Which of the following can BEST help to gain the required information?

An auditor wants to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. Which of the following can BEST help to gain the required information?
A. ISAE 3402 report
B. ISO/IEC 27001 certification
C. SOC1 Type 1 report
D. SOC2 Type 2...

March 15, 2025

When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

A. cloud user.
B. cloud service provider.
C. cloud customer.
D. certification authority (CA)
Answer: C
Explanation: According to the ISACA...

March 8, 2025

Which of the following is an example of availability technical impact?

A. The cloud provider reports a breach of customer personal data from an unsecured server.
B. A hacker using a stolen administrator identity alters the discount percentage in the product database.
C. A distributed denial of service (DDoS) attack...

March 5, 2025

During the planning phase of a cloud audit, the PRIMARY goal of a cloud auditor is to:

A. specify appropriate tests.
B. address audit objectives.
C. minimize audit resources.
D. collect sufficient evidence.
Answer: B
Explanation: According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the primary goal of...

March 4, 2025

Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:

A. are the asset with private IP addresses.
B. are generally the most exposed part.
C. could be poorly designed.
D. act as a very effective backdoor.
Answer: B
Explanation: APIs are likely to be...

March 3, 2025

Which of the following should be an assurance requirement when an organization is migrating to a Software as a Service (SaaS) provider?

A. Location of data
B. Amount of server storage
C. Access controls
D. Type of network technology
Answer: C
Explanation: Access controls are an assurance requirement when an...

March 3, 2025

An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:

A. obtain the ISO/IEC 27001 certification from an accredited certification body (CB) following the ISO/IEC 17021-1 standard.
B. determine whether the organization can be considered fully compliant with the mapped...

March 2, 2025

Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:

A. client organization has a clear understanding of the provider's suppliers.
B. suppliers are accountable for the provider's service that they are providing.
C. client organization does not need to...

March 1, 2025

Which of the following methods can be used by a cloud service provider with a cloud customer that does not want to share security and control information?

A. Nondisclosure agreements (NDAs)
B. Independent auditor report
C. First-party audit
D. Industry certifications
Answer: B
Explanation: An independent auditor report is a...

February 26, 2025

What is a sign that an organization has adopted a shift-left concept of code release cycles?

A. Large entities with slower release cadences and geographically dispersed systems
B. A waterfall model to move resources through the development to release phases
C. Maturity of start-up entities with high-iteration to low-volume code...

February 26, 2025