ISACA CCAK Exam
Certificate of Cloud Auditing Knowledge (Page 3)

Updated On: 1-Feb-2026

What is the advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

  A. Unlike SAST, DAST is a blackbox and programming language agnostic.
  B. DAST can dynamically integrate with most CI/CD tools.
  C. DAST delivers more false positives than SAST.
  D. DAST is slower but thorough.

Answer(s): A


Reference:

https://www.synopsys.com/blogs/software-security/sast-vs-dast-difference/



In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?

  A. Service Provider control
  B. Impact and Risk control
  C. Data Inventory control
  D. Compliance control

Answer(s): A


Reference:

https://rmas.fad.harvard.edu/cloud-service-providers



Which of the following is the BEST recommendation to offer an organization’s HR department planning to adopt a new public SaaS application to ease the recruiting process?

  A. Ensure HIPAA compliance
  B. Implement a cloud access security broker
  C. Consult the legal department
  D. Do not allow data to be in cleartext

Answer(s): B


Reference:

https://www.mcafee.com/enterprise/en-us/security-awareness/cloud/what-is-a-casb.html



During an audit it was identified that a critical application hosted in an off-premises cloud is not part of the organization’s DRP (Disaster Recovery Plan). Management stated that it is responsible for ensuring that the cloud service provider (CSP) has a plan that is tested annually. What should be the auditor’s NEXT course of action?

  A. Review the CSP audit reports.
  B. Review the security white paper of the CSP.
  C. Review the contract and DR capability.
  D. Plan an audit of the CSP.

Answer(s): B



Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?

  A. No. CCM must be completed with definitions established by the CSP because of its relevance to service continuity.
  B. Yes. CCM suffices since it maps a huge library of widely accepted frameworks.
  C. Yes. When implemented in the right manner, CCM alone can help to measure, assess and monitor the risk associated with a CSP or a particular service.
  D. No. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed with requirements applicable to each company.

Answer(s): C


