For this post, I will provide you with my recommended path, in terms of what materials to read and how to practice for the exam. I took the CCSP because I wanted to have a better understanding of cloud concepts prior to diving deep into specific technologies such as Azure, AWS, or Google Cloud. If you are in a position where you will help your organization move to the cloud or have a security role pertaining to the cloud, I definitely recommend this certification.
I ended up pushing the exam back one month because I didn’t feel ready; however, the exam was not difficult. I think some of the practice exams I found were harder than the exam itself. With that being said, I do think it’s best to over-prepare rather than under-prepare; therefore, make sure you have a good understanding of the material.
Before we get started
Before you get started with your studying, I highly suggest you review the CCSP exam outline as it will give you a better direction on what material/topics you should really know for the exam.
- The CCSP Exam Outline covers the domains that are required for the exam along with their weight in terms of percentage as seen below:
- Cloud Concepts, Architecture and Design 17%
- Cloud Data Security 19%
- Cloud Platform & Infrastructure Security 17%
- Cloud Application Security 17%
- Cloud Security Operations 17%
- Legal, Risk and Compliance 13%
I copied the CCSP Exam Outline into a Google Doc and used it as a base to keep my notes. I hope it helps you.
Getting Started: Obtaining the right study material
Before I share my recommended books, I want you to understand that you will NOT learn all concepts from any individual book. You will need to review other content (think NIST, CSA, ISO).
- (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition – Alternatively you can get both the study guide and the practice questions as a bundle (Here) – This book is very good at covering most exam objectives (Cloud Data Security, Cloud Application Security, Cloud Security Operations, Cloud Platform and Infrastructure Security, etc.). Note that you’ll also have access to the Wiley online test bank, which allows you to create quizzes or full-length exams as extra practice.
- The Official (ISC)2 Guide to the CCSP CBK – This is an excellent study source which covers and aligns well with the CCSP Exam Outline provided above. The questions in the book are good for reinforcement; however, you’ll probably want to find other sources of questions that are more reflective of the questions on the actual exam.
Recommended Material to read/know
- CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
- NIST 800-145 – The NIST Definition of Cloud Computing
- Microsoft: Shared Responsibilities for Cloud Computing
- Cybrary.it – By Kelly Handerhan – This is a 12+ hour course which covers all domains. Kelly does a great job of giving you exam tips, which can come in handy. I’d highly recommend it, especially if you are a visual learner. Additionally, Kelly includes a set of notes with PowerPoint presentations on each domain; this is a great way to summarize each domain at the end of your reading.
- LinuxAcademy (via A Cloud Guru) – If you have access or can get a trial, I found this to be very helpful as well. It includes small labs at the end of most domains (Azure, AWS) that demonstrate and reinforce the topics you just learned (e.g. cloud characteristics: resource pooling, elasticity, on-demand self-service). Additionally, it includes useful quizzes, flashcards, and other helpful notes.
- Cybrary.it – Kelly Handerhan includes some practice exams which are very relevant.
- Wiley – If you bought one of the Sybex books you’ll have access to this. This is a great way to create custom quizzes, full length exams, flash cards, etc. Most of the questions are the same ones as the book, if you can answer those you won’t have a problem answering the ones online.
- Udemy – I was able to find a few exams that were somewhat relevant, it’s up to you if you want to spend that extra $ to find appropriate ones. I’m actually coming up with practice questions to publish here as well (Check back soon)
What material should I know?
Here are additional topics I recommend being familiar with to ensure there are no surprises on the day of the exam:
- NIST SP 800-145 (The NIST Definition of Cloud Computing)
- CAPEX vs. OPEX
- Cloud computing characteristics (on-demand self-service, elasticity, resource pooling, broad network access, measured service)
- Trusted Cloud Initiative reference architecture and the frameworks it draws on (ITIL, SABSA, TOGAF)
- GDPR
- The Cloud Data Lifecycle
- Risk frameworks and threat catalogs (ENISA, CSA Top Threats, NIST SP 800-146)
- OWASP Top Ten vulnerabilities
- Chain of custody, forensic data collection, and the challenges of both in the cloud
- eDiscovery
- Sandboxing
- KVM and its associated risks
- STRIDE threat model
- DAST and SAST
- SOC report types (SOC 1, SOC 2, SOC 3; Type I vs. Type II)
- Incident Management (ITIL)
- Disaster Recovery and Business Continuity, gap analysis, RTO/RPO
- OWASP guidance for APIs (RESTful and SOAP)
ISC2 Facts & Exam Tips
The following are standard facts related to most ISC2 exams (Think CISSP), keep these in mind when taking any ISC2 exams such as CISSP, CCSP.
