Certificate of Cloud Auditing Knowledge (CCAK) — Question 19
An independent contractor is assessing the security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider (CSP). What is the optimal and most efficient mechanism to assess the controls the CSP is responsible for?
Answer options
- A. Review third-party audit reports.
- B. Review CSP’s published questionnaires.
- C. Directly audit the CSP.
- D. Send supplier questionnaire to the CSP.
Correct answer: A
Explanation
The most effective way to assess the controls that a CSP is responsible for is to review third-party audit reports, as these provide independent verification of the CSP's security measures. Other options, like reviewing questionnaires or sending supplier inquiries, may not provide as comprehensive or reliable an assessment of the controls in place. Directly auditing the CSP is also impractical for an independent contractor without proper authority.