Security Study Guide

(ISC)² CCSP Study Guide

The (ISC)² Certified Cloud Security Professional (CCSP) validates advanced, vendor-neutral expertise in designing, securing, and operating cloud environments across six domains. It is aimed at experienced security architects, engineers, and managers (the credential requires five years of IT experience, three of them in information security and one in a CCSP domain). Since October 1, 2025 the exam uses Computerized Adaptive Testing (CAT) with 100 to 150 questions in a maximum of 180 minutes (3 hours), scored 0-1000 with 700 to pass.

Domain 1 Domain 2 Domain 3 Domain 4 Domain 5 Domain 6

Practice (ISC)² CCSP questions free Create free account

Domain 1: Cloud Concepts, Architecture and Design

Key concepts you must know · 87 practice questions

The three standard service models are IaaS (provider manages physical infrastructure, host, hypervisor, storage, and networking; customer owns guest OS upward), PaaS (provider also manages OS and runtime), and SaaS (provider manages the entire stack except data and access).
NIST SP 800-145 defines five essential characteristics of cloud: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
Rapid elasticity lets resources be provisioned and released automatically to scale out and in with demand, often appearing unlimited to the consumer; measured service means usage is metered, monitored, and billed per consumption.
In the shared responsibility model the customer is ALWAYS responsible for their data, its classification, and identity/access configuration (IAM), regardless of service model; the provider secures the infrastructure it controls.
Multi-tenancy means multiple customers share the same physical infrastructure, so the key risk is a failure of logical isolation; providers enforce separation via hypervisor, container, and network controls.
The four deployment models are public, private, community (shared by organizations with common concerns such as mission, compliance, or policy), and hybrid (combination connected by standardized or proprietary technology).
Vendor lock-in is the difficulty and cost of migrating away from a provider due to proprietary services or data formats; mitigate with open standards, abstraction layers, and isolating provider-specific integrations behind well-defined interfaces.
Key cloud roles per ISO/IEC 17789 and NIST SP 500-292: cloud service customer (consumer), cloud service provider, cloud carrier (provides network connectivity/transport), cloud broker, and cloud auditor.
Defense in depth layers independent controls so that the failure of one control does not collapse overall security.
Statelessness (externalizing session state to a managed cache or datastore) makes application instances interchangeable behind a load balancer and supports horizontal scaling and autoscaling.
Infrastructure as Code (e.g., Terraform) enables repeatable, reviewable, auditable provisioning with automated guardrail enforcement; remote state should use encryption at rest and locking (e.g., an S3 backend with encrypt = true and a DynamoDB lock table).
Cost-optimization levers: reserved/committed-use instances for steady long-term workloads, spot/preemptible instances for fault-tolerant batch work, right-sizing to observed utilization, and autoscaling to match real demand.
Trusted cloud reference frameworks include the NIST cloud computing reference architecture (SP 500-292), ISO/IEC 17788/17789, and the Cloud Security Alliance guidance.
Cloud-based business continuity and DR designs use multi-availability-zone and multi-region redundancy to remove single points of failure while balancing cost against required RTO/RPO.

