CCAK Isaca Certificate of Cloud Auditing Knowledge Free Practice Exam Questions (2025 Updated)

To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of enterprise architecture (EA). EA is a holistic approach to aligning the business and IT objectives, processes, and resources of an organization. EA helps to define the current and future state of the organization, identify the gaps and opportunities, and design the roadmap and governance for the cloud migration. EA also helps to ensure that the cloud migration is consistent with the organization’s vision, mission, values, and strategy, and that it meets the requirements of the stakeholders, customers, and regulators. EA is part of the Cloud Control Matrix (CCM) domain GRC-01: Enterprise Risk Management, which states that "The organization should have a policy and procedures to identify, assess, manage, and monitor risks related to cloud services."1 References := CCAK Study Guide, Chapter 2: Cloud Governance, page 25

 According to the cloud shared responsibility model, the cloud customer is responsible for managing the access controls for the SaaS functionality and operations, and this should be audited by the cloud auditor12. Access controls are the mechanisms that restrict and regulate who can access and use the SaaS applications and data, and how they can do so. Access controls include identity and access management, authentication, authorization, encryption, logging, and monitoring. The cloud customer is responsible for defining and enforcing the access policies, roles, and permissions for the SaaS users, as well as ensuring that the access controls are aligned with the security and compliance requirements of the customer’s business context12.

The other options are not the aspects of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Option B is incorrect, as vulnerability management is the process of identifying, assessing, and mitigating the security weaknesses in the SaaS applications and infrastructure, and this is usually handled by the cloud service provider12. Option C is incorrect, as patching is the process of updating and fixing the SaaS applications and infrastructure to address security issues or improve performance, and this is also usually handled by the cloud service provider12. Option D is incorrect, as source code reviews are the process of examining and testing the SaaS applications’ source code to detect errors or vulnerabilities, and this is also usually handled by the cloud service provider12. References:

Shared responsibility in the cloud - Microsoft Azure

The Customer’s Responsibility in the Cloud Shared Responsibility Model - ISACA

 An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards. The Scope Applicability direct mapping is a worksheet within the CCM that maps the CCM control specifications to several standards within the ISO/IEC 27000 series, such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, and ISO/IEC 27018. The mapping helps the organization to identify the commonalities and differences between the CCM and the ISO/IEC standards, and to determine the level of compliance with each standard based on the implementation of the CCM controls. The mapping also helps the organization to avoid duplication of work and to streamline the compliance assessment process.12 References := What you need to know: Transitioning CSA STAR for Cloud Controls Matrix …1; Cloud Controls Matrix (CCM) - CSA3

According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply1. The auditor should understand the nature and scope of the services provided by the service provider, the contractual obligations and service level agreements, the security and compliance requirements, and the monitoring and reporting mechanisms. The auditor should also assess the risks and controls associated with the service provider, and determine if additional audit procedures are needed to obtain sufficient assurance.

The other options are not the best approach for the auditor. Option A is too strict and might not be feasible or necessary, depending on the type and level of services provided by the service provider. Option C is too lax and might overlook significant risks and gaps in the cloud service. Option D is too narrow and might ignore the impact of the service provider on the cloud customer’s business context. References:

ISACA Cloud Auditing Knowledge Certificate Study Guide, page 13-14.

The correct answer is B. Network security is the type of control that best matches the control description given in the question. Network security involves designing and configuring network environments and virtual instances to restrict and monitor traffic between trusted and untrusted connections, such as firewalls, routers, switches, VPNs, and network segmentation. Network security also requires periodic reviews and documentation of the network configurations and the justification for the allowed services, protocols, ports, and compensating controls.

The other options are not directly related to the question. Option A, virtual instance and OS hardening, refers to the process of applying security configurations and patches to virtual instances and operating systems to reduce their attack surface and vulnerabilities. Option C, network vulnerability management, refers to the process of identifying, assessing, prioritizing, and remediating network vulnerabilities using tools such as scanners, analyzers, and testers. Option D, change detection, refers to the process of monitoring and detecting changes in the system or network environment that could affect the security posture or performance of the system or network.

