After about 1.5 years off from taking and failing this exam twice, I sat for it again last Friday. In preparation, work paid for a 5-day boot camp with a 93% success rate! I went through that and also bought the new CCSP CBK 3rd edition to supplement my learning. I also did a number of official CCSP practice quizzes and was in the mid-to-high 80% range. During the test I felt really good. I didn't think there were many surprises, and even the 25 sample questions didn't seem to jump out at me. Upon completion, I was again disappointed to learn I didn't pass. I was above in two domains and below in four. Actually, I did worse than in my previous attempts. Clearly, I am missing something. I am going to try and perform a gap analysis on each domain. I figure I will take additional remaining CCSP Official practice exam questions (30 questions each), focus on each domain, and see if they match up with my results. As a current CISSP and CISM holder, this is frustrating me. I don't need this exam, but would like to obtain and hold it. Now it's more of a challenge for me. Although, the definition of insanity is really making sense now.
Why not try the CCSK, as it may help you get your confidence back?
For the CCSP Exam I felt that this was helpful in my ability to pass.
Review "NIST Special Publication 800-146 Chapter 4". Using this chapter as a foundation, I created alternate scenario questions in my head and answered them.
What change to part of the scenario would make me come up with a different answer? Like a "What if I changed this, would it change that?"
Hello Dmor_11,
Wow! Thanks for sharing your story first of all. It’s an eye opener for other CISSPs.
Following are some study resources/tips; maybe you'll find them helpful:
1. NIST SP 500-292 (Cloud computing reference architecture)
2. ISC2 CBK Reference, and the Official Study Guide
3. Lots of practice tests
4. Time to review
I wish you all the best and hopefully you make it through this time.
Wow! Thanks for sharing your story first of all. It’s an eye opener for other CISSPs too! I attended a Skillsoft CCSP bootcamp recently and the instructor mentioned that “CCSP is more of a tweaked CISSP, and that it’s made by CISSPs for CISSPs”, but your experience is a game changer to that notion.
My sense is the CCSP is kind of a certification lost on the seas of security without a home port. Cloud security varies so much depending on the type of service (and, in some cases, service provider) that the CCSP content may feel too broad. While I haven't looked at the most recent CBK, I agree the prior versions really seemed to be built upon the foundation of the CISSP plus some more business-focused concepts. As an example, you need to understand risk management well for cloud security due to the variation in pricing models across different service types. The CCSP CBK didn't really hit on that (again, I haven't looked at the most recent), but if you have that, it may help you get the big picture that makes a lot of the CCSP content fall into place.
To me, the big wrinkle that has come with the cloud is that it really forces security folks to understand business drivers. Back in the on-premise days there weren't as many variables. Part and parcel with that is being able to communicate security to the business folks. To them, data and applications are just a box that you are moving from an on-premise closet to some "cloud." That move literally changes the security context of everything. I think that's the hard part of the CCSP. It's trying to certify a range of knowledge that typically is built up in steps (business sense, security sense, and knowledge of particular providers).