This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
CCSP
ISC2 Certified Cloud Security Professional (CCSP) training equips practitioners with deep expertise in cloud architecture, data protection, platform hardening, application security, and operational controls, enabling robust, compliant cloud environments.
Who Should Take This
The course is intended for senior cloud security engineers, architects, or consultants who have at least five years of IT experience, including three years in information security. Participants seek to validate their mastery of the CCSP body of knowledge and to earn the globally recognized certification that advances their career and strengthens organizational cloud resilience.
What's Covered
All six domains of the ISC2 CCSP Common Body of Knowledge:
- Domain 1 Cloud Concepts, Architecture, and Design
- Domain 2 Cloud Data Security
- Domain 3 Cloud Platform and Infrastructure Security
- Domain 4 Cloud Application Security
- Domain 5 Cloud Security Operations
- Domain 6 Legal, Risk, and Compliance
Course Outline
69 learning goals
Domain 1: Cloud Concepts, Architecture, and Design
3 topics
Cloud computing concepts and reference architectures
- Apply NIST SP 500-292 cloud computing reference architecture roles (cloud consumer, provider, broker, auditor, carrier) to map security responsibilities and trust boundaries across multi-party cloud ecosystems.
- Differentiate the security implications of IaaS, PaaS, SaaS, FaaS, and CaaS service models to determine the shared responsibility boundaries for data protection, identity management, and infrastructure hardening.
- Evaluate public, private, community, and hybrid cloud deployment models to assess risk exposure, data sovereignty implications, and compliance feasibility for different organizational contexts.
Cloud security design principles
- Implement defense-in-depth security controls across cloud infrastructure layers including network, compute, storage, and application tiers aligned with the CSA Cloud Controls Matrix domains.
- Apply zero-trust security principles to cloud architecture design including continuous verification, micro-segmentation, least-privilege access, and assume-breach posture across multi-tenant environments.
- Design a secure multi-cloud architecture strategy that addresses consistent identity federation, centralized policy management, cross-provider encryption, and unified security monitoring across heterogeneous cloud platforms.
Cloud cost and risk analysis
- Analyze cloud migration risk factors including vendor lock-in, data portability constraints, API dependency, and service discontinuation to recommend risk mitigation strategies for cloud adoption programs.
- Evaluate cloud service provider business continuity and disaster recovery capabilities including SLA commitments, availability zone architecture, and geographic redundancy to assess organizational resilience posture.
- Develop a cloud adoption risk framework that integrates vendor lock-in mitigation, exit strategy planning, data portability requirements, and interoperability standards into organizational cloud strategy decisions.
Domain 2: Cloud Data Security
3 topics
Cloud data lifecycle and classification
- Implement a cloud data classification scheme that maps sensitivity levels to storage tiers, encryption requirements, access controls, and retention policies across IaaS, PaaS, and SaaS environments.
- Apply cloud data lifecycle management controls across creation, storage, use, sharing, archival, and destruction phases with cloud-specific considerations for object versioning, soft delete, and cryptographic erasure.
- Evaluate data discovery and classification automation tools to determine appropriate scanning coverage for structured databases, unstructured object stores, and SaaS application data repositories.
- Design a cloud data governance strategy that establishes data ownership accountability, stewardship roles, quality standards, and lineage tracking across multi-cloud data stores and analytics pipelines.
Cloud encryption and key management
- Implement cloud encryption strategies including server-side encryption, client-side encryption, envelope encryption, and format-preserving encryption to protect data at rest, in transit, and in use.
- Configure cloud key management architectures including provider-managed keys, BYOK (Bring Your Own Key), HYOK (Hold Your Own Key), and external key management systems to maintain cryptographic control appropriate to data sensitivity.
- Analyze the tradeoffs between cloud-native key management services, HSM-backed key stores, and external KMS integration to recommend a key management strategy that balances security, operational complexity, and regulatory requirements.
