Certificate of Cloud Auditing Knowledge (CCAK) — Question 8
During an audit it was identified that a critical application hosted in an off-premises cloud is not part of the organization’s DRP (Disaster Recovery Plan). Management stated that it is responsible for ensuring that the cloud service provider (CSP) has a plan that is tested annually. What should be the auditor’s NEXT course of action?
Answer options
- A. Review the CSP audit reports.
- B. Review the security white paper of the CSP.
- C. Review the contract and DR capability.
- D. Plan an audit of the CSP.
Correct answer: C
Explanation
The auditor's next step is to review the contract and the DR capability, because management's statement that the CSP maintains an annually tested plan is an assertion that must be verified against the contractual obligations and the CSP's actual disaster recovery provisions for this critical application. Reviewing the CSP's audit reports or security white paper may provide useful insight, but neither directly establishes what the CSP is contractually obliged to provide or whether that capability meets the organization's needs. Planning an audit of the CSP is premature until the existing contractual agreements are understood.