References :=

IVS-01: Network Security - CSF Tools - Identity Digital1

Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, Chapter 6: Cloud Security Controls

Cloud Controls Matrix (CCM) - CSA2

 Effective operationalization of cloud security controls is highly dependent on the level of training and awareness among the staff who implement and manage these controls. Without proper understanding and awareness of security policies, procedures, and the specific controls in place, even the most sophisticated security measures can be rendered ineffective. Training ensures that the personnel are equipped with the necessary knowledge to perform their duties securely, while awareness programs help in maintaining a security-conscious culture within the organization.

References = This answer is supported by the CCAK materials which highlight the importance of training and awareness in cloud security. The Cloud Controls Matrix (CCM) also emphasizes the need for security education and the role it plays in the successful implementation of security controls1234.

The primary purpose of the Open Certification Framework (OCF) for the CSA STAR program is to provide global, accredited, and trusted certification of the cloud service provider. According to the CSA website1, the OCF is an industry initiative to allow global, trusted independent evaluation of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification and/or attestation according to the Cloud Security Alliance’s industry leading security guidance and control framework. The OCF aims to address the gaps within the IT ecosystem that are inhibiting market adoption of secure and reliable cloud services. The OCF also integrates with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. The OCF manages the foundation that runs and monitors the CSA STAR Certification program, which is an assurance framework that enables cloud service providers to embed cloud-specific security controls. The STAR Certification program has three levels of assurance, each based on a different type of audit or assessment: Level 1: Self-Assessment, Level 2: Third-Party Audit, and Level 3: Continuous Auditing. The OCF also oversees the CSA STAR Registry, which is a publicly accessible repository that documents the security controls provided by various cloud computing offerings2. The OCF helps consumers to evaluate and compare their providers’ resilience, data protection, privacy capabilities, and service portability. It also helps providers to demonstrate their compliance with industry standards and best practices.

References:

Open Certification Framework Working Group | CSA

STAR | CSA

A SOC 2 Type 2 report is the most comprehensive type of report for cloud service providers, as it evaluates the design and operating effectiveness of a service organization’s controls over a period of time. This type of report is specifically intended to meet the needs of customers who need assurance about the security, availability, processing integrity, confidentiality, or privacy of the data processed by the service provider1234.

References = The importance of SOC 2 Type 2 reports for cloud service providers is discussed in various resources, including those provided by ISACA and the Cloud Security Alliance, which highlight the need for such reports to ensure the operating effectiveness of controls5678.

 According to the web search results, impact analysis is the aspect of risk management that involves identifying the potential reputational and financial harm when an incident occurs. Impact analysis is the process of assessing the probabilities and consequences of risk events if they are realized1. Impact analysis helps to understand how project outcomes and objectives might change due to the impact of the risk event, and to measure the severity of the risk impact in terms of cost, schedule, quality, and other factors23. Impact analysis also helps to prioritize the risks and plan appropriate responses and controls23.

The other options are not correct. Likelihood is the aspect of risk management that involves estimating the probability or frequency of a risk event occurring23. Mitigation is the aspect of risk management that involves implementing actions or controls to reduce the likelihood or impact of a risk event23. Residual risk is the aspect of risk management that involves measuring the remaining risk after applying mitigation actions or controls23. References:

Risk Analysis: Definition, Examples and Methods - ProjectManager

Risk Assessment and Analysis Methods: Qualitative and Quantitative - ISACA

Systems Engineering: Risk Impact Assessment and Prioritization

The most relevant question in the cloud compliance program design phase is who owns the cloud governance strategy. Cloud governance is a method of information and technology (I&T) governance focused on accountability, defining decision rights and balancing benefit, risk and resources in an environment that embraces cloud computing. Cloud governance creates business-driven policies and principles that establish the appropriate degree of investments and control around the life cycle process for cloud computing services1. Therefore, it is essential to identify who owns the cloud governance strategy in the organization, as this will determine the roles and responsibilities, decision-making authority, reporting structure, and escalation process for cloud compliance issues. The cloud governance owner should be a senior executive who has the vision, influence, and resources to drive the cloud compliance program and align it with the business objectives2.

