
Free CCAK Practice Questions

10 free, exam-style Certificate of Cloud Auditing Knowledge (CCAK) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CCAK practice test to study every exam domain.

These 10 free CCAK questions are organized by exam domain, so you can see how each part of the Certificate of Cloud Auditing Knowledge blueprint is tested. Reveal the answer and explanation under each question.

Domain 1: Cloud Governance (18% of exam)

Question 1

During a compliance audit of a SaaS HR platform, the vendor's account manager states: 'Because we manage all infrastructure, operating systems, and application code, your security team carries no meaningful security responsibilities for this service.' An informed auditor should:

  A. Accept it - in SaaS, the vendor manages all meaningful layers including infrastructure, OS, middleware, and the application itself
  B. Partially accept - some responsibilities remain, but only for physical security of end-user hardware and devices
  C. Reject it - the customer still retains responsibility for OS-level hardening, patching, and runtime environment configuration
  D. Reject it - the customer always retains accountability for data classification, access entitlements, and service configuration

Correct answer: D - Reject it - the customer always retains accountability for data classification, access entitlements, and service configuration

Question 2

A corporation's board of directors formally approves an enterprise cloud policy defining permitted service categories, mandating encryption for all cloud-stored data, and establishing a board-level risk oversight committee for cloud decisions. According to COBIT 2019, this board activity is BEST aligned with which objective?

  A. APO12 - Managed Risk, within the Align, Plan, and Organize management domain
  B. DSS05 - Managed Security Services, within the Deliver, Service, and Support management domain
  C. EDM03 - Ensured Risk Optimization, within the Evaluate, Direct, Monitor governance domain
  D. BAI06 - Managed IT Changes, within the Build, Acquire, and Implement management domain

Correct answer: C - EDM03 - Ensured Risk Optimization, within the Evaluate, Direct, Monitor governance domain

Domain 2: Cloud Compliance Program (21% of exam)

Question 3

A European retail bank uses a SaaS-based CRM platform to manage 85,000 EU customer records. The SaaS provider experiences a security breach exposing those records and notifies the bank within 18 hours. The bank's legal team argues that since the breach originated entirely within the SaaS provider's systems, the bank has no obligation to notify the supervisory authority. This argument is:

  A. Correct - GDPR places primary accountability on the data processor for breaches within its own systems
  B. Incorrect - the bank, as data controller, must notify the supervisory authority within 72 hours
  C. Correct - unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
  D. Incorrect - the bank must also directly notify all 85,000 affected data subjects within 72 hours

Correct answer: B - Incorrect - the bank, as data controller, must notify the supervisory authority within 72 hours

Question 4

A cloud auditor evaluates two SaaS providers. Provider Alpha presents a SOC 2 report dated last week covering only the current assessment date, with no exceptions noted. Provider Beta presents a SOC 2 report dated four months ago covering a 12-month observation period, with no exceptions noted. Which statement BEST characterizes the relative assurance value of these two reports?

  A. Provider Alpha's is more reliable - a recently issued report reflects current control posture more accurately than a four-month-old report
  B. Both are equivalent - since neither report contains audit exceptions, the assurance value is the same
  C. Provider Beta's is more reliable - 12 months of operating effectiveness provides stronger assurance than a single-date assessment
  D. Neither can be fully relied on - both require validation through a concurrent ISO 27001 certificate

Correct answer: C - Provider Beta's is more reliable - 12 months of operating effectiveness provides stronger assurance than a single-date assessment

Domain 3: CCM and CAIQ: Goals, Objectives, and Structure (12% of exam)

Question 5

An auditor experienced with CCM v3.0.1 begins a new engagement using CCM v4 for the first time. She identifies a column present in v4 that did not exist in v3.0.1 and concludes it is the addition that most directly transforms CCM into an audit-ready framework. Which addition supports her conclusion?