Domain 2: Cloud Data Security

Key concepts you must know · 118 practice questions

The cloud data lifecycle has six phases in order: Create, Store, Use, Share, Archive, Destroy; protection decisions (classification, labeling, encryption) should be designed starting at Create.
Crypto-shredding (crypto-erasure) renders encrypted data permanently unrecoverable by securely destroying the encryption keys, and is the practical sanitization method in shared cloud storage where physical destruction is not possible.
Tokenization replaces sensitive values with non-sensitive tokens while preserving usability; the token vault that maps tokens to real data must be isolated from the application data stores.
Data masking (static or dynamic) obscures or substitutes sensitive identifiers so that non-production or unauthorized users see protected values while format and usability are preserved.
Symmetric encryption uses one shared key (fast, needs secure key exchange); asymmetric uses a public/private key pair (slower, enables secure key exchange and digital signatures).
Encryption in transit uses TLS/SSL; encryption at rest protects stored data; key control determines who can decrypt, making key management the central control in cloud data security.
BYOK (bring your own key) and HYOK (hold your own key) plus client-side encryption let customers retain control over key lifecycle and access to meet compliance and separation-of-duties requirements.
Separation of duties requires that key management responsibilities be kept distinct from data custody so no single party can both access keys and access the data they protect.
Data Loss Prevention (DLP) tooling performs discovery/classification and detects and blocks unauthorized movement or exposure of sensitive data across endpoints, network, and storage.
Data discovery and classification (including data labeling) is a prerequisite for applying the correct controls, since you cannot protect or apply policy to data you have not identified and categorized.
Object storage controls: enforce default encryption (e.g., aws s3api put-bucket-encryption with SSEAlgorithm aws:kms), deny unencrypted uploads via bucket policy conditions, and use object lock in COMPLIANCE mode for WORM retention.
Key vault hygiene: enable purge protection and soft delete so keys cannot be immediately and irrevocably deleted, and schedule key rotation on a defined cadence.
Information Rights Management (IRM/DRM) enforces persistent, policy-based access controls and usage restrictions that travel with the data itself even after it leaves the original store.
Storage tiering and lifecycle policies move aging data to cheaper archive/cold tiers or expire it to control cost while still meeting retention requirements, with encryption remaining enabled.

Domain 3: Cloud Platform and Infrastructure Security

Key concepts you must know · 112 practice questions

Network microsegmentation isolates workloads with fine-grained policy to limit lateral movement, so a compromise in one segment cannot freely spread across the environment.
A bastion host or jump server provides a single hardened, monitored entry point for administrative access to private resources, reducing direct exposure of management interfaces to the internet.
Resilience and availability come from eliminating single points of failure: deploy across multiple availability zones/regions and maintain regularly tested backups paired with a documented disaster recovery plan.
RTO (recovery time objective) is the maximum acceptable time to restore a service after an outage; RPO (recovery point objective) is the maximum acceptable data loss measured in time.
VM escape is the threat where an attacker breaks out of a guest VM to the hypervisor or host, potentially enabling cross-tenant compromise; hypervisor hardening and patching are critical mitigations.
The principle of least privilege grants only the minimum permissions needed; enforce it with RBAC, regular access reviews, and restricting administrative access to authorized, audited paths.
Restrict the blast radius of compromised credentials with MFA, scoped roles, short-lived credentials, and bastion/restricted administrative access.
Block public exposure of storage by default (e.g., aws s3control put-public-access-block with BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets all true).
Default-deny networking: set network ACLs/security groups to deny inbound by default and allow only required ports and source ranges (e.g., authorize TCP 443 from a specific CIDR rather than 0.0.0.0/0).
Cloud network controls include security groups (stateful, instance-level), network ACLs (stateless, subnet-level), and provider firewall rules with explicit priority and direction.
A management plane (the APIs/portal/CLI that control the environment) is the highest-value target; protect it with strong authentication, least privilege, and logging because it can reconfigure all resources.
Storage lifecycle transitions of old data to cheaper archive tiers lower cost while retaining the data to satisfy retention requirements.
A CDN serves cached content from edge locations close to users, lowering latency and reducing origin egress and load; co-locating communicating tiers in the same region/zone reduces cross-zone cost and latency.
Physical and environmental controls remain the provider's responsibility in public cloud, but customers must verify them through provider attestations rather than direct inspection.

