Certificate of Cloud Auditing Knowledge Study Guide
Use the domain outline below to connect the exam domains (cloud governance, compliance, and assurance frameworks; cloud risk management and shared responsibility; cloud audit planning, execution, and reporting; cloud security controls and technical assurance) to the scenario-based questions and their explanations.
How the Exam Is Structured
The Certificate of Cloud Auditing Knowledge (CCAK) validates knowledge of cloud governance, compliance, and assurance frameworks; cloud risk management and shared responsibility; cloud audit planning, execution, and reporting; and cloud security controls and technical assurance. The ExamPal practice bank includes 111 premium questions and 40 free questions mapped across the official blueprint.
| Domain | Weight | Focus |
|---|---|---|
| Domain 1: Cloud Governance, Compliance, and Assurance Frameworks | 24% | Task 1.1: Establish and evaluate cloud governance structures aligned with business, regulatory, and risk requirements; Identify governance roles and accountability |
| Domain 2: Cloud Risk Management and Shared Responsibility | 20% | Task 2.1: Assess cloud risk management processes and risk ownership; Recognize and