Certificate of Cloud Auditing Knowledge (CCAK) — Question 13
How should controls be designed by an organization?
Answer options
- A. By the internal audit team
- B. Using the ISO27001 framework
- C. By the cloud provider
- D. Using the organization’s risk management framework
Correct answer: D
Explanation
The correct answer, D, emphasizes that controls should be tailored to the organization's specific risk management framework, ensuring they address its unique threats and vulnerabilities. Option A is incorrect because the internal audit team typically evaluates controls rather than designing them. Option B, while useful, is a guideline and not the organization's own risk framework. Option C is also incorrect because the cloud provider's controls may not align with the organization's specific needs.