  A. A 17th domain - CEK (Cryptography, Encryption & Key Management) - was separated from existing controls
  B. The CAIQ questionnaire is now fully integrated as a dedicated tab within the CCM spreadsheet workbook
  C. Expanded cross-framework mappings now cover GDPR, COBIT 2019, HIPAA, and the German BSI C5 Criteria Catalogue
  D. Per-control Auditing Guidelines specify what to examine, interview, test, and observe for each control

Correct answer: D - Per-control Auditing Guidelines specify what to examine, interview, test, and observe for each control

Domain 6: Cloud Auditing (15% of exam)

Question 6

An internal audit team plans to physically visit their IaaS provider's data center to observe access controls and environmental safeguards. The provider's standard contract prohibits customer on-site visits to shared infrastructure facilities. What is the MOST appropriate course of action for the audit team?

  A. Issue a qualified audit opinion citing scope limitation due to inability to perform direct observation
  B. Escalate to legal counsel to enforce a right-to-audit clause in the service contract before proceeding
  C. Document that the provider's physical controls cannot be verified and treat them as non-existent
  D. Obtain the provider's SOC 2 Type II report and ISO 27001 certificate as substitute assurance evidence

Correct answer: D - Obtain the provider's SOC 2 Type II report and ISO 27001 certificate as substitute assurance evidence

Domain 7: CCM: Auditing Controls (8% of exam)

Question 7

A cloud audit of a financial services firm produces three findings: (1) privileged cloud administrator accounts have no MFA enforced, (2) service accounts from a decommissioned project remain active with production-level permissions, and (3) privileged console sessions are neither recorded nor time-limited. These findings MOST directly indicate deficiencies in which CCM v4 domain?

  A. GRC - Governance, Risk and Compliance
  B. LOG - Logging and Monitoring
  C. SEF - Security Incident Management, E-Discovery and Cloud Forensics
  D. IAM - Identity and Access Management

Correct answer: D - IAM - Identity and Access Management

Domain 8: Continuous Assurance and Compliance (7% of exam)

Question 8

A post-incident review reveals that attackers exploited a critical vulnerability in an open-source XML parsing library bundled within the organization's cloud-hosted application. The CVE had been publicly disclosed 43 days before the incident. Which DevSecOps control, integrated into the CI/CD pipeline, would MOST directly have identified this risk before deployment?

  A. Static Application Security Testing (SAST) - analyzes proprietary source code for logic flaws and insecure patterns
  B. Dynamic Application Security Testing (DAST) - tests the running application for exploitable behavioral weaknesses
  C. Software Composition Analysis (SCA) - identifies known CVEs in third-party and open-source components
  D. Infrastructure as Code (IaC) scanning - detects security misconfigurations in cloud resource templates

Correct answer: C - Software Composition Analysis (SCA) - identifies known CVEs in third-party and open-source components

Question 9

An organization deploys a Cloud Security Posture Management (CSPM) tool that continuously scans all cloud configurations against CCM v4 controls and CIS Benchmarks, generating real-time alerts when deviations are detected. This capability MOST directly contributes to which objective?

  A. Continuous assurance - providing stakeholders with ongoing confidence that controls are operating effectively
  B. Continuous monitoring - maintaining real-time awareness of the environment's security and compliance posture
  C. Continuous auditing - automatically executing formal audit procedures to produce attestable findings
  D. Continuous certification - sustaining an active STAR certification through automated evidence submission

Correct answer: B - Continuous monitoring - maintaining real-time awareness of the environment's security and compliance posture

Domain 9: STAR Program (5% of exam)

Question 10

A cloud customer's procurement policy requires their IaaS provider to satisfy three assurance criteria: (1) assessment performed by an ISO 17021-1 accredited certification body, (2) independent evaluation of both ISO/IEC 27001 controls AND CCM v4 controls within a single engagement, and (3) a certificate that may be publicly disclosed. Which STAR Level 2 assessment type satisfies ALL three requirements?

  A. STAR Attestation (Type II) - performed by a licensed CPA firm under SOC 2 standards with CCM as additional criteria
  B. STAR Certification - performed by an ISO 17021-1 accredited certification body under ISO 27001 and CCM criteria
  C. STAR Level 1 CAIQ Submission - self-assessed by the CSP and published publicly to the STAR Registry
  D. C-STAR - performed by CCRC-approved assessors under CCM combined with applicable Chinese national standards

Correct answer: B - STAR Certification - performed by an ISO 17021-1 accredited certification body under ISO 27001 and CCM criteria
