
Certified Cloud Security Professional (CCSP): Exam, cost, and requirements

Get answers to your burning questions about this cloud security certification and whether it's the right cert for you.


What is the CCSP certification?

CCSP is a cloud-focused security certification for experienced security pros offered by the International Information System Security Certification Consortium, or (ISC)2. CCSP stands for Certified Cloud Security Professional, and it's one of a suite of certs offered by (ISC)2, a nonprofit focused on training and certifying cybersecurity professionals.

While (ISC)2 has been offering certifications since the 1980s, CCSP is a relatively new cert on the scene: it was rolled out at the RSA Conference in 2015 and has grown more popular since as more and more enterprises aim to securely move storage, infrastructure, and applications to the cloud. (ISC)2 says that CCSP certification demonstrates that "you have the advanced technical skills and knowledge to design, manage and secure data, applications and infrastructure in the cloud using best practices, policies, and procedures."

Following are some answers to frequently asked questions about this security certification built for the cloud.

Who should get CCSP certified?

As Daniel Carter, author of CCSP Cloud Security Professional All-in-One Exam Guide, said in an interview, "The best candidates are more experienced IT architect and security types, including engineers. For people whose companies are moving into the cloud, it's important. It's also a good way to expand your marketability to employers. Since the cloud is so new, the CCSP gives employers a way to see that potential employees have gone through the rigor of the exam."

A CCSP certification signals both that you have demonstrated domain knowledge and that you possess relevant experience. We'll dig into what a CCSP cert can mean for your career later in this article; but first, let's look at how you can go about getting certified.

What is covered on the CCSP exam?

Let's start with the part of CCSP certification most people are most focused on: the exam. The CCSP contains questions that draw from what (ISC)2 calls the common body of knowledge, or CBK, for cloud security professionals — a "peer-developed compendium of what a competent professional in their respective field must know, including the skills, techniques, and practices that are routinely employed." The CBK is in turn broken down into domains, or topic areas. The different CCSP domains and the portion of the exam you can expect each to take up are as follows:

  • Cloud concepts, architecture, and design: 17%
  • Cloud data security: 19%
  • Cloud platform and infrastructure security: 17%
  • Cloud application security: 17%
  • Cloud security operations: 17%
  • Legal, risk, and compliance: 13%

You'll take the exam on a computer terminal at your local Pearson VUE test center. You have three hours to take the test, which consists of 100 to 150 questions; the length varies because it's an "adaptive" test, meaning that if you answer enough questions within a domain correctly to show competence for that domain, your computer terminal will stop asking you those types of questions. (There's a lively discussion thread in the (ISC)2 community forums where test-takers talk about how many questions they saw when they took it.)

The questions are multiple-choice, but you may encounter "scenario-based" questions, where you have to answer several multiple-choice questions about an example scenario. In addition, 25 questions on each test are "pre-test" questions: they're included for research purposes as (ISC)2 assesses them for possible inclusion on future tests. They don't count towards your score, but they also aren't marked, so you won't know which ones they are.

The CCSP exam is available in English and Japanese. You can find more details on (ISC)2's website.

How much does the CCSP exam cost?

The CCSP exam costs $599 in the United States, with comparable costs in local currencies in the EU and the UK.

This is a not insignificant outlay of cash—and it's important to keep in mind that this isn't the only cost involved in CCSP certification. There are more requirements (and associated payments) as well.

What are the CCSP requirements?

Passing the CCSP exam is only one step of the CCSP certification process. Because this isn't a certification for those at the beginning of their careers, candidates must also demonstrate industry career experience.

In a nutshell, to get CCSP certified, you must have:

  • At least five years of paid work experience in IT;
  • At least three years of which must be in information security;
  • And at least one year of which must be in one or more of the six CCSP CBK domains we listed above.

(ISC)2's website has more details, including ways alternate experience like part-time or unpaid work can be counted towards these requirements. If you already have the Cloud Security Alliance's Certificate of Cloud Security Knowledge, (ISC)2 considers that equivalent to a year of professional experience. (ISC)2's CISSP security certification has its own extensive professional experience requirements, and if you already have that cert, that experience also qualifies you for CCSP. (CSO has more info on CISSP here.)

In addition, (ISC)2 requires an endorsement from another (ISC)2-certified professional that attests to your work experience, although you can make arrangements with (ISC)2 itself to provide an endorser if you don't know anyone who can serve in the role.

One last note on this topic: even if you don't have all the experience needed to achieve certification yet, you can still take the CCSP exam. If you pass, you can receive Associate of (ISC)2 status, with access to (ISC)2 training resources as you work towards your ultimate certification goal, which you have six years to achieve.

How much does CCSP certification cost?

In addition to the cost of the exam, candidates aiming to be fully certified must pay (ISC)2 $125 in Annual Maintenance Fees. (For Associates, these fees are only $50 a year.) Because these fees are for membership in the organization, they are the same no matter how many (ISC)2 certs you're maintaining. You'll also need to fulfill continuing education requirements, which may have associated costs as well.

CCSP vs CISSP: Is CCSP harder than CISSP?

As we noted above, (ISC)2 has another certification for upper-level security pros with a fair amount of industry experience: Certified Information Systems Security Professional, or CISSP. The biggest difference between them is that the CISSP exam draws from a much broader and more general pool of security knowledge: it's meant to show that you can design, implement, and manage a cybersecurity program at the enterprise level. CCSP, by contrast, is entirely cloud focused. It covers less ground than CISSP—and indeed, the CISSP exam is twice as long as CCSP’s. But CCSP is also more in-depth on cloud topics.

A thread on the (ISC)2 community forums offers some interesting insight into how different people who have taken, or are considering taking, both exams approach the question of which is harder—and in what order you should take the two exams.

What CCSP training is available?

If you dive into that thread, you'll also see discussion of how much time and effort those forum users put into studying for the exam — and in some cases it was many, many hours. Even if you think you're cloud security savvy, you're still going to want study resources to help you prepare. (ISC)2 provides its own official material for this purpose, including a study guide and a collection of practice tests.

Of course, there are third-party books available as well. We've mentioned Daniel Carter above; his book is considered the gold standard. You also might want to check out Gwen Bettwy's CCSP Cloud Guardians.

If you want to go beyond books, there are a variety of more fully featured and interactive training courses available to you. (ISC)2 offers a self-paced training course that comes bundled with the exam itself, which can save you a bit of money. The Infosec Institute offers a CCSP boot camp that comes with an exam pass guarantee (basically, if you fail the exam after taking their training course, they'll pay for you to take it again).

As is the case with most certs, there are plenty more training courses out there. Here's a great list of open online CCSP courses, ranked by enrolled students and reviews, to give you a sense of the most popular.

What salary can I get with CCSP certification?

We're going to end with the question that's probably been lurking in your mind as you made your way through this article: Can a CCSP certification help you make more money?

This is much easier to ask than to answer. Obviously, it's in the best interest of (ISC)2 to tell you that a CCSP will boost your earning power. The org's website references a couple of salary surveys that show that CCSP holders make good money—more than $115,000 in North America, and on par with that elsewhere.

Of course, it's very difficult to tell whether this is a matter of correlation or causation. After all, in order to achieve CCSP certification, you need to have five or more years of industry experience under your belt, and that alone will boost your value in the job market. You should be wary of anyone who tries to guarantee you that a certification will provide a specific salary boost. That said, in an in-demand domain like cloud security, a certification can only make you stand out more—and CCSP and (ISC)2 are well respected in the industry.

Copyright © 2021 IDG Communications, Inc.