Question 14
Unclassified
A cloud auditor is evaluating a cloud service provider's adherence to the Cloud Controls Matrix (CCM). The auditor needs to assess various aspects of the provider's operations. What areas should the auditor examine to provide a comprehensive evaluation? Select all that apply.
Correct answer: ACD
Explanation
The Cloud Security Alliance Cloud Controls Matrix (CCM) is organized into control domains that include identity and access management, cryptography and key management, security incident management, change control and configuration management, and data security and privacy lifecycle management. A comprehensive CCM-based evaluation therefore has to cover more than one domain: the provider's access control, encryption, and incident response policies and procedures (A), the effectiveness of its change management process and its integration with incident and problem management (C), and the transparency of where data is processed and how it is transferred, which is what lets the auditor judge compliance with data sovereignty requirements (D). Only the usability or appearance of the provider's interface (B) falls outside the CCM's scope.
Why each option is right or wrong
A. The CSP's policies and procedures for access control, data encryption, and incident response.
Correct. The CCM is organized around control domains that include identity and access management, cryptography and key management, and security incident management, so the auditor must inspect the provider's documented policies and operating procedures in those areas to verify implementation, not just stated intent. In practice this means checking that access is restricted, reviewed, and revoked on a defined schedule; that encryption of data at rest and in transit is specified, enforced, and backed by documented key management; and that incident handling is formally defined, exercised, and tracked against the relevant CCM control requirements.
B. The aesthetic appeal of the CSP's user interface to ensure it meets industry design standards.
Incorrect. The CCM is a security and assurance framework; none of its control domains address visual design or usability of the provider's interface, so this is not an area a CCM audit evaluates.
C. The effectiveness of the CSP's change management process and how well it is integrated with incident and problem management.
Correct. The CCM includes a change control and configuration management domain, and an effective change process that feeds into, and draws from, incident and problem management is part of what the auditor must verify: uncontrolled or undocumented changes are a common root cause of outages and security incidents, so the auditor should look for change approval records, testing and rollback procedures, and evidence that incidents and known problems are linked back to the changes that caused or resolved them.
D. The transparency of the CSP's data processing locations and data transfer mechanisms to assess compliance with data sovereignty laws.
Correct. The CCM's data security and privacy lifecycle management domain expects the provider to be transparent about where customer data is stored and processed and how it moves between locations. The auditor needs that information to determine whether the provider's handling of data satisfies the sovereignty and cross-border transfer obligations that apply to its customers.