Preface (Read this first!)
- Legend
- What’s New in the August 2026 Exam
- Exam Prep Strategy
- Exam Mindset
- Time Management
- Evaluating Exam Answers (The READ Strategy)
- Recommended Study Materials
- Books
- Practice Questions
- Video Training
- Flashcards
Domain 1: Cloud Concepts, Architecture and Design
- 1.1 Understand Cloud Computing Concepts
- 1.1.1 Cloud Computing Definitions
- 1.1.2 Cloud Computing Roles
- 1.1.3 Essential Cloud Computing Characteristics
- 1.1.4 Building Block Technologies
- 1.2 Describe Cloud Reference Architecture
- 1.2.1 Cloud Computing Activities
- 1.2.2 Cloud Service Capabilities
- 1.2.3 Cloud Service Categories
- 1.2.4 Cloud Deployment Models
- 1.2.5 Cloud Shared Considerations
- 1.2.6 Impact of Related Technologies
- 1.3 Understand Security Concepts Relevant to Cloud Computing
- 1.3.1 Cryptography and Key Management
- 1.3.2 Identity and Access Control
- 1.3.3 Data and Media Sanitization
- 1.3.4 Network Security
- 1.3.5 Virtualization Security
- 1.3.6 Common Cloud Threats
- 1.3.7 Security Hygiene
- 1.4 Understand Design Principles of Secure Cloud Computing
- 1.4.1 Cloud Secure Data Lifecycle
- 1.4.2 Cloud-based Disaster Recovery (DR) and Business Continuity (BC)
- 1.4.3 Cost Benefit Analysis
- 1.4.4 Functional Security Requirements
- 1.4.5 Security Considerations for Different Cloud Categories
- 1.4.6 Cloud Design Patterns
- 1.4.7 DevOps Security
- 1.5 Evaluate Cloud Service Providers
- 1.5.1 Verification Against Criteria
- 1.5.2 System/Subsystem Product Certifications
- Vendor Management and Assessment
- Security Governance
- 1.6 Comprehend Artificial Intelligence (AI)/Machine Learning (ML)
- 1.6.1 Cloud Threat Detection and Analysis
- 1.6.2 Data Source Validation and Verification
- 1.6.3 Security Orchestration, Automation and Response (SOAR)
- 1.6.4 Ethical Concerns
- 1.6.5 Regulatory Requirements
Domain 2: Cloud Data Security
- 2.1 Describe Cloud Data Concepts
- Security Fundamentals: CIA Triad and Beyond
- Data Security Roles
- 2.1.1 Cloud Data Life Cycle Phases
- 2.1.2 Data Dispersion
- 2.1.3 Data Flows
- 2.2 Design and Implement Cloud Data Storage Architectures
- 2.2.1 Storage Types
- 2.2.2 Threats to Storage Types
- 2.3 Design and Apply Data Security Technologies and Strategies
- 2.3.1 Encryption and Key Management
- 2.3.2 Hashing
- 2.3.3 Data Obfuscation
- 2.3.4 Tokenization
- 2.3.5 Data Loss Prevention (DLP)
- 2.3.6 Keys, Secrets, and Certificates Management
- 2.4 Implement Data Discovery
- Data Storage and Analytics Concepts
- Data Types and Discovery Challenges
- 2.4.1 Structured Data
- 2.4.2 Unstructured Data
- 2.4.3 Semi-Structured Data
- 2.4.4 Data Location
- 2.5 Implement Data Classification
- 2.5.1 Data Classification Policies
- 2.5.2 Data Mapping
- 2.5.3 Data Labeling and Tagging
- 2.6 Design and Implement Information Rights Management (IRM)
- 2.6.1 Objectives
- 2.6.2 Appropriate Tools
- 2.7 Plan and Implement Data Retention, Deletion, and Archiving Policies
- 2.7.1 Data Retention Policies
- 2.7.2 Data Deletion Procedures and Mechanisms
- 2.7.3 Data Archiving Procedures and Mechanisms
- 2.7.4 Legal Hold
- 2.8 Design and Implement Auditability, Traceability, and Accountability of Data Events
- 2.8.1 Definition of Event Sources and Requirement of Identity Attribution
- 2.8.2 Logging, Storage and Analysis of Data Events
- 2.8.3 Chain of Custody and Non-Repudiation
- 2.9 Comprehend Data Protection of Artificial Intelligence (AI) and Machine Learning (ML) Data
