
CCZT Exam Thoughts


Are you considering taking the new Certificate of Competence in Zero Trust (CCZT) exam from the Cloud Security Alliance (CSA)? I’ve taken (and yes, passed) the exam. I would like to share some thoughts.


First off, this exam is tough. Just like the CCSK exam, there are 60 multiple choice questions, and you have 90 minutes to complete it. You log on to the CSA exam site and write this exam from wherever you are, whenever you want. No test center required for this exam. Additionally, the exam is open book, just like the CCSK exam. This open book format has been questioned by some as “cheating”, but I’ll get back to that in a little bit.


You can mark questions and go back as needed. You must submit answers for them to be graded. They have a bunch of “shortcut” keystrokes that can be used, but I didn’t want to bother remembering all of them, so I just used my mouse to navigate the screen.


As usually happens with writing exams, my anxiety got me. Really had to take some deep breaths during the test. Here’s my usual approach to defeat my exam anxiety that might work for you if you are the same: I just read the first few questions and get a feel for the exam difficulty. I don’t even look at the potential answers. I just read the questions and then go back to answer them once my mind settles down and allows me to read the questions coherently. Once calmed down somewhat, I go back to the beginning and start the exam in earnest.


Back to that whole open book thing. People have said in the past with the CCSK exam that they can look up everything in the book and that answers are the direct words from the guidance document. I can assure you, that approach won’t work this time. Sure, there are some questions that follow this pattern, but there really aren’t that many of them.


Pulling a number out of thin air, I’d guess maybe 25% of the questions are very direct questions that can be quickly looked up. Maybe another 25% of the questions are very factual basic questions that don’t need to be looked up if you remember the basics about zero trust tenets and pillars. There were very few questions that asked about the same subject twice.


So that leaves us with about half of the questions being advanced to expert-level questions that can’t be easily looked up. The book won’t help you because you need to infer answers based on multiple facets of subject knowledge. In fact, I can guarantee that going into the exam with a mentality of “it’s open book, I don’t need to study!” will guarantee failure. You need 48 correct answers out of 60 (that’s an 80% passing score). With a couple of the questions, none of what I saw as keywords (in the question or the multiple choice answers) found any results in the official documentation. There are other questions where words in the answers are changed from the material and the “best” or most appropriate answer has to be thought of because none of the answers completely answer the question.


Like the CCSK, time management is paramount. I wish there was a timer for each question. At a time limit of 90 minutes to answer 60 questions, you get 1.5 minutes per question. Even with all the course material open on a 2nd screen, you won’t have time to look everything up. You’ll need to be aware of the time, decide on an answer and then move on to the next question. Google and ChatGPT won’t help you either. As I always say, the CSA doesn’t care what Larry in Wichita thinks about a subject. They care what you know about what the CSA says about a subject.


I finished the exam with about 2 minutes to spare. There are no bonus points for finishing faster. Take your time, but be aware how much time you’re spending on any particular question. As I said earlier, don’t expect too many quick win easy questions that can be answered in seconds to compensate for spending 5 minutes on a single question. Almost all the questions require thought.


Don’t expect a technical-heavy exam by the way. The CCZT exam is surprisingly high-level big picture viewpoint. You likely won’t get detailed technical questions about Software Defined Perimeter or Zero Trust Network Access implementations for example. I honestly don’t remember any “this question is terrible and needs to be removed because it’s way too vague (or wrong)”. The exam writers did a good job and there was obviously a strong review process.


The Cloud Security Alliance has made a CCZT exam prep kit available on their site. I highly recommend that you read it. I was foolish and didn’t read it before my exam. I sure wish I did! That way, I would have known in advance the amount of Zero Trust planning questions I was going to face. The planning section is by far the largest amount of questions. Note: They state this in the exam prep kit, so I’m not breaking any NDA by saying this publicly.


One final note, the Cloud Security Alliance is no longer giving the study material away for free like they did with the CCSK v4 guidance. They do offer the study material when you purchase an exam token, buy the self-study kit or attend CCZT instructor-led training.


At Intrinsec, we are pleased to offer official CCZT training to you and your staff. Looking for a dedicated course for your teams? Contact us for exclusive unadvertised pricing.



Graham Thompson is an Information Security professional with over 25 years of enterprise experience across engineering, architecture, assessment and training disciplines. He is the founder and CEO of Intrinsec Security, a leading training company that is solely focused on delivering leading authorized IT security training from partners such as the Cloud Security Alliance, ISC2, ISACA, EC-Council and CompTIA.
