Newcomer I

CCSP SDLC steps discrepancies between CBK & Official Study Guide (vol 2) versions

I'll be taking my CCSP in a couple of weeks, and I'm hoping I can get help with the discrepancies between the CBK and the Official Study Guide (both from ISC2) as they pertain to the SDLC steps.

The CCSP Official Study Guide
Chapter 7 - Cloud-Secure Software Development Lifecycle (Pg 340-341 ebook)

1. Defining
2. Designing
3. Development
4. Testing
5. Secure Operations
6. Disposal

The Official (ISC)2 Guide to the CCSP CBK
Domain 4 - Cloud Application Security (Pg 213-214)

1. Planning and requirements analysis
2. Defining
3. Designing
4. Developing
5. Testing

Which one is correct? Which one should I concentrate on?
If a question is which one is the last step of SDLC, I can see getting this wrong.


Any help would be greatly appreciated.

3 Replies
Community Champion


Definitely something that should be raised to Casey and his crew.


As to an answer, that's a hard one.


I am not a CCSP so I may be all wrong on this one, but as a CSSLP, I would suggest that the Official Study Guide may be missing a few stages. I have always used a seven-stage method:


  • Planning
  • Feasibility or Requirements 
  • Design
  • Development  
  • Testing 
  • Implementation and Integration
  • Operations and Maintenance.

I typically group Disposal in the operations and maintenance phase.


However, I have seen other folks use five- and six-phase approaches. But then I think the two documents should reflect the same steps.


Suggest we wait to see what (ISC)2 has to say on this one.


As to the exam, Testing is NOT the last phase no matter which model one uses.




Newcomer I



Thank you for your reply. I appreciate it, especially as I plan on sitting for the CSSLP as well in March of next year. I don't have the CSSLP book yet and I was hoping that would be the "tie-breaker".


It sounds like, adding the CSSLP, ISC2 then by all accounts has a total of 3 different lifecycles for software development, which is understandable in a real-world scenario, but should not be the case for a single topic in an educational setting (but then again, what do I know about education?). 🙂




In 2019 I followed the Firebrand training for CSSP and they follow the (ISC)2 CCSP CBK. Both lists overlap so I shouldn't worry.