Isaca Updated CCAK Exam Questions and Answers by milan

According to the CCAK Study Guide, the business continuity management and operational resilience strategy of the cloud customer should be formulated jointly with the cloud service provider, as they share the responsibility for ensuring the availability and recoverability of the cloud services. The strategy should cover all aspects of business continuity and resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption. These activities include prevention, mitigation, response, recovery, restoration, and improvement. The strategy should also define the roles and responsibilities of both parties, the communication channels and escalation procedures, the testing and exercising plans, and the review and update mechanisms1

The other options are not correct because:

• Option B is not correct because the strategy should not only be developed within the acceptable limits of the risk appetite, but also aligned with the business objectives and stakeholder expectations of both parties. The risk appetite is only one of the factors that influence the strategy formulation1
• Option C is not correct because the strategy should not only cover the activities required to continue and recover prioritized activities within identified time frames and agreed capacity, but also consider the activities for before and after a disruption, such as prevention, mitigation, improvement, etc. The strategy should also include other elements such as roles and responsibilities, communication channels, testing plans, etc1

References: 1: ISACA, Cloud Security Alliance. Certificate of Cloud Auditing Knowledge (CCAK) Study Guide. 2021. pp. 83-84.

According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the cloud customer is the entity that retains accountability for the business outcome of the system or the processes that are supported by the cloud service1. The cloud customer is also responsible for ensuring that the cloud service meets the legal, regulatory, and contractual obligations that apply to the customer’s business context1. The cloud customer should also perform due diligence and risk assessment before selecting a cloud service provider, and establish a clear and enforceable contract that defines the roles and responsibilities of both parties1.

The cloud user is the entity that uses the cloud service on behalf of the cloud customer, but it is not necessarily accountable for the compliance of the service1. The cloud service provider is the entity that makes the cloud service available to the cloud customer, but it is not accountable for the compliance of the customer’s business context1. The certification authority (CA) is an entity that issues digital certificates to verify the identity or authenticity of other entities, but it is not accountable for the compliance of the cloud service2. References:

• ISACA Cloud Auditing Knowledge Certificate Study Guide, page 10-11.
• Certification authority - Wikipedia

Periodic documentation review is a critical process that helps organizations identify control gaps and shortcomings, particularly in the context of cloud computing. This process involves regularly examining the documentation of processes, controls, and policies to ensure they are up-to-date and effective. It allows an organization to verify that the controls are operating as intended and to discover any areas where the controls may not fully address the organization’s requirements or the unique risks associated with cloud services. By conducting these reviews, organizations can maintain compliance with relevant regulations and standards, and ensure continuous improvement in their cloud security posture.

References = The significance of periodic documentation review is highlighted in cloud auditing and security best practices, as outlined by the Cloud Security Alliance (CSA) and the Certificate of Cloud Auditing Knowledge (CCAK) program12. These resources emphasize the importance of regular reviews as part of a comprehensive cloud governance and compliance strategy.

 The primary component to determine the success or failure of an organization’s cloud compliance program is mapping who possesses the information and data that should drive the compliance goals. This is because the cloud compliance program should be aligned with the organization’s business objectives and risk appetite, and the information and data that support these objectives and risks are often distributed across different cloud service providers, business units, and stakeholders. Therefore, it is essential to identify who owns, controls, and accesses the information and data, and how they are protected, processed, and shared in the cloud environment. This is part of the Cloud Control Matrix (CCM) domain COM-02: Data Governance, which states that "The organization should have a policy and procedures to manage data throughout its lifecycle in accordance with regulatory requirements, contractual obligations, and industry standards."1 References := CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 53