isaca ccak practice test
Certificate of Cloud Auditing Knowledge
Question 1
Organizations maintain mappings between the different control frameworks they adopt to:
- A. help identify controls with common assessment status.
- B. avoid duplication of work when assessing compliance.
- C. help identify controls with different assessment status.
- D. start a compliance assessment using latest assessment.
Answer:
C
Explanation:
Reference: https://www.isaca.org/resources/news-and-trends/industry-news/2019/employing-cobit-2019-for-enterprise-
governance-strategy
Question 2
You have been assigned the implementation of an ISMS, whose scope must cover both on premise and cloud infrastructure.
Which of the following is your BEST option?
- A. Implement ISO/IEC 27002 and complement it with additional controls from the CCM.
- B. Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27017.
- C. Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27002.
- D. Implement ISO/IEC 27001 and complement it with additional controls from the NIST SP 800-145.
Answer:
B
Question 3
A CSP providing cloud services currently being used by the United States federal government should obtain which of the
following to assure compliance to stringent government standards?
- A. Multi-Tier Cloud Security (MTCS) Attestation
- B. FedRAMP Authorization
- C. ISO/IEC 27001:2013 Certification
- D. CSA STAR Level Certificate
Answer:
B
Explanation:
Reference: https://www.ftptoday.com/blog/benefits-using-fedramp-authorized-cloud-service-provider
Question 4
Which of the following key stakeholders should be identified the earliest when an organization is designing a cloud
compliance program?
- A. Cloud process owners
- B. Internal control function
- C. Legal functions
- D. Cloud strategy owners
Answer:
A
Question 5
To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:
- A. ISO/IЕС 27001: 2013 controls.
- B. maturity model criteria.
- C. all Cloud Control Matrix (CCM) controls and TSPC security principles.
- D. Cloud Control Matrix (CCM) and ISO/IEC 27001:2013 controls.
Answer:
C
Explanation:
Reference: https://downloads.cloudsecurityalliance.org/star/attestation/GuidelinesforCPAsv2.pdf (8)
Question 6
The MAIN difference between Cloud Control Matrix (CCM) and Consensus Assessment Initiative Questionnaire (CAIQ) is
that:
- A. CCM assesses the presence of controls, whereas CAIQ assesses overall security of a service.
- B. CCM has a set of security questions, whereas CAIQ has a set of security controls.
- C. CCM has 14 domains and CAIQ has 16 domains.
- D. CCM provides a controls framework, whereas CAIQ provides industry-accepted ways to document which security controls exist in IaaS, PaaS, and SaaS offerings.
Answer:
D
Explanation:
Reference: https://sdtimes.com/cloud-security-alliance-unveils-governance-risk-management-and-compliance-grc-stack/
Question 7
Which of the following is a corrective control that may be identified in a SaaS service provider?
- A. Log monitoring
- B. Penetration testing
- C. Incident response plans
- D. Vulnerability scan
Answer:
D
Question 8
Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the
situation is communicated in the cloud audit report, which course of action is MOST relevant?
- A. Focusing on auditing high-risk areas
- B. Testing the adequacy of cloud controls design
- C. Relying on management testing of cloud controls
- D. Testing the operational effectiveness of cloud controls
Answer:
A
Explanation:
Reference: https://www.ucop.edu/ethics-compliance-audit-services/_files/webinars/10-14-16-cloud-
computing/cloudcomputing.pdf (31)
Question 9
One of the Cloud Control Matrixs (CCMs) control specifications states that Independent reviews and assessments shall be
performed at least annually to ensure that the organization addresses nonconformities of established policies, standards,
procedures, and compliance obligations. Which of the following controls under the Audit Assurance and Compliance domain
does this match to?
- A. Audit planning
- B. Information system and regulatory mapping
- C. GDPR auditing
- D. Independent audits
Answer:
B
Question 10
Which of the following configuration change controls is acceptable to a cloud auditor?
- A. Development, test and production are hosted in the same network environment.
- B. Programmers have permanent access to production software.
- C. The Head of Development approves changes requested to production.
- D. Programmers cannot make uncontrolled changes to the source code production version.
Answer:
D
Question 11
Which of the following is the common cause of misconfiguration in a cloud environment?
- A. Absence of effective change control
- B. Using multiple cloud service providers
- C. New cloud computing techniques
- D. Traditional change process mechanisms
Answer:
A
Explanation:
Reference: https://businessinsights.bitdefender.com/the-top-5-cloud-threats-that-smbs-need-to-address
Question 12
Which of the following metrics are frequently immature?
- A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
- B. Metrics around Platform as a Service (PaaS) development environments
- C. Metrics around Infrastructure as a Service (IaaS) computing environments
- D. Metrics around specific Software as a Service (SaaS) application services
Answer:
A
Question 13
Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of
continuous auditing of performance on a cloud system?
- A. Service Level Objective (SLO)
- B. Recovery Point Objectives (RPO)
- C. Service Level Agreement (SLA)
- D. Recovery Time Objectives (RTO)
Answer:
C
Question 14
Which of the following is MOST important to consider when developing an effective threat model during the introduction of a
new SaaS service into a customer organizations architecture? The threat model:
- A. recognizes the shared responsibility for risk management between the customer and the CSP.
- B. leverages SaaS threat models developed by peer organizations.
- C. is developed by an independent third-party with expertise in the organization’s industry sector.
- D. considers the loss of visibility and control from transitioning to the cloud.
Answer:
A
Question 15
As a developer building codes into a container in a DevSecOps environment, which of the following is the appropriate
place(s) to perform security tests?
- A. Within developer’s laptop
- B. Within the CI/CD server
- C. Within version repositories
- D. Within the CI/CD pipeline
Answer:
D