Career Employer

FREE CCSP Study Guide 2026: All 6 Domains

The most important things the CCSP tests — an interactive study guide with built-in quizzes and flashcards, organized by all 6 ISC2 cloud security domains.


This free CCSP study guide walks through every content domain the Certified Cloud Security Professional exam tests, organized to the current ISC2 exam outline (effective October 1, 2025).[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

The CCSP tests six official domains that together form one Common Body of Knowledge, co-developed by ISC2 and the Cloud Security Alliance. We teach all six in six study modules, one per domain in outline order; Domain 2, Cloud Data Security, carries the most weight, so budget your time accordingly.

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full cloud-security textbook.

CCSP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.

CCSP Exam Snapshot

CCSP exam at a glance

Detail | CCSP exam
Questions | 100–150 items (adaptive); the minimum-length form includes 25 unscored pretest items
Format | Computerized Adaptive Testing (CAT); multiple choice plus advanced item types
Time | 3 hours maximum
Passing score | 700 out of 1000 (scaled)
Administered by | ISC2 (co-developed with the Cloud Security Alliance), delivered at Pearson VUE
Certifying body | ISC2
Eligibility | 5 years of paid IT experience, 3 of them in information security and 1 in one or more CCSP domains; the CISSP satisfies the whole requirement; without the experience you pass as an Associate of ISC2
Cost | $599 USD (verify current pricing; it varies by region)
Recertification | 3-year cycle: 90 CPE credits (30 per year suggested) plus the $135 annual maintenance fee
Outline version | Effective October 1, 2025 (CAT)

The CCSP covers six domains. Unlike many exams, the weights are fairly even, but Cloud Data Security is the largest at 20%, and Domains 1, 3, and 4 are each 17%, so roughly 70% of the exam sits in the first four domains.[1] Study by weight:

CCSP weighting by domain (ISC2 exam outline, eff. Oct 1, 2025)

Domain | Weight
Domain 2 · Cloud Data Security | 20%
Domain 1 · Cloud Concepts, Architecture & Design | 17%
Domain 3 · Cloud Platform & Infrastructure Security | 17%
Domain 4 · Cloud Application Security | 17%
Domain 5 · Cloud Security Operations | 16%
Domain 6 · Legal, Risk & Compliance | 13%

Module 1 · Cloud Concepts, Architecture & Design

One official domain, 17% of the exam. This domain is the vocabulary and mental model for everything else: what cloud actually is, the service and deployment models, how security duties are split, and the principles of secure cloud design. Get this right and the rest of the CCSP clicks into place.

1.1 Cloud Concepts & Service Models

NIST defines cloud computing by five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. All five must be present for a service to be true cloud, and resource pooling is what creates multi-tenancy, the source of most cloud isolation concerns.[4]

There are three service models, IaaS, PaaS, and SaaS, and the model decides how much you must secure (see 1.2). There are four core deployment models: public, private, community, and hybrid (plus multi-cloud, the use of more than one provider).

The three cloud service models

Model | Provider manages | Customer manages | Example
IaaS | Hardware, network, virtualization | OS, runtime, apps, data | Raw VMs and storage
PaaS | Everything up to the runtime/platform | Application and data only | Managed app platform or database
SaaS | Everything but your data and settings | Data and limited settings | A finished web application

1.2 Reference Architecture & Shared Responsibility

The shared responsibility model is the most-tested concept in this domain. Security duties are split between the cloud service provider (CSP) and the cloud service customer (CSC), and the boundary shifts by service model: the customer owns the most in IaaS and the least in SaaS. The provider always secures the physical layer and the virtualization beneath the service; the customer always secures its data and the access to it, whatever the model.[5]

Other roles in the cloud reference architecture include the cloud broker, the cloud partner, and the regulator. Secure design then layers in zero trust, which grants no implicit trust by network location and verifies every request; that fits a cloud that has no fixed perimeter.

1.3 Secure Design & Evaluating Providers

Secure cloud design starts with the cloud secure data lifecycle (taught in Module 2), BCDR planning, cost-benefit analysis, and functional security requirements. It increasingly relies on newer technologies such as containers, serverless (FaaS), DevSecOps, and confidential computing (protecting data in use).

When you evaluate a cloud provider, you verify it against recognized criteria: ISO/IEC 27017 and the CSA Cloud Controls Matrix for cloud controls, Common Criteria (ISO/IEC 15408) for product assurance, and FIPS 140-3 for validated cryptographic modules, plus attestations such as SOC 2 and the CSA STAR registry.

Provider-evaluation criteria you should recognize

Criterion | What it certifies or attests
ISO/IEC 27017 | Cloud-specific information security controls
ISO/IEC 27018 | Protection of PII in public clouds (privacy)
Common Criteria (ISO/IEC 15408) | Security assurance of a product/system
FIPS 140-3 | Validation of cryptographic modules
SOC 2 | Attestation over controls for security, availability, processing integrity, confidentiality, and privacy
CSA STAR / CCM | Cloud security posture (self-assessed or third-party certified)

Checkpoint · Cloud Concepts, Architecture & Design

Which characteristic of cloud computing as defined by NIST allows a consumer to unilaterally provision computing capabilities such as server time and network storage without requiring human interaction with the service provider?

Module 2 · Cloud Data Security

One official domain, 20% of the exam — the largest. Data is what you are ultimately protecting, so this domain is the heart of the CCSP: the data lifecycle, storage, encryption and key management, obfuscation, discovery, classification, rights management, retention, and auditability.

2.1 Data Lifecycle & Storage

Cloud data security is organized around the cloud secure data lifecycle, six phases data passes through (Create, Store, Use, Share, Archive, Destroy), each with its own controls. Storage types differ by service model: IaaS uses long-term, ephemeral, and raw-disk storage; PaaS and SaaS use structured and unstructured stores; object, file, volume, and database storage all appear.

2.2 Encryption, Keys & Obfuscation

Encryption is the backbone of cloud data protection: at rest, in transit, and (with confidential computing) in use. The hard part is key management: whoever holds the keys decides who can read the data. BYOK lets the customer bring its own keys into the provider's KMS; HYOK keeps the keys entirely outside the provider's reach.

Beyond encryption, data obfuscation hides sensitive values: tokenization, data masking, and anonymization. For resilience and confidentiality, bit splitting and data dispersion spread data across locations.

And when data must go, the cloud answer to data remanence is crypto-shredding: destroy the keys and the ciphertext becomes useless, because you cannot physically shred a provider's multi-tenant disks.[7] It only works if every copy of the key is gone, including backups and escrowed copies, and only for data that was actually encrypted under that key.

Key-control models compared

Model | Who holds the keys | Trade-off
Provider-managed | The cloud provider | Easiest; the provider can access plaintext
BYOK | Customer-generated keys imported into the provider's KMS | More control; the provider still operates the KMS and can use the key while it is there
HYOK | The customer, entirely outside the provider | Most control and most operational burden; the provider never sees plaintext
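The table above is easier to reason about with the key hierarchy in code. The following Go program is an added example written for this guide, not code from ISC2 or from any provider's KMS. It models envelope encryption with a customer-held key-encryption key (KEK) wrapping a per-object data-encryption key (DEK), binds each wrapped DEK to its object ID so keys cannot be swapped between objects, and shows crypto-shredding: once the KEK is zeroed, every object encrypted under it is unrecoverable. The KeyStore type, the object IDs and the sample plaintext are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a key store the customer controls (the BYOK/HYOK
// position in the table above). Only the key-encryption key (KEK) lives
// here; the provider never sees it. A nil kek means it has been shredded.
type KeyStore struct{ kek []byte }

// NewKeyStore generates a fresh 256-bit KEK.
func NewKeyStore() *KeyStore { return &KeyStore{kek: randomBytes(32)} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: refuse to continue
	}
	return b
}

// aeadFor returns AES-256-GCM for key. A bad key length is a programming
// error here (every key comes from randomBytes(32)), so it panics.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
// aad is authenticated but not encrypted; binding the object ID as aad
// stops a wrapped DEK or ciphertext from being swapped between objects.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aeadFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal and fails on any change to nonce, ciphertext or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aeadFor(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptedObject is everything the provider stores: the ciphertext and the
// per-object data-encryption key (DEK) wrapped under the customer's KEK.
type EncryptedObject struct {
	ObjectID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt is envelope encryption: a one-time DEK encrypts the object, the
// KEK wraps the DEK, and the plaintext DEK is discarded with this frame.
func (ks *KeyStore) Encrypt(id string, plaintext []byte) (*EncryptedObject, error) {
	if ks.kek == nil {
		return nil, errors.New("KEK has been shredded")
	}
	dek := randomBytes(32)
	return &EncryptedObject{
		ObjectID:   id,
		WrappedDEK: seal(ks.kek, dek, []byte(id)),
		Ciphertext: seal(dek, plaintext, []byte(id)),
	}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object.
func (ks *KeyStore) Decrypt(obj *EncryptedObject) ([]byte, error) {
	if ks.kek == nil {
		return nil, errors.New("KEK has been shredded: object is cryptographically erased")
	}
	dek, err := open(ks.kek, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.ObjectID))
}

// Shred is crypto-shredding: zero and drop the KEK. Every wrapped DEK, and so
// every object, is now unrecoverable without touching the provider's disks.
func (ks *KeyStore) Shred() {
	for i := range ks.kek {
		ks.kek[i] = 0
	}
	ks.kek = nil
}
```

Call Encrypt and Decrypt, then Shred and Decrypt again: the second call fails, and the ciphertext the provider still holds is just noise. The check the exam expects you to make is that the KEK has no surviving copy in a backup or escrow before you treat the data as destroyed.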

2.3 Classification, IRM, Retention & Audit

You can't protect what you can't see. Data discovery finds sensitive data (in structured and unstructured stores, and through real-time analytics); data classification then labels it by sensitivity so the right controls, retention, and destruction rules apply. DLP enforces those rules by discovering, monitoring, and blocking unauthorized exfiltration.

IRM binds persistent usage rights to the data itself, so a file stays protected even after it leaves your environment. Finally, retention, deletion, and archiving policies (including legal hold) and auditability (logging data events, preserving chain of custody, and ensuring nonrepudiation) round out the domain.

Data-protection tools and what they do

Tool / concept | Purpose
Data discovery | Find and locate sensitive data across structured and unstructured stores
Data classification | Label data by sensitivity to drive handling and protection
DLP | Discover, monitor, and block unauthorized data exfiltration
IRM | Bind persistent access/usage rights to a data object
Retention / legal hold | Keep data for required periods; suspend deletion for litigation
Audit logging | Record data events for traceability, accountability, and nonrepudiation
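To make the discovery, classification and DLP steps in 2.3 concrete, together with the tokenization and masking from 2.2, here is an added Go example written for this guide (not a vendor's DLP engine, and not code from the original page). It scans constructed sample ticket records for payment card numbers and US SSNs, uses the Luhn checksum to drop a false positive, labels each record, then tokenizes card numbers through a stand-in vault and masks SSNs in a format-preserving way. The record text, the vault key, the tok_ prefix and the label names are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"regexp"
	"strings"
)

// Constructed sample records standing in for an unstructured ticket store.
// 4111 1111 1111 1111 is the well-known test PAN; the SSN is a fake value.
var SampleRecords = []string{
	"Ticket 1001: customer 4111 1111 1111 1111 was charged twice",
	"Ticket 1002: SSN 123-45-6789 on file, please update address",
	"Ticket 1004: card 4111 1111 1111 1112 declined", // fails Luhn, so not a PAN
}

var panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,15}\d\b`) // 13-16 digits, optional separators
var ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// luhnValid separates a real PAN from any other 13-16 digit run (order
// numbers, phone numbers), which is what keeps DLP alerts credible.
func luhnValid(s string) bool {
	sum, dbl := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			continue // skip separators
		}
		d := int(s[i] - '0')
		if dbl {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum, dbl = sum+d, !dbl
	}
	return sum%10 == 0
}

type Finding struct{ Kind, Value string }

// Discover is the data-discovery step: locate sensitive values in a record.
func Discover(record string) []Finding {
	var out []Finding
	for _, m := range panRe.FindAllString(record, -1) {
		if luhnValid(m) {
			out = append(out, Finding{"PAN", m})
		}
	}
	for _, m := range ssnRe.FindAllString(record, -1) {
		out = append(out, Finding{"SSN", m})
	}
	return out
}

// Mask is format-preserving masking: keep the last four digits and every
// separator, replace the other digits with '*'.
func Mask(v string) string {
	out, keep := []rune(v), 4
	for i := len(out) - 1; i >= 0; i-- {
		if out[i] >= '0' && out[i] <= '9' {
			if keep--; keep < 0 {
				out[i] = '*'
			}
		}
	}
	return string(out)
}

// Vault stands in for the separately guarded token vault. Tokens are
// deterministic (HMAC under the vault key) so one PAN always maps to one
// token and analytics can still join on it; only the vault can reverse them.
type Vault struct {
	key   []byte
	store map[string]string
}

func NewVault(key []byte) *Vault { return &Vault{key: key, store: map[string]string{}} }

func (v *Vault) Tokenize(value string) string {
	m := hmac.New(sha256.New, v.key)
	m.Write([]byte(value))
	tok := "tok_" + hex.EncodeToString(m.Sum(nil))[:16]
	v.store[tok] = value
	return tok
}

func (v *Vault) Detokenize(tok string) (value string, ok bool) { value, ok = v.store[tok]; return }

// Sanitize is the DLP action before a record is stored or displayed: the
// record is classified, PANs are tokenized and SSNs are masked.
func Sanitize(record string, v *Vault) (label, sanitized string) {
	findings := Discover(record)
	label, sanitized = "Internal", record
	if len(findings) > 0 {
		label = "Restricted"
	}
	for _, f := range findings {
		repl := Mask(f.Value)
		if f.Kind == "PAN" {
			repl = v.Tokenize(f.Value)
		}
		sanitized = strings.ReplaceAll(sanitized, f.Value, repl)
	}
	return label, sanitized
}
```

Run Sanitize over SampleRecords: the first record comes back Restricted with the card number replaced by a token the vault can reverse, the second Restricted with the SSN shown as ***-**-6789, and the third Internal and untouched because the number fails Luhn. Tokenization is reversible by the vault holder; masking and anonymization are not, which is why the page lists them as different controls.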

Checkpoint · Cloud Data Security

In the cloud data lifecycle, which phase immediately follows the Create phase?

Module 3 · Cloud Platform & Infrastructure Security

One official domain, 17% of the exam. This domain secures the cloud’s foundations: the physical environment, network, compute, storage, virtualization, and the management plane — plus risk analysis, security controls, and business continuity for that infrastructure.

3.1 Infrastructure, Virtualization & Risk

Cloud infrastructure spans the physical environment, network and communications, compute, storage, and the virtualization layer that makes multi-tenancy possible, all controlled through the management plane, the single most valuable target in the environment. Know your Type 1 (bare-metal) vs Type 2 (hosted) hypervisors.

The big risks here are virtualization and container threats, most notably VM escape, where a guest breaks isolation to reach the hypervisor or host, and a compromised management plane. Risk assessment identifies, analyzes, and mitigates these cloud-specific threats and vulnerabilities.[6]

3.2 Security Controls & BCDR

Protect the platform with layered controls: physical and environmental protection (HVAC, power, tiered data centers), system and communication protection, virtualization protection, identification, authentication and authorization (cloud IAM), and audit mechanisms (log collection, correlation, packet capture). Then plan for failure with BCDR.

BCDR starts from business requirements expressed as three metrics: RTO (time to recover), RPO (acceptable data loss), and RSL (capacity needed while degraded). You then create, implement, and, critically, test the strategy.

The three BCDR business-requirement metrics

Metric | Measures | Drives
RTO (Recovery Time Objective) | Maximum acceptable time to restore a process | Recovery design and failover speed
RPO (Recovery Point Objective) | Maximum acceptable data loss, measured backward in time | Backup/replication frequency
RSL (Recovery Service Level) | Percentage of full capacity needed during a disaster | Sizing of recovery resources

Checkpoint · Cloud Platform & Infrastructure Security

What is the primary purpose of a Trusted Platform Module (TPM) in cloud host hardware?

Module 4 · Cloud Application Security

One official domain, 17% of the exam. This domain is about building and validating secure cloud applications: training and awareness, the secure SDLC, software assurance and testing, cloud application architecture, and identity and access management for applications.

4.1 Secure SDLC & Testing

A secure SDLC builds security into every phase instead of bolting it on at the end. It begins with awareness and training and proceeds through design, build, test, and deploy, with threat modeling (STRIDE, DREAD, PASTA) in design to surface what could go wrong before any code is written.

You validate software with complementary testing: SAST (static, on the code), DAST (dynamic, on the running app), IAST (both, instrumented), and SCA (open-source component risk). Use verified, approved APIs and watch for the OWASP Top 10 and supply-chain risks.[1]

Application security testing methods

Method | How it tests | Best at
SAST | Analyzes source/binary without running it | Catching code flaws early
DAST | Tests the running app from outside | Runtime and configuration flaws
IAST | Instruments the running app (static + dynamic) | Correlating code to runtime behavior
SCA | Inventories open-source components | Vulnerable dependencies and licensing

4.2 Cloud App Architecture & IAM

Secure cloud application architecture adds supplemental security components: a WAF to filter web traffic, an API gateway to govern APIs, database activity monitoring, and XML firewalls, plus sandboxing and application virtualization/orchestration.

Identity is the new perimeter. Cloud relies on federated identity and an identity provider, SSO, and MFA, governed across SaaS by a CASB. Know the federation standards, SAML, OAuth 2.0, and OpenID Connect (OIDC), and in particular that OAuth 2.0 on its own authorizes access to resources and does not authenticate the user; OIDC adds that layer.

Federation standards: authentication vs. authorization

Standard | What it does | Use
SAML | XML-based federated authentication | Enterprise web SSO
OAuth 2.0 | Delegated authorization (not identity) | Granting an app access to resources
OpenID Connect | Authentication layer on top of OAuth 2.0 | Federated login (who the user is)
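The table above says OAuth 2.0 grants access and OIDC proves identity. The following Go example, added for this guide and not taken from any identity provider's SDK, shows what a relying party must actually check on an OIDC ID token before logging a user in: the pinned signature algorithm, the signature itself, the issuer, the audience, the expiry and the nonce. It signs with HS256 under a shared secret so it runs offline (real providers usually publish RS256/ES256 keys via JWKS), it models aud as a single string although the spec also allows an array, and the issuer URL, client ID and secret are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// IDClaims are the OIDC claims a relying party must check.
type IDClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce,omitempty"`
}

func hs256(signingInput string, secret []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return b64.EncodeToString(m.Sum(nil))
}

// MintIDToken plays the identity provider so the example runs offline.
func MintIDToken(c IDClaims, secret []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	si := header + "." + b64.EncodeToString(payload)
	return si + "." + hs256(si, secret)
}

func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Expect is what the relying party knows independently of the token.
type Expect struct {
	Issuer   string
	ClientID string
	Nonce    string // the value this client sent in its authentication request
	Now      time.Time
}

// ValidateIDToken performs the relying-party checks from OIDC Core 3.1.3.7.
// Any failure means "do not log this user in".
func ValidateIDToken(token string, secret []byte, want Expect) (*IDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: never let the token choose (alg=none, key confusion).
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	// Verify the signature before trusting a single claim.
	if !hmac.Equal([]byte(hs256(parts[0]+"."+parts[1], secret)), []byte(parts[2])) {
		return nil, errors.New("signature mismatch")
	}
	var c IDClaims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != want.Issuer:
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != want.ClientID:
		// A token minted for another app (or for a resource server) fails here.
		return nil, fmt.Errorf("audience %q is not this client", c.Aud)
	case !want.Now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce != want.Nonce:
		return nil, errors.New("nonce mismatch (possible replay)")
	}
	return &c, nil
}

func main() {
	secret, now := []byte("constructed shared secret"), time.Now()
	tok := MintIDToken(IDClaims{Iss: "https://idp.example", Sub: "u-123", Aud: "my-app",
		Exp: now.Add(5 * time.Minute).Unix(), Iat: now.Unix(), Nonce: "n-1"}, secret)
	_, err := ValidateIDToken(tok, secret, Expect{Issuer: "https://idp.example", ClientID: "my-app", Nonce: "n-1", Now: now})
	fmt.Println("valid ID token:", err == nil)
}
```

The audience check is where the two standards part ways in practice: a token issued for some other audience, however valid its signature, is not proof that this user logged in to this application. The nonce check is what stops a captured ID token from being replayed into a later login.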

Checkpoint · Cloud Application Security

Which secure software development practice integrates security testing automatically into the build and deployment pipeline?

Module 5 · Cloud Security Operations

One official domain, 16% of the exam. This is where security runs day to day: building and operating physical and logical cloud infrastructure, applying operational controls and standards, supporting digital forensics, managing communications, and running the security operations center.

5.1 Building & Operating Infrastructure

Building secure infrastructure starts at the hardware: BIOS/UEFI hardening and configuration, hardware monitoring, and a TPM with host attestation to verify a host before trusting it. You then install and configure virtualization management tools and design for availability with high availability, clustering, and redundancy.

Operating it means hardening (OS baselines), patch management, infrastructure as code, and secure access for local and remote administration — RDP, SSH, jumpboxes, and secure consoles. Scalability and capacity keep the environment available.

Operating the cloud infrastructure securely

Area | Practices
Hardware trust | BIOS/UEFI hardening, TPM, host attestation, hardware monitoring
Availability | High availability, clustering, redundancy, capacity management
Hardening | OS baselines, patch management, infrastructure as code
Secure access | SSH, RDP, jumpboxes, secure console/terminal access
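Hardware trust in the table above rests on one specific mechanism, so here is an added Go example written for this guide (not real TPM, firmware or attestation-service code) that models it: each boot stage is measured into a PCR with the extend operation, the TPM quotes the PCR together with the verifier's nonce, and the attestation service replays the approved boot chain to a golden value and compares. A tampered kernel, a reordered chain, a replayed quote and a forged quote all fail. An HMAC under a shared key stands in for the TPM's attestation-key signature, and the firmware, shim and kernel byte strings are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Digest is one SHA-256 PCR bank value.
type Digest = [sha256.Size]byte

// Extend models TPM2_PCR_Extend: PCR_new = H(PCR_old || H(measurement)).
// A PCR can only be extended, never written, so a stage cannot erase the
// record of what ran before it.
func Extend(pcr Digest, measurement []byte) Digest {
	m := sha256.Sum256(measurement)
	return sha256.Sum256(append(pcr[:], m[:]...))
}

// ReplayLog recomputes the PCR from an ordered event log, starting from the
// all-zero reset value. The verifier runs this over the log it receives and
// compares the result with the PCR the TPM quoted.
func ReplayLog(events [][]byte) Digest {
	var pcr Digest
	for _, e := range events {
		pcr = Extend(pcr, e)
	}
	return pcr
}

// GoldenBoot is the approved boot chain (constructed stand-ins for the real
// firmware, shim and kernel images).
var GoldenBoot = [][]byte{
	[]byte("UEFI firmware 2.1 (constructed)"),
	[]byte("signed shim bootloader (constructed)"),
	[]byte("kernel 6.8 hardened (constructed)"),
}

// Quote is what the host's TPM returns: the PCR value, the verifier's nonce,
// and a signature over both. A real TPM signs with its Attestation Key; an
// HMAC under a shared key stands in for that here.
type Quote struct {
	PCR   Digest
	Nonce []byte
	Sig   []byte
}

func signQuote(ak []byte, pcr Digest, nonce []byte) []byte {
	m := hmac.New(sha256.New, ak)
	m.Write(pcr[:])
	m.Write(nonce)
	return m.Sum(nil)
}

// MakeQuote is the TPM side: quote the PCR the host actually booted into.
func MakeQuote(ak []byte, bootLog [][]byte, nonce []byte) Quote {
	pcr := ReplayLog(bootLog)
	return Quote{PCR: pcr, Nonce: nonce, Sig: signQuote(ak, pcr, nonce)}
}

// VerifyQuote is the attestation-service side. It checks, in order: the
// nonce (freshness, so an old good quote cannot be replayed), the signature
// (the quote really came from this TPM), and the PCR against the golden
// value (the host booted only approved code, in the approved order).
func VerifyQuote(ak []byte, q Quote, nonce []byte, golden Digest) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("stale or foreign nonce: quote may be replayed")
	}
	if !hmac.Equal(q.Sig, signQuote(ak, q.PCR, q.Nonce)) {
		return errors.New("quote signature invalid")
	}
	if q.PCR != golden {
		return fmt.Errorf("PCR %s... does not match golden %s...: untrusted boot chain",
			hex.EncodeToString(q.PCR[:8]), hex.EncodeToString(golden[:8]))
	}
	return nil
}

func main() {
	ak, nonce := []byte("constructed attestation key"), []byte("verifier-nonce-001")
	golden := ReplayLog(GoldenBoot)
	fmt.Println("good host:", VerifyQuote(ak, MakeQuote(ak, GoldenBoot, nonce), nonce, golden))
	tampered := [][]byte{GoldenBoot[0], GoldenBoot[1], []byte("kernel with rootkit (constructed)")}
	fmt.Println("tampered host:", VerifyQuote(ak, MakeQuote(ak, tampered, nonce), nonce, golden))
}
```

The ordering of checks matters for the TPM checkpoint question: the PCR comparison proves what code ran, the signature proves which TPM said so, and the nonce proves it said so now rather than last month.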

5.2 Operational Controls, Forensics & SOC

Operational discipline comes from ITIL / ISO/IEC 20000-1 service-management controls: change, configuration, release and deployment, problem, incident, service-level, and availability/capacity management. A large share of cloud incidents trace back to misconfiguration, which is why change and configuration management carry so much weight.

When something goes wrong, the SOC uses a SIEM to aggregate and correlate logs for detection and incident management, and supports digital forensics: evidence collection under chain of custody, following ISO/IEC 27037 through 27050. Cloud forensics is hard because you don't control the physical media, so evidence usually comes from the provider's logs and APIs rather than from a disk you can image yourself. You also manage communication with vendors, customers, partners, regulators, and stakeholders.[9]

Core ITSM / operational controls (ITIL · ISO/IEC 20000-1)

Control | What it governs
Change management | Evaluating and approving changes (the primary defence against misconfiguration incidents)
Configuration management | Tracking the state and relationships of assets
Incident & problem management | Handling events and eliminating root causes
Release & deployment management | Controlled, repeatable rollouts
Service-level management | Meeting and reporting on SLAs
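Forensic evidence and audit trails both depend on being able to prove a record was not altered after the fact. Here is an added Go example written for this guide (not code from any SIEM or forensics product) of a hash-chained audit log: each entry commits to the previous entry's hash, Verify walks the chain and reports the first tampered entry, and VerifyAgainstAnchor compares the head hash with a copy anchored outside the administrators' reach, which is the only way to notice that trailing entries were deleted. The events, actors, timestamps and object names are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one audit event. Prev links it to the entry before it and Hash
// covers every field including Prev, so editing or reordering any earlier
// entry changes every hash after it.
type Entry struct {
	Seq    int
	Time   string // RFC 3339 string from the source system
	Actor  string
	Action string
	Object string
	Prev   string // hex hash of the previous entry (zeros for the first)
	Hash   string
}

var genesis = strings.Repeat("0", 64)

// entryHash serialises the string fields with %q so a value containing "|"
// cannot be confused with a field boundary.
func entryHash(e Entry) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%q|%q|%q|%q|%s", e.Seq, e.Time, e.Actor, e.Action, e.Object, e.Prev)
	return hex.EncodeToString(h.Sum(nil))
}

// AuditLog is an append-only chain.
type AuditLog struct {
	Entries []Entry
}

func (l *AuditLog) Append(ts, actor, action, object string) Entry {
	prev := genesis
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), Time: ts, Actor: actor, Action: action, Object: object, Prev: prev}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Head is the latest hash. Ship it somewhere the log's administrators cannot
// write (another account, a WORM bucket, a notary) after every batch; the
// anchored head is what lets you detect truncation later.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesis
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify re-walks the chain and returns the index of the first entry whose
// sequence, link or hash does not check out, or -1 when the chain is intact.
func (l *AuditLog) Verify() int {
	prev := genesis
	for i, e := range l.Entries {
		if e.Seq != i || e.Prev != prev || e.Hash != entryHash(e) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// VerifyAgainstAnchor adds the check Verify alone cannot make: a chain that
// was cut short is internally consistent, but its head no longer matches
// the head that was anchored externally.
func (l *AuditLog) VerifyAgainstAnchor(anchoredHead string) error {
	if i := l.Verify(); i >= 0 {
		return fmt.Errorf("entry %d fails integrity check", i)
	}
	if l.Head() != anchoredHead {
		return fmt.Errorf("head %s... differs from anchored %s...: entries removed or replaced",
			l.Head()[:8], anchoredHead[:8])
	}
	return nil
}

func main() {
	var log AuditLog // constructed events: a data export and two evidence handoffs
	log.Append("2026-01-10T09:00:00Z", "svc-backup", "export", "s3://constructed-bucket/customers.csv")
	log.Append("2026-01-10T09:05:00Z", "analyst-a", "acquire-image", "vm-0f3a disk snapshot")
	log.Append("2026-01-10T09:30:00Z", "analyst-b", "receive-evidence", "vm-0f3a disk snapshot")
	anchored := log.Head()
	fmt.Println("intact:", log.VerifyAgainstAnchor(anchored))
	log.Entries[1].Actor = "analyst-z" // a backdated edit to the custody record
	fmt.Println("edited:", log.VerifyAgainstAnchor(anchored))
}
```

The same structure serves a chain-of-custody record for the forensics part of this domain: each handoff is an appended entry, and the anchored head is what an opposing expert would ask you to produce.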

Checkpoint · Cloud Security Operations

Which phase of incident response focuses on limiting the scope and magnitude of an incident?

Module 6 · Legal, Risk & Compliance

One official domain, 13% of the exam — the lightest, but dense with names. This domain covers the legal, privacy, audit, enterprise-risk, and contractual issues unique to the cloud. It is terminology-heavy, which makes it ideal for flashcards.

6.1 Legal, Privacy & Audit

The cloud crosses borders, so conflicting international legislation and data-location rules matter. Privacy law is central: GDPR in the EU, plus the distinction between regulated and contractual PII, the controller/processor roles, and standards like ISO/IEC 27018. A Privacy Impact Assessment (PIA) assesses privacy risk.

Auditing the cloud is different too: you usually can't audit the provider directly, so you rely on SOC 2 audit reports (and SOC 1/SOC 3), ISAE/SSAE attestations, gap analysis, and a defined audit scope. eDiscovery follows ISO/IEC 27050.

The SOC report family

Report | Reports on | Audience
SOC 1 | Controls over financial reporting | Auditors / financial stakeholders
SOC 2 | Security, availability, processing integrity, confidentiality, privacy | Customers and their auditors (restricted use, usually under NDA)
SOC 3 | A public summary of the SOC 2 | General public

6.2 Enterprise Risk & Cloud Contracts

Cloud changes enterprise risk: a distributed IT model spreads control across the provider, so you must assess the provider's risk-management program, risk profile, and risk appetite. Apply a recognized framework (ISO 31000, the NIST RMF, or ENISA) and a risk treatment decision: avoid, mitigate, transfer/share, or accept.

Because you depend on a third party, the contract is your primary control. Key clauses include the SLA and its metrics, the right to audit, data access and location, termination and litigation terms, and protection against vendor lock-in. Supply-chain management follows ISO/IEC 27036.

Checkpoint · Legal, Risk & Compliance

Which document is most commonly used to evaluate the security and assurance posture of a cloud provider against a comprehensive control framework before signing a contract?

How to Use This CCSP Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Lead with Cloud Data Security. It’s the largest domain (20%), and Domains 1, 3, and 4 are each 17% — so the first four domains are most of the exam.
  • Think like a cloud architect, not a single-vendor admin. CCSP questions ask for the best answer across people, process, and technology — and they’re vendor-neutral.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until your readiness climbs comfortably toward passing.

CCSP Glossary

The high-yield CCSP terms in one place, alphabetically, for flashcard-style review.

Anonymization
Irreversibly removing identifying information so data can never be re-linked to an individual.
API gateway
A managed entry point that enforces authentication, rate limiting, and routing for APIs.
BCDR
Business Continuity and Disaster Recovery — plans to maintain and restore operations after a disruption.
Bit splitting
Dividing encrypted data into segments distributed across storage nodes so no single node holds usable data.
Broad network access
Cloud capabilities are available over the network and accessed through standard mechanisms across diverse client devices.
BYOK
Bring Your Own Key — the customer generates or imports its own keys into the provider's KMS.
CAIQ
Consensus Assessments Initiative Questionnaire — a CSP self-assessment aligned to the CCM.
CASB
Cloud Access Security Broker — a policy enforcement point between users and cloud services giving visibility, compliance, data security, and threat protection.
Chain of custody
The documented handling of evidence that preserves its integrity and legal admissibility.
Cloud broker
An intermediary that manages the use, performance, and delivery of cloud services and negotiates relationships between providers and customers.
Cloud computing
A model for on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort (NIST SP 800-145).
Cloud reference architecture
A conceptual model describing cloud roles, activities, and functions (NIST SP 500-292).
Cloud secure data lifecycle
The six phases data passes through in the cloud: Create, Store, Use, Share, Archive, Destroy.
Cloud service customer (CSC)
The entity that uses cloud services.
Cloud service provider (CSP)
The entity that offers and operates cloud services.
Common Criteria
ISO/IEC 15408 — an international standard for evaluating the security assurance of products.
Community cloud
Cloud infrastructure shared by several organizations with common concerns (mission, compliance).
Confidential computing
Protecting data while it is in use by processing it inside a hardware-based trusted execution environment.
Container
OS-level virtualization that packages an application with its dependencies and shares the host kernel — lighter than a VM.
Crypto-shredding
Cryptographic erasure — making data unrecoverable by destroying its encryption keys; the cloud way to 'destroy' data.
CSA CCM
The CSA Cloud Controls Matrix — a vendor-neutral cloud security control framework mapped to major standards.
CSA STAR
The CSA Security, Trust, Assurance and Risk registry — provider self-assessment (CAIQ) and third-party certification of cloud security.
DAST
Dynamic Application Security Testing — testing a running application from the outside for vulnerabilities.
Data classification
Categorizing data by sensitivity so the right protection, handling, and retention rules are applied.
Data dispersion
Splitting data into fragments stored across multiple locations (a cloud RAID-like technique) for resilience.
Data masking
Obscuring data by substituting or scrambling it while preserving its format, typically for non-production use.
DevSecOps
Integrating automated security into DevOps CI/CD pipelines so security keeps pace with continuous delivery.
DLP
Data Loss Prevention — tools and processes that discover, monitor, and block unauthorized exfiltration of sensitive data.
eDiscovery
The identification, collection, and production of electronically stored information for legal matters (ISO/IEC 27050).
Encryption
Transforming plaintext into ciphertext with an algorithm and key; reversible only with the key.
Federated identity
Linking a user's identity across multiple systems or organizations so one login works across services.
FedRAMP
A U.S. government program that standardizes the security assessment and authorization of cloud services for federal use.
FIPS 140-3
The current U.S. federal standard for validating cryptographic modules (succeeding FIPS 140-2).
GDPR
The EU General Data Protection Regulation governing the processing of personal data.
Host attestation
Verifying the integrity and trust state of a host before extending trust to it.
Hybrid cloud
A composition of two or more distinct clouds bound together by technology that enables data and application portability.
HYOK
Hold Your Own Key — the customer retains and controls keys entirely outside the provider's environment.
IaaS
Infrastructure as a Service — the provider supplies compute, storage, and networking; the customer manages the OS, runtime, and applications.
IAM
Identity and Access Management — the framework for managing digital identities and their access rights.
IAST
Interactive Application Security Testing — instrumenting a running app to combine static and dynamic analysis.
IRM
Information Rights Management — persistent access and usage controls bound to data objects wherever they travel.
ISO/IEC 27001
The international standard for an Information Security Management System (ISMS).
ISO/IEC 27017
A code of practice for information security controls specific to cloud services.
ISO/IEC 27018
A code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors.
Key management system (KMS)
A system that generates, stores, rotates, and retires cryptographic keys.
Management plane
The centralized console/API used to provision and control cloud resources — a high-value target because of its broad reach.
Measured service
Resource usage is metered and reported, enabling pay-per-use billing and optimization.
MFA
Multi-Factor Authentication — verifying identity with two or more independent factors from different categories.
Microsegmentation
Fine-grained network isolation policies applied down to individual workloads, a building block of zero trust.
Multi-cloud
The use of cloud services from more than one provider, often to avoid lock-in or for resilience.
Nonrepudiation
Assurance that an actor cannot deny having performed an action.
On-demand self-service
A consumer can provision computing capabilities automatically, without human interaction with the provider — one of the five essential cloud characteristics.
OWASP Top 10
A community-maintained list of the most critical web application security risks.
PaaS
Platform as a Service — the provider supplies a managed platform/runtime; the customer manages only the deployed application and its data.
PII
Personally Identifiable Information — data that can identify an individual; 'regulated' vs 'contractual' PII is a tested distinction.
Privacy Impact Assessment (PIA)
A structured assessment of the privacy risks of a system or process.
Private cloud
Cloud infrastructure provisioned for the exclusive use of a single organization.
Public cloud
Cloud infrastructure provisioned for open use by the general public.
Rapid elasticity
Capabilities can be scaled out and in quickly, appearing unlimited to the consumer and matching demand.
Resource pooling
A provider's resources are pooled to serve multiple consumers in a multi-tenant model, dynamically assigned and reassigned.
Right to audit
A contract clause that lets the customer assess a provider's controls (often substituted by SOC 2 / ISO certifications).
Risk treatment
How an organization addresses a risk: avoid, mitigate, transfer/share, or accept it.
RPO
Recovery Point Objective — the maximum acceptable data loss measured backward in time; it drives backup frequency.
RSL
Recovery Service Level — the percentage of full compute capacity a process requires during a disaster.
RTO
Recovery Time Objective — the maximum acceptable time to restore a process after a disruption.
SaaS
Software as a Service — the provider delivers a fully managed application; the customer manages only its data and limited settings.
Sandboxing
Isolating execution so untrusted code cannot affect the wider system.
SAST
Static Application Security Testing — analyzing source or binary code without executing it.
SCA
Software Composition Analysis — identifying open-source components and their known vulnerabilities.
Secure SDLC
Building security into every phase of the software development life cycle rather than testing for it at the end.
Serverless (FaaS)
An execution model where the provider fully manages infrastructure and code runs in response to events (Function as a Service).
Shared responsibility model
The division of security duties between provider and customer; the boundary shifts by service model — most customer responsibility in IaaS, least in SaaS, with data and access always the customer's.
SIEM
Security Information and Event Management — aggregates and correlates logs and events for detection and investigation.
SLA
Service Level Agreement — a contractual commitment on service performance and availability metrics.
SOC
Security Operations Center — the team and function that monitors and responds to security events.
SOC 2
An AICPA report on a provider's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).
SSO
Single Sign-On — one authentication grants access to multiple systems.
STRIDE
A threat-modeling taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
Tokenization
Replacing sensitive data with a non-sensitive token mapped to the real value in a separate secure vault.
TPM
Trusted Platform Module — a hardware security chip that stores keys, records boot measurements in platform configuration registers (PCRs), and signs attestation quotes about the host's state.
Type 1 hypervisor
A bare-metal hypervisor that runs directly on hardware with no host OS — smaller attack surface; used in production cloud.
Type 2 hypervisor
A hosted hypervisor that runs atop a host operating system — larger attack surface; used for desktop labs.
Vendor lock-in
Difficulty migrating away from a provider because of proprietary dependencies.
Virtualization
Abstracting physical resources into virtual instances so one physical host can run many isolated workloads.
VM escape
An attack where code in a guest VM breaks isolation to reach the hypervisor or host, threatening multi-tenant isolation.
WAF
Web Application Firewall — filters and monitors HTTP traffic to protect web applications.
Zero trust
A model that grants no implicit trust by network location; every request is authenticated, authorized, and continuously validated.

CCSP Study Guide FAQ

As of the October 1, 2025 update, the CCSP uses Computerized Adaptive Testing (CAT): 100 to 150 items with a maximum of 3 hours. The number varies because the test adapts to your performance, and the minimum-length form includes 25 unscored pretest items. Questions are multiple choice and advanced item types.

References

  1. ISC2. “CCSP Certification Exam Outline (effective October 1, 2025).” isc2.org.
  2. ISC2. “CCSP — Certified Cloud Security Professional.” isc2.org.
  3. ISC2. “CCSP Experience Requirements.” isc2.org.
  4. National Institute of Standards and Technology. “SP 800-145: The NIST Definition of Cloud Computing.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-146: Cloud Computing Synopsis and Recommendations.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  7. Cloud Security Alliance. “Security Guidance for Critical Areas of Focus in Cloud Computing v4.0.” cloudsecurityalliance.org.
  8. Cloud Security Alliance. “Cloud Controls Matrix (CCM).” cloudsecurityalliance.org.
  9. International Organization for Standardization. “ISO/IEC 27017 — Cloud information security controls.” iso.org.
  10. International Organization for Standardization. “ISO/IEC 27018 — Protection of PII in public clouds.” iso.org.
  11. FedRAMP (U.S. General Services Administration). “FedRAMP — Program overview.” fedramp.gov.
  12. National Institute of Standards and Technology. “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov, accessed 19 June 2026.
  13. International Organization for Standardization. “ISO/IEC 27037 — Digital evidence identification, collection, acquisition and preservation.” iso.org, accessed 19 June 2026.
  14. Cloud Security Alliance. “CSA STAR Registry.” cloudsecurityalliance.org, accessed 19 June 2026.