Domain 4: Cloud Application Security

Key concepts you must know · 85 practice questions

Shift-left security integrates automated security testing (SAST, DAST, SCA, secrets scanning) into CI/CD to catch vulnerabilities early and consistently before code reaches production.
The SDLC phases (e.g., requirements, design, development, testing, deployment, operations/maintenance) each have security activities; threat modeling belongs in design and is commonly done with STRIDE.
Prevent injection (SQLi) and XSS with input validation, output encoding, and parameterized queries/prepared statements rather than string concatenation.
A web application firewall (WAF) inspects HTTP/S traffic to block common web exploits such as SQL injection and cross-site scripting at the application layer (e.g., associate a WAFv2 web ACL with an ALB).
Store secrets in a managed secrets manager or vault with access controlled by IAM and full audit logging; never hardcode credentials in source, images, or environment defaults.
An API gateway centralizes authentication, authorization, throttling/rate limiting, and request validation in front of services, providing consistent enforcement.
Zero trust treats no network location as trusted: use mutual TLS with per-service identity and explicit authorization on every call regardless of network position.
MFA combines factors (something you know, have, or are) and significantly reduces account compromise versus password-only authentication.
Federated identity and SSO use standards such as SAML 2.0, OAuth 2.0, and OpenID Connect; OAuth is for authorization and OIDC adds authentication on top of OAuth.
Container security: use minimal base images (distroless or alpine), scan images for vulnerabilities, and set securityContext with allowPrivilegeEscalation: false and a non-root user.
Kubernetes defaults are permissive: pods accept all traffic until a NetworkPolicy is applied; a default-deny ingress policy uses podSelector: {} with policyTypes: [Ingress] and no ingress rules.
Grant workloads cloud permissions via scoped roles (instance profiles or IRSA) with a service trust policy, instead of embedding long-lived access keys.
Serverless functions are billed per invocation and duration so idle time costs nothing; right-sizing memory allocation balances performance and cost because CPU scales with memory.
Cold-start latency affects new serverless instances; provisioned/warm concurrency mitigates it for latency-critical paths at additional cost.

Domain 5: Cloud Security Operations

Key concepts you must know · 173 practice questions

Centralize logging and events into a SIEM for correlation and detection, and use SOAR with documented runbooks to automate and standardize incident containment and response.
Logs must be tamper-resistant, time-synchronized (NTP), and retained per policy; enable integrity validation (e.g., aws cloudtrail create-trail with --enable-log-file-validation and --is-multi-region-trail).
Forward logs to a dedicated, access-restricted account with write-once/immutable (WORM) storage so an attacker who compromises a workload cannot alter or delete the evidence.
Cloud Security Posture Management (CSPM) continuously detects misconfigurations and compliance drift across resources and can apply automated remediation guardrails.
The CSA Cloud Controls Matrix (CCM) is a cloud-specific control framework mapped to multiple standards and regulations, useful for assessment, gap analysis, and compliance.
Threat detection services (e.g., GuardDuty) analyze logs and telemetry for malicious activity; enable continuous configuration recording (AWS Config) to track resource state and rule compliance.
Implement CIS Benchmark monitoring controls such as alerting on root account console logins via a CloudTrail metric filter and a CloudWatch alarm.
Cloud forensics requires preserving order of volatility: isolate the instance, then snapshot disks and capture volatile memory before any remediation, recording a documented chain of custody.
Change and configuration management uses immutable infrastructure and Infrastructure as Code so changes are versioned, reviewed, and reproducible rather than made manually in production.
Patch and vulnerability management reduce the exposure window to known flaws; in PaaS/SaaS and serverless the provider patches the underlying OS and runtime, narrowing customer scope.
ITIL-aligned operations practices (change, configuration, incident, problem, and release management) apply to cloud operations and are tested conceptually on CCSP.
Cost governance: use resource tagging tied to business units with budgets and anomaly-detection alerts to attribute spend and flag unexpected bill spikes the earliest.
Continuous utilization monitoring feeding right-sizing recommendations, scheduled scaling to shed off-hours capacity, and shutting down idle compute reduce operational spend.
Network security operations rely on segmentation/microsegmentation, least privilege, and monitoring of east-west as well as north-south traffic.

