When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

1. A. cloud user.
2. B. cloud service provide
3. C. cloud customer.
4. D. certification authority (CA)

Correct Answer: C
According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the cloud customer is the entity that retains accountability for the business outcome of the system or the processes that are supported by the cloud service1. The cloud customer is also responsible for ensuring that the cloud service meets the legal, regulatory, and contractual obligations that apply to the customer??s business context1. The cloud customer should also perform due diligence and risk assessment before selecting a cloud service provider, and establish a clear and enforceable contract that defines the roles and responsibilities of both parties1.
The cloud user is the entity that uses the cloud service on behalf of the cloud customer, but it is not necessarily accountable for the compliance of the service1. The cloud service provider is the entity that makes the cloud service available to the cloud customer, but it is not accountable for the compliance of the customer??s business context1. The certification authority (CA) is an entity that issues digital certificates to verify the identity or authenticity of other entities, but it is not accountable for the compliance of the cloud service2. References:
✑ ISACA Cloud Auditing Knowledge Certificate Study Guide, page 10-11.
✑ Certification authority - Wikipedia

An auditor wants to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. Which of the following can BEST help to gain the required information?

1. A. ISAE 3402 report
2. B. ISO/IEC 27001 certification
3. C. SOC1 Type 1 report
4. D. SOC2 Type 2 report

Correct Answer: D
A SOC2 Type 2 report can best help an auditor to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. A SOC2 Type 2 report is an internal control report that examines the security, availability, processing integrity, confidentiality, and privacy of a service organization??s system and data over a specified period of time, typically 3-12 months. A SOC2 Type 2 report is based on the AICPA Trust Services Criteria and provides an independent auditor??s opinion on the design and operating effectiveness of the service organization??s controls. A SOC2 Type 2 report can help an auditor to assess the risks and challenges associated with outsourcing services to a cloud provider and to verify that the provider meets the relevant compliance requirements and industry
standards.12 References := CCAK Study Guide, Chapter 5: Cloud Auditing, page 971; SOC 2 Type II Compliance: Definition, Requirements, and Why You Need It2

Which of the following is the BEST method to demonstrate assurance in the cloud services to multiple cloud customers?

1. A. Provider??s financial stability report and market value
2. B. Reputation of the service provider in the industry
3. C. Provider self-assessment and technical documents
4. D. External attestation and certification audit reports

Correct Answer: D
External attestation and certification audit reports are considered the best method to demonstrate assurance in cloud services to multiple customers because they provide an independent verification of the cloud service provider??s controls and practices. These reports are conducted by third-party auditors and offer a level of transparency and trust that cannot be achieved through self-assessments or internal documents. They help ensure that the cloud provider meets industry standards and regulatory requirements, which is crucial for customers to assess the risk and compliance posture of their cloud service providers.
References = The importance of external attestation and certification audit reports is supported by the Cloud Security Alliance (CSA) and ISACA, which state that the CCAK credential prepares IT and security professionals to ensure that the right controls are in place and to mitigate the risks and costs of audit management and penalties for non- compliance1.

Which audit report provides an attestation of audit results that cloud service providers will make available for public consumption?

1. A. SOC1 Type1
2. B. SOC2 Type2
3. C. SOC 3
4. D. SOC1

Correct Answer: C

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

1. A. ISO/IEC 27002
2. B. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
3. C. NISTSP 800-146
4. D. ISO/IEC 27017:2015

Correct Answer: D
ISO/IEC 27017:2015 is a standard that provides guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, as well as additional controls with implementation guidance that specifically relate to cloud services1. ISO/IEC 27017:2015 is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001, which is the international standard for information security management systems1. ISO/IEC 27017:2015 can help organizations to establish, implement, maintain and continually improve their information security in the cloud environment, as well as to demonstrate compliance with contractual and legal obligations1.
ISO/IEC 27002 is a code of practice for information security controls that provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems2. However, ISO/IEC 27002 does not provide specific guidance for cloud services, which is why ISO/IEC 27017:2015 was developed as an extension to ISO/IEC 27002 for cloud services1.
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a set of security controls that provides organizations with a detailed understanding of security concepts and principles that are aligned to the cloud model. The CCM is not a standard, but rather a framework that can be used to assess the overall security risk of a cloud provider. The CCM can also be mapped to other standards, such as ISO/IEC 27001 and ISO/IEC 27017:2015, to facilitate compliance and assurance activities.
NIST SP 800-146 is a publication from the National Institute of Standards and Technology (NIST) that provides an overview of cloud computing, its characteristics, service models, deployment models, benefits, challenges and considerations. NIST SP 800-146 is not a standard, but rather a reference document that can help organizations to understand the basics of cloud computing and its implications for information security. NIST SP 800-146 does not provide specific guidance or controls for cloud services, but rather refers to other standards and frameworks, such as ISO/IEC 27001 and CSA CCM, for more detailed information on cloud security. References :=
✑ ISO/IEC 27017:2015 - Information technology — Security techniques ??
✑ ISO/IEC 27017:2015(en), Information technology ? Security techniques ??
✑ ISO 27017 Certification - Cloud Security Services | NQA
✑ An introduction to ISO/IEC 27017:2015 - 6clicks
✑ ISO/IEC 27017:2015 - Information technology — Security techniques ??
✑ [Cloud Controls Matrix | Cloud Security Alliance]
✑ [NIST Cloud Computing Synopsis and Recommendations]