“ SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.“
The main title of the (ISC)² article on CCSP vs CCAK is “CCSP Certification vs. CCAK Certificate: What Are the Distinctions?”
That’s exactly what you get. A list of technical differentiators between CCSP and CCAK, but according to (ISC)².
But if you hope to get an actual answer to what the right certification is, for you… they forget to ask …you.
What do you think would be the conclusion, if you ask that question to either one of the contestants while you compare 2 certifications? Of course each party will simply draw the conclusion that their own certification is the best choice.
To answer the most important question, the dilemma CCSP or CCAK, is simple: do you need technical or audit skills for cloud security?
In essence, the answer is simple:
if you need cloud audit skills, dive in to the Cloud Security Alliance (CSA) and ISACA Certificate CCAK.
if you want to have architect level technical cloud expertise and knowledge, choose CCSP
if you want cloud security knowledge, in basic or advanced hands-on, there are other choices to start with (more about it below)
So, if you ask the question “what is the right certification for you”, you immediately know that there is no right answer, but there are many options. Options for a multi level expertise roadmap in cloud security, based on your current skills and your future goals.
If you like a tough challenge: why not jump into the CCAK or CCSP, CCSP or CCAK, whatever, right away.
But if you would like to boost your chance of success… take a deep breath and better plan smartly.
And don’t start with CCSP/CCAK, but prepare your track towards CCSP/CCAK first.
First some background to plan your roadmap
Just to set expectations, this article only focuses on the personal education and certification options, offered by (ISC)², ISACA and CSA. Including other education provider would lead us too far. There are way more other (cyber)security certifications available, but we focus on the cloud security track, which limits the options…
Feel free to comment with other options for cloud security training. I’ll update the article where relevant.
The Cloud Security Alliance launched the CCSK in 2011. And as they explained here, “the CCSK was quite literally the industry’s first examination of cloud security knowledge when it was released back in 2011. “
The CCSK is an easy entry, high level introduction to Cloud Security, and it doesn’t require you to have deep technical cloud security expertise.
But it still is a nice baseline for the cloud security essential knowledge.
You need at least five years of cumulative, paid work experience
CCSP is pretty much the same level of difficulty as CISSP, but has focus on cloud security.
The CCSP was launched in 2015, as a cooperation between (ISC)² and CSA. (see CSA press release here), a couple years after the CCSK launch in 2011. The CCSP is the bigger brother of the CCSK, more advanced, and as CSA rightfully mentions in there CCSK-CCSP comparison blog, the CCSP is on the level of CISSP with a major cloud flavor.
That’s where the dummy math description comes from…
As ISACA mentions on their product page: “The Industry’s First Global Cloud Auditing Credential”.
For completeness, I mentioned the CISSP ( Certified Information Systems Security Professional). I don’t think it needs a lot of explanation, it’s pretty much the reference standard for IT Systems security. (ISC)² references it as “The World’s Premier Cybersecurity Certification”.
It’s a pretty heavy exam, and it does require at least 5 years professional security experience. This is not an entry level exam.
You can buy a double-try access ticket for the CCSK online exam (60 questions, 90 minutes), so if you would fail the first attempt, study again and retry the exam.
Then plan your track: only technical (no interest for audit) or audit, or both
If you focus on technical expertise in cloud security, CCSP is a reference standard (at least, on of them…) .
As mentioned: CCSP = CISSP + CCSK.
So the track is clear
After passing the CCSK exam,
Take the CISSP exam
then take the CCSP
This is the easier route if you already have 5yr+ experience. It’s not the cheapest route, as you pass the CISSP first, but it’s worth the effort. (you only need to pay 1 yearly fee at (ISC)², so after 1 certification, … no extra cost in yearly membership fee) For junior, less experienced, security engineers, start with SSCP before jumping into CISSP, and then CCSP.
When you target IT security audits, you need to take a different route depending your background. Having the CCSP/CISSP background is extremely useful to boost your career in audit.
But for the CCAK, the core audit baseline is CISA.
Keep in mind, similar to CISSP and CCSP, CISA has the same requirements regards professional experience, 5 years.
But if you’re a ISACA CISA, you can add CCSK to the track and land on the CCAK.
Then it’s obvious, first tech, then audit, meaning a smart combination of
(SSCP > ) CISSP
CISA (or alternative)
ISO27001 Implementer & Auditor
And alternative route to the auditing experience is ISO27001 auditing, but you’ll need some implementation experience before you can audit.
Within the ISACA portfolio, the CISM (Certified Information Security Manager), covers the same areas as most ISO27001 (lead) implementer courses.
Which can be helpful to ramp up for the CISA audit part, to gain some hands-on in IT & Infosec governance.
Visualizing your cloud security education roadmap
Lots of blah for a simple choice?
Allow me to visualize the options…
The difference between “certification” and “certificate”, does it really matter?
In it’s blog post (ISC)² tries to put CCSP above CCAK by saying “CCSP is a certification; CCAK is a certificate.”
And they continue “A certification recognizes a candidate’s knowledge, skills, and abilities, typically framed by a job role, while a certificate’s scope is narrower and only documents training course completion. A certification often requires continuing professional education (CPE) to stay in front of trends, while a certificate’s body of knowledge does not evolve over time or require CPE credits to maintain.“
And their explanation is at least flawed and cutting corners to benefit CCSP.