Domain 6: Legal, Risk and Compliance

Key concepts you must know · 54 practice questions

Data sovereignty and jurisdictional law may require that data be stored and processed within specific geographies, directly affecting cloud region selection; enforce with policy (e.g., deny actions where aws:RequestedRegion is not in an allowed list).
GDPR governs EU personal data and defines the data controller (determines purpose/means) and data processor (acts on the controller's instructions); cross-border transfers require an approved legal mechanism.
Independent assurance and attestations (e.g., SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27017 and 27018) let a customer evaluate a provider's controls and inherit only the controls that apply to them.
Accountability cannot be outsourced: transferring a function to a provider does not remove the data owner's reputational, regulatory, and breach-notification obligations.
SLAs define measurable commitments (availability, performance, support response) and remedies; review them to match service tier and price to required performance and availability.
Contracts should include right-to-audit clauses, defined security requirements, incident-response and evidence-access provisions, and escalation/notification SLAs agreed up front.
A reversibility/exit strategy specifies data export formats, timelines, and secure deletion obligations to enable portability and avoid vendor lock-in premiums.
Risk treatment options are avoid, mitigate/reduce, transfer (e.g., insurance/contract), and accept; residual risk that remains after controls must be formally accepted by the business.
Cloud risk assessment frameworks include ISO/IEC 31000 for risk management and NIST SP 800-37 (Risk Management Framework); the CSA CAIQ supports provider due diligence.
eDiscovery and legal hold in cloud are complicated because relevant data may be auto-purged or its physical location obscured; preservation must be coordinated with the provider's capabilities and retention suspended.
PII privacy frameworks and standards include ISO/IEC 27018 (PII in public cloud), GAPP, and sector laws such as HIPAA (US healthcare) and PCI DSS (payment card data).
A Business Impact Analysis (BIA) identifies critical processes and justifies RPO/RTO targets, which then drive the replication and DR design against cost and compliance constraints.
Verify compliance posture with tooling such as aws configservice describe-compliance-by-config-rule, which reports resources as compliant or non-compliant against managed rules.
Vendor and supply-chain risk management requires assessing nested/fourth-party providers, because SaaS providers' own subprocessors can introduce risk the customer must understand.

(ISC)² CCSP exam tips

Always start from the shared responsibility model: identify the service model (IaaS/PaaS/SaaS) first, then decide who owns the control in question. Data and access management are always the customer's.
CCSP is vendor-neutral and concept-driven. When an answer cites a specific AWS/Azure/GCP command, choose it for the principle it demonstrates (e.g., enforce encryption, deny public access) rather than memorizing syntax.
Watch for the 'most early/most effective/best' qualifier in questions. Eliminate answers that destroy evidence (disabling logs), violate least privilege, or break separation of duties.
Know the lifecycles and ordered lists cold: cloud data lifecycle (Create, Store, Use, Share, Archive, Destroy), risk treatment options, and the order of volatility for forensics.
It is a long exam of up to three hours scored to 700/1000, now delivered as a Computerized Adaptive Test (CAT) presenting 100 to 150 questions. Pace yourself, and pick the answer that best reflects (ISC)² best practice rather than a real-world shortcut.

Study guide FAQ

What are the experience requirements to earn the CCSP?

You need five years of cumulative paid IT work experience, including three years in information security and at least one year in one or more of the six CCSP domains. Holding the (ISC)² CISSP can satisfy the entire CCSP experience requirement, and the CCSK from the CSA can substitute for one year of CCSP-domain experience. Without the experience you can pass the exam and become an Associate of (ISC)² while you earn it.

How is the exam structured and scored?

Since October 1, 2025 the CCSP exam uses Computerized Adaptive Testing (CAT), presenting 100 to 150 multiple-choice questions to be completed in a maximum of 180 minutes. It is scored on a scale of 0 to 1000, and you need 700 to pass. The six domains are weighted, with Cloud Security Operations and Cloud Data Security carrying the largest shares and Legal, Risk and Compliance the smallest.

How is CCSP different from the CSA CCSK or CompTIA Cloud+?

CCSP is a senior, experience-based credential focused specifically on cloud security architecture, data, operations, and governance, and it requires endorsement and ongoing CPE/continuing education. The CCSK is a knowledge-only certification (no experience requirement) based on CSA guidance and is a good precursor. Cloud+ is more operational/administrative and broader than security alone. CCSP sits at a more advanced, security-focused tier.

Do I need hands-on experience with a specific cloud provider like AWS or Azure?

No single provider is required because the exam is deliberately vendor-neutral. However, practical familiarity with at least one major platform helps you reason about concepts like IAM, key management, network controls, and logging. Focus your study on the underlying principles and the (ISC)² Common Body of Knowledge rather than provider-specific certification material.

Test yourself: 629 (ISC)² CCSP practice questions