The CCSP Cloud Security Certification is Hot, How Can I Prepare?


The (ISC)2 CCSP is hot. That's the Certified Cloud Security Professional. It's from the same group that offers the famous CISSP.

At the end of 2018 there were 131,180 people with CISSP world-wide, and 84,557 in the U.S.A. But, only 4,518 people world-wide held CCSP.

Do you want to be one of the new ones?

Not What You Expect

I've worked with cloud technology, largely IaaS on both Google's and Amazon's large cloud systems. I even wrote a course on how to safely deploy and configure IaaS cloud servers. Also, how to provision and program PaaS systems. However...

A certification exam is a peculiar challenge. More so for this one, as it isn't what many of us assume. My practical background of working on cloud servers provided no real advantage.

I was able to take Learning Tree's CCSP test-prep course. That course, #1213, helped to get me through the exam on the first attempt.

The Big Picture

As usual, they talk about a CBK (or Common Body of Knowledge) divided into domains. For CCSP, those are:

    • Architectural Concepts & Design Requirements

    • Data Security

    • Platform & Infrastructure Security

    • Application Security

    • Operations

    • Legal & Compliance

However, that's just the official story...

What's Its Name?

Let's say you removed the title and then showed me the material. Then you told me that the cert was "CCSP". So, what is it?

To be honest, I would have guessed that it stood for Certified Compliance Security Professional.

Yes, some questions use cloud terminology. And, some (but not all) of those explicitly ask you to answer in a cloud context. But, how many enterprise operations don't include some cloud technology today?

The dominant theme is compliance. Compliance with international law (e.g., GDPR), with national laws and regulations (HIPAA, Sarbanes-Oxley, PIPEDA), and with industry regulations (PCI DSS). Also, government (NIST) and international (ISO) standards and best practices.

finger pointing to a tablet with terms and stars

So, What Background Do You Need?

CCSP is not an introductory certification. It assumes that you're familiar with security and IT concepts. You don't have to have CISSP, but you need to know the technology covered in that exam.

You must also be comfortable with cloud concepts and terms. Know the cloud service models and deployment models. Understand the architecture. Also, know some common commercial examples of the service models.

When the exam uses cloud terms, it adheres to NIST definitions. See NIST SP-800-145,"The NIST Definition of Cloud Computing". Additionally, Learning Tree's Introduction to Cloud Computing course provides a solid background.

There is almost nothing in the CCSP question pool about cryptography, networking protocols, or operating systems. The test has 125 questions randomly selected from pools for each domain. I got one rather basic question about cryptography. Then, two about DNS. Finally, two about operating systems running on the virtualization environment found in cloud computing.

The other 120 questions, 96% of the exam, were about risk management, disaster recovery and business continuity, software development project management, and ISO and US Government standards. And, of course, compliance, compliance, compliance!

In addition, a significant block of content looks at data center design. Again, this isn't limited to "cloud" in the strict sense of the term. If you have helped design a data center, then you will know the needed concepts.

[sidebar_cta header="The (ISC)2 Cybersecurity Workforce Study Provided Interesting Findings. Learn What This Means for Your Organization." color="blue" icon="" btn_href="https://www.learningtree.com/resources-library/webinars/learning-from-the-isc-cybersecurity-workforce-study/" btn_href_en="https://www.learningtree.com/resources-library/webinars/learning-from-the-isc-cybersecurity-workforce-study/" btn_href_ca="https://www.learningtree.ca/resources-library/webinars/learning-from-the-isc-cybersecurity-workforce-study/" btn_href_uk="https://www.learningtree.co.uk/resources-library/webinars/learning-from-the-isc-cybersecurity-workforce-study/" btn_href_se="https://www.learningtree.se/kunskapsbank/webinars/learning-from-the-isc-cybersecurity-workforce-study/" btn_text="Watch On-Demand Webinar"]

What is the Test Like?

There are 125 questions, and you have 4 hours to answer them. This is good news. You aren't as pressed for time as you are with the CompTIA Security+ exam.

Additionally, 25 of those questions don't count. ISC2 inserts 25 "beta questions", ones they might use some day but only if they seem useful. Using this process, questions on Linux containers and SDN (or Software-Defined Networking) are already in the question pools.

And then, for the 100 questions that might count, ISC2 looks at the statistics. They drop questions that are too hard or too easy. If the pass rate for a question is too high or too low, then they don't count it.

Here's how to handle that: Don't panic!

When you get a weird question (and you will), give it your best guess and move on.

Do a good job of preparing (and the Learning Tree course does this), and don't worry. If you are well prepared, then the strange or surprising questions are those that don't count for or against you. Pick the best answer and move on.


Several of the questions will be a large paragraph setting up a scenario and then posing a question. The exam tests your ability to carefully read complex, verbose text. Many questions have one subtly placed word that makes all the difference. So, read carefully!

You will probably have a sequence of 4 or 5 questions based on the same scenario. The text may be similar, but read it all. Make sure you spot the important part in each question.

The pass/fail threshold is 70%. On any certification exam I want to be getting at least halfway from the minimum passing score to 100% before I risk taking the real test. So, my preparation goal was 85% or better.

Test Logistics

An entry-level exam like CompTIA Security+ is available most every day at all Pearson-Vue testing centers. That's not the case for CCSP.

I traveled to Chicago, about 2 hours away, where it was available 2 days every 2 weeks.

Then, be patient. I had to wait almost 10 weeks for the official verification after being told "You have provisionally passed."

verification stamped with the word passed

Good Luck!

You can do it! Take Learning Tree's test-prep course, and then follow the suggestions for further self-study and practice exams.

Written by Bob Cromwell