CCSK vs CCSP: An Unbiased Comparison

By Graham Thompson, CCSK, CCSP, CISSP, Authorized Trainer, Intrinsec Security


CCSK vs CCSP–I’m commonly asked two questions whenever someone discovers I’m an instructor for both the Cloud Security Alliance CCSK and (ISC)2 CCSP courses:

1 – “What’s the difference between the two certifications?”
2 – “How hard is the CCSK exam?” … It’s very hard, but more on that later!

In this entry I’ll identify the differences between two of the industry’s most highly regarded cloud security certifications, CCSK and CCSP. Hopefully after reading you’ll know which certification will better fit your professional goals. I don’t believe I have a bias here because I’ve been teaching both courses for a while. In fact, I delivered the first public CCSK course outside of the initial Train-the-Trainer in San Jose. As for the CCSP, I actually helped develop that course. I believe what follows is an honest comparison of the two courses.

CCSK | Certificate of Cloud Security Knowledge (Updated for v4 Course)

The Certificate of Cloud Security Knowledge (CCSK) by the Cloud Security Alliance is considered to be the grand-daddy of cloud security certifications. Why? Primarily because the CCSK was quite literally the industry’s first examination of cloud security knowledge when it was released back in 2011. The course breakdown is roughly split 60/40 between tactical (technical) and strategic (business driven) discussion of cloud security. It is agnostic in approach. To be honest, when I’m delivering CCSK training I probably spend a little too much time equating IaaS tactical security discussions to how it’s done in AWS, but I (and students) feel this approach drives home the controls they cover in the course.

Update for CCSK Version 4

The best way to describe the updates for CCSK v4 is that, from a strategic 20,000-foot view, it’s mostly more of the same. Governance, contracts, risk management and legal aspects are covered to mostly the same degree, but the coverage has been expanded to be more global in nature.

However, drop down the viewpoint to a more tactical 1,000-foot view and the updated version is very different. Example: leveraging Lambda serverless computing and object storage to remove network attack paths back to the datacenter isn’t exactly a governance item, but from a tactical perspective it really shows the different architecture patterns you can leverage in cloud that are basically impossible in traditional computing. The update also pulls in discussions that didn’t exist before, such as containers, CI/CD toolchains, DevOps and chaos engineering, and expands the discussion of Software Defined Networking security concepts.

CCSK Course Details

For the CCSK course itself, it’s delivered in two different formats:

  • CCSK Foundation (1 or 2-day course)
  • CCSK PLUS (2 or 3-day course)

What’s the main difference between the two different formats, aside from the course length? It comes down to practical experience and course exercises.

  • The CCSK Foundation format can be delivered over one day, which means you have the time to review theory, but not enough for in-depth class discussion or practical exercises.
  • The CCSK PLUS has everything presented in the CCSK Foundation format, but with more time to really drive home the major topics and learning objectives with course exercises/activities. Quite literally, the following formula applies:

CCSK PLUS = CCSK Foundation + AWS labs

In my personal opinion, a person with limited cloud exposure will find a 1-day crash course to be a complete waste of time. I’ve seen it myself, and that is why as a trainer I don’t usually deliver the course in a single day. However, if you are new to cloud and can only do the 1-day session, do yourself a favor and read/understand the Guidance v4 document before you take the class. Alternatively, if you’ve been working in cloud for a while and are looking to understand what CSA has to say on cloud security, you would likely prefer the 1-day approach. If you are looking for more info, a lot of these details about the CCSK can be found on the Cloud Security Alliance’s website.

CCSK Exam Breakdown

I mentioned the exam was pretty hard at the start of this blog entry. The reason for this has everything to do with the split between tactical and strategic domains of knowledge.

People are either tactical types or strategic governance types. The tactical types enjoy the bits and bytes of computing, and that’s totally cool. Then you have the governance types. These are the managers, directors and others whose mindset is how the business as a whole may be impacted by cloud adoption. One person having a foot in both areas is pretty rare, and that is what makes the CCSK exam so hard. I’ve seen hardcore techies fail, and I’ve seen MBAs fail.

One thing I’ve heard from heads of training departments has to do with the exam being open book and not proctored; instead, it is taken online from any location (home/office/hotel). These traits appear to lead some to think less of the exam because it doesn’t seem as “legitimate” as a closed-book, proctored exam. I still contend that properly written open-book exams are legitimate and that this exam is tough. I believe it would be impossible to answer 60 questions in 90 minutes if you had to research every question. I would have no problem hiring someone who has a CCSK but not the CCSP.

Continuing Professional Education Credits (CPE)

The CCSK course is CPE eligible. Keep in mind that the CPE guidelines for courses require you to take lunch and breaks into account, meaning a 3-day course winds up netting you 21 CPEs (7 per day). Not bad! Side note: the CCSK does not require CPE maintenance. Once you have earned it, it’s yours.

