Certificate of Cloud Auditing Knowledge (CCAK) — Question 191
An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models. Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?
Answer options
- A. Use of an established standard/regulation to map controls and use as the audit criteria
- B. For efficiency reasons, use of its on-premises systems’ audit criteria to audit the cloud environment
- C. As this is the initial stage, the ISO/IEC 27001 certificate shared by the cloud service provider is sufficient for audit and compliance purposes
- D. Development of the cloud security audit criteria based on its own internal audit test plans to ensure appropriate coverage
Correct answer: A
Explanation
The correct answer is A because an established standard or regulation gives an organization with little cloud expertise a reliable, externally vetted framework for mapping and assessing security controls in the cloud environment. Option B is incorrect because on-premises audit criteria do not account for cloud-specific risks or for the division of duties under the shared responsibility model. Option C is insufficient because, although the provider's ISO/IEC 27001 certificate is valuable evidence, it covers only the provider's side of the shared responsibility model and may not address every aspect needed for a comprehensive audit of the customer's own use of the cloud. Option D is also unsuitable because an organization that is not yet knowledgeable about cloud security is likely to leave gaps if it develops audit criteria solely from its own internal test plans.