ISACA CCAK Certificate of Cloud Auditing Knowledge Online Training
The questions for CCAK were last updated on Jul 18, 2025.
- Exam Code: CCAK
- Exam Name: Certificate of Cloud Auditing Knowledge
- Certification Provider: ISACA
- Latest update: Jul 18, 2025
What legal documents should be provided to the auditors in relation to risk management?
- A . Enterprise cloud strategy and policy
- B . Contracts and service level agreements (SLAs) of cloud service providers
- C . Policies and procedures established around third-party risk assessments
- D . Inventory of third-party attestation reports
In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?
- A . Database backup and replication guidelines
- B . System backup documentation
- C . Incident management documentation
- D . Operational manuals
The MOST critical concept for managing the building and testing of code in DevOps is:
- A . continuous build.
- B . continuous delivery.
- C . continuous integration.
- D . continuous deployment.
What is a sign that an organization has adopted a shift-left concept of code release cycles?
- A . Large entities with slower release cadences and geographically dispersed systems
- B . A waterfall model to move resources through the development to release phases
- C . Maturity of start-up entities with high-iteration to low-volume code commits
- D . Incorporation of automation to identify and address software code problems early
Which of the following can be used to determine whether access keys are stored in the source code or any other configuration files during development?
- A . Static code review
- B . Dynamic code review
- C . Vulnerability scanning
- D . Credential scanning
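The check the question points at is credential scanning: a pass over source and configuration files that looks for known credential formats and for secret-looking assignments whose values have the high entropy of a real key rather than a placeholder. The script below is an added example written for this page, not code from ISACA or from any CCAK material. It embeds a constructed sample file whose planted key pair is the example pair AWS publishes in its own documentation (AKIAIOSFODNN7EXAMPLE and its matching secret), so nothing live is exposed; the rule names, the 4.0 bits-per-character threshold and the minimum value length are assumptions chosen for base64-style secrets and would need tuning (a lower threshold for hex-only secrets, for instance) before use as a CI gate.

```python
import math
import re
import sys

# Constructed sample "source file" for this example. The key pair is the
# example pair from AWS documentation, not a live credential; the api_key
# line is a placeholder that a pure keyword match would flag but entropy
# scoring should not.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_key = "PLACEHOLDER_API_KEY"
region = "us-east-1"
"""

# Rule 1: credential formats with a fixed, recognisable shape.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Rule 2: an assignment to a secret-looking name whose quoted value is at
# least 16 characters and has high Shannon entropy. Both limits are
# assumptions tuned for this example.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(?P<name>[a-z0-9_]*(?:secret|token|password|passwd|api_key)[a-z0-9_]*)"""
    r"""\s*[=:]\s*['"](?P<value>[^'"]{16,})['"]"""
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value for base64-style secrets


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """Return one finding dict per suspected credential, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Fixed-format rules first: a hit here is high confidence regardless of entropy.
        for rule, rx in PATTERN_RULES.items():
            for m in rx.finditer(line):
                findings.append({"path": path, "line": lineno, "rule": rule, "match": m.group(0)})
        # Keyword-plus-entropy rule: suppresses placeholders like PLACEHOLDER_API_KEY.
        m = ASSIGNMENT_RE.search(line)
        if m:
            ent = shannon_entropy(m.group("value"))
            if ent >= ENTROPY_THRESHOLD:
                findings.append({
                    "path": path, "line": lineno, "rule": "high_entropy_secret",
                    "match": m.group("name"), "entropy": round(ent, 2),
                })
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan one file on disk; binary or unreadable files are skipped."""
    try:
        with open(path, encoding="utf-8") as fh:
            return scan_text(fh.read(), path)
    except (OSError, UnicodeDecodeError):
        return []


if __name__ == "__main__":
    # With no arguments, scan the embedded sample; otherwise scan the given files.
    # A non-zero exit lets this act as a pre-commit or CI gate.
    results = []
    for p in sys.argv[1:]:
        results.extend(scan_file(p))
    if not sys.argv[1:]:
        results = scan_text(SAMPLE_SOURCE, "app/settings.py")
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['match']})")
    sys.exit(1 if results else 0)
```

Run with no arguments it reports two findings from the sample, the AKIA-prefixed key ID on line 3 and the high-entropy secret on line 4, and ignores the placeholder on line 5. For an auditor the evidence to ask for is the equivalent rule set and its CI wiring, plus the exception process for suppressed findings, since a scanner that only matches keywords either drowns in placeholders or gets disabled.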
What is an advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?
- A . DAST is slower but thorough.
- B . Unlike SAST, DAST is a black box and programming language agnostic.
- C . DAST can dynamically integrate with most continuous integration and continuous delivery (CI/CD) tools.
- D . DAST delivers more false positives than SAST.
Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?
- A . Separation of production and development pipelines
- B . Ensuring segregation of duties in the production and development pipelines
- C . Role-based access controls in the production and development pipelines
- D . Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations
The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:
- A . facilitate an effective relationship between the cloud service provider and cloud client.
- B . enable the cloud service provider to prioritize resources to meet its own requirements.
- C . provide global, accredited, and trusted certification of the cloud service provider.
- D . ensure understanding of true risk and perceived risk by the cloud service users.
An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month.
Which of the following should be the BEST recommendation to reduce the provider’s burden?
- A . The provider can answer each customer individually.
- B . The provider can direct all customer inquiries to the information in the CSA STAR registry.
- C . The provider can schedule a call with each customer.
- D . The provider can share all security reports with customers to streamline the process.
Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?
- A . Documentation criteria for the audit evidence
- B . Testing procedure to be performed
- C . Processes and systems to be audited
- D . Updated audit work program