Thoughts on the CREST CPSA

I’ve just sat my CPSA in preparation for $newjob.

The CPSA is part of a UK government qualifications track administered by CREST for accrediting ethical security testers and their companies. You can find a fairly barebones syllabus online along with some suggested reading material.

The CPSA changed radically a couple of years back, in that it used to be open book and packaged with a practical component, the CRT. It’s now closed book, separate from the CRT (and indeed, a prerequisite for sitting the CRT) and administered in Pearson test centres in MCQ format. The only other discussion of the CPSA I’ve found is from before this change.

The exam content is under NDA and, of course, the question bank will give different content to each candidate, so this discussion isn’t going to give much away. However, although I’ve worked in security for the last five years (and IT in general for twenty), I went into the exam feeling the least confident I’ve ever felt. I’d read the syllabus and most of the reading list and still really had no idea about the content or question style.

So, here’s my advice:

  • Read the syllabus thoroughly. Note that some points aren’t examinable in the CPSA but are for the CRT and vice versa.
  • If you’re actively working in pen testing and have a background in general IT or, better still, have a CISSP or GSEC, then you’ll be good with just a bit of general reading up.
  • Read the question and answers thoroughly, obviously!

Good luck!