(update: I passed!)
Yesterday I took the CCSP exam. Certified Cloud Security Professional is the new certification launched by ISC2, and is supposed to be complementary to CCSK. I must have been one of the first, as it only opened last Tuesday. I think I did pretty well, but my results won’t be available for the next couple of weeks. This appears to be the normal situation with a new exam.
My overall impression is that the exam covers the field of cloud computing and cloud security pretty broadly with significant detail. Nevertheless, CCSP gives little attention to cloud applications such as Big Data and DevOps. The questions are clear, by and large, and mostly relevant to cloud computing. I have seen other so-called cloud exams that are more like classical technical IT security exams.
Having said that, the CCSP exam still requires significant understanding of IT infrastructure and IT security.
I know how hard it is to make good questions, as I do that for the CCSK trainings I deliver, and this set of questions is pretty decent. Of course, there are some questions that have weird language, and I filed an incident report against them.
At 125 questions this is a significant exam. I took more than an hour to answer them all, and took the rest of two hours reviewing my answers. You have 4 hours in total.
I still think CCSK is a good basis for working your way to CCSP, as CCSP is more extensive in coverage. It is also a more formal exam that you have to take in a controlled testing center. In contrast, CCSK is an open-book on-line exam. This does not make it easier though, as is witnessed by that fact that it is failed regularly by students.
CCSP has 6 domains that cover cloud computing and its risks. Unsurprisingly, the first domain is about cloud architectural concepts and its impact on risk. Second is about data security, arguably the pivotal dimension in cloud computing. The third domain elaborates on the cloud infrastructure stack, which covers business continuity as well. The fourth domain covers application security and identity management, while the fifth domain is about operations in a cloud world. Finally, the last domain is about legal and compliance.
By design, CCSP is a 5 day course, but I currently think that this is very dependent on the background of the attendants. I am not sure if this format is a good way to study for CCSP. In any case students need to do a lot of reading.
Post Scriptum. I now also deliver CCSP courses that train you for the exam. Here is what one of my clients wrote:
Tony Richards, CTO, Securestorm, London UK:
“The training was well paced and covered all the topics. Peter is a knowledgeable and interesting trainer who used his extensive experience with excellent effect. He guided us into very productive group discussions so that we could link what we learned to our work experiences.
As a result our entire team has been able to pass the CCSP exam.”
Goto this page for a one page overview of the differences between CCSK and CCSP.