CCSP cheat sheet

A one-page reference for the ISC2 CCSP — Certified Cloud Security Professional exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
ISC2
Level
Advanced
Questions
100
Time
180 min
Mock pass mark
70%
Domains
6
Practice Qs
124
Code
CCSP

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

Shared Responsibility Model
The shared responsibility model divides security duties between the cloud provider and the customer, with the split shifting across IaaS, PaaS, and SaaS. CCSP expects you to know who secures what at each service model.
IaaS, PaaS, SaaS
IaaS, PaaS, SaaS are the three core cloud service models, delivering infrastructure, a development platform, or complete applications respectively. CCSP ties each model to a different shared-responsibility boundary.
Cloud Deployment Models
Cloud deployment models — public, private, hybrid, and community — describe who owns and can access a cloud environment. CCSP maps risk and compliance obligations to the chosen deployment model.
Cloud Data Lifecycle
The cloud data lifecycle is the six phases data moves through: create, store, use, share, archive, and destroy. CCSP Domain 2 assigns appropriate security controls to each phase.
Tokenization
Tokenization replaces sensitive data with a non-sensitive surrogate token that has no exploitable meaning, keeping the real value in a separate secured vault. CCSP contrasts it with encryption for reducing compliance scope.
Data Masking
Data masking obscures sensitive fields — by shuffling, substituting, or redacting — so non-production or lower-trust users cannot see real values. CCSP uses it to protect PII in test and analytics environments.
Key Management
Key management is the secure generation, distribution, rotation, storage, and destruction of cryptographic keys. CCSP stresses customer control of keys in the cloud through BYOK and hardware security modules.
IRM
Information Rights Management (IRM) attaches persistent, policy-based access controls to a file so restrictions travel with the data wherever it goes. CCSP covers IRM as protection that outlives a single storage location.
Management Plane
The management plane is the administrative interface — APIs and consoles — used to configure and control cloud infrastructure. CCSP treats it as a high-value target requiring strong isolation and access control.
Hypervisor Security
Hypervisor security protects the virtualization layer that hosts guest VMs, guarding against escape attacks and cross-tenant compromise. CCSP places it at the core of cloud platform and infrastructure security.
BCDR
Business Continuity and Disaster Recovery (BCDR) planning keeps cloud-hosted services running and recoverable through disruptions. CCSP evaluates cloud-specific BCDR options such as multi-region and provider-failover design.
OWASP Top 10
The OWASP Top 10 is a widely used list of the most critical web-application security risks, such as injection and broken access control. CCSP references it when securing cloud applications and the SDLC.
Secrets Management
Secrets management securely stores and distributes credentials, API keys, and tokens so they are never hard-coded into cloud applications. CCSP covers it under cloud application security and identity.
SOC Reports
SOC Reports (SOC 1, SOC 2, and SOC 3) are independent audit attestations that describe and validate a service provider's controls. CCSP uses SOC 2 in particular to assess a cloud provider's security assurance.
eDiscovery
eDiscovery is the identification, collection, and production of electronically stored information for legal proceedings, which is complicated in multi-tenant cloud environments. CCSP covers its unique cloud forensic and jurisdictional challenges.