SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships

Insight Into CCSK Certification

Cybersecurity Assessments | SchellmanLife

Though perhaps not as prominent as the widely known Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP) certifications, the Certificate of Cloud Security Knowledge (CCSK) can also be helpful to cybersecurity professionals.

I hadn’t heard of CCSK until I started with Schellman, but since they supported me in my interest in obtaining more credentials to expand my knowledge base and career opportunities, I went for this one after considering my options among the hundreds of certifications available to those of us in the industry.

In this article, I’m going to provide some insight into this certification, including details on the 14 domains that cover most of the exam. I successfully obtained CCSK certification, and after reading this, you should be able to do the same.

What is CCSK?

These days, many organizations are working in some capacity in the cloud, regardless of which industry they’re in—that’s likely due to the many benefits of cloud computing, including:

  • Enhanced scalability
  • Reduced maintenance requirements
  • Reduced costs
  • Pay-as-you-go model
  • Increasing or decreasing resources, depending on demand

More data in the cloud means more cybersecurity concerns, and that’s where CCSK comes in. Offered by the Cloud Security Alliance (CSA), the CCSK provides candidates effective practices for protecting data in the cloud. More relevant than ever, CCSK can help professionals better understand critical facets regarding cloud computing, including:

  • The inimitable challenges presented by the cloud
  • Best practices to promote secure cloud environments
  • How cloud architectures should be planned and applied appropriately

As it’s recognized in the industry as a standard for cloud-security expertise, should you successfully pass the exam and become certified, not only will you have a certification, you will:

  • Boost your professional credibility as you’ll have proved your proficiency in cloud security.
  • Demonstrate that you’re better prepared for engagements, projects, or roles involving cloud security management practices, consultancy, and risk assessment.

What are the CCSK Domains?

But to do that, you’ll of course need to pass. During the CCSK exam, you’re provided three study materials and must answer 60 open-book questions in 90 minutes.

Questions regarding “Security Guidance for Critical Areas of Focus in Cloud Computing v4.0” makes up most of the exam material, of which there are 14 domains:

1) Cloud Computing Concepts and Architecture

Defines cloud computing at its most fundamental level and makes use of related architectural frameworks, including descriptions of important cloud computing properties, as well as pertinent service and deployment approaches.

2) Governance and Enterprise Risk Management

Addresses the effect that cloud computing has on how an entire organization is run.

3) Legal Issues, Contracts, and Electronic Discovery

Tackles the legal repercussions that businesses must consider when switching to the cloud. The chapter demonstrates various legal systems that differ according to jurisdictional location.

4) Compliance and Audit Management

Explores processes of audit management and compliance frameworks that are industry-specific to provide an understanding of compliance in cloud environments.

5) Information Governance

Concentrates on the protection of data in cloud environments, including the implementation of data governance frameworks as well as the classification of data, data retention, and data-loss prevention.

6) Management Plane and Business Continuity

Emphasizes the management and administration-level tools and best practices for using the cloud, including those for data provisioning and de-provisioning, monitoring and logging, and lifecycle management.

7) Infrastructure Security

Details how organizations can secure networks, tools, and servers through segmentation and intrusion detection systems (IDS).

8) Virtualization and Containers

Defines virtualization along with the usage of containers and hypervisors and how they can be integral to an organization.

9) Incident Response

Speaks to the incident response lifecycle, from detection/response techniques to incident handling.

10) Application Security

Highlights control functions that organizations can use in the cloud to secure their cloud environments.

11) Data Security and Encryption

Covers data security controls and how organizations can protect data when it is at rest, in motion, and in use within the cloud.

12) Identity, Entitlement, and Access Management

Outlines how identity and access management (IAM)—including measures such as single sign-on (SSO) solutions and other authentication mechanisms—are important to ensuring security within the cloud.

13) Security as a Service

Addresses security services that are provided by third-party providers and Cloud Security Providers (CSPs).

14) Related Technologies

Touches upon the relevant technologies like Big Data, Internet of Things, and how the cloud factors in.


What Will You Learn During the CCSK Exam?

If these 14 domains make up about 85% of the exam, guidance from ENISA and CCM account for the remaining 15%:

  • European Union Agency for Cybersecurity (ENISA): The advice and tools offered by ENISA provide into the broader landscape of cybersecurity, particularly on a global scale, including cloud security issues.
  • CSA’s Cloud Controls Matrix (CCM): An integral tool for organizations looking to assess security controls implemented by cloud service providers (CSPs) before engaging with their services.

Below are a few highlighted details that you’ll learn and study during the CCSK exam (categorized by CSA domain guidance):


Relevant Details

Domain 1

Cloud Computing Concepts and Architectures


3 Types of Service Models:

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

4 Types of Deployment Models:

  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud

4 Levels of the Logical Model (from bottom to top layer):

  • Infrastructure
  • Metastructure
  • Applistructure
  • Infostructure

Domain 3

Legal Issues, Contracts, and Electronic Discovery

2 Roles of Data Handlers

Data Controller: Responsible for the collection/processing of the data

Data Processor: Processes the data on behalf of the data controller

Domain 5

Information Governance

6 Phases of the Data Security Lifecycle:

  • Create
  • Store
  • Use
  • Share
  • Archive
  • Destroy

Domain 6

Management Plane and Business Continuity

The Metastructure Level

  • Where management renders the building, configuring and destroying of infrastructure
  • Also known as the ‘Management Plane’

Domain 7

Infrastructure Security

Of the multiple types of compute abstraction types, the most common are:

  • Virtual Machines (VMs): As the most well-known form of compute abstraction, VMs get cloned off of a base image typically from IaaS providers so that they can emulate the configuration of another separate physical computer.
  • Containers: Code-execution environments that run in an operating system and utilize those resources.

Domain 9

Incident Response

The 4 Phases of the Incident Response Lifecycle:

  • Preparation
  • Detection & Analysis
  • Containment, Eradication, and Recovery
  • Post-Mortem

Domain 14

Related Technologies

Big Data is classified by the “3 Vs”:

  • High volume
  • High velocity
  • High variety

Possessing expertise in all these areas—the 14 domains within CSA’s Security Guidance together with knowledge of ENISA and CCM—and passing the exam will demonstrate to your (potential) employers and clients alike that you have a thorough understanding of the basics of cloud security and understand how to effectively deploy cloud knowledge regardless of vendor.


Moving Forward with Your CCSK Certification

In my personal opinion, CCSK is a great baseline certification for anyone looking to start building their professional development. It offers potential growth in everything related to the cloud—including the design, implementation, and management of secure cloud environments—as well as the relevant security processes.

By becoming certified in CCSK, professionals will not only be better prepared to handle the ongoing challenges presented by the adaptable and rapidly expanding cloud security field, but they’ll also be better qualified to enjoy all that cloud computing has to offer.

If you’re still not sure if CCSK is right for you, make sure to check out our other articles that can provide valuable insight into different cybersecurity courses or certifications you may be considering:

About Ryan Ratty

Ryan Ratty is a Senior Associate at Schellman. His focus is on FedRAMP and CMMC assessments.