Concluding Thoughts on CCSK

With the updated v4 content, the CCSK remains highly relevant to security professionals who are seeking a course that delivers a general tactical and strategic understanding of the challenges and advantages of cloud. Ready to get started? Download our CCSK prep kit or look for upcoming training sessions near you. If, instead, you are looking for coverage of traditional information security concepts in addition to cloud specific issues, you might want to look at the CCSP.

CCSP | Certified Cloud Security Professional (updated for 2017 version)

(ISC)² is the organization that gets the credit for the CCSP. However, (ISC)² and the Cloud Security Alliance (the organization that founded the CCSK) collaborated to create the CCSP course and certification exam. (ISC)² is also the organization that developed the popular CISSP designation, and the CCSP looks and feels like a cloud version of the CISSP.

The CCSP is, in my humble opinion, more suited to CISSP holders. The CCSP goes into many subjects that are assumed knowledge in the CCSK. For example, the OSI reference model is covered in the CCSP, whereas the CCSK assumes you already have this knowledge when discussing encapsulation of packets in an SDN network.

Course Details

The main difference between the CCSP and CCSK can be found in three areas: expanded governance discussion, datacenter security and privacy. A CISSP is expected to understand a wide range of security domains, and (ISC)² wants to ensure that CCSP-certified professionals are fully aware of the governance and security issues that come along with cloud, the datacenter and the privacy of consumers using cloud services. So really, when the dust settles, the following formula pretty much sums up the new CCSP:

CCSP = CCSK + Expanded Governance Items + Traditional Security + Privacy

The CCSP course is typically delivered over a 5-day period. There is some repetition in the material, and the content fits in the allotted 5 days, but I wouldn’t say it can be done in 4 days.

Course Format

The CCSP course is pretty much 100% lecture. There are no labs at all. Zero. None. Zilch. Nada. Instead, you have a series of Q&A and work-group scenarios peppered throughout the course. This makes the CCSP a course that could be considered more strategic in nature. I would give the CCSP a 70% strategic, 30% tactical split, almost the inverse of the CCSK.

Update for 2017 version

(ISC)² updated the CCSP Common Body of Knowledge (CBK) and the course in 2017. The CBK itself is about 150 pages bigger than its predecessor (735 vs 584 pages). This update expands on existing concepts, introduces new subjects (such as the economics of cloud, business requirements, etc.) and new technologies (e.g. DevOps, containers, etc.), albeit to a lesser technical degree than the CCSK.

CCSP Exam Breakdown

As for the exam itself, I’m under an NDA, so I naturally can’t get into the types of questions they present. I think it would be a fair statement, though, to say the average CCSP exam candidate is a CISSP holder and would be tested on knowledge of both cloud and traditional datacenter security concepts.

Continuing Professional Education Credits (CPE)

The CCSP is listed as a 40-hour course, so you should be taking home roughly 35 CPEs. Of note for current CISSPs is that future CPEs earned apply to both the CISSP and CCSP designations. Keep in mind that the CSA’s CCSK can be substituted for one year of experience in pursuit of the (ISC)² CCSP certification.

Concluding Thoughts on CCSP

While the latest version of the CCSP expands the discussion of strategic issues, it doesn’t get into the same depth of tactical discussion that is found in the CCSK. The course is written along the same lines as the CISSP, so coverage includes everything that an information security professional should know to secure an environment, ranging from the physical design of a datacenter up to cloud application security.

CCSK vs. CCSP | Final Thoughts

As I said earlier, I don’t have a bias here. I’ve laid out what I consider to be the strengths of both offerings. This table recaps some highlights:

| CCSK Course Highlights | CCSP Course Highlights |
|---|---|
| 100% focused on cloud security | Covers traditional information security and cloud security |
| 60% tactical, 40% strategic | 70% strategic, 30% tactical |
| Quicker delivery and more comprehensive review of cloud-specific technologies (e.g. SDN, DevOps, serverless) | More comprehensive review of IT security principles along the lines of the CISSP CBK |
| Less expensive course and exam | More expensive course and exam |
| Open book exam online (exam included with training cost) | Closed book proctored exam at testing center (exam additional charge) |

Which Do I Prefer?

I appreciate the coverage of the CCSP, but if I had to do only one, I would do the CCSK, because it is 100% focused on cloud security, and architectural patterns as well as cloud-specific technologies are covered in greater depth (even more so after the v4 update). I also prefer that it is consumed in a shorter time frame (due to the aforementioned cloud focus).

If you have the time and resources, doing both is not a bad idea either. In that case, I would do the CCSK first and then the CCSP (the CCSK counts as 1 year of experience towards the CCSP requirements, as well). Either way, the only way you can go wrong is by doing neither.

About the author
Graham Thompson is a cloud security architect and delivers both CCSK and CCSP official courses as an authorized trainer for Intrinsec Security. You can reach Graham on LinkedIn or by old-fashioned e-mail.

12 thoughts on “CCSK vs CCSP: An Unbiased Comparison”

  1. Thank you for your unbiased opinion of both areas of focus. I am interested in studying for the CCSK, but have found very few book sources to read. Can you suggest any books out there that you found valuable for the CCSK certification?

