ISACA CCAK Exam
Certificate of Cloud Auditing Knowledge (Page 9 )

Updated On: 1-Feb-2026

Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of continuous auditing of performance on a cloud system?

  A. Service Level Objective (SLO)
  B. Recovery Point Objectives (RPO)
  C. Service Level Agreement (SLA)
  D. Recovery Time Objectives (RTO)

Answer(s): C



Which of the following controls framework should the cloud customer use to assess the overall security risk of a cloud provider?

  A. SOC3 - Type2
  B. Cloud Control Matrix (CCM)
  C. SOC2 - Type1
  D. SOC1 - Type1

Answer(s): B

Explanation:

Only the Cloud Controls Matrix (CCM) is a controls framework. SOC 1, SOC 2 and SOC 3 are attestation report types, not frameworks: SOC 1 covers controls relevant to a customer's financial reporting, SOC 2 and SOC 3 report against the AICPA Trust Services Criteria, and a Type 1 report covers control design at a point in time while a Type 2 report covers operating effectiveness over a period. A SOC report is evidence the auditor evaluates against a framework; it is not the framework itself. The CSA CCM defines cloud-specific controls across security domains, assigns them to provider and customer, and maps them to other standards, which is what a customer needs to assess a provider's overall security risk.

Reference:

https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-22/preventingthe-next-cybersecurity-attack-with-effective-cloud-security-audits



An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models. Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?

  A. Use of an established standard/regulation to map controls and use as the audit criteria
  B. For efficiency reasons, use of its on-premises systems' audit criteria to audit the cloud environment
  C. As this is the initial stage, the ISO/IEC 27001 certificate shared by the cloud service provider is sufficient for audit and compliance purposes
  D. Development of the cloud security audit criteria based on its own internal audit test plans to ensure appropriate coverage

Answer(s): A



An organization has an ISMS implemented, following ISO 27001 and Annex A controls. The CIO would like to migrate some of the infrastructure to the cloud. Which of the following standards would BEST assist in identifying controls to consider for this migration?

  A. ISO/IEC 27701
  B. ISO/IEC 22301
  C. ISO/IEC 27002
  D. ISO/IEC 27017

Answer(s): D

Explanation:

ISO/IEC 27017 is the cloud-specific extension of ISO/IEC 27002: it gives implementation guidance for the ISO/IEC 27002 controls in a cloud context and adds cloud-specific controls (for example on shared roles and responsibilities between provider and customer, removal of cloud service customer assets, segregation in virtual computing environments, and virtual machine hardening), addressing both the cloud service provider and the cloud service customer. For an organization that already operates an ISO/IEC 27001 ISMS with Annex A controls, it is the natural source of additional controls to consider for a migration. ISO/IEC 27701 extends the ISMS for privacy management, ISO 22301 covers business continuity management, and ISO/IEC 27002 on its own is not cloud-specific.

Note on certification scope: it is ISO/IEC 27001 that defines the requirements for an ISMS, and a provider's certificate covers only the scope stated on it. The entire organization is not necessarily covered; the provider may limit the scope to one group or service, and there is no guarantee that anything outside that scope has an appropriate ISMS in place. It is up to the auditor to verify that the scope of the engagement is "fit for purpose", and as the customer you are responsible for determining whether the scope of the certification is relevant for your purposes.



When performing audits in relation to Business Continuity Management and Operational Resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?

  A. Validate if the strategy covers unavailability of all components required to operate the business, as usual or in disrupted mode, in part or in total, when impacted by a disruption.
  B. Validate if the strategy covers all aspects of Business Continuity and Resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption.
  C. Validate if the strategy covers all activities required to continue and recover prioritized activities within identified time frames and agreed capacity, aligned to the risk appetite of the organization, including the invocation of continuity plans and crisis management capabilities.
  D. Validate if the strategy is developed by both cloud service providers and cloud service consumers within the acceptable limits of their risk appetite.

Answer(s): B


