CCSP exam and CBK changes in August 2024
The International Information System Security Certification Consortium, or ISC2, introduced changes to its Certified Cloud Security Professional (CCSP) certification on August 1, 2024. This is the third update since its inception in 2015, preceded by the last update from August 2022. These enhancements aim to better align CCSP domains with the latest changes in cloud security and the newest trends in cloud computing technologies and methodologies, including emerging, fast-moving and sophisticated threats.
This article explores the 2024 changes to the exam, as well as the 2022 changes to the domains covered by the CCSP certification exam. These changes are closely related to the roles and responsibilities of today’s practicing cloud security professionals. They are drawn from various topics in the updated ISC2 CCSP common body of knowledge (CBK), a comprehensive framework of information security terms, principles, skills and techniques that a competent professional must know and use.
Earn your CCSP, guaranteed!
By reviewing the new topics covered by the exam, you can identify areas of study that may need additional attention if you want to pass the test on the first attempt.
What changes were made to the CCSP exam in 2024?
As of August 1, 2024, the CCSP exam was reduced from 150 to 125 multiple-choice questions. To accommodate this change, the time allotted for the exam decreased from four hours to three hours.
In this update, the domains, their weight and the exam format all remain the same.
What changes were previously made to CCSP domains and their weight?
Although the 2024 update did not lead to any domain changes, the previous update impacted the domains and their weights. As a result of the CCSP domain refresh on August 1, 2022, minor adjustments from the 2019 version were made: a 1% change in the weights for Domain 2: Cloud data security and Domain 5: Cloud security operations. All other domain weights are identical.
| Major Domains | August 2019 | August 2022 |
| --- | --- | --- |
| Domain 1: Cloud concepts, architecture and design | 17% | 17% |
| Domain 2: Cloud data security | 19% | 20% |
| Domain 3: Cloud platform and infrastructure security | 17% | 17% |
| Domain 4: Cloud application security | 17% | 17% |
| Domain 5: Cloud security operations | 17% | 16% |
| Domain 6: Legal, risk and compliance | 13% | 13% |
| Total | 100% | 100% |
Although these changes seem minor, ISC2 added new cloud security concepts in 2022 and removed some content from the CCSP CBK. All domains have been updated or realigned to test the knowledge and hands-on experience in cloud security architecture, design, operations and service orchestration that today’s professionals need.
Skills covered in each of the CCSP domains
In each of the six CCSP domains, you will find critical topics you should know. These are areas you need to study before getting tested. To prepare effectively, review the modules, as they highlight critical information which can help you pass the exam for certification.
CCSP Domain 1, Cloud concepts, architecture and design is an overview of cloud computing concepts, models (services and deployments) and principles.
- 1.1 Understand cloud computing concepts
- 1.2 Describe cloud reference architecture
- 1.3 Understand security concepts relevant to cloud computing
- 1.4 Understand design principles of secure cloud computing
- 1.5 Evaluate cloud service providers
CCSP Domain 2, Cloud data security is an overview of data classification and categorization, data lifecycle stages, data retention and auditing.
- 2.1 Describe cloud data concepts
- 2.2 Design and implement cloud data storage architectures
- 2.3 Design and apply data security technologies and strategies
- 2.4 Implement data discovery
- 2.5 Plan and implement data classification
- 2.6 Design and implement information rights management (IRM)
- 2.7 Plan and implement data retention, deletion and archiving policies
- 2.8 Design and implement auditability, traceability and accountability of data events
CCSP Domain 3, Cloud platform and infrastructure security requires a baseline knowledge of cloud security strategies, risks and responsibilities, storage and a business continuity program.
- 3.1 Comprehend cloud infrastructure and platform components
- 3.2 Design a secure data center
- 3.3 Analyze risks associated with cloud infrastructure and platforms
- 3.4 Plan and implementation of security controls
- 3.5 Plan business continuity (BC) and disaster recovery (DR)
CCSP Domain 4, Cloud application security is an overview of the software development lifecycle, testing, architecture and auditing of cloud services.
