Frequently Asked Questions

Q. Why are (ISC)² and CSA introducing this new credential?

A. As powerful as cloud computing is for an organization, understanding the associated information security risks and mitigation strategies is critical. Cloud computing is increasingly the future of IT, and must integrate with in-house IT infrastructure and data assets. Information technology professionals who understand how cloud services can be securely implemented and managed within their organization's IT strategy and governance requirements are essential.

(ISC)² and the Cloud Security Alliance (CSA) have developed a cloud security credential that defines the qualifications and experience level necessary to secure cloud services. The Certified Cloud Security Professional (CCSP) validates that professionals have met the highest standard for cloud security expertise, so they can benefit from the power of cloud computing while keeping sensitive data secure.

By combining the expertise from both organizations, (ISC)² and CSA are establishing a common global understanding of professional knowledge and best practices in design, implementation, management and service orchestration of cloud computing systems. The combined initiative addresses the expanded information security complexities as organizations begin to leverage cloud-based infrastructure, software and services more frequently.

Q. What market need does the CCSP fill?

A. According to the 2015 (ISC)² Global Information Security Workforce Study, 73 percent of respondents believe that cloud computing will require information security professionals to develop new skills. Further, 70 percent of respondents believe that a cloud security certification program would be at least somewhat relevant to them, of which 31 percent indicate that it would be very relevant. Cloud computing was identified as the top area of information security with growing demand for education and training within the next three years.

Microsoft calls the cloud: "A transformative technology that will drive down costs, spur innovation, and open up new jobs and skillsets across the globe." Several factors are contributing to rapid growth and change in the cloud computing market. The cloud provides multiple business and consumer benefits, many of which relate to business agility and cost of ownership. In the coming years, cloud computing will grow largely at the expense of traditional IT.

The growing adoption of cloud services will increase the demand for security professionals who can apply the proper controls to public, private, community and hybrid cloud models. Also, cloud service providers, organizations adopting cloud services and professional service firms assisting with cloud management and implementation will all need qualified cloud professionals. As organizations replace traditional IT architectures with cloud models, cloud expertise will move from a "nice to have" capability to a "must have."


Q. Why are (ISC)² and CSA qualified to offer a cloud security credential?

A. Both (ISC)² and the Cloud Security Alliance are world-renowned, respected organizations amongst the information security and cloud computing industries, respectively. They have converged their industry expertise to offer a vendor-neutral, advanced cloud security professional certification. Both have extensive and comprehensive bodies of knowledge developed by global subject matter experts that address cloud security.

There is demand amongst (ISC)² members and the information security industry for a global, vendor-neutral, advanced cloud security professional certification. Cloud computing has emerged as a critical topic area within IT that requires further security considerations. As the largest not-for-profit membership body of certified information security professionals worldwide, (ISC)² recognizes that security must be addressed within cloud computing in order for the IT and information security fields to thrive in the future.

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA's activities, knowledge and extensive network benefit the entire community impacted by cloud - from providers and customers, to governments, entrepreneurs and the assurance industry - and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the "Security Guidance for Critical Areas of Focus in Cloud Computing", the "Cloud Controls Matrix", "Top Threats to Cloud Computing" and 50 other cloud security research artifacts.


Q. How does the CCSP help employers?

A. The CCSP provides employers with a reliable indicator of candidates' overall competency in cloud security, thereby ensuring they put the right people in place who can leverage the benefits of cloud computing and possess the knowledge, skills and abilities needed to address the security and business issues associated with the complexities of cloud computing. The CCSP should simplify and improve the hiring process for both public and private sector organizations.

