Industry Experts Blog

One Audience. One Topic. Multiple Experts.

CCSK vs CCSP – What certification is best for you? (Pt. 1)

by Graham Thompson | February 3, 2017 | Training & Certifications

Introduction: CCSK vs CCSP (Pt. 1)

*NOTE: This ‘CCSK vs CCSP” entry has been updated to reflect the latest versions (CCSK v4.0 and CCSP 2017)*

CCSK vs CCSP ? I?m commonly asked two questions whenever someone discovers I?m an instructor for both the Cloud Security Alliance CCSK and (ISC)2 CCSP courses:

  ?What?s the difference between the two certifications?
  ?How hard is the CCSK exam?? ?it?s very hard, but more on that later!

In this entry I?ll be taking a closer look at two of the industry?s most prominent cloud security certifications, CCSK and CCSP, with the main goal of clearly identifying the differences between the two, and hopefully helping you discover if one seems to be a better fit for your professional goals than the other.

Now, for the whole ?CCSK vs CCSP? question, I don?t believe I have a personal bias in this debate since I?ve been teaching both courses for a while. In fact, I delivered the first public CCSK course outside of the initial Train the Trainer in San Jose. As for the CCSP, I actually helped develop that course. So all-in-all, I really believe what follows is an honest opinion between the two courses.

Without further ado, let?s start the discussion by taking a closer look at the CCSK and gaining a better idea as to what this certification represents.

CCSK logo used in CCSK vs CCSP (pt.1) article

CCSK: Certificate of Cloud Security Knowledge

First and foremost, the Certificate of Cloud Security Knowledge (CCSK) is considered to be the grand-daddy of cloud security certifications. Why? Well, a few reasons, but primarily because the CCSK was quite literally the industry?s first examination of cloud security knowledge when it was released back in 2011.

The course breakdown for the CCSK is roughly split 60/40 between tactical (technical) and strategic (business driven) discussion of cloud security. It is agnostic in approach. To be honest, when I?m delivering CCSK training for Intrinsec Security I probably spend a little too much time equating IaaS tactical security discussions to how it?s done in AWS, but I honestly feel this drives home the controls they cover in the course.

It was towards the end of 2017 when Cloud Security Alliance (CSA) updated the CCSK from Version 3 (v3.0) to Version 4 (v4.0). I won?t spend too much time discussing the older version as I wrote a detailed article on the differences between v3.0 and v4.0 in August (2017). I will say this: the updated version of the CCSK (v4.0) is almost a complete tear-down of the previous guidance. It features new security architecture approaches, new tools, new technologies and new concepts that are frankly awesome.

To provide one last piece of context before we move on, the best way I can describe the most recent version of CCSK is that from a strategic 20,000 foot view, it?s mostly more of the same. Governance, contracts, risk management, and legal aspects are all still covered to mostly the same degree as before. Now, it should be noted that CSA did expand the view to be more global in nature rather than the previous USA-centric approach.

However, if we drop down the viewpoint from 20,000 feet to that of a more tactical 1,000 foot view, the updated version is suddenly very different.

Example: leveraging Lambda serverless computing and object storage to remove network attack paths back to the datacenter isn?t exactly a governance item; but from a more tactical approach, it really shows the different architecture patterns you can leverage in cloud that are basically impossible in traditional computing.

Cloud Security Alliance also pull in discussions that didn?t exist before such as containers, CI/CD toolchains, DevOps, Chaos engineering and expanded discussions surrounding Software Defined Networking security concepts. That said, the depth of discussion surrounding these technologies won?t satisfy the individual looking for a deep technical dive, but the course and guidance does cover the security benefits and implications of these new technologies. The new version of the course has also removed reference to many standards that never really took hold in the marketplace.



For the CCSK course itself, as far as instructor-led training goes, students have two different options to choose from:

  CCSK Foundation (1 or 2 day course)
  CCSK Plus (2 or 3 day course)

What?s the main difference between CCSK Foundation and CCSK Plus, aside from the course length?

The answer is simple: in-class exercises/labs and practical experience.

Take CCSK Foundation for example, Intrinsec?s class will take two full days of training to fully review all of the official courseware, theory and discussion. The second option, CCSK Plus, covers everything reviewed in the CCSK Foundation class while also offering students an additional day of in-class exercises and practical labs. This extra day of class is what enables you to gain some hands-on experience and really drive home the major CCSK topics and learning objectives covered in the course.

