Between the CCSP CBK and the Official ISC2 Study guides, both have different phases. Which one is correct?
CCSP CBK (Second edition)
1. Planning and requirements analysis
2. Defining
3. Designing
4. Developing
5. Testing
6. Maintenance
ISC2 Official CCSP study guide (Second edition)
1. Defining
2. Designing
3. Development
4. Testing
5. Secure operations
6. Disposal
Interesting question. Highlights a Quality Control issue in the publications. @AndreaMoore can you pass along so that it can be corrected.
Typically SDLC gets boiled down to five stages
Planning
Analysis
Design
Implementation
Maintenance
However, each of those actually breaks down further.
I like this pictorial to explain
The important thing here is to know how the process works, not necessarily the exact terminology. Kind of like how different tech companies will use different terminology for their process but it is essentially the same. But like @dcontesti said, it should be listed as to which specific SDLC model they will be tested on. I'd recommend on the official exam outline @AndreaMoore.
From the Exam Outline:
1. Planning and requirements analysis --> Combined into Defining
2. Defining --> Defining
3. Designing --> Designing
4. Developing --> Developing
5. Testing --> Testing
6. Maintenance --> Secure Operations and Disposal
I remember coming across or something like it a few years ago, and saying "hey that doesn't look right." I can't help you figure out which is the "right" one to memorize for a test, but I would point you to what I think is the applicable distinction between the cloud SDLC and the traditional (uncloud?) one.
It's that "Secure Operations" line in the cloud SDLC. Why is it different from "Maintenance?" Because the software resides under some central control. The best example is SaaS - what at one time we might have called a "web application." The traditional SDLC was about releasing software and getting it to various desktop installations, and then you were into maintenance (patches and updates). Under a cloud model, you're not done at the release. You're running the software; your users are just interacting with it. In that case, maintenance is more than patching and updating. It is a difference that means something. But these concerns apply to PaaS and IaaS, even if to a lesser degree. You'll always have some responsibility for how the software is running - the operations.
The other discrepancies, in my view, are mostly picking different words to say the same thing. I guess I could say with the cloud you also have more control over disposal. You can take away the application whereas in the traditional SDLC you probably have less control over what your users do (although you could use DRM to stop people from using your old software).
I guess that's a long-winded way of saying that I think sometimes we test the wrong thing. Knowing the wording of the steps shouldn't be as important as knowing the real concepts.
@JoePete wrote:
I guess that's a long-winded way of saying that I think sometimes we test the wrong thing. Knowing the wording of the steps shouldn't be as important as knowing the real concepts.
Totally agree, learning the steps is straight memory work but understanding what happens in each step or phase can demonstrate an understanding of the concept.
Problem is, in different countries/culture/locale words can have several meanings or entirely different meanings.
However, with (ISC)2 printed materials, the words should be the same (MHOO).
@JoePete @dcontesti @tmekelburg1 Thank you all for your replies, your views are very much appreciated. Indeed I totally agree that whatever titles are used to denote each phase is not the most important, but understanding in detail each phase is paramount. However, the titles for each phase need to be consistent in all ISC2 publications so that exam takers have confidence in their learning to assess the options that are being presented to them are the correct ones or incorrect so they can make an informed decision. I would still appreciate ISC2 to formally confirm their agreed stance on which ones they stand by for the benefit of all those who are currently studying or about to take the exam.
Kind regards