CCAK Exam Details

  • Exam Code
    :CCAK
  • Exam Name
    :Certificate of Cloud Auditing Knowledge
  • Certification
    :Isaca Certifications
  • Vendor
    :Isaca
  • Total Questions
    :232 Q&As
  • Last Updated
    :Jul 12, 2026

Isaca CCAK Online Questions & Answers

  • Question 51:

    In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

    A. passed to the sub cloud service providers based on the sub cloud service providers' geographic location.
    B. passed to the sub cloud service providers.
    C. treated as confidential information and withheld from all sub cloud service providers.
    D. treated as sensitive information and withheld from certain sub cloud service providers.

  • Question 52:

    Which industry organization offers both security controls and cloud-relevant benchmarking?

    A. Cloud Security Alliance (CSA)
    B. SANS Institute
    C. International Organization for Standardization (ISO)
    D. Center for Internet Security (CIS)

  • Question 53:

    To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:

    A. develop a cloud audit plan on the basis of a detailed risk assessment.
    B. schedule the audits and monitor the time spent on each audit.
    C. train the cloud audit staff on current technology used in the organization.
    D. monitor progress of audits and initiate cost control measures.

  • Question 54:

    With regard to the Cloud Control Matrix (CCM), the `Architectural Relevance' is a feature that enables the filtering of security controls by:

    A. relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF), and the Zachman Framework for Enterprise Architecture.
    B. relevant delivery models such as Software as a Service, Platform as a Service, Infrastructure as a Service.
    C. relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.
    D. relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.

  • Question 55:

    Which of the following is a corrective control that may be identified in a SaaS service provider?

    A. Log monitoring
    B. Penetration testing
    C. Incident response plans
    D. Vulnerability scan

  • Question 56:

    When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:

    A. shared.
    B. avoided.
    C. transferred.
    D. maintained.

  • Question 57:

    Which of the following cloud environments should be a concern to an organization s cloud auditor?

    A. The cloud service provider s data center is more than 100 miles away.
    B. The technical team is trained on only one vendor Infrastructure as a Service (laaS) platform, but the organization has subscribed to another vendor's laaS platform as an alternative.
    C. The organization entirely depends on several proprietary Software as a Service (SaaS) applications.
    D. The failover region of the cloud service provider is on another continent.

  • Question 58:

    What is below the waterline in the context of cloud operationalization?

    A. The controls operated by the customer
    B. The controls operated by both
    C. The controls operated by the cloud access security broker (CASB)
    D. The controls operated by the cloud service provider

  • Question 59:

    Under GDPR, an organization should report a data breach within what time frame?

    A. 72 hours
    B. 2 weeks
    C. 1 week
    D. 48 hours

  • Question 60:

    Which best describes the difference between a type 1 and a type 2 SOC report?

    A. A type 2 SOC report validates the operating effectiveness of controls whereas a type 1 SOC report validates the suitability of the design of the controls.
    B. A type 2 SOC report validates the suitability of the design of the controls whereas a type 1 SOC report validates the operating effectiveness of controls.
    C. A type 1 SOC report provides an attestation whereas a type 2 SOC report offers a certification.
    D. There is no difference between a type 2 and type 1 SOC report.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Isaca exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CCAK exam preparations and Isaca certification application, do not hesitate to visit our Vcedump.com to find your solutions here.