In other words, the following formula accurately sums up the CCSK classes:

CCSK Plus = CCSK Foundation + AWS labs

To some, none of this is really ?Breaking News? and a lot of this information and more can be found on the Cloud Security Alliance website, or even on Intrinsec?s CCSK training page. With that in mind, I?d like to share my thoughts on the timing of each course, or the length of delivery.

In my personal opinion, a person with limited exposure to cloud computing will find a 1 day crash course to be a complete waste of time. I?ve seen this happen myself, and that is why as a trainer I don?t usually deliver the course in a single day.

I?m all for the ?fire-hose? approach to training, but there?s just way too much information to cover in one day for anything to actually stick if the subject is new to you. You?ll probably wind up leaving the session really wet, confused, possibly even stunned, not entirely sure as to what just happened.

Alternatively, if you?ve been working in cloud for a while, you would likely prefer the 1 day approach as you?re likely looking to understand what the CSA has to say on cloud security. If you are new to cloud and can only do the 1 day session, do yourself a favor and read/understand the guidance v4 document before you take the class.

CCSK v4 image used in CCSK vs CCSP (pt.1) article


Now that everyone is more familiar with the Certificate of Cloud Security Knowledge, let?s shift our focus to the CCSK certification exam. At the start of this article I briefly commented on the difficulty of the CCSK exam. The reasoning for this statement has everything to do with how the course is split between tactical and strategic domains of knowledge.

In my opinion people are either tactical or governance-focused. More specifically, people are either tactical in nature, whereby they enjoy the bits and bytes of computing ? and that?s totally cool! Then, you have the governance types. These are managers, directors, or essentially any other people who are interested in how the business as a whole may be impacted by cloud adoption. One person having a foot in both areas is pretty rare, and that what makes the CCSK exam so hard. It tests you on both topics. I?ve seen hardcore techies fail, and I?ve seen MBA?s fail.

Here are the important details for the CCSK exam: a passing grade is 80% or higher, it?s open book, you have 90 minutes to answer 60 questions, and the exam can be taken online anywhere and anytime (with internet access) ? meaning it?s not a proctored exam. For those interested in learning more, Cloud Security Alliance has a CCSK FAQ page with some helpful information.

Oh ? and for those of who might think less of the CCSK exam because it doesn?t seem to be as ?legitimate? as closed-book proctored exams (like the CCSP). I guess I understand the concern that someone could be hired to write the exam for someone else, but as far as the quality of the exam goes, I still contend properly-written open book exams are legitimate and this exam is tough. I honestly believe it would be impossible to answer all 60 questions in 90 minutes if you have to research every question. I would have no problem hiring someone who has a CCSK but not the CCSP.

Continuing Professional Education (CPE) Credits

For those of you who are interested in CPE credits, the CCSK course is CPE eligible. Keep in mind the CPE guidelines for courses are that you must take lunch and breaks into account, meaning a 3 day course winds up netting you 21 CPEs (7 per day). Not bad!


With the updated v4.0 content, the CCSK remains highly relevant to security professionals who are seeking a course that delivers a general tactical and strategic understanding of the challenges and advantages of cloud. If you are looking for coverage of traditional information security concepts in addition to cloud specific issues, you might want to look at the Certified Cloud Security Professional (CCSP) ? don?t worry, I’ll share more details about the CCSP shortly.

While I have many more thoughts on the CCSK, that?s my general take on it. I truly hope you?re able to take something away from this. If you?re interested in learning more about the specifics of our CCSK course, like the exact content covered throughout training or what?s included with registration, feel free to explore our CCSK training options or alternatively you can always hit us up on our live chat and we?d be happy to answer any of your questions.

Wait! What about CCSP?

Graham Thompson

Graham Thompson

Cloud Security Trainer and Architect

Graham’s the cloud security SME and principal trainer for Intrinsec. He’s logged over 20 years of IT experience assessing, recommending, designing and implementing secure system and network solutions for Fortune 500 companies and Government agencies. Since 2010, Graham’s been a leader in delivering cloud training and performing cloud security solutions across North America.


Sign In

Share This