There are many explanations and interpretations of “certification”, depending the context. But in essence, “certification” is a process and a certificate is a document (the result).
When you certify for “CCSP” at (ISC)², you need to comply with the CCSP condition and then get a document, your CCSP certificate. Idem for CCAK, you need to comply with their conditions.
Both the certification process for CCSP as the process for the CCAK are used by other similar education providers.
Eg, PECB, ISACA, EC-COUNCIL, … and others require to pay a yearly fee, keep CPE/CPD (continous professional education or development). Some yearly fees are cheaper as others.
Like CSA, Microsoft and others ask for a 1 time exam fee, and then update the exam on longer term, not yearly, and do not require a yearly maintenance fee.
It’s a choice of the certificate owner, how the evaluation and exams are done.
Some of them comply to the ISO17024, and education standard. There are huge benefits to comply (like increased credibility, compatibility with other certifications, …). But it’s not mandatory.
(ISC)² uses an exam, with experience requirement and continuous education once you pass the exam, but you do not need to pass the exam again, unless it’s upgraded to a new build or major version.
But CSA does exactly the same, for example when CCSK was upgraded from v3 to v4, you needed to pass the exam again.
Not on a yearly basis, but the program is updated, the exam is updated… on a regular basis, without yearly fee.
It’s rather a (small) financial effort, not of significance for most companies paying the bill. (Although as an individual, the cost of certification can become a serious burden…)
And it’s certainly not relevant when choosing between CCSP and CCAK. CCAK is cheaper, as referenced in the (ISC)² comparison chart.
(ISC)²: CCSP Certification vs. CCAK Certificate: What Are the Distinctions?
You need to have the user certificates installed on your user account on the local pc (actually the personal user certificate store) to make the document signing work in the applications.
If you haven’t used the eID certificates before, or in the case of a new computer, you’ll need to install the user certificates on your computer. The easiest and official way to install them, is using the eID viewer application.
Note on Language
The eID website is supporting NL, FR, DE and EN as language, I’ll only refer to NL and EN as main languages but FR and DE are supported too.
Download and install the eID software from this source: https://eid.belgium.be/nl (for NL. Also available: EN, FR and DE). It includes the eID middleware and the eID viewer we’ll use to read and install the eID certificaties on your computer (actually your user account).
Verifying the presence of the user certificates (Signing)
When you use the certificates and/or the eID software, the certificates should be installed in the user certificates store automatically, but that is not always the case, depending the configuration and security of your computer.
Select the “Certificates” module and NOT “Fill & Sign”.
The “Fill and Sign” is used for graphical signatures, replacing the manual signing of paper copies, and eliminates the need of rescanning.
eID is a “qualified” and legally support signature.
If your counterpart (the other signing party) doesn’t require a qualified signature, this is a good alternative for eID (as there is some sensitive data like social security number, incl birthday and gender mentioned in the eID signature)
Open the PDF file you want to sign.
Verify the presence of the Signature certificate
It should be popping up from the certificate store, which we fixed earlier. (if not present, go back and fix it)
Signing a document
When the certificate is correctly installed, go to the “Protect” menu, then click the “Sign & certify” button in the ribbon.
Then drag an area to mark a signing area and choose the signature options.
The manual explains how to create an account, how to enroll and access the course.
The footnote manual also explains that you can only consult the content on 1 device, one.
“One course can only be linked with one device. If you want to open the course using a different device, click the Link course button using the secondary device.“
It also explains how you can ‘unlink’ the content, see chapter 11.
11. Unlinking Account
When you decide not to use a device for accessing PECB course materials, please click the About option at the top menu, and then click Yes to unlink KATE from your current device. Once unlinked, you will no longer be able to access any course from this device.
What it does NOT explain is how to “log off” as user or how to switch user account.
THAT option is pretty well hidden in the application.
But as I mentioned, the content is USER based, so you CAN switch accounts.
Let me show you.
For your information, in my case I have 2 accounts, 1 user and 1 trainer account. Which is very handy to show how it works.
To run this scenario, you must have these prerequisites met:
have active user accounts
course content linked in your online profiles
This is what I’ve got (*)
My user account (course I’m learning, or have learned)
My Trainer account (courses I teach)
How do you switch between both of them?
First logon (eg after fresh install or log out) with one of both accounts
Of course enter your password (I won’t show mine).
Then you get the view on your course content, choose one of the views from the start, (*)
How to log out and log on again?
Here’s the trick.
Once logged in, click the about menu.
Then you’ll get a special button , asking you to “unlink this account”.
Please read: “Log off”.
When you hit that button you get a message that sounds bizar on first sight:
“Are you sure you want to unlink your KATE account from this device? If you choose OK, this device will be unlinked from your PECB account and will no longer have access at course materials assigned to it. You can link back this device anytime using your PECB account credentials.”
Well, that’s not really clear …
To put is simple, you can log on again. Just hit the yes button to log off (log out).
If you hit the yes button, the application shuts down, instead of showing the logon screen again.
If that happens, restart the application and we’re back at the beginning of the procedure. Now you can logon with the other account.