- 2.9.1 Data Set and Model Privacy
- 2.9.2 Data Set and Model Security
Domain 3: Cloud Platform and Infrastructure Security
- 3.1 Comprehend Cloud Infrastructure Components
- 3.1.1 Physical Environment
- 3.1.2 Network and Communications
- 3.1.3 Compute
- 3.1.4 Virtualization
- 3.1.5 Storage
- 3.1.6 Management Plane
- 3.2 Design a Secure Data Center
- 3.2.1 Logical Design
- 3.2.2 Physical Design
- 3.2.3 Environmental Design
- 3.2.4 Design Resilience
- 3.3 Analyze Risks Associated with Cloud Infrastructure
- 3.3.1 Risk Assessment and Analysis
- 3.3.2 Cloud Vulnerabilities, Threats and Attacks
- 3.3.3 Risk Treatment Strategies
- 3.4 Design and Plan Security Controls
- 3.4.1 Physical and Environmental Protection
- 3.4.2 System and Communication Protection
- 3.4.3 Identification, Authentication and Authorization in Cloud Infrastructure
- 3.4.4 Audit Mechanisms
- 3.5 Plan Disaster Recovery (DR) and Business Continuity (BC)
- BC and DR Definitions
- 3.5.1 Business Continuity/Disaster Recovery Strategy
- 3.5.2 Business Requirements
- 3.5.3 Creation, Implementation and Testing of Plan
Domain 4: Cloud Application Security
- 4.1 Advocate Training and Awareness for Application Security
- 4.1.1 Cloud Development Basics
- 4.1.2 Common Pitfalls
- 4.1.3 Common Cloud Vulnerabilities
- 4.2 Describe the Secure Software Development Life Cycle (SDLC) Process
- 4.2.1 Business Requirements
- 4.2.2 Phases and Methodologies
- 4.3 Apply the Secure Software Development Life Cycle (SDLC)
- 4.3.1 Cloud-specific Risks
- 4.3.2 Threat Modeling
- 4.3.3 Avoid Common Vulnerabilities During Development
- 4.3.5 Software Configuration Management and Versioning
- 4.4 Apply Cloud Software Assurance and Validation
- 4.4.1 Functional Testing
- 4.4.2 Security Testing Methodologies
- 4.4.3 Quality Assurance (QA)
- 4.4.4 Abuse Case Testing
- 4.5 Use Verified Secure Software
- 4.5.1 Approved Application Programming Interfaces (API)
- 4.5.2 Supply-chain Management
- 4.5.3 Third-party Software Management
- 4.5.4 Validated Open Source Software
- 4.6 Comprehend and Apply the Specifics of Cloud Application Architecture
- 4.6.1 Supplemental Security Components
- 4.6.2 Cryptography
- 4.6.3 Sandboxing
- 4.6.4 Application Virtualization and Orchestration
- 4.7 Design Appropriate Identity and Access Management (IAM) Solutions
- 4.7.1 Federated Identity
- 4.7.2 Identity Providers (IdP)
- 4.7.3 Single Sign-On (SSO)
- 4.7.4 Multifactor Authentication (MFA)
- 4.7.5 Cloud Access Security Broker (CASB)
- 4.7.6 Secrets, Key, and Certificate Management
Domain 5: Cloud Security Operations
- 5.1 Build and Implement Physical and Logical Infrastructure for Cloud Environment
- 5.1.1 Hardware Specific Security Configuration Requirements
- 5.1.2 Secure by Default
- 5.1.3 Installation and Configuration of Management Plane Tools
- 5.1.4 Virtual Hardware Specific Security Configuration Requirements
- 5.1.5 Installation of Guest Operating System Virtualization Toolsets
- 5.2 Operate and Maintain Physical and Logical Infrastructure for Cloud Environment
- 5.2.1 Access Controls for Local and Remote Access
- 5.2.2 Secure Network Configuration
- 5.2.3 Network Security Controls
- 5.2.4 Operating System (OS) Hardening
- 5.2.5 Patch Management
- 5.2.6 Availability of Clustered Hosts
- 5.2.7 Availability of Guest Operating System (OS)
- 5.2.8 Performance and Capacity Monitoring
- 5.2.9 Hardware Monitoring
- 5.2.10 Configuration of Host and Guest OS Backup and Restore Functions
- 5.2.11 Management Plane
