Question 29
In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?
Correct answer: A
Explanation
The Service Provider control applies because it requires the provider to “inform customers of compliance impact and risk” when customer data is used in delivering the service. That duty is tied to the provider’s role in handling customer data and advising on any resulting compliance effects.
Why each option is right or wrong
A. Service Provider control
Under the Service Provider control, the cloud provider has an affirmative duty to disclose compliance impact and risk to customers when requested, particularly where customer data is processed or used in delivering the service. The control is triggered by the provider’s role as a processor/service provider, so the obligation to inform the customer about downstream compliance effects and associated risk sits with that control rather than a general security or privacy control.
B. Impact and Risk control
C. Data Inventory control
D. Compliance control