CCSP exam and CBK changes in August 2024

December 2, 2024 by Fakhar Imam

The International Information System Security Certification Consortium, or ISC2, introduced changes to its Certified Cloud Security Professional (CCSP) certification on August 1, 2024. This is the third update since the certification's inception in 2015; the previous update took effect in August 2022. These enhancements aim to better align the CCSP domains with the latest changes in cloud security and the newest trends in cloud computing technologies and methodologies, including emerging, fast and sophisticated threats.

This article explores the 2024 changes to the exam, as well as the 2022 changes to the domains covered by the CCSP certification exam. These changes are closely related to the roles and responsibilities of today’s practicing cloud security professionals. They are drawn from various topics in the updated ISC2 CCSP common body of knowledge (CBK), a comprehensive framework of information security terms, principles, skills and techniques that a competent professional must know and use.

By reviewing the new topics covered by the exam, you can identify areas of study that may need additional attention if you want to pass the test on the first attempt.

What changes were made to the CCSP exam in 2024? 

As of August 1, 2024, the CCSP exam was reduced from 150 to 125 multiple-choice questions. To accommodate this change, the time allotted for the exam decreased from four hours to three hours.

In this update, the domains, their weight and the exam format all remain the same.

What changes were previously made to CCSP domains and their weight?

Although the 2024 update did not lead to any domain changes, the previous update impacted the domains and their weights. As a result of the CCSP domain refresh on August 1, 2022, minor adjustments from the 2019 version were made: a 1% change in the weights for Domain 2: Cloud data security and Domain 5: Cloud security operations. All other domain weights are identical.

| Major Domains | August 2019 | August 2022 |
|---|---|---|
| Domain 1: Cloud concepts, architecture and design | 17% | 17% |
| Domain 2: Cloud data security | 19% | 20% |
| Domain 3: Cloud platform and infrastructure security | 17% | 17% |
| Domain 4: Cloud application security | 17% | 17% |
| Domain 5: Cloud security operations | 17% | 16% |
| Domain 6: Legal, risk and compliance | 13% | 13% |
| Total | 100% | 100% |

Although these changes seem minor, ISC2 added new cloud security concepts in 2022 and removed some content from the CCSP CBK. All domains have been updated or realigned to test the knowledge and hands-on experience in cloud security architecture, design, operations and service orchestration that today’s professionals need.

Skills covered in each of the CCSP domains

In each of the six CCSP domains, you will find critical topics you should know. These are areas you need to study before getting tested. To prepare effectively, review the modules, as they highlight critical information which can help you pass the exam for certification.

CCSP Domain 1, Cloud concepts, architecture and design is an overview of cloud computing concepts, models (services and deployments) and principles.

  • 1.1 Understand cloud computing concepts
  • 1.2 Describe cloud reference architecture
  • 1.3 Understand security concepts relevant to cloud computing
  • 1.4 Understand design principles of secure cloud computing
  • 1.5 Evaluate cloud service providers

CCSP Domain 2, Cloud data security is an overview of data classification and categorization, data lifecycle stages, data retention and auditing.

  • 2.1 Describe cloud data concepts
  • 2.2 Design and implement cloud data storage architectures
  • 2.3 Design and apply data security technologies and strategies
  • 2.4 Implement data discovery
  • 2.5 Plan and implement data classification
  • 2.6 Design and implement information rights management (IRM)
  • 2.7 Plan and implement data retention, deletion and archiving policies
  • 2.8 Design and implement auditability, traceability and accountability of data events

CCSP Domain 3, Cloud platform and infrastructure security requires a baseline knowledge of cloud security strategies, risks and responsibilities, storage and a business continuity program.

  • 3.1 Comprehend cloud infrastructure and platform components
  • 3.2 Design a secure data center
  • 3.3 Analyze risks associated with cloud infrastructure and platforms
  • 3.4 Plan and implementation of security controls
  • 3.5 Plan business continuity (BC) and disaster recovery (DR)

CCSP Domain 4, Cloud application security is an overview of the software development lifecycle, testing, architecture and auditing of cloud services.

