Passed CCSP

Rufio CISSP, CRISC, CCSP, CCSKV3, CCNA CYBER OPS, SECURITY+, NETWORK+ Member Posts: 25
Passed the CCSP yesterday afternoon.

I used most of the standard resources over 2 months:

(1) CCSP CBK - Gordon
(2) Official ISC2 Training Guide - Participant's Guide
(3) Official ISC2 Training Videos with Gordon
(4) Cybrary CCSP videos
(5) Some NIST and ISO documents
(6) ENISA
(7) CSA - Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

The exam wasn't as bad as I've heard. I've seen comparisons between the CCSP and CISSP and I've heard a few people say the CCSP was way harder than the CISSP. I don't think that's true and in reality, the way ISC2 asks questions is very similar on both tests. The fact that the CISSP was double the questions made it way more exhausting and, in my opinion, more difficult. Also the CISSP CBK is way more broad.

In my experience, ISC2 tests have similar characteristics: several vague test questions or vague test answers, general rather than specific questions, etc. Overall, I felt I could typically reduce the choices to one best answer but often there were 2. I only saw a couple of questions (1-2) that caught me off-guard. Just like with the CISSP, questions are typically asked from a managerial perspective. You have to think more about the spirit of the material rather than the letter of the material. For instance, can you identify if a question is talking about SaaS, PaaS, or IaaS without it explicitly mentioning them? Do you know the cloud computing characteristics well enough that if they aren't explicitly phrased--like they are in the CBK--that you can identify them? This is true for anything in the CBK. The problem I have when studying for ISC2 tests is I get fixated on the exact terms and concepts used in the CBK. This isn't bad and helps in many ways, but it is most useful when you can identify the context of the question without being given the standard definition or term that you've reviewed a dozen times in your study... I hope that makes sense.

As for the time, 4 hours was way more than sufficient. I spent a lot of time reviewing about 20-25 questions I marked for review and still had about 80 minutes left over when I completed the exam. I take my time on exams. I stayed in the CISSP up until the last 8-10 minutes, so for me to leave 80 minutes on the clock is a pretty good indication that it's a small factor. There is ample time to finish the exam and get a good review of confusing questions.

I don't know what to say about the resources. I've heard the CBK isn't sufficient, but I can't really think of any questions that would require more than the CBK. Take that with a grain of salt though. I'm not really sure what value each resource provided other than it added or reinforced concepts and context of cloud computing. So many of the resources provided the exact same information. I was told to go read NIST and as I was going through NIST I wasn't finding much that was different. There were only a handful of new technical terms. But it did reinforce concepts and context. One thing I will say, I found the ISC2 videos were not very engaging. It seemed like each video was filled with so much fluff. I'm interested in what others thought though. Maybe I have an outlier experience and others found them essential or useful.

I found one of the best resources to be this site and forum, so thank you to you good people for sharing your experiences. When others say make sure you know your federation, SDLC, Application attacks, legal/regulation, etc. those are really helpful pointers. On top of what I've already commented on, I would say it's wise to know any concepts with a set of phases or steps. There are lots of these: risk management, forensic evidence, SDLC, incident mgmt, etc. And also, make sure you know the basics and you know them well. Enough that you can pull context without a common definition or scenario.

Comments

  • TheFORCE Senior Member Posts: 2,298
    Congrats! Well done man!
  • zxbane Member Posts: 740
    Congrats! This is one I would like to venture into down the line.
  • mog27 Member Posts: 302
    I have mine booked for end of November. I am using the same resources you did, minus the ISO documents. I am trying to memorize the important ISO numbers. Would you say that is important?

    I also agree the ISC2 videos had lots of fluff. It may be okay if you are new to cloud computing and weren't using it for the exam, but I did not feel confident at all those videos were preparing me for the actual exam. Glad to hear the exam wasn't as horrible as some have said. After easily passing the CISSP years ago and more recently the ISSEP I'm hoping I only have to take it once.
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin

    "The internet is a great way to get on the net." --Bob Dole
  • beads Senior Member Posts: 1,503
    Biggest problem people are really having with this exam is the lack of pre-digested materials telling you exactly what to and what not to study, as is the case with its more well-known predecessor, the CISSP. This too will change in time when there are half a dozen authors spelling out every minute detail of the exam and people will still compare to "male child birth". Whatever that is, I don't know myself but it sounds bad, doesn't it?

    Passed the exam last July. Wasn't bad.

    No, I stopped updating my 'I love me certificates' section years ago.

    - b/eads
  • Rufio CISSP, CRISC, CCSP, CCSKV3, CCNA CYBER OPS, SECURITY+, NETWORK+ Member Posts: 25
    TheFORCE wrote: »
    Congrats! Well done man!

    Thanks man. I appreciated your write-up for the CCSP.