- 5.3 Implement Operational Controls and Standards
- 5.3.1 Change Management
- 5.3.2 Continuity Management
- 5.3.3 Information Security Management
- 5.3.4 Continual Service Improvement Management
- 5.3.5 Incident Management
- 5.3.6 Problem Management
- 5.3.7 Release Management
- 5.3.8 Deployment Management
- 5.3.9 Configuration Management
- 5.3.10 Service-Level Management
- 5.3.11 Availability Management
- 5.3.12 Capacity Management
- 5.4 Support Digital Forensics
- 5.4.1 Forensic Data Collection Methodologies
- 5.4.2 Evidence Management
- 5.4.3 Collecting, Acquiring, and Preserving Digital Evidence
- 5.5 Manage Communication with Relevant Parties
- 5.5.1 Vendors
- 5.5.2 Customers
- 5.5.3 Partners
- 5.5.4 Regulators
- 5.5.5 Other Stakeholders
- 5.6 Manage Security Operations
- 5.6.1 Security Operations Center (SOC)
- 5.6.2 Intelligent Monitoring of Security Controls
- 5.6.3 Log Capture and Analysis
- 5.6.4 Incident Response (IR)
- 5.6.5 Vulnerability Assessments
- 5.6.6 Penetration Testing
- Vulnerability Assessment vs Penetration Testing
Domain 6: Legal, Risk, and Compliance
- 6.1 Articulate Legal Requirements and Unique Risks within the Cloud Environment
- 6.1.1 Conflicting International Legislation
- 6.1.2 Evaluation of Legal Risks Specific to Cloud Computing
- 6.1.3 Legal and Regulatory Frameworks and Guidelines
- 6.1.4 eDiscovery
- 6.1.5 Forensics Requirements
- 6.2 Understand Privacy Requirements
- 6.2.1 Difference Between Contractual and Regulated Private Data
- 6.2.2 Country-Specific Legislation Related to Private Data
- 6.2.3 Jurisdictional Differences in Data Privacy
- 6.2.4 Standard Privacy Requirements
- 6.2.5 Privacy Impact Assessments (PIA)
- 6.3 Understand Audit Processes, Methodologies, and Required Adaptations for a Cloud Environment
- 6.3.1 Internal and External Audit Controls
- 6.3.2 Impact of Audit Requirements
- 6.3.3 Identify Assurance Challenges of Virtualization and Cloud
- 6.3.4 Types of Audit Reports
- 6.3.5 Restrictions of Audit Scope Statements
- 6.3.6 Gap Analysis
- 6.3.7 Audit Planning
- 6.3.8 Internal Information Security Management System (ISMS)
- 6.3.9 Internal Information Security Controls System
- 6.3.10 Policies
- 6.3.11 Identification and Involvement of Relevant Stakeholders
- 6.3.12 Specialized Compliance Requirements for Highly-Regulated Industries
- 6.3.13 Impact of Distributed Information Technology (IT) Model
- 6.4 Understand Implications of Cloud to Enterprise Risk Management
- 6.4.1 Assess Providers Risk Management Programs
- 6.4.2 Difference Between Data Roles
- 6.4.3 Regulatory Transparency Requirements
- 6.4.4 Risk Treatment
- 6.4.5 Different Risk Frameworks
- 6.4.6 Metrics for Risk Management
- 6.4.7 Assessment of Risk Environment
- 6.5 Understand Outsourcing and Cloud Contract Design
- 6.5.1 Business Requirements
- 6.5.2 Vendor Management
- 6.5.3 Contract Management
- 6.5.4 Supply-Chain Management
- Government Cloud Standards
Addendum A - Standards and Frameworks
- Cloud definitions and reference architectures
- Descriptions
- Audit, assurance, and product evaluation
- Descriptions
- Information security and cloud-specific ISO/IEC standards
- Descriptions
- Digital forensics and eDiscovery
- Descriptions
- Risk management and governance
- Descriptions
- Architecture and operations frameworks
- Descriptions
- Incident response and log management
- Descriptions
- Privacy laws, frameworks, and impact assessment
- Descriptions
- Application security, OWASP, SANS, MITRE
- Descriptions