References:

Building Cloud Governance From the Basics - ISACA

[Cloud Governance | Microsoft Azure]

Mapping the Cloud Controls Matrix (CCM) to other international standards and regulations allows cloud service providers (CSPs) and customers to align their security and compliance measures with a broad range of industry-accepted frameworks. This alignment helps in simplifying compliance processes by ensuring that fulfilling the controls in the CCM also satisfies the requirements of the mapped standards and regulations. It reduces the need for multiple assessments and streamlines the compliance and security efforts, making it more efficient for both CSPs and customers to demonstrate adherence to various regulatory requirements.

References = The benefits of CCM mapping are discussed in resources provided by the Cloud Security Alliance (CSA), which detail how the CCM’s controls are aligned with other security standards, regulations, and control frameworks, thus aiding organizations in their compliance and security strategies12.

The optimal and most efficient mechanism to assess the controls that the provider is responsible for is to review third-party audit reports. Third-party audit reports are independent and objective assessments of the provider’s security, compliance, and performance, conducted by qualified and reputable auditors. Third-party audit reports can provide assurance and evidence that the provider meets the industry standards and best practices, as well as the contractual and legal obligations with the SaaS company. Third-party audit reports can also cover a wide range of controls, such as data security, encryption, identity and access management, incident response, disaster recovery, and service level agreements. Some examples of third-party audit reports are ISO 27001 certification, SOC 1/2/3 reports, CSA STAR certification, and FedRAMP authorization123.

Reviewing the provider’s published questionnaires (A) may not be optimal or efficient, as the published questionnaires may not be comprehensive or up-to-date, and may not reflect the actual state of the provider’s controls. The published questionnaires may also be biased or inaccurate, as they are produced by the provider themselves.

Directly auditing the provider © may not be feasible or necessary, as the independent contractor may not have access to the provider’s environment or data, and may not have the authority or expertise to conduct such an audit. The independent contractor should rely on the third-party audit reports and certifications to assess the provider’s compliance with relevant standards and regulations.

Sending a supplier questionnaire to the provider (D) may not be optimal or efficient, as the supplier questionnaire may not cover all the aspects of the provider’s controls, and may not provide sufficient evidence or assurance of the provider’s security maturity. The supplier questionnaire may also take a long time to complete and verify, and may not be consistent with the industry standards and best practices. References :=

How to Evaluate Cloud Service Provider Security (Checklist)

Cloud service review process - Cloud Adoption Framework

How to choose a cloud service provider | Microsoft Azure

According to the blog article “Continuous Auditing and Continuous Certification” by the Cloud Security Alliance, a certification target helps in the formation of a continuous certification framework by incorporating the scope description and security attributes to be tested1 A certification target is a set of security objectives that a cloud service provider (CSP) defines and commits to fulfill as part of the continuous certification process1 Each security objective is associated with a policy that specifies the assessment frequency, such as every four hours, every day, or every week1 A certification target also includes a set of tools that are capable of verifying that the security objectives are met, such as automated scripts, APIs, or third-party services1

The other options are not correct because:

Option A is not correct because the service level objective (SLO) and service qualitative objective (SQO) are not part of the certification target, but rather part of the service level agreement (SLA) between the CSP and the cloud customer. An SLO is a measurable characteristic of the cloud service, such as availability, performance, or reliability. An SQO is a qualitative characteristic of the cloud service, such as security, privacy, or compliance2 The SLA defines the expected level of service and the consequences of not meeting it. The SLA may be used as an input for defining the certification target, but it is not equivalent or synonymous with it.

Option C is not correct because the frequency of evaluating security attributes is not the only component of the certification target, but rather one aspect of it. The frequency of evaluating security attributes is determined by the policy that is associated with each security objective in the certification target. The policy defines how often the security objective should be verified by the tools, such as every four hours, every day, or every week1 However, the frequency alone does not define the certification target, as it also depends on the scope description and the security attributes to be tested.

