the Certified Cloud Security Professional Course by Readynez. It will go over everything you need to know to pass the CCSP exam within four days, and you can choose to do it online or in person.

And the best part? It’s only $2,950 for the virtual course or $3,990 for the in-person course, and it comes with a certification guarantee! If you want to make sure you pass the CCSP, this is the way to go. Contact us today to learn more!
