What legal documents should be provided to the auditors in relation to risk management?
A. Enterprise cloud strategy and policy
B. Contracts and service level agreements (SLAs) of cloud service providers
C. Policies and procedures established around third-party risk assessments
D. Inventory of third-party attestation reports
Answer: B
Explanation:
Contracts and SLAs are legal documents that define the roles, responsibilities, expectations, and obligations of both the cloud service provider (CSP) and the cloud customer. They also specify the terms and conditions for service delivery, performance, availability, security, compliance, data protection, incident response, dispute resolution, liability, and termination. An auditor should review these documents to assess the alignment of the CSP’s services with the customer’s business requirements and risk appetite, as well as to identify any gaps or inconsistencies that may pose legal risks.
Reference: ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 35-36; Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v4.0, 2021, GRM-01: Contracts and SLAs