Certificate of Cloud Auditing Knowledge (CCAK) — Question 57

What should an auditor do when assessing the business continuity plan (BCP) and disaster recovery (DR) of a cloud customer?

Answer options

• A. Evaluate the service level agreement (SLA) through a BCP/DR lens.
• B. Get assurances from the cloud service provider that the service level agreement (SLA) can be met in a BCP/DR scenario.
• C. Recommend auditing the BCP/DR planning under a separate engagement.
• D. Limit the scope of the evaluation to security measures that are under the direct responsibility of the auditee.

Correct answer: A

Explanation

The correct answer is A because evaluating the SLA through the lens of BCP/DR ensures that the auditor understands how the cloud service provider's commitments align with the customer's continuity and recovery strategies. Option B is incorrect as it focuses on assurances, which is less comprehensive than evaluating the SLA itself. Option C suggests a separate engagement, which may not be necessary if the auditor can assess BCP/DR within the current scope. Option D limits the evaluation to security measures, neglecting the broader aspects of BCP and DR assessment.