Option D is not correct because CSA STAR level 2 attestation is not a component of the certification target, but rather a prerequisite for it. CSA STAR level 2 attestation is a third-party independent assessment of the CSP’s security posture based on ISO/IEC 27001 and CSA Cloud Controls Matrix (CCM)3 CSA STAR level 2 attestation provides a baseline assurance level for the CSP before they can define and implement their certification target for continuous certification. CSA STAR level 2 attestation is also required for CSA STAR level 3 certification, which is based on continuous auditing and continuous certification3

References: 1: Continuous Auditing and Continuous Certification - Cloud Security Alliance 2: Service Level Agreement | CSA 3: Open Certification Framework | CSA - Cloud Security Alliance

One possible reason why the results of third-party audits and certification should be relied on when analyzing and assessing the cybersecurity risks in the cloud is to contrast the risk generated by the loss of control. When an organization moves its data and processes to the cloud, it inevitably loses some degree of control over its security and compliance posture, as it depends on the cloud service provider (CSP) to implement and maintain adequate security measures and controls1 This loss of control can increase the organization’s exposure to various cybersecurity risks, such as data breaches, unauthorized access, denial of service, malware infection, etc2

To mitigate these risks, the organization needs to have a clear understanding of the security and compliance level of the CSP, as well as the shared responsibility model that defines the roles and responsibilities of both parties3 Third-party audits and certification can provide some level of assurance that the CSP meets certain standards and requirements related to security and compliance, such as ISO/IEC 27001, CSA STAR, SOC 2, etc. These audits and certification can also help the organization compare and contrast the security posture of different CSPs in the market, as well as identify any gaps or weaknesses that need to be addressed or compensated.

Therefore, relying on the results of third-party audits and certification can help the organization contrast the risk generated by the loss of control in the cloud, and make informed decisions about selecting and managing its cloud services.

References: 1: Security in the Cloud: Are Audits and Certifications Really Enough?3 2: Understanding The Third-Party Impact On Cybersecurity Risk - Forbes2 3: Open Certification Framework | CSA - Cloud Security Alliance : Reducing Cybersecurity Security Risk From and to Third Parties - ISACA1 : Why your cloud services need the CSA STAR Registry listing

During the implementation phase of a cloud assurance program, the focus is on establishing the operational aspects that will ensure the ongoing security and compliance of the cloud environment. This includes developing the monitoring goals and requirements which are essential for setting up the assurance framework. It involves determining what needs to be monitored, how it should be monitored, and the metrics that will be used to measure compliance and performance.

References = The information aligns with best practices for cloud migration and assurance programs as outlined in various resources, including the Cloud Assurance Program Guide by Microsoft Cybersecurity1, which discusses the importance of developing and implementing policies for cloud data and system migration, and the Enterprise Guide to Successful Cloud Adoption by New Relic2, which emphasizes the role of observability in cloud migration, including the establishment of monitoring goals.

The Cloud Controls Matrix (CCM) by the Cloud Security Alliance provides a comprehensive control framework that aligns with industry standards, regulations, and best practices, offering a structured approach for cloud security and compliance management. This mapping capability makes it highly valuable in cloud audits as noted in the CCAK, which relies on CCM for its comprehensive applicability in regulatory compliance and security (referenced in CSA CCM V4 documentation and ISACA CCAK content).

 The objective that is most appropriate to measure the effectiveness of password policy is newly created account credentials satisfy requirements. This is because password policy is a set of rules and guidelines that define the characteristics and usage of passwords in a system or network. Password policy aims to enhance the security and confidentiality of the system or network by preventing unauthorized access, data breaches, and identity theft. Therefore, the best way to evaluate the effectiveness of password policy is to check whether the newly created account credentials meet the requirements of the policy, such as length, complexity, expiration, and history. This objective can be measured by conducting periodic audits, reviews, or tests of the account creation process and verifying that the passwords comply with the policy standards. This is part of the Cloud Control Matrix (CCM) domain IAM-02: User ID Credentials, which states that "The organization should have a policy and procedures to manage user ID credentials for cloud services and data."1 References := CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 76