CSA’s Certificate of Cloud Security Knowledge (CCSK) is a vendor-neutral exam that tests knowledge related to cloud security.
CCSK was one of the first cloud security exams, and was last updated in 2017 (from v3.0 to v4.0). It’s likely that CCSK v5.0 is on the horizon, but when that will be is unclear (at least to me).
MY REASONS FOR DOING CCSK
I hadn’t anticipated doing this certification initially, but after completing the CISSP exam in May 2021 I started looking ahead at CCSP. I checked with some experienced professionals, and the advice was to pair CCSP and CCSK together. I didn’t know too much about CCSK, but upon looking at the official websites, this is seen as a complementary (and suggested) pairing. The suggested sequence is to do CCSK then CCSP, and from what I’ve seen this seems like the right order.
This was also a good opportunity to further build upon material that was covered in CISSP and earlier cloud learning. It was also good to get a non-vendor perspective on the matter.
CCSK EXAM — GENERAL ASPECTS
Here I describe the information that is readily available in CSA materials.
- In essence, the exam has an 80% pass mark with a ~63% pass rate.
- The exam consists of 60 questions to be completed within a 90-minute period.
- You get two attempts when you purchase/receive your exam voucher (so a back-up if you run into trouble).
- You can sit the exam at any time: you simply click start exam and you’re ready to go!
- The exam is non-proctored and open book.
Note: in my opinion, while at first glance this might seem easy, the reality is that it would likely be tricky (not impossible) to complete without any prep. If you’re sharp, you may well be fine, but it’s potentially an unnecessary risk.
There are discount vouchers available, so it is worthwhile investigating this prior to sitting (e.g. the All-in-One book offers a 10% discount).
MY PREP JOURNEY
I used the Whizlabs cloud challenge as the opportunity to clear this exam. This exam is based on specific artifacts, so I’d recommend covering the three official bodies of knowledge listed below. I didn’t use any videos or other resources aside from the All-in-One book (see below) and general prep advice (e.g. what book to read) from CS connections 😊
STUDY PREP RESOURCES
The exam tests three main bodies of knowledge:
- CSA Security Guidance: For Critical Areas of Focus in Cloud Computing (currently v4.0)
- ENISA Recommendations: Benefits, Risks and Recommendations for Information Security
- CSA Cloud Controls Matrix (also v4.0)
Pictures of these three items are below (courtesy of the CSA website) and the good news is that they are free to download!
Be aware that the CSA Security Guidance covers 87% of the exam questions, ENISA 6% and the CCM 7%.
CCSK BoK Overview
The CSA Security Guidance covers 14 domains. These range from cloud computing concepts, GRC and legal issues to data encryption, IAM and SECaaS. The Guidance is not long at 150 pages, but it’s likely that people newer to cloudsec (like myself) will need to read it at least twice. The content is dense, and for those earlier along in their journey Graham Thompson’s CSA CCSK All-In-One provides additional explanatory content (and practice questions).
The ENISA Recommendations were published in 2009, and many of the concepts and ideas remain just as relevant today. Apparently the CSA Security Guidance is based on this document, so there are several overlapping parts. However, there are additional concepts, and despite the advice from All-In-One, it is well worth your time to (speed) read through the document after reading the CSA Security Guidance.
The CSA CCM is the other artifact that is covered. I’d recommend downloading both the CCM and the CAIQ (the CSA website offers an option to download both). Familiarise yourself with both of these assets. These are what you might use in practice (or at least read), so having a basic understanding is helpful.
All these artifacts can be downloaded via the CSA website — https://cloudsecurityalliance.org/education/ccsk/
- CSA CCSK All-in-One Book (2020) by Graham Thompson
So, I really liked this book, but to be truthful I’m not convinced it’s a ‘must-have’. However, given the 62% pass rate for CCSK, I thought it better to over-prepare (rather than under-prepare) and started with this book first. It may have been interesting to read the CSA guidance first, as my view on whether the book was a mandatory read or not might then have been a little different. I’d received advice when looking at CCSP to complete CCSK at the same time, so for me it was about fortifying my knowledge in this area. Hence, the book was still very much worthwhile.
If you are only planning on studying/doing CCSK though, then the free documents are likely enough. Similarly, if you already have a strong cloud security knowledge. I didn’t — but now it’s better ^^
CSA is kind enough to include an exam prep-kit, which includes a break-down of the number of questions by domain. It can be accessed via the CSA website — https://cloudsecurityalliance.org/artifacts/ccskv4-exam-prep-kit/
- ANALYSIS OF TOPIC BREAKDOWN
The analysis below, taken from the prep-kit, gives a breakdown of the percentage coverage by topic.
Whether you wish to go for the maximum-impact topics first is totally up to you. The book does have a specific order, but where the above table might help is for your second revision. I personally wouldn’t skip topics (as the pass mark is 80%, so why take a chance?). However, if you were short on time you might consider whether to cover ENISA (say, worth 5%) or simply try to wing it. It’s up to you, but again the 80% pass mark reduces the margin for error.
Practice, practice, practice, then practice some more!
I used the following practice tests.
1) The official CSA practice test examples (14 questions total) — available via the website (via the official CCSK exam prep-kit — see above)
2) CSA All-in-One includes practice questions at the end of each chapter
3) Whizlabs CCSK practice questions (3 × 60-question sets = 180 questions total)
The official practice tests were very limited and just provided an idea of potential questions (but no answers). The All-in-One questions were good (so maybe still worth buying the book).
Whizlabs practice questions were by far the best. The exam pattern gives a clear idea of what type of questions could be expected. I did the first two practice tests twice after reading the All-in-One book. I scored 80% on the first go (closed book) and used this as a guide for my further study. I knew that I needed a clear margin to pass, so I read the CSA guidance twice and ENISA before sitting the third practice exam, which I took under exam conditions, prior to sitting the official exam.
- MY METHOD: PRACTICE QUESTIONS & PREP
Everyone has a different method for exam prep. For me, practice questions form a strong part of this foundation. I tend to complete a first reading on a topic then try to do practice questions (multiple times) to help guide my second read. It’s easy enough to make simple mistakes during exams, so ensuring that I’ve got an idea about exam pattern, question type and any knowledge gaps is crucial.
SITTING THE EXAM METHOD
Personally, I strongly recommend the below:
- I had printed copies of the CSA Cloud Sec Guidance and ENISA. These were bound and I used post-it notes to index the chapters (so I could flick to the various sections).
- As per the advice from All-in-One, I had PDFs of the same documents plus the CCM/CAIQ open across a multi-monitor setup. This meant I could run the exam on one screen and the documents on the other.
- The plan was to have both a hard copy and a PDF: in the hard copy I had highlighted key sections and could quickly navigate to the various diagrams.
Read the questions carefully. Pace yourself, but keep an eye on the clock. Time is against you in exams and it is important that you complete all the questions. You can always tag questions you are uncertain about for review.
Lastly, if you’ve put in the work then there is a good chance you’ll pass.
If you don’t get it the first time, don’t be dismayed. CSA has been very forward-thinking in offering a second chance. However, if you miss the first time then definitely make sure that you do further revision.
I wish you well for your CCSK sitting.
Disclaimer: Please use this advice at your discretion. I won’t accept any responsibility, nor liability, for the accuracy of the above information or the outcome of your exam (after all, exams can change). I hope that this resource can provide assistance with preparation for the exam, but what might work for me — may not work for you. I appreciate any feedback in comments and really have added this post to assist those considering this certification. Also, I hope that there is further uptake of CSA CCSK