CCSP: the (ISC)2 Cloud Security Certification

In 2015 the Cloud Security Alliance and ISC2 announced a new cloud security certification: Certified Cloud Security Professional or CCSP for short (you can read the official announcement here at ISC2 and here at CSA).

TL;DR: go here if you are interested in in-company CCSP training.

The CCSP certification

CCSP has 6 domains that cover cloud computing and its risks. Unsurprisingly, the first domain is about cloud architectural concepts and their impact on risk. The second is about data security, arguably the pivotal dimension in cloud computing. The third domain elaborates on the cloud infrastructure stack, which covers business continuity as well. The fourth domain covers application security and identity management, while the fifth domain is about operations in a cloud world. Finally, the last domain is about legal and compliance matters. More details here.

CCSP is supposed to be a more extensive certification than CCSK, with a more formal exam and a requirement for 5 years of IT experience, at least three of which must have been spent in security and at least one year in cloud computing. For a more extensive comparison between CCSK and CCSP, have a look over here.

The CCSP exam and getting certified

I was one of the first to do the exam (and pass it).

My overall impression is that the exam covers the field of cloud computing and cloud security pretty broadly with significant detail, though little attention is given to cloud applications such as Big Data and DevOps. The questions are clear, by and large, and mostly relevant to cloud computing. I have seen other so-called cloud exams that are more like classical technical IT security exams.

I know how hard it is to write good questions, as I do that for the CCSK training courses I deliver, and this set of questions is pretty decent. Of course, there are some questions with weird language, and I did file an incident report against them.

At 125 questions this is a significant exam. I took more than an hour to answer them all, and spent the rest of two hours reviewing my answers. You are allowed 4 hours in total.

Learning path for CCSP

There is an official book: the Official (ISC)2 Guide to the CCSP CBK (that is an affiliate link, by the way), and in 2018, (ISC)2 published an official practice test set.

CCSP is designed as a 5 day course, but I currently think that its usefulness depends very much on the background of the attendees. I am not sure if this format is a good way to study for CCSP. In any case, there is also a lot of reading to be done.

I still think CCSK is a good basis for working your way to CCSP, as CCSP is more extensive in coverage. It is also a more formal exam that you have to take in a controlled testing center. In contrast, CCSK is an open-book online exam. This does not make it easier though, as witnessed by the fact that students fail it regularly.

While ISC2 (who also run CISSP, arguably the most relevant IT security certification) entering the field underlines the relevance and maturity of cloud security, it leaves some questions for people who either have or are pursuing CCSK certification.

If you are currently thinking of getting CCSK, should this be a moment to reconsider? It does make sense to evaluate your options. If you spend time on a certification, you might as well spend it wisely.

Getting to CCSP is a path with a lot of unknowns at this time. So here is one thing to consider: participants in my CCSK training report that it helps them in their day jobs now, even more so if they take it as a team. (Go here for more comparison between CCSK and CCSP.)

At the moment I offer CCSP training only in-company (click for details).
