CCSP Reflection
I have just passed my CCSP examination (3rd September 2022). It took me around 3 hours to complete the 150 questions.
This is my second attempt at the examination, which i found considerably easier than the first attempt. I found the exam pretty technical, which suited me well. I found that especially compared to my previous attempt and also the CISSP, the questions were really straight forward and had much simpler english. I found that a lot of the questions were really easy and straightforward and similar to the exam questions in the practice guides, which is really suprising. That definitely was not the case for my first attempt or the CISSP.
I found that although a lot of the questions were easy, technical and straight forward (~60%), there was a big divide. The questions were either really easy (like 5 seconds to answer) or very difficult with similar answers. As with ISC2 in general, its often about finding the right answer given the context. So the technical questions are easy and straightforward, but the non-technical ones were very difficult, as there are multiple right answers.
I was feeling confident throughout the exam which is a new feeling, as i didnt feel that way in the previous attempt or CISSP. Perhaps the new changes with the Computerized Adaptive Testing and the changes to the course content. However, as I approach question 90, i really started to struggle. I found it very fatiguing and was really struggling to concentrate. I find that a four hour exam and 150 questions is just far too much, especially as a bunch of the questions are not marked (50 questions i think?).
If you account for the revision for my previous attempt (maybe February 2021 time) plus my study this time around (which i will get into), I have invested a lot of time in learning the material. With 6 years experience, plus CISSP plus all my revision, im confident in saying I know about cyber security. That being said, there were questions in the exam which i have never heard of. Not in any of the study material (which you’ll see was pretty exhaustive), self study or my career. I found this quite frustrating as i had literally no recollection of the terms used. Obviously i cant go into much detail around it because of the NDA.
What you need to study to pass
Based on my experience, if you do the following, i think that will be enough to see you through the exam.
Ben Malisow’s Official Study Guide & Official Practice tests - Spend an hour a day (Monday-Friday) reading through the official guide, taking the tests at the end of each chapter. Whenever you get a question wrong, note the answer and learn why. For every question, you should know what every possible answer means. Once youve finished that, move onto the practice test book and follow the same process.
Whenever you see a term you are not familiar with, or want some more information, use CCSP Alukos. A fantastic resource, that i cannot believe is free. Its amazing to just search for specific terms and upskill.
Identify which areas of the domains you are weak at and consider how you like to learn. The CCSP is very dry and i found mixing up the textbook material with Gwen Betwys udemy videos quite helpful. I wouldnt say the videos cover any additional material, but help with the monotony of study.
I think you can get away without memorizing all the ISO/NIST standards, but it’s actually a really useful thing to do for your own career and personal development. Its certainly not going to hurt.
As i’ve said, the test was much more straightforward than my previous attempt and the CISSP. The questions were much closer to the text book practice questions than i expected.
What i did to study
My journey is a little bit weird in that i started studying tail end of 2020, for my exam in Feb 2021 (which i failed). I then resumed this year around June 2022 and passed the exam today September 2022. Looking around online, you’ll see that people commit so much time into studying, that it actually put me off. If you follow the previous section, i really think that will be enough for you to pass. I don’t think you need to be pulling 30-hour revision weeks.
Every work day morning, i studied 7am-8am, until i had exhausted the content. I read Ben Malisow’s CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide, went through each chapter questions and then went through the practice test book. Any time i got any question wrong, i’d go back, read up on it and physically write notes.
This is my number one resource and although its from 2020, it was great for this exam. Fortunately, i have an OReily subscription and i skimmed through some other CCSP references, but found then worse than Bens. Full disclaimer - even if you know this book cover to cover, its still not enough to cover everything in the exam. Like i said, there are things i’d never heard of. Please learn from my journey and follow my “what you need to study to pass” section.
As well as that, i brought Gwen Bettwy’s CCSP Cloud Guardian. 
. You absolutely don’t need this book to pass, but i’d recommend it as its a great concise overview. It covers pretty much the same as Ben’s books, but is lightweight and straight to the point. Although the print quality and formatting of the book is terrible, but the content is really great.
I learn by reading books, but as i had failed previously i thought i’d try some Udemy videos. I brought two domains of Gwen Bettwys Udemy courses which covered the areas i thought i was weaker on. I found the videos to be ok, they are worth it if they are on offer as Gwen provides from useful “memory joggers” which can be useful. However, the videos waffle on a bit and dont cover any content not in Bens books or Gwen’s CCSP Cloud guardians. I would still recommend the videos though, as i’ve found a range of learning mediums is the most useful. So read a book for a while, mix it up with a video, then some flash cards and then repeat. I found that an effective process to efficient learning for the CCSP.
When going through the learning materials, i wrote down every standard I came across. I then made flash cards of every single ISO number and tried to figure out some word-associations for them. Some of them were pretty ridiculous like NIST SP 800-82, i’d hate-2 do that, oh its Industrial Control Systems or ISO 27040, international forty years of hurt (football), thats a memory I store, oh its storage security requirements. In the end i memorized about 40-odd standards and it was complete overkill. I do however recommend doing it, as its a really useful exercise. I dont think it directly helped in the exam, but it certainly gave me confidence in the answers as i was sure i knew what all the standards referred too. I think the exam focuses more on whats *in* the standards, rather than what they are about, but i think its far too much information to remember otherwise.
I dont really think that CISSP or CCSP certifications have value themselves or make me a better cyber individual. But as a baseline for competance they are great. The hardest part of these certifications is the journey of self-study, which is also the most valuable. I definitely learned more about cyber, whether or not its accurate or relevant to my role is another question, but i do think