Need help limiting the scope of my CCSP studying..

mrbritesidez (Posts: 9, Member)

I have been reading quite a bit of CCSP material. I bought the first edition before the second came out. I read it all, took notes and made note cards. I watched the IT Pro TV CCSP training and the Cybrary training. I went through the CCSP outline and also read the SecaaS 1 to 10 documents. I have gone back and also re-read the CSA CCSK guidance on cloud controls and got the CCSK. I have also found the notecards and memorized the ISC2 Quizlet cards. Despite all this preparation I don't feel quite comfortable, and I have the test on Wednesday. I think that I may be over-preparing in some areas and under-preparing in others. So for those that have taken the test, I would like to ask: could someone help me limit my studying by letting me know whether I should look deeper into the following or not at all?

Do I need to know the SANS security controls?
Do I need to know anything about Puppet or Chef in particular?
Do I need to memorize tech roadmaps?
Do I need to know the 27001 components?
Do I need to memorize the levels of nines (uptime)?
Do I need to know all 10 GAAP principles?
What is the difference between DRS and CRS?
Do I need to know about Basel, Cleversafe, the Luhn credit card test or HP Digital Safe? (all found in the notes sections)

Now for the section that is truly giving me heartburn: Domain 6.
I feel that law and compliance are going to be very important, but it's very hard to know which ones to focus on and at what level. Any suggestions? How did you go about studying them?

Which NIST things to remember?
  • NIST 800-30 : Risk Management for Tech Systems
  • NIST 800-37: Risk Management for Federal Information Systems
  • NIST 800-39 : Managing Information Risk, "Risk Management" processes
  • NIST 800-40: Patch Management
  • NIST 800-53: Risk Management Framework
  • NIST 800-61: Security Incident Handling Guide
  • NIST 800-92 : Log Management
  • NIST 800-122: Guideline for Protecting PII
  • NIST 800-125: Virtualization technologies
  • NIST 800-144: Guidelines on security and privacy in the public cloud
  • NIST 800-145: Essential Cloud Characteristics (Broad network access, elasticity, ....)
  • NIST 800-160: System Security Engineering
  • NIST 800-161 Supply Chain Management
  • NIST 500-292: Cloud Computing Reference Architecture
  • NIST 500-293: US Government Cloud Computing Technology Roadmap
  • NIST 500-299: NIST Cloud Computing Security Reference Architecture
Which ISO things to remember?
  • ISO 15408 - Common Criteria
  • ISO 17778 - Cloud Computing Overview and Vocabulary
  • ISO 17779 - Cloud Computing Reference Architecture
  • ISO 22301 - Business Continuity Management Systems
  • ISO 24762 - Guidelines for Disaster
  • ISO 25999 - British Standard for Business Continuity Management (BCM)
  • ISO 27001 - ISMS
  • ISO 27002 - Implementation of ISMS
  • ISO 27013 - Integrated implementation ISMS
  • ISO 27014 - Governance of IT Security
  • ISO 27016 - Organizational economics
  • ISO 27017 - ISMS for the Cloud
  • ISO 27018 - Code of practice for PII
  • ISO 27031 - Guidelines for Business Continuity readiness
  • ISO 27034 - Application Security
  • ISO 27035 - Prepare, Identify, Assess, Respond, Learn
  • ISO 27036 - Security for the Supplier relationship
  • ISO 27037 - IR : Identification, collect, acquisition and preservation of evidence
  • ISO 27040 - Storage Security
  • ISO 27041 - Suitability and adequacy of investigative methods
  • ISO 27042 - Guidelines for analysis & interpretation of digital evidence
  • ISO 27043 - Incident investigation principles & processes
  • ISO 27050 - eDiscovery in the cloud (cloud forensics)
  • ISO 28000 - Security Management System (SMS) for supply chain
  • ISO 31000 - Risk Management


  • rajpoot296 (Posts: 27, Member)
    How did the exam go?
  • Buhlz_I (Posts: 4, Registered User)
    I took my CCSP test 8/1 and did not pass. My study materials were the OnDemand course, the CBK, the CSA v3 Guide, and NIST 800-145. It wasn't enough.

    My primary deficiencies were in Domain 6, Application Security, and RM.

    My takeaways are:
    1) Know the OWASP vulnerabilities and how to mitigate (mitigate is used frequently)
    2) Know more intimate details of varying privacy laws and regs beyond that of title, applicable region, and date of origin
    3) Know RM controls.

    I've rescheduled my test towards the EOM; I don't think I was off by too much.

  • Seab (Posts: 127, Member)
    Excellent post. You seem quite ready from my point of view, but I've been there, done that (not CCSP though!), so I know exactly how you feel. Any feedback post-exam?