Certificate of Cloud Auditing Knowledge (CCAK) — Question 10

Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?

Answer options

• A. No. CCM must be completed with definitions established by the CSP because of its relevance to service continuity.
• B. Yes. CCM suffices since it maps a huge library of widely accepted frameworks.
• C. Yes. When implemented in the right manner, CCM alone can help to measure, assess and monitor the risk associated with a CSP or a particular service.
• D. No. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed with requirements applicable to each company.

Correct answer: D

Explanation

The correct answer is D because CCM provides a starting point for assessing cloud services, but additional company-specific requirements are necessary for a comprehensive evaluation. Options A and C incorrectly suggest that CCM alone can address all needs, while B overlooks the need for tailored requirements in different organizational contexts.