- Design a comprehensive cloud encryption and key lifecycle management program that addresses key generation, rotation, backup, destruction, and emergency recovery across multi-cloud deployments.
Data loss prevention and privacy
- Deploy cloud-native and CASB-integrated data loss prevention controls to detect and prevent unauthorized data exfiltration across email, file sharing, API endpoints, and SaaS collaboration platforms.
- Implement data masking, tokenization, and anonymization techniques to protect personally identifiable information in cloud databases, analytics pipelines, and non-production environments.
- Assess data residency and sovereignty requirements to determine appropriate cloud region selection, data replication constraints, and jurisdictional controls for organizations subject to multiple privacy regulations.
Domain 3: Cloud Platform and Infrastructure Security
4 topics
Compute and virtualization security
- Implement hypervisor security hardening controls including VM isolation, secure configuration baselines, and hypervisor patching procedures to mitigate virtual machine escape and side-channel attack risks.
- Configure container security controls including image vulnerability scanning, runtime protection, namespace isolation, pod security policies, and secrets management for Kubernetes orchestration platforms.
- Evaluate serverless function security considerations including cold start vulnerabilities, ephemeral execution context, event injection risks, and resource limit abuse to recommend appropriate function-level security controls.
- Assess confidential computing technologies including secure enclaves, trusted execution environments, and homomorphic encryption to determine applicability for protecting data in use within multi-tenant cloud infrastructure.
Cloud network security
- Implement virtual network security controls including security groups, network ACLs, virtual firewalls, and micro-segmentation to enforce east-west and north-south traffic policies in cloud VPC architectures.
- Configure hybrid cloud connectivity using VPN tunnels, dedicated interconnects, and transit gateway architectures with encryption in transit to establish secure communication between on-premises and cloud environments.
- Design a cloud network security architecture that integrates DDoS mitigation, web application firewall, CDN security, and DNS protection services to defend internet-facing cloud workloads against volumetric and application-layer attacks.
Cloud infrastructure hardening
- Establish cloud infrastructure hardening baselines using CIS Benchmarks, cloud provider security best practices, and automated compliance scanning to maintain secure configuration state across compute, storage, and network resources.
- Implement infrastructure-as-code security scanning and policy-as-code enforcement to detect misconfigurations, enforce guardrails, and prevent security drift in cloud infrastructure provisioning pipelines.
- Evaluate cloud storage security configurations including bucket policies, access logging, server-side encryption defaults, and versioning controls to prevent data exposure through misconfigured object storage services.
Cloud identity and entitlement management
- Implement cloud IAM policies using least-privilege principles, permission boundaries, and service control policies to restrict resource access across cloud accounts and subscriptions.
- Assess cloud infrastructure entitlement management tools to detect over-permissioned accounts, dormant credentials, and privilege escalation paths across multi-cloud identity stores.
Domain 4: Cloud Application Security
4 topics
Secure cloud application development
- Implement a secure cloud-native SDLC that integrates threat modeling, security requirements analysis, secure design review, SAST/DAST scanning, and security testing into CI/CD pipelines for cloud application delivery.
- Apply OWASP cloud-native application security guidelines to prevent injection, broken authentication, sensitive data exposure, and insecure API configurations in microservices and serverless architectures.
- Evaluate cloud application threat modeling approaches to determine appropriate methodologies (STRIDE, LINDDUN, PASTA) for identifying cloud-specific threats including multi-tenancy risks, shared resource abuse, and API gateway vulnerabilities.
Cloud identity and API security
- Configure cloud identity federation using SAML 2.0, OAuth 2.0, and OpenID Connect to establish secure single sign-on across SaaS applications, custom cloud workloads, and hybrid identity environments.
- Implement API security controls including API gateway authentication, rate limiting, schema validation, mutual TLS, and API key rotation to protect cloud service interfaces from abuse and unauthorized access.
