​How CCAK Elevates and Impacts Other Credentials

Written by Daniele Catteddu, Chief Technology Officer, CSA

The skills gap is not a new topic when it comes to cloud or cybersecurity. Per Flexera's 2020 State of the Cloud report, 59% of enterprises expect cloud usage to exceed prior planned usage due to COVID-19 – which creates a high demand for cloud audit and computing professionals. Plus, a 2020 Sophos survey found that 70% of organizations in cloud environments experienced a security incident in the last year – issues that qualified cloud audit professionals can alleviate.

Professionals who show they can grow and adapt with rapidly changing technology will be the ones unpacking bobbleheads at a new desk. Organizations continue to prioritize candidates with a comprehensive set of skills and a proven depth of knowledge. To gain an advantage in a crowded job market, professionals need credentials to distinguish themselves from the competition.

The Certificate of Cloud Auditing Knowledge (CCAK) is the first technical, vendor-neutral designation that enables you to demonstrate your expertise in the essential principles of auditing the security of a cloud computing system. CCAK-holders can minimize the risks of cloud adoption and help their organizations and/or clients reap the full benefits of the cloud environment. So how does the CCAK engage with or impact the existing credentials you already have hanging on your wall?

CCSK

CSA’s Certificate of Cloud Security Knowledge (CCSK) is acknowledged as the standard of expertise in cloud security. Building on the body of knowledge covered in CCSK, CCAK is not an introductory course but one that assumes students have a solid understanding of cloud computing and cloud security. By providing additional guidance on how to govern, assess and audit cloud services, how to manage specific compliance challenges and how to use CSA tools (such as CCM, CAIQ, Top Threat Post Incident Analysis Methodology and STAR), CCAK takes the foundational skills developed in the CCSK and delves into the advanced territory of cloud controls design, implementation and evaluation process.

CISA

ISACA’s Certified Information Systems Auditor (CISA) is the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems. Assuming students have a practical understanding of IT/IS Auditing, CCAK is an ideal extension of CISA as it offers dedicated guidance on cloud auditing (not currently offered in the CISA curriculum). CCAK focuses on relevant issues such as complex supply chain management, shared responsibility model, indirect control and governance, and compliance inheritance.

PCI/DSS Qualified Security Assessor & ISO 27001 Lead Auditor Credentials

CCAK is dedicated to cloud computing, whereas the ISO 27001 Lead Auditor certification is centered on building and auditing information security management systems, and PCI/DSS is focused on evaluating merchant and service providers that need to comply with PCI/DSS requirements. CCAK provides guidance on how to evolve an existing security governance and compliance program that accommodates and integrates cloud services. By looking at other relevant security frameworks and requirements, it extends the scope of ISO 27001 and PCI/DSS that an organization may want to follow, such as AICPA TSC (SOC2), FedRAMP, BSI C5 and CSA CCM.

FedRAMP 3PAO Assessor

While both CCAK and the FedRAMP 3PAO Assessor course are credentials specific to cloud computing, the CCAK is intended to provide a broad, regulation-agnostic approach to cloud auditing, taking the perspective of the cloud customer versus the cloud service provider. FedRAMP is heavily tailored to US federal cloud security standards and IT procurement processes. It is not intended as a catch-all for federal agencies or other cloud customers looking to audit and evaluate cloud vendors. CCAK, on the other hand, helps professionals identify the steps and actions a cloud customer should implement to effectively govern cloud services, evaluate them, and establish a sustainable compliance strategy and program.

Because the CCAK is a wholly unique offering in the market focused specifically on auditing the security of cloud computing systems, it does not directly conflict with any existing industry credentials. Rather, it extends upon the knowledge established in other programs, providing certificate-holders with an advanced, comprehensive set of skills that organizations are eager to employ.