How NOT to prepare for the (ISC)² CCSP exam?

I’ve recently sat the (ISC)² CCSP exam and in the spirit of giving back to the community and numerous requests, I’ve decided to put some thoughts together. This article is not about how to pass the (ISC)² Certified Cloud Security Professional exam. The combination of experience, knowledge, exam skills, and luck will differ from one person to another and ultimately these factors will play a key role, whether one fails or passes the (ISC)² CCSP exam. The intention is to give the reader clues to what mistakes one should avoid during the preparation phase and how to minimise the risk of failing the (ISC)² CCSP exam. That’s all one can do — minimise the risk of failure, as there is no such thing as being fully prepared to take the (ISC)² CCSP exam.

Mistake 1: CCSP is not CISSP

You probably heard the expression “CISSP is a mile wide and an inch deep.” I’m not too sure who was the author of this phrase but it is very true. The (ISC)² CISSP exam covers lots of ground at a high level. The questions are straightforward and so are the answers. One studying the official (ISC)² CISSP book and practicing around 1000–2000 questions will likely pass the CISSP exam.

If CISSP is a mile wide and an inch deep, than CCSP is a mile wide and five inches deep.

However, this cannot be said about the (ISC)² CCSP exam. It is very easy to fall into the trap that because one already holds the CISSP certification, it will also pass the (ISC)² CCSP exam. Further from the truth. The (ISC)² CCSP Common Body of Knowledge also covers lots of ground but at a deeper level. One needs to have a thorough understanding of concepts in order to be able to apply them in certain scenarios. It demands more practical knowledge of the design phases of the cloud services procurement, migration, etc.

Mistake 2: Reading Materials

Do not solely rely on the official CCSP books such as this one and this one. Yes, you should read them and probably read them twice(!) but reading them will not get you through the finish line. The CCSP syllabus covers a lot of other documents and references such as CSA, ENISA, NIST, and ISO papers which you should read too. Putting it bluntly there is a lot more to read than the official books referenced above.

Stick to the official CCSP syllabus and dive deep into each topic. For example — APIs. Knowing the basics about SOAP and REST will not take you far, you need to know these architectures well enough to be able to pick the best one for a certain scenario or explain them at depth at a low level.

Mistake 3: Sample Questions

Similar to the reading materials included above, there are plenty of the CCSP sample question banks out there. By all means, use them extensively but do not think that any similar questions will appear on the exam. I liked the ones from Wiley Efficient Learning because they were challenging. However, as it turned out they were far easier than the actual exam and probably gave me a false sense of confidence, during the mock-up tests, scoring over 80%.

The (ISC)² exams are rigorously proctored by Pearson VUE Examination Centres and there is a very little chance to see a question on the exam, you may have seen before. Don’t count on it!

The key takeaway here is to use the questions but most importantly study all good and bad answers. There is lots of knowledge buried in the responses and ironically the more questions you get wrong during the preparation phase, the more knowledgeable you will come out of the process. Why? Because nobody reads responses if the question was already answered correctly.

Mistake 4: Experience

Speaking of experience, the longer you work with the Information Security concepts, the greater chances of success you have in the (ISC)² CCSP exam. One common mistake is to rely heavily on your vendor-specific cloud work experience such as AWS, Azure or GCP. I cannot imagine a hands-on cloud professional, who actually implements and configures vendor-specific cloud services passing the (ISC)² CCSP exam without deep dive into the CCSP topics. It is a different type of knowledge.

Consequently, I would not recommend this exam for anyone with less than 5 years of professional experience, exposed to a wide array of concepts on the daily basis. The Network / Cloud Architects, Security Consultants or Technical Auditors are common job titles that come to mind as a perfect fit to sit and pass the (ISC)² CCSP exam.

Mistake 5: Don’t cram and don’t drag it.

Cramming before the exam may work for some but I don’t believe it is the best approach for the (ISC)² CCSP exam. There are too many materials to read. Take your time and study in-depth each concept you don’t feel proficient at.


Dragging it for too long, however, is neither a good idea. You will start forgetting details about concepts or regulatory principals / standards; required to pass the (ISC)² CCSP exam. I suspect that 30 days (or 100 hours) of committed study time should be enough with one caveat, see the Experience section above.

Good luck and let me know your experience!

Note. This post honors the (ISC)² Exam Non-Disclosure Agreement. Please do not post questions about the specific content of the (ISC)² CCSP exam.

Jake Eliasz is an Executive Principal Consultant at NCC Group with a passion to make the world a safer place. For nearly 20 years, he has been helping global businesses juggling between ever-growing cyber threats, compliance, and security of their most valuable assets. Jake holds a number of industry leading certifications such as CISSP, CISSP-ISSAP, CCSP, CISA, CEH and many more. Full LinkedIN profile at

Cyber Security Professional holding a number of industry-leading certifications such as CISSP, CISSP-ISSAP, CCSP, CISA, CEH and more.