- Design a cloud application identity and access management strategy that integrates service accounts, workload identity, managed identities, and machine-to-machine authentication for zero-trust microservice communication.
Cloud application supply chain and runtime protection
- Implement software composition analysis and container image scanning in cloud CI/CD pipelines to detect vulnerable dependencies, license violations, and malicious packages before deployment to production environments.
- Assess cloud application runtime protection approaches including RASP, eBPF-based monitoring, and cloud workload protection platforms to determine appropriate runtime security controls for different application architectures.
- Design a cloud application software supply chain security program that integrates SBOM generation, provenance attestation, dependency vulnerability tracking, and secure artifact registry management.
Cloud application sandboxing and isolation
- Implement application-level isolation mechanisms including sandboxing, process isolation, and service mesh mTLS to enforce security boundaries between microservices in shared cloud infrastructure.
- Evaluate CASB deployment models (proxy-based, API-based, agent-based) to determine appropriate cloud access governance controls for sanctioned and unsanctioned SaaS application usage.
Domain 5: Cloud Security Operations
5 topics
Cloud security monitoring and incident response
- Configure cloud-native security monitoring by integrating cloud audit logs, flow logs, DNS logs, and API activity logs into a centralized SIEM platform with correlation rules tuned for cloud-specific attack patterns.
- Implement a cloud incident response plan that addresses shared responsibility model considerations, evidence preservation in ephemeral environments, provider communication protocols, and cross-region containment procedures.
- Analyze cloud forensics challenges including volatile evidence collection, snapshot-based acquisition, provider cooperation requirements, and jurisdictional evidence handling to assess investigation feasibility in cloud environments.
- Design a cloud security operations center integration strategy that unifies on-premises and multi-cloud telemetry, automates cloud-specific response playbooks, and establishes escalation procedures for provider-side incidents.
Cloud security posture management
- Deploy cloud security posture management tooling to continuously assess infrastructure configuration compliance, detect drift from security baselines, and generate remediation recommendations across multi-cloud deployments.
- Implement cloud workload protection platform capabilities including vulnerability assessment, file integrity monitoring, behavioral analysis, and network segmentation verification across virtual machines, containers, and serverless functions.
- Evaluate CNAPP (Cloud-Native Application Protection Platform) architectures to assess unified visibility across CSPM, CWPP, CIEM, and pipeline security for converged cloud security operations.
Cloud disaster recovery and business continuity
- Implement cloud-based disaster recovery strategies including pilot light, warm standby, multi-site active-active, and backup-and-restore patterns that satisfy recovery time and recovery point objectives within budget constraints.
- Evaluate cloud backup encryption, cross-region replication, and immutable storage configurations to determine appropriate data protection controls that prevent ransomware destruction and satisfy compliance retention requirements.
- Plan a cloud DR testing program that incorporates chaos engineering experiments, automated failover validation, cross-region recovery drills, and tabletop exercises to verify cloud resilience capabilities.
Cloud change and patch management
- Establish cloud change management processes that incorporate infrastructure-as-code review, deployment pipeline approvals, canary releases, and automated rollback triggers to maintain service integrity during changes.
- Assess cloud patch management strategies including automated patching, immutable infrastructure replacement, and rolling update orchestration to determine appropriate approaches for different workload criticality levels.
Cloud communications and operations security
- Implement cloud service availability monitoring including synthetic transaction testing, health check endpoints, SLA tracking dashboards, and automated alerting for service degradation detection.
- Configure cloud cost anomaly detection and resource usage monitoring to identify cryptojacking, resource abuse, and unauthorized service provisioning as indicators of account compromise.
- Recommend a cloud operations security communication plan that defines provider notification channels, incident status page monitoring, and coordinated disclosure procedures for shared responsibility incidents.
Domain 6: Legal, Risk, and Compliance
4 topics
Cloud legal and regulatory frameworks
- Apply GDPR, CCPA, and international privacy law requirements to cloud service configurations including data processing agreements, subprocessor management, and cross-border data transfer mechanism selection.
