isaca CCAK Exam Questions

Questions for the CCAK were updated on : Dec 01 ,2025

Page 1 out of 14. Viewing questions 1-15 out of 207

Question 1

As part of continuous auditing, which of the following should a third-party auditor verify on a regular
basis?

  • A. Reporting tools are reliable and based on defined objectives.
  • B. The cloud service provider is compliant.
  • C. Assessment tools are configured based on cloud security best practices.
  • D. Application programming interfaces (APIs) implemented are appropriate.
Answer: C

Question 2

Management planes deployed in cloud environments may pose a risk of potentially allowing access
to the entire environment. Which of the following controls is MOST appropriate for mitigating this
risk?

  • A. Change management
  • B. Regular audits
  • C. Access restriction
  • D. Increased monitoring
Answer: C

Question 3

When performing audits in relation to the organizational strategy and governance, what should be
requested from the cloud service provider?

  • A. Enterprise cloud security strategy
  • B. Enterprise cloud strategy and policy
  • C. Attestation reports
  • D. Policies and procedures
Answer: C

Question 4

An auditor is auditing the services provided by a cloud service provider. When evaluating the security
of the cloud customer's data in the cloud, which of the following should be of GREATEST concern to
the auditor?

  • A. Personally identifiable information (PII) is pseudonymized but not fully encrypted.
  • B. The cloud customer has encrypted the confidential data in the cloud using its own encryption keys.
  • C. The confidential data stored in the cloud is encrypted using encryption keys that are managed by the provider.
  • D. According to the cloud customer's data handling policy, all confidential data should be encrypted, but the confidential data stored in the cloud is well segmented but not encrypted.
Answer: A

Question 5

For an auditor auditing an organization's cloud resources, which of the following should be of
GREATEST concern?

  • A. The organization does not have separate policies for governing its cloud environment.
  • B. The organization's IT team does not include resources with cloud certifications.
  • C. The organization does not perform periodic reviews or control monitoring for its cloud environment, but it has a documented audit plan and performs an audit for its cloud environment every alternate year.
  • D. The risk management team reports to the head of audit.
Answer: C

Question 6

What should be the auditor's PRIMARY objective when examining a cloud service provider's service
level agreement (SLA)?

  • A. Verifying whether the SLA includes all the operational matters that are material to the operation of the service
  • B. Verifying whether the SLAs are well defined and measurable
  • C. Verifying whether commensurate compensation in the form of service credits is factored in if the customer is unable to match its SLA obligations
  • D. Verifying whether the SLA caters to the availability requirements of the cloud service customer
Answer: B

Question 7

To ensure that cloud audit resources deliver the best value to the organization, the FIRST step is to:

  • A. schedule the audits and monitor the time spent on each audit.
  • B. monitor progress of audits and initiate cost control measures.
  • C. develop a cloud audit plan on the basis of a detailed risk assessment.
  • D. train the cloud audit staff on current technology used in the organization.
Answer: C

Question 8

Which audit report provides an attestation of audit results that cloud service providers will make
available for public consumption?

  • A. SOC 1 Type 1
  • B. SOC 2 Type 2
  • C. SOC 3
  • D. SOC 1
Answer: C

Question 9

Which of the following principles, when combined with a structured development methodology,
would BEST contribute to the consistent introduction of secure and compliant Software as a Service
(SaaS) solutions in an organization?

  • A. Least common mechanism
  • B. Security by design
  • C. Least privilege
  • D. Fail safe defaults
Answer: B

Question 10

To ensure that compliance obligations for data residency in the cloud are aligned with an
organization's risk appetite, which of the following activities is MOST important to perform?

  • A. Manage compliance obligations through a structured risk management process.
  • B. Communicate the organization's risk appetite across cloud service providers.
  • C. Perform a cloud vendor assessment every time there is a change to data flows.
  • D. Develop risk metrics to show how the organization is meeting the obligations.
Answer: A

Question 11

Which of the following is MOST important to consider when an organization is building a compliance
program for the cloud?

  • A. The similarity of the cloud to the on-premise environment in terms of compliance
  • B. The fairly static nature of the service portfolio and architecture of the cloud
  • C. The rapidly changing service portfolio and architecture of the cloud
  • D. That cloud providers should not be part of the compliance program
Answer: C

Question 12

Which of the following is MOST important for an auditor to understand regarding cloud security
controls?

  • A. Controls adapt to changes in the threat landscape.
  • B. Controls are the responsibility of the cloud service provider.
  • C. Controls are the responsibility of the internal audit team.
  • D. Controls are static and do not change.
Answer: A

Question 13

Account design in the cloud should be driven by:

  • A. business continuity policies.
  • B. security requirements.
  • C. management structure.
  • D. organizational structure.
Answer: B

Question 14

The control domain feature within a Cloud Controls Matrix (CCM) represents:

  • A. CCM's ability to scan and check Active Directory, LDAP, and X.500 directories for suspicious and/or privileged user accounts.
  • B. a logical grouping of security controls addressing the same category of IT risks or information security concerns.
  • C. a set of application programming interfaces (APIs) that allows a cloud consumer to restrict the replication area within a well-defined jurisdictional perimeter.
  • D. CCM's ability to scan for anomalies in DNS zones in order to detect DNS spoofing, DNS hijacking, DNS cache poisoning, and similar threats.
Answer: B

Question 15

The MAIN difference between the Cloud Controls Matrix (CCM) and the Consensus Assessment
Initiative Questionnaire (CAIQ) is that:

  • A. CCM assesses the presence of controls, whereas CAIQ assesses the overall security of a service.
  • B. CCM has 14 domains, whereas CAIQ has 16 domains.
  • C. CCM provides a controls framework, whereas CAIQ provides industry-accepted ways to document which security controls exist in Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings.
  • D. CCM has a set of security questions, whereas CAIQ has a set of security controls.
Answer: C