  • CCSP is powered by the two leading non-profit membership organizations focused on cloud and information security: CSA and (ISC)². Their collaboration ensures this credential reflects the most current and comprehensive best practices for securing and optimizing cloud computing environments.
  • CCSP's experience requirement - minimum of 5 years of full-time, paid, cumulative information technology experience, including at least 3 years of information security and 1 year of cloud computing - helps confirm competency based on hands-on experience, thereby validating candidates' practical knowledge applicable to day-to-day responsibilities.
  • CCSP is vendor-neutral and requires practical knowledge and skills covering a broad set of cloud security capabilities necessary for cloud professionals to effectively carry out their responsibilities and contribute to the overall security of their cloud environment.
  • As a professional credential, CCSP reflects more than the knowledge needed to pass a test. It includes: a) exam and testing meeting American National Standards Institute (ANSI) requirements; b) legal commitment to code of ethics; c) endorsement from appropriate certified professionals; and d) commitment to continuing professional education - all of which provide employers with increased confidence that CCSPs are qualified and committed to tackling the cloud security challenges of today and tomorrow.

Q. How will CCSP help information security and compliance professionals proficient in cloud computing?

A. The CCSP will provide candidates with a widely recognized measure of their competency in cloud security, thereby providing valuable differentiation that promotes their cloud security knowledge, skills and experience and instills confidence among existing and prospective employers as well as the industry in general. The CCSP will help cloud security professionals:

  • Validate and enhance their standing as advanced cloud security professionals with a comprehensive, credible, international certification.
  • Instill employer confidence in their abilities and expand career opportunities with a credential that confirms their current expertise as well as their capacity to grow and evolve with the cloud security industry.
  • Provide the assurance that can only come with a credential backed by (ISC)², the globally recognized Gold Standard in information security certification.
  • Apply cloud security anywhere in the world, knowing that their CCSP counterparts in other countries operate using a common globally recognized body of knowledge.
  • Continue ongoing education in the latest advances in cloud security through the (ISC)² periodic recertification process.

Q. Who should obtain the CCSP?

A. The CCSP is most appropriate for those well versed in IT and information security, with some experience in cloud computing. The ideal candidate will have experience in applying security concepts and controls to cloud environments.

We expect CCSP professionals will come from a suite of IT, IT security and compliance positions, including:

  • IT Architects - Systems Architects, Enterprise Architects, Security Architects and Web Solutions Architects should all find CCSP applicable and helpful to their careers.
  • Web Security & Cloud Security Engineers should view the CCSP as a career-enhancing credential.
  • IT Security Professionals, including CISSPs, with cloud experience. They should want to further their careers by positioning themselves as cloud security professionals.
  • Governance, Risk & Compliance (GRC) professionals - those who meet the CCSP criteria will see value in the credential, given the importance of the risk and compliance aspects of cloud services.
  • IT Auditors may see CCSP as a good way to further their careers as the world moves to the cloud.


Q. What is required to earn the CCSP?

A. Candidates must have a minimum of 5 years cumulative paid full-time work experience in information technology, of which 3 years must be in information security and 1 year in 1 or more of the 6 domains of the CCSP CBK. Earning CSA’s CCSK certificate can be substituted for 1 year of experience in 1 or more of the 6 domains of the CCSP CBK. Earning (ISC)²’s CISSP credential can be substituted for the entire CCSP experience requirement.

Exam candidates are given 4 hours to take the exam, which consists of 125 questions. The exam costs US$549. As with all (ISC)² credentials, CCSP candidates must also subscribe to the (ISC)² Code of Ethics and be endorsed by an (ISC)² member in good standing.

Q. What is required to maintain the CCSP?

A. During their three-year certification cycle, CCSPs must pay Annual Maintenance Fees (AMFs) of US$100 per year and earn 90 CPEs, with a minimum of 30 each year. Associates of (ISC)² working toward the CCSP must pay US$35 AMFs and earn 15 CPEs each year.

As part of (ISC)²'s and CSA's collaboration, CCSP and other (ISC)² credential holders can utilize CSA's education and training, research projects, events, working groups and other programs to stay abreast of cloud security best practices while helping to satisfy their CPE requirements.


Q. Does the CCSP complement other (ISC)² and CSA certifications/education programs?

A. Yes. The Certified Cloud Security Professional (CCSP) credential complements and builds upon the existing credentials and educational programs of both CSA and (ISC)². Both organizations provide a complementary portfolio of industry-leading certifications that validate a professional's knowledge in the security of cloud computing systems.

Because CSA is the agile group that quickly addresses changes in the cloud security landscape and is an "incubator of cloud best practices," their research and working groups as well as their education and training programs can provide relevant opportunities for continuing education and CPEs for maintaining the CCSP.


