Questions for the CCAK were updated on: Nov 29, 2024
Which of the following is a cloud-specific security standard?
A
Explanation:
Reference: https://en.wikipedia.org/wiki/ISO/IEC_27017#:~:text=ISO%2FIEC%2027017%20is%20a,the%20risk%20of%20security%20problems
A cloud service provider does not allow audits using automated tools, as these tools could be considered destructive techniques for the cloud environment. Which of the following aspects of the audit will be constrained?
B
Explanation:
Reference: https://www.isaca.org/-/media/files/isacadp/project/isaca/articles/journal/2018/volume-5/journal-volume-5-2018
Which of the following is MOST important to consider when an organization is building a compliance program for the cloud?
A
Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?
C
Which of the following is the MOST feasible way to validate the performance of CSPs for the delivery of technology resources?
D
Which of the following defines the criteria designed by the American Institute of Certified Public Accountants (AICPA) to specify trusted services?
A
Explanation:
Reference: https://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
Which of the following are the three MAIN phases of the Cloud Controls Matrix (CCM) mapping methodology?
D
Explanation:
Reference: https://docplayer.net/153476370-Methodology-for-the-mapping-of-the-cloud-controls-matrix-ccm.html (page 5)
While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?
C
Explanation:
Reference: https://www.isaca.org/resources/isaca-journal/issues/2020/volume-1/is-audit-basics-the-components-of-the-it-audit-report
What should be an organization's control audit schedule of a cloud service provider's business continuity plan and operational resilience policy?
A
Explanation:
Reference: https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2021/isaca-provides-guidance-around-eu-proposed-digital-operational-resilience-act
Which of the following attestations allows for immediate adoption of the Cloud Controls Matrix (CCM) as additional criteria to the AICPA Trust Services Criteria and provides the flexibility to update the criteria as technology and market requirements change?
B
Explanation:
Reference: https://www.sciencedirect.com/topics/computer-science/cloud-controls-matrix
Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?
D
Explanation:
Reference: https://cyber.gc.ca/en/guidance/guidance-cloud-security-assessment-and-authorization-itsp50105
To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:
A
Explanation:
What delivers value to the organization is having audit resources and efforts dedicated to, and focused on, the higher-risk areas.
Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?
B
Explanation:
Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/planning-for-information-security-testinga-practical-approach
Which of the following aspects of risk management involves identifying the potential reputational harm and/or financial harm when an incident occurs?
D
Explanation:
Reference: https://compliancecosmos.org/chapter-5-step-three-determining-impact-occurrence
Since the CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will the CCM alone be enough to define all the items to be considered when operating/using cloud services?
C