Exam CCAK topic 1 question 210 discussion

The BEST course of action for a cloud auditor to understand the provider's network security controls would be: C. Check the information provided by the cloud service provider. This option involves reviewing documentation, reports, and certifications provided by the cloud service provider, such as compliance with industry standards (e.g., ISO 27001, SOC 2) and details about their security controls. This information should give a comprehensive overview of the provider's network security measures. Additionally, cloud service providers often have established security practices and controls that have been externally audited, making this option both practical and efficient for understanding their security posture.

P# 153 The best sources of information for IaaS and PaaS services are the CSP documentation repositories. Mature CSPs include shared responsibility mappings against common frameworks, such as the AWS Standardized Architecture for NIST-based Assurance Frameworks. As a product consumer, CSPs should share under NDA their SOC II (Service Organization Controls II) type 2 assessment findings. A SOC II example from the Microsoft library requires customer sign-in prior to download. These documents should direct users to customer control responsibilities. Additionally, it is customary to have CSP experts onsite to assist further with implementing and configuring these controls.