Q. Aren't other credentials already gauging cloud security knowledge? How does CCSP compare with CCSK?

A. CSA's Certificate of Cloud Security Knowledge (CCSK) examination tests across a broad foundation of cloud security knowledge. The CCSK body of knowledge includes 14 domains and covers some unique and critical areas of knowledge, such as Security as a Service, which are not covered in other credentials. CCSK also covers the CSA Cloud Controls Matrix, the industry standard security controls framework, which is a requirement for the CSA Security, Trust and Assurance Registry (STAR) program of cloud provider certification. CCSK provides an excellent indicator of baseline cloud security knowledge appropriate for almost any IT position. The knowledge reflected by the CCSK certification program helps employers ensure their teams are better equipped to cope with the increasingly pervasive cloud computing issues they now face.

The CCSP credential builds upon many of the areas covered by CCSK in order to provide deeper knowledge derived from experience with cyber, information, software and cloud computing infrastructure security. It validates practical know-how applicable to those professionals whose day-to-day responsibilities involve cloud security architecture, design, operations, and service orchestration. As an advanced professional credential, CCSP also reflects more than the knowledge needed to pass an exam. It includes: a) exam and testing meeting ANSI requirements; b) legal commitment to code of ethics; c) endorsement from appropriate certified professionals; and d) commitment to continuing professional education - all of which demonstrate that CCSPs are qualified and committed to tackling the cloud security challenges of today and tomorrow.

While there are other cloud-related certifications available, most are vendor-specific and relate to vendor technology and solutions. Those that include information security do so nominally at a theoretical level. Both CCSP and CCSK are vendor-neutral and reflect overall industry best practices for securing cloud environments.


Q. When should I choose CCSP vs. CCSK?

A. Professionals whose job requirements include a heavy involvement with cloud security should pursue both the CCSK and CCSP. The CCSK is an excellent indicator of baseline cloud security knowledge. It is appropriate for a wide range of IT professionals, including those in governance and compliance and even some non-IT professionals. The CCSP credential is intended for professionals who are heavily involved in cloud security via roles that are accountable for protecting enterprise architectures.

The typical cloud security professional will likely achieve the CCSK first, and then the CCSP credential. Attainment of the CCSK also can be substituted for the one year of cloud security experience out of the total five years in qualifying for the CCSP. We strongly recommend the CCSK for those who do not yet have the necessary information security and cloud experience to qualify for CCSP.

Since CCSP builds off CCSK, existing holders of the CCSK are encouraged to pursue the CCSP as the next logical step in their career path if the majority of their day-to-day duties involve securing cloud computing environments.

The breadth of CCSK, combined with the depth of CCSP, will now be the benchmark for comprehensive and demonstrable cloud security expertise.


Q. When can I register for the CCSP exam and when can I sit for the exam?

A. Exam registration is available as of April 21, 2015. Candidates will be able to sit for the CCSP exam beginning July 21, 2015. Candidates can register to take the CCSP exam at PearsonVUE testing centers worldwide at


Q. What's the best way to study for the CCSP exam?

A. The CCSP exam outline is a useful self-study aid. It provides an overview of each domain and a list of key knowledge areas in each of the domains, as well as a list of references to aid candidates in studying the domains in depth. The electronic version of the Official Guide to the (ISC)² CCSP CBK textbook will be available at a later date. The (ISC)² Training Courses for the CCSP will be available starting June 8, 2015 in the United States. Candidates will be able to register for the exam and/or classes beginning April 21, 2015.


Q. When will the exam be made available in languages other than English?

A. We will evaluate each opportunity on a case-by-case basis. We are in the process of evaluating languages as they relate to market need and will announce other developments as they arise.


Q. How can someone early in their career get involved in the CCSP?

A. (ISC)² offers an Associate of (ISC)² program for CCSP, which gives aspiring IT and information security professionals interested in cloud computing access to career development resources, such as networking with established professionals and the opportunity to test their knowledge by taking the CCSP exam while they're acquiring the work experience necessary to become credentialed.