  • 4.1 Advocate training and awareness for application security
  • 4.2 Describe the secure software development life cycle (SDLC) process
  • 4.3 Apply the secure software development life cycle (SDLC)
  • 4.4 Apply cloud software assurance and validation
  • 4.5 Use verified secure software
  • 4.6 Comprehend the specifics of cloud application architecture
  • 4.7 Design appropriate identity and access management (IAM) solutions

CCSP Domain 5, Cloud security operations includes ways of achieving data center high availability through redundancy, capacity/maintenance monitoring, risk management and change/configuration monitoring. It also covers data center redundancy and standards.

  • 5.1 Build and implement physical and logical infrastructure for cloud environment
  • 5.2 Operate and maintain physical and logical infrastructure for cloud environment
  • 5.3 Implement operational controls and standards (e.g., information technology infrastructure library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
  • 5.4 Support digital forensics
  • 5.5 Manage communication with relevant parties
  • 5.6 Manage security operations

CCSP Domain 6, Legal, risk and compliance covers the laws, regulations and standards for protecting data in cloud computing.

  • 6.1 Articulate legal requirements and unique risks within the cloud environment
  • 6.2 Understand privacy issues
  • 6.3 Understand audit process, methodologies, and required adaptations for a cloud environment
  • 6.4 Understand implications of cloud to enterprise risk management
  • 6.5 Understand outsourcing and cloud contract design

Comparison of old and new exams

Effective August 1, 2024, the CCSP exam decreased from 150 total questions to 125. As a result, the exam time also decreased from four to three hours.

Prior to this change, the last update was effective on August 1, 2022. During the 2022 update, the CCSP exam increased from 100 operational items with 25 pretest (unscored) items to 100 operational items with 50 pretest items. As a result, the exam time increased from three to four hours. 

Explore the history of the exam in the table below.

| Exam format | Pre-2022 | 2022 update | 2024 update |
|---|---|---|---|
| Length of the exam | 3 hours | 4 hours | 3 hours |
| Number of questions | 125 | 150 | 125 |
| Type of questions | Multiple choice | Multiple choice | Multiple choice |
| Passing score | 700 points out of 1000 | 700 points out of 1000 | 700 points out of 1000 |

The refreshed CCSP exam costs U.S. $599 and is available in Chinese Simplified, English, German and Japanese. Pearson VUE administers tests.

Can I appear for the refreshed CCSP exam with old CCSP material?

Yes, you can take the exam if you have already studied the previous CCSP CBK and have current experience in the field. Nevertheless, ISC2 cannot guarantee that you will pass the exam merely using old material. To be safe, you should look for updated material and courses based on the latest exam content outline to avoid risking failure on test day.

However, since the 2024 update only affected exam questions and time, any material after the 2022 update should remain relevant — until the next exam update.

How do I prepare for the new CCSP exam?

First, you must thoroughly examine the new topics and pay special attention to the recent CCSP CBK, which represents the most up-to-date concepts for the upcoming exam. 

Devise a learning path that covers all cloud security knowledge topics covered by the domains in-depth and focuses on those areas in which you feel less versed. Make full use of the updated CCSP training courses and options listed below.

Study resources

The Infosec CCSP training hub is a good place to start and get an overview of your options. ISC2 also offers these CCSP study resources:

  • Official ISC2 CCSP Study Guide, 2nd Edition
  • Official ISC2 CCSP CBK Reference, 3rd Edition
  • Official ISC2 CCSP Practice Tests, 2nd Edition

Community discussion

The ISC2 Community features a CCSP study group, where users who are preparing for the exam or who recently passed the test create discussion threads.

Another group where certification-seekers and holders can share general information on exam topics is the TechExams community forum.

Appropriate training

Reputable training partners like Infosec can also help you prepare for the exam with relevant, up-to-date course content in various formats to fit your needs. For example, you can train with:

Updates to the CCSP exam and CBK changes

As securing cloud services remains a challenge, employers seek professionals who meet the certification requirements for the CCSP, the vendor-neutral credential offered by ISC2 that certifies knowledge and experience of cloud security architecture, design, operations and service orchestration.

Preparation is key to grasping the six domains and numerous subdomains and earning one of the most advanced cloud security certifications available today.

For more on the CCSP certification, check out our CCSP certification hub.

Fakhar Imam

Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP and various other IT-related tasks.