Exam CISA topic 1 question 1800 discussion

A Cloud Access Security Broker (CASB) is used to monitor and enforce security policies for cloud applications. The most important aspect for an IS auditor to verify is whether cloud services are classified based on risk, sensitivity, and criticality

Among the options, classifying cloud services (A) stands out as the most important for the auditor to verify. It underpins the CASB’s ability to provide visibility, enforce risk-based policies, and protect the organization’s cloud environment effectively. Without proper classification, the CASB cannot prioritize its security measures, potentially leaving critical services vulnerable or over-restricting benign ones. While central user management, resilient processes, and periodic recertification contribute to overall security, they are either supplementary to or outside the CASB’s primary role. Industry best practices, such as those from Gartner, also highlight service discovery and classification as foundational to CASB deployments, reinforcing this conclusion.

Answer A, When reviewing a Cloud Access Security Broker (CASB) solution, it is most important to ensure that cloud services are classified because the CASB's primary role is to monitor, control, and secure cloud usage. Proper classification of cloud services ensures that the organization understands the risks associated with different types of services (e.g., IaaS, SaaS, PaaS) and can enforce appropriate policies, such as data security, compliance, and user access.

You need centralized management. A just assumes you need classification in your cloud services which is not always the case.