Certified Information Systems Auditor (CISA) — Question 337
Which of the following BEST enables an IS auditor to understand the shared control requirements between multiple cloud service providers and the customer organization?
Answer options
- A. Roles and responsibilities of the IT professionals working under a shared responsibility model
- B. An industry-accepted cloud security framework for which all parties have obtained certification
- C. Logs produced by a cloud access security broker (CASB) monitoring the multi-cloud solution
- D. A risk and controls matrix that documents a clear set of actions for each party
Correct answer: D
Explanation
D is the best answer because a risk and controls matrix explicitly details the roles and responsibilities of each party, ensuring clarity in shared controls. Option A is relevant but does not provide the comprehensive overview that the matrix does. Option B focuses on certification but lacks specificity about control obligations. Option C is useful for monitoring but does not clarify the requirements between the parties involved.