CCAK

By isaca
Aug, 2025


Question 1

Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the risk arising from changes to an organization’s SaaS vendor?

  • A: Risk exceptions policy
  • B: Contractual requirements
  • C: Risk appetite
  • D: Board oversight

Question 2

When a client’s business process changes, the CSP SLA should:

  • A: be reviewed, but the SLA cannot be updated.
  • B: not be reviewed, but the cloud contract should be cancelled immediately.
  • C: not be reviewed as the SLA cannot be updated.
  • D: be reviewed and updated if required.

Question 3

When building a cloud governance model, which of the following requirements will focus more on the cloud service provider’s evaluation and control checklist?

  • A: Security requirements
  • B: Legal requirements
  • C: Compliance requirements
  • D: Operational requirements

Question 4

Prioritizing assurance activities for an organization’s cloud services portfolio depends PRIMARILY on an organization’s ability to:

  • A: schedule frequent reviews with high-risk cloud service providers.
  • B: develop plans using a standardized risk-based approach.
  • C: maintain a comprehensive cloud service inventory.
  • D: collate views from various business functions using cloud services.

Question 5

If the degree of verification for information shared with the auditor during an audit is low, the auditor should:

  • A: reject the information as audit evidence.
  • B: stop evaluating the requirement altogether and review other audit areas.
  • C: delve deeper to obtain the required information to decide conclusively.
  • D: use professional judgment to determine the degree of reliance that can be placed on the information as evidence.

Question 6

Which best describes the difference between a type 1 and a type 2 SOC report?

  • A: A type 2 SOC report validates the operating effectiveness of controls whereas a type 1 SOC report validates the suitability of the design of the controls.
  • B: A type 2 SOC report validates the suitability of the design of the controls whereas a type 1 SOC report validates the operating effectiveness of controls.
  • C: A type 1 SOC report provides an attestation whereas a type 2 SOC report offers a certification.
  • D: There is no difference between a type 2 and type 1 SOC report.

Question 7

You have been assigned the implementation of an ISMS whose scope must cover both on-premises and cloud infrastructure. Which of the following is your BEST option?

  • A: Implement ISO/IEC 27002 and complement it with additional controls from the CCM.
  • B: Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27017.
  • C: Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27002.
  • D: Implement ISO/IEC 27001 and complement it with additional controls from the NIST SP 800-145.

Question 8

As a developer building code into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?

  • A: Within developer’s laptop
  • B: Within the CI/CD server
  • C: Within version repositories
  • D: Within the CI/CD pipeline

Question 9

An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. From the following, to whom should the auditor report the findings?

  • A: Public
  • B: Management of organization being audited
  • C: Shareholders/interested parties
  • D: Cloud service provider

Question 10

Which of the following parties should have accountability for cloud compliance requirements?

  • A: Customer
  • B: Equally shared between customer and provider
  • C: Provider
  • D: Either customer or provider, depending on requirements

Question 11

Which of the following data destruction methods is the MOST effective and efficient?

  • A: Crypto-shredding
  • B: Degaussing
  • C: Multi-pass wipes
  • D: Physical destruction

Question 12

Under GDPR, an organization should report a data breach within what time frame?

  • A: 72 hours
  • B: 2 weeks
  • C: 1 week
  • D: 48 hours

Question 13

The PRIMARY objective of an audit initiation meeting with a cloud audit client is to:

  • A: select the methodology of the audit.
  • B: review requested evidence provided by the audit client.
  • C: discuss the scope of the cloud audit.
  • D: identify resource requirements of the cloud audit.

Question 14

Which of the following cloud models prohibits penetration testing?

  • A: Hybrid Cloud
  • B: Private Cloud
  • C: Public Cloud
  • D: Community Cloud

Question 15

What type of termination occurs at the initiative of one party, and without the fault of the other party?

  • A: Termination for cause
  • B: Termination for convenience
  • C: Termination at the end of the term
  • D: Termination without the fault

Question 16

An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:

  • A: assess the existence and adequacy of a security awareness training program at the cloud service provider’s organization, as the cloud customer hired the auditor to review the cloud service.
  • B: assess the existence and adequacy of a security awareness training program at both the cloud customer’s organization and the cloud service provider’s organization.
  • C: assess the existence and adequacy of a security awareness training program at the cloud customer’s organization as they hired the auditor.
  • D: not assess the security awareness training program, as it is each organization’s responsibility.

Question 17

The MOST critical concept of managing the build and test of code in DevOps is:

  • A: continuous build.
  • B: continuous delivery.
  • C: continuous deployment.
  • D: continuous integration.

Question 18

The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?

  • A: Agence nationale de la sécurité des systèmes d’information (ANSSI)
  • B: National Institute of Standards and Technology (NIST)
  • C: National Security Agency (NSA)
  • D: Bundesamt für Sicherheit in der Informationstechnik (BSI)

Question 19

Which statement about compliance responsibilities and ownership of accountability is correct?

  • A: Organizations may be able to transfer their accountability for compliance with various regulatory requirements to their CSPs, but they retain the ownership of responsibility.
  • B: Organizations may be able to transfer their responsibility for compliance with various regulatory requirements to their CSPs, but they retain the ownership of accountability.
  • C: Organizations may transfer their responsibility and accountability for compliance with various regulatory requirements to their CSPs.
  • D: Organizations are not able to transfer their responsibility nor accountability for compliance with various regulatory requirements to their CSPs.

Question 20

Which objective is MOST appropriate to measure the effectiveness of password policy?

  • A: The number of related incidents increases.
  • B: Attempts to log in with weak credentials increase.
  • C: Newly created account credentials satisfy requirements.
  • D: The number of related incidents decreases.

Question 21

A Dot Release of Cloud Control Matrix (CCM) indicates what?

  • A: The introduction of new control frameworks mapped to previously-published CCM controls.
  • B: A revision of the CCM domain structure.
  • C: A technical change (revision or addition or deletion) of a number of controls is smaller than 10% compared to the previous “Full” release.
  • D: A technical change (revision or addition or deletion) of a number of controls is greater than 10% compared to the previous “Full” release.

Question 22

What should be the auditor’s PRIMARY objective while examining a cloud service provider’s (CSP’s) SLA?

  • A: Verifying whether commensurate compensation in the form of service credits is factored in if the CSC is unable to match its SLA obligations
  • B: Verifying whether the SLA includes all the operational matters which are material to the operation of the service
  • C: Verifying whether the SLA caters to the availability requirements of the cloud service customer (CSC)
  • D: Verifying whether the SLAs are well-defined and measurable

Question 23

Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description?

  • A: Operations Maintenance
  • B: System Development Maintenance
  • C: Equipment Maintenance
  • D: System Maintenance

Question 24

Which of the following is an example of a corrective control?

  • A: A central anti-virus system installing the latest signature files before allowing a connection to the network
  • B: Unsuccessful access attempts being automatically logged for investigation
  • C: Privileged access to critical information systems requiring a second factor of authentication using soft token
  • D: All new employees having standard access rights until their manager approves privileged rights

Question 25

Which of the following is a cloud-specific security standard?

  • A: ISO27017
  • B: ISO27701
  • C: ISO22301
  • D: ISO14001
Page 1 of 11 • Questions 1-25 of 258
