Certified Cloud Security Professional (CCSP) — Question 364

During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis.

Answer options

• A. Contractual requirements
• B. Regulations
• C. Vendor recommendations
• D. Corporate policy

Correct answer: C

Explanation

The correct answer is C, as vendor recommendations are typically not considered a primary input for establishing control requirements during a gap analysis. In contrast, contractual requirements, regulations, and corporate policy are foundational elements that directly inform the necessary controls.