My way to the CCSP
I get asked a lot about the CCSP and how I prepared for it. Almost a year after sitting for the exam, I decided to write about my preparation and the exam experience. Cloud security is an important topic, and the CCSP is one of the most respected cloud security certifications, if not the most respected one. I had been considering going deeper into cloud security and taking this exam for a while, and I finally decided once (ISC)² changed how it charges certification maintenance fees. They moved from a fee per credential to a fixed annual membership fee that covers maintenance for all the certifications a member holds. So, adding the CCSP after the CISSP and the CISSP-ISSMP wouldn't add to my annual maintenance fees. Of course, this was not the only criterion, but it is relevant.
About the CCSP
(ISC)² developed the Certified Cloud Security Professional (CCSP) credential to ensure that cloud security professionals have the required knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and compliance with regulatory frameworks. The CCSP Common Body of Knowledge covers six domains:
- Cloud Concepts, Architecture and Design
- Cloud Data Security
- Cloud Platform & Infrastructure Security
- Cloud Application Security
- Cloud Security Operations
- Legal, Risk and Compliance
CCSP candidates need to have at least five years of IT experience, with a minimum of three years in information security and at least one year in one or more of the six domains. CISSP holders are exempt from those requirements, including the endorsement process, which is required for other candidates. More (and potentially updated) information can be found on the (ISC)² website.
Booking and studying for a certification is the perfect opportunity to force myself to explore topics related to my professional focus areas in which I don't have relevant hands-on professional experience. In the case of the CCSP, those were mostly some topics in Domain 4 – Cloud Application Security, such as cloud-specific concerns in the SDLC, ISO/IEC 27034, and the Organizational Normative Framework (ONF), among others. This is to highlight that you should know the content, your strengths, and your weaknesses.
When I started my preparation for the CCSP, I checked the exam outline to understand which topics should be my main focus. I knew I had to focus on the Cloud Application Security domain and glance at some topics in the Cloud Concepts, Architecture and Design and Cloud Security Operations domains. I also realized I didn't really need to bother that much with Cloud Data Security and Legal, Risk and Compliance, domains in which I already had a strong knowledge base.
Before deciding to take the CCSP, I had read the book Practical Cloud Security by Chris Dotson, an excellent resource for anyone interested in cloud security. Unlike other CCSP-specific material, this book covers not only the concepts but also briefly describes how the leading cloud service providers apply them.
Specifically for the CCSP, I used the book (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition by Ben Malisow. I did not read this one entirely, just the topics I felt I needed to know more about, mostly the topics behind the practice questions I got wrong.
This leads us to my preferred study resource, the book CCSP Official (ISC)2 Practice Tests, also by Ben Malisow. This book has over 1,000 practice questions, one chapter per domain, plus two full practice exams with questions from all domains in a distribution similar to the real exam. I answered all of them, reviewing the ones I got wrong. This practice is, for me, the 80/20 of certification preparation. If you don't want to, or don't think you need to, go through the entire content in depth, use this method to prioritize topics in your preparation.
Before answering and reviewing the practice questions, I took the course Become a Certified Cloud Security Professional (CCSP) by Mike Chapple on LinkedIn Learning. This course provides an excellent summary of the CCSP topics. Probably not enough as a single study resource, but a very good overview.
A couple of days before the exam, I also reviewed my old CISSP material, mainly the mind maps I created when preparing for the CISSP, just to remember some topics as there is a clear overlap between the CISSP and the CCSP.
The CCSP is a linear, mostly multiple-choice, closed-book exam. I've taken plenty of such exams and wrote about my general strategy for this kind of exam here on this post. The exam wasn't as hard as I expected after reading some reviews online, but it is definitely not an easy test. You need to know your stuff. As expected, questions in the cloud application security domain were the most challenging for me. After 3 hours and 125 questions, I was confident I had passed, but still, the moments you wait for the proctor to hand you the printout with the results are always a bit tense. I was pleased to read the congratulations message on the paper.
Getting the cert
Being a CISSP holder, I did not have to go through the endorsement process. I just had to indicate that I'm a CISSP after getting the official results by email. After a couple of weeks, I received confirmation of the certification.
In this post, I wanted to share what I tell those who ask me about my preparation for the CCSP. It worked for me; for you, it might not be enough, or it might be a waste of time, depending on your previous knowledge and experience. Getting to know the CCSP Common Body of Knowledge and understanding what you need based on your own knowledge and experience is essential for planning a proper preparation for this exam.