Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CCAK

ISACA CCAK Exam Questions
Certificate of Cloud Auditing Knowledge (Page 6 )

Updated On: 2-Mar-2026
Page 6 of 63
PDF with 334 Questions

Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization’s architecture? The threat model:

  1. recognizes the shared responsibility for risk management between the customer and the CSP.
  2. leverages SaaS threat models developed by peer organizations.
  3. is developed by an independent third-party with expertise in the organization’s industry sector.
  4. considers the loss of visibility and control from transitioning to the cloud.

Answer(s): A



While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?

  1. Highlighting the gap to the audit sponsor at the sponsor’s earliest possible availability
  2. Asking the organization’s cloud administrator to immediately close the gap by updating the configuration settings and making the object storage bucket private and hence inaccessible from the Internet
  3. Documenting the finding in the audit report and sharing the gap with the relevant stakeholders
  4. Informing the organization’s internal audit manager immediately about the gap

Answer(s): C


Reference:

https://www.isaca.org/resources/isaca-journal/issues/2020/volume-1/is-audit-basics-thecomponents-of-the-it-audit-report



To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:

  1. ISO/I?? 27001: 2013 controls.
  2. maturity model criteria.
  3. all Cloud Control Matrix (CCM) controls and TSPC security principles.
  4. Cloud Control Matrix (CCM) and ISO/IEC 27001:2013 controls.

Answer(s): C


Reference:

https://downloads.cloudsecurityalliance.org/star/attestation/GuidelinesforCPAsv2.pdf (8)



Which of the following is MOST important to consider when an organization is building a compliance program for the cloud?

  1. The rapidly changing service portfolio and architecture of the cloud.
  2. Cloud providers should not be part of the compliance program.
  3. The fairly static nature of the service portfolio and architecture of the cloud.
  4. The cloud is similar to the on-premise environment in terms of compliance.

Answer(s): A



When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer to review which cloud services will be deployed?

  1. To determine how those services will fit within its policies and procedures
  2. To determine the total cost of the cloud services to be deployed
  3. To confirm which vendor will be selected based on the compliance with security requirements
  4. To confirm if the compensating controls implemented are sufficient for the cloud

Answer(s): A


Reference:

https://www.isaca.org/credentialing/certificate-of-cloud-auditing-knowledge



Viewing page 6 of 63
Viewing questions 26 - 30 out of 334 questions



Post your Comments and Discuss ISACA CCAK exam dumps with other Community members:

CCAK Exam Discussions & Posts

AI Tutor