- Evaluate cloud service agreement terms including liability limitations, data ownership clauses, breach notification obligations, and right-to-audit provisions to assess contractual security risk exposure.
- Differentiate e-discovery obligations in cloud environments including data preservation challenges, provider cooperation requirements, and cross-jurisdictional legal holds to determine appropriate litigation readiness procedures.
Cloud audit and assurance
- Execute cloud security assessments using CSA STAR self-assessment, SOC 2 Type II report analysis, ISO 27017/27018 certification review, and FedRAMP authorization documentation to evaluate provider security posture.
- Analyze the CSA Cloud Controls Matrix domain mappings to determine control coverage gaps between organizational security requirements and cloud service provider implemented controls.
- Design a continuous cloud compliance monitoring program that integrates automated control assessment, evidence collection, exception management, and regulatory reporting across multi-cloud deployments.
Cloud risk management and governance
- Implement a cloud risk management framework that addresses provider risk assessment, supply chain risk analysis, concentration risk evaluation, and risk treatment decisions specific to cloud consumption models.
- Develop a cloud governance framework that establishes cloud usage policies, provider selection criteria, security baseline standards, and escalation procedures for shadow IT and unsanctioned cloud service adoption.
- Analyze cloud provider shared responsibility models across IaaS, PaaS, and SaaS to determine residual risk ownership and map compensating controls for gaps between provider and consumer obligations.
Cloud privacy and ethical considerations
- Apply privacy-by-design principles to cloud architecture decisions including data minimization, purpose limitation, storage limitation, and privacy impact assessments for cloud-hosted personal data processing.
- Evaluate cloud provider data processing addendum compliance with GDPR Article 28 requirements including subprocessor notification, audit rights, data deletion obligations, and international transfer safeguards.
Scope
Included Topics
- All six domains of the ISC2 CCSP Common Body of Knowledge: Domain 1 Cloud Concepts, Architecture, and Design (17%), Domain 2 Cloud Data Security (20%), Domain 3 Cloud Platform and Infrastructure Security (17%), Domain 4 Cloud Application Security (17%), Domain 5 Cloud Security Operations (16%), Domain 6 Legal, Risk, and Compliance (13%).
- Cloud computing reference architectures including NIST SP 500-292, ISO/IEC 17788/17789, and CSA reference architecture covering IaaS, PaaS, SaaS, and emerging FaaS/CaaS service models.
- Cloud data security lifecycle management: data discovery, classification, encryption (client-side, server-side, BYOK, HYOK), key management, tokenization, data loss prevention, and data residency controls across multi-cloud environments.
- Cloud platform security: hypervisor security, container orchestration hardening, serverless function isolation, virtual network security, micro-segmentation, and cloud-native security tooling integration.
- Cloud application security: secure DevOps in cloud, API gateway security, identity federation for SaaS, CASB deployment models, web application firewalls, and runtime application self-protection.
- Cloud security operations: SOC integration with cloud telemetry, CSPM and CWPP tooling, cloud forensics challenges, incident response in shared responsibility models, and disaster recovery across availability zones and regions.
- Legal and compliance frameworks for cloud: GDPR cloud obligations, data sovereignty requirements, cross-border transfer mechanisms, cloud audit standards (SOC 2, ISO 27017/27018, CSA STAR), and contractual security requirements in cloud service agreements.
Not Covered
- Single-vendor cloud platform implementation details that are specific to AWS, Azure, or GCP product configurations rather than vendor-neutral CCSP CBK concepts.
- Physical data center construction, electrical engineering, and HVAC design detail beyond what is needed to understand shared responsibility models.
- Entry-level cloud computing fundamentals covered by foundational cloud certifications that are assumed prerequisite knowledge for CCSP candidates.
- Deep software development and programming language specifics beyond secure cloud application architecture and design principles.
Official Exam Page
Learn more at ISC2