- 4.1 Advocate training and awareness for application security
- 4.2 Describe the secure software development life cycle (SDLC) process
- 4.3 Apply the secure software development life cycle (SDLC)
- 4.4 Apply cloud software assurance and validation
- 4.5 Use verified secure software
- 4.6 Comprehend the specifics of cloud application architecture
- 4.7 Design appropriate identity and access management (IAM) solutions
CCSP Domain 5, Cloud security operations includes ways of achieving data center high availability through redundancy, capacity/maintenance monitoring, risk management and change/configuration monitoring. It also covers data center redundancy and standards.
- 5.1 Build and implement physical and logical infrastructure for cloud environment
- 5.2 Operate and maintain physical and logical infrastructure for cloud environment
- 5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
- 5.4 Support digital forensics
- 5.5 Manage communication with relevant parties
- 5.6 Manage security operations
CCSP Domain 6, Legal, risk and compliance covers the laws, regulations and standards for protecting data in cloud computing.
- 6.1 Articulate legal requirements and unique risks within the cloud environment
- 6.2 Understand privacy issues
- 6.3 Understand audit process, methodologies, and required adaptations for a cloud environment
- 6.4 Understand implications of cloud to enterprise risk management
- 6.5 Understand outsourcing and cloud contract design
Comparison of old and new exams
Effective August 1, 2024, the CCSP exam decreased from 150 total questions to 125. As a result, the exam time also decreased from four to three hours.
Prior to this change, the last update was effective on August 1, 2022. During the 2022 update, the CCSP exam increased from 100 operational items with 25 pretest (unscored) items to 100 operational items with 50 pretest items. As a result, the exam time increased from three to four hours.
Explore the history of the exam in the table below.
| Exam format | Pre-2022 | 2022 update | 2024 update |
| --- | --- | --- | --- |
| Length of the exam | 3 hours | 4 hours | 3 hours |
| Number of questions | 125 | 150 | 125 |
| Type of questions | Multiple choice | Multiple choice | Multiple choice |
| Passing score | 700 points out of 1000 | 700 points out of 1000 | 700 points out of 1000 |
The refreshed CCSP exam costs U.S. $599 and is available in Chinese Simplified, English, German and Japanese. Pearson VUE administers tests.
Can I appear for the refreshed CCSP exam with old CCSP material?
Yes, you can take the exam if you have already studied the previous CCSP CBK and have current experience in the field. Nevertheless, ISC2 cannot guarantee that you will pass the exam merely using old material. To be safe, you should look for updated material and courses based on the latest exam content outline to avoid risking failure on test day.
However, since the 2024 update only affected exam questions and time, any material after the 2022 update should remain relevant — until the next exam update.
How do I prepare for the new CCSP exam?
First, you must thoroughly examine the new topics and pay special attention to the recent CCSP CBK, which represents the most up-to-date concepts for the upcoming exam.
Devise a learning path that covers all cloud security knowledge topics covered by the domains in-depth and focuses on those areas in which you feel less versed. Make full use of the updated CCSP training courses and options listed below.
Study resources
The Infosec CCSP training hub is a good place to start and get an overview of your options. ISC2 also offers these CCSP study resources:
- Official ISC2 CCSP Study Guide, 2nd Edition
- Official ISC2 CCSP CBK Reference, 3rd Edition
- Official ISC2 CCSP Practice Tests, 2nd Edition
Community discussion
The ISC2 Community features a CCSP study group, where users who are preparing for the exam or who recently passed it create discussion threads.
Another group where certification-seekers and holders can share general information on exam topics is the TechExams community forum.
Appropriate training
Reputable training partners like Infosec can also help you prepare for the exam with relevant, up-to-date course content in various formats to fit your needs. For example, you can train with:
- Live or in-person CCSP Boot Camp
- A self-paced boot camp if you can't attend live instruction
- An on-demand library of courses, labs and other materials
Updates to the CCSP exam and CBK changes
As securing cloud services remains a challenge, employers seek professionals who meet the certification requirements for the CCSP, the vendor-neutral credential offered by ISC2 that certifies knowledge and experience of cloud security architecture, design, operations and service orchestration.
Preparation is key to grasping the six domains and numerous subdomains and earning one of the most advanced cloud security certifications available today.
For more on the CCSP certification, check out our CCSP certification hub.