Exam CCAK topic 1 question 23 discussion

Actual exam question from Isaca's CCAK
Question #: 23
Topic #: 1

To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:

  • A. ISO/IEC 27001:2013 controls.
  • B. maturity model criteria.
  • C. all Cloud Control Matrix (CCM) controls and TSPC security principles.
  • D. Cloud Control Matrix (CCM) and ISO/IEC 27001:2013 controls.
Suggested Answer: C

Comments

Auditor2020
2 months, 2 weeks ago
Selected Answer: C
To qualify for CSA STAR attestation, a cloud provider's SOC 2 report must cover specific criteria that align with the CSA's requirements. The correct answer is: C. all Cloud Control Matrix (CCM) controls and TSPC security principles. The CSA Security, Trust & Assurance Registry (STAR) attestation involves assessing a cloud service provider's security controls against the Cloud Control Matrix (CCM) and the Trust Services Criteria (TSC), formerly known as Trust Service Principles and Criteria (TSPC). This provides a comprehensive evaluation of the provider’s security posture and practices.
upvoted 1 times
...
SafiT
6 months, 1 week ago
CCAK - correct answer is C
upvoted 1 times
...
sai_murthy
1 year, 3 months ago
Selected Answer: C
CSA STAR Attestation—CSA STAR Attestation is an auditing procedure to report on the examination of the implementation of trust service principles (TSP) and cloud-specific control objectives (CCM). CSA STAR Attestation can be considered as a SOC 2 Type 2 attestation augmented by CCM requirements. It was created thanks to a collaboration between CSA and the American Institute of CPAs (AICPA) to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. CCAK Guide - Page: 372
upvoted 1 times
...
vsgsds
1 year, 3 months ago
Selected Answer: C
page 379
upvoted 1 times
...
ats20
1 year, 5 months ago
Selected Answer: D
To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover Cloud Control Matrix (CCM) and ISO/IEC 27001:2013 controls. The Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings. The CSA STAR attestation is a rigorous third-party independent assessment of cloud providers that is based on the Cloud Controls Matrix (CCM) and the ISO/IEC 27001:2013 standard. The CCM is a cybersecurity control framework for cloud computing that is considered the de-facto standard for cloud security and privacy. ISO/IEC 27001:2013 is an international standard that provides a framework for information security management systems (ISMS).
upvoted 1 times
...