- Risks cannot be eliminated, there will always be residual risk
- Human life is ALWAYS the most valuable asset
- Security is everyone’s responsibility
- If it’s not necessary to your business or function, get rid of it (otherwise it will create a liability for your organization)
- ISC2 exams are international; keep in mind that internationally applicable answers are better than regional ones (a perfect example is GDPR, which applies across multiple countries)
- Regulations & Laws should be treated as additional risks
- If you develop/design anything with security as an initial consideration and throughout its lifecycle, it will make things easier and more cost effective
- Thorough testing (e.g. DAST/SAST) will always find a problem (specifically within the SDLC)
- Separation of duties will always be the best answer
- Chain of Custody should always be established first and maintained
- Risk Assessment is never-ending
- Think like a manager when answering most questions (In terms of governance), but have a thorough understanding of technology to be in a position to suggest potential solutions to problems.
- Develop a security culture from the top down (always have buy-in from the top)
- Make sure you read the question thoroughly. Some of the questions are lengthy because they’re scenario based; focus on the key terms such as “Which one is the BEST” or “Which one is NOT” so you don’t jump ahead.
- You may mark questions during the exam and come back to them later, don’t waste your brain power in tackling confusing questions. Sometimes other questions might give you the answer or make your brain remember that particular concept better.
My game plan
80+ days before the exam:
I started with The Official (ISC)2 Guide to the CCSP CBK. I allocated 1-2 hours for reading on weekdays. While reading, I would highlight and add sticky notes to pages that I thought were important. On the weekends I’d spend more time reading, answer the end-of-chapter questions, type up vocabulary, and ensure I had a good understanding.
60+ days before the exam:
About two weeks after I initially started reading, I started doing practice exams/quizzes from the Wiley question bank. This helped me see what concepts I was strong at, and what I was weak at.
40+ days before the exam:
I started watching the Kelly Handerhan video series on Cybrary. I would watch it for about 1 hour and fast forward through the topics that I knew well. I also watched the My takeaway from here was that she gave good exam tips, and she explained some of the topics really well using her own examples. She provides good and easy-to-understand examples (such as explaining cloud delivery models as Pizza-as-a-Service).
15+ Days before the exam:
At this point I was just taking practice exams and getting 60-80%. I did not feel confident enough to take the exam and thus decided to reschedule. I pushed the exam back by 4 weeks. By this time I also had a good perspective on how the exam would be structured and how certain questions would be phrased, such as “Choose the BEST answer”, “What is the MOST important”, or “What is NOT”. My takeaway was that I had a better mindset of what the real exam would be like.
30+ Days before the exam:
At this point I was just focusing on the areas where I was scoring low and re-testing my knowledge. I can say I definitely felt more comfortable and was scoring higher. In retrospect I think I was ready to take it then, but I wasn’t feeling confident. At this time I also started looking into Azure to get a better understanding of how these concepts are put into practice in the real world.
2 Days before the exam:
I was reviewing terminology mainly to ensure that I wouldn’t get terms confused (think of Elasticity vs. Scalability).
1 Day before the exam:
I did nothing; whatever I had learned or not learned by then wasn’t going to make a difference.
Don’t overthink this exam. If you already have cloud experience, some of the technical questions and concepts should be fairly easy for you. Additionally, if you have taken the CISSP before, you’ll have a good idea of how to answer these questions, and you’ll find that this is a much easier exam. Remember the exam tips and how the questions are asked so there is no confusion. Choose the “best” answer and I can assure you that will be the correct answer. Good luck!