  2. Seeing that the CSA teamed up with (ISC)² speaks volumes. The CCSK is good and all with how it is designed, but the fact remains that it is still a completely unproctored, online test and anyone can take the test for you. The CCSP has now been out for more than a couple of years and is sending the CCSK to irrelevancy. The CCSK still shows up sometimes on job postings, but more and more, job recruiters are asking for CCSP over CCSK. When I ask job recruiters, it is always the same answer: “CCSK is an online and unproctored exam and is therefore untrustworthy.”

    1. Many thanks for your feedback. At CSA, we believe first and foremost, that the relevance of an educational program is determined by the soundness and credibility of its content. No surprise then that we think CCSK V4 represents the most-up-to date training program for cloud security currently available. And yes, it’s certainly possible that someone might cheat, but our mission is to educate people on how to secure the cloud and related technologies and not to force people to behave with integrity, though we certainly hope people will!

      We strongly believe in CCSP, on which we collaborated with ISC2, and we’ll continue to work with them to support and evolve it. Even though CCSK and CCSP are different in nature (one is a certificate of knowledge, the other a certification), both organizations agree that CCSK and CCSP are meant to complement one another rather than compete. We want to make sure that CCSK continues to be one of the primary benchmarks for measuring cloud security skill sets, and we plan to continue to evolve the CCSK as a certificate program. Again, thanks for taking the time to weigh in; we always appreciate thoughtful discourse.

    2. Jason – your concern about the open-book exam is understood, but in reality this is not a real scenario where people will cheat (mostly these are industry working professionals, and not high-school kids, and at least that is what I am thinking most people who work at the intersection of cloud and security will be doing and not try to cheat). I think you still didn’t get the main point of this article. I strongly suggest you read through the outlines and scope of both of these certs once more to get this point. And as Ryan Bergsma also explained to you very beautifully, these two are fairly different certs; both organizations (CSA and ISC2) agree that CCSK (CSA) and CCSP (ISC2) are meant to complement one another rather than compete. If any recruiters/hiring managers are saying this, they are not well informed and not worthy of listening to or taking advice from. I agree with Ryan and the main author Graham too!

      1. Where are you finding these recruiters that can say “CCSK is an online and unproctored exam and is therefore untrustworthy”? I’ve been in IT & CyberSecurity for 25 years and not once has a recruiter been switched on enough to discuss the relative merits and “trustworthiness” of certifications.

    3. Jason’s got it pretty close. It’s the first part of July 2019, and I just looked up several job search engines and CCSP shows up 2x or 3x more than CCSK as part of the job description. My personal take is to go with the CCSK because it’s cheaper and provides more of the technical knowledge, but if I was looking to use a cert to enhance my resume, I’d rather go with the CCSP. So it depends on what your end goal is.

  3. Good analogy. I don’t have a CISSP certification, but my company has paid for a CCSP boot camp. I am more strategic than technical in my knowledge, as a Director of Information Technology has to see the big picture but also know the technical flow of it. What would you suggest? Thank you

    1. Hi Iftekhar,
      I have a CISSP, so for me the more practical, hands-on CCSK would be much better; however, in your case it’s best to appreciate the governance and strategic merits of cloud, and so I believe going for the CCSP would be best.

  4. Hi, I am torn between the CCSP and CCSK. I’ve already got the ISACA CISM and have been in IT for about 15 years, with 7 years in infosec with technical knowledge, and am now in assurance/governance. The main reason for me wanting to do one or the other is to move into a contracting role. Any suggestions?

  5. I got the chance to find and read these posts around a month ago when preparing for my CCSP exam. After reading Graham’s post, I was even asking myself whether it was worth it to continue learning and take the exam, but finally I still convinced myself to get it done (maybe with much consideration of “sunk cost”: I purchased the books in 2017, but the exam plan was postponed for other reasons, so I started to prepare for it seriously this year, around 4 months in total and roughly 1 hour of learning time per day).

    I took the exam today and passed it, yeah, I am happy with the result. However, I am also feeling the CCSP is really “one mile wide, one inch deep”, and even less than “one inch” if compared to the CISSP, which I passed around 10 years ago. The CCSP is too theoretical and abstract, so it’s hard to apply it to real working practice. Similar to the CISA course as well: I did get the certificate earlier, but I would say it’s not easy to integrate the concepts with real practice (maybe I was not studying hard and understanding the points well, or maybe the environment I am in doesn’t have strong and modern IT governance, therefore the big gap exists between practice and the perfect standard / framework, 🙂 ). Instead, the CISSP can really cover the points of the security field.

    Anyway, I still put CCSK on my list and it would be my next target, after a quick reading of its security guide. It is a bit more “tactical” and better keeps pace with the rapid development of the cloud industry.

    Lastly, I think neither the CCSK nor the CCSP is enough to give you the on-field skill to perform cloud security related tasks, but they are good guidelines / mindsets to help you better understand why cloud vendors make this or that feature, while the real skill set still relies on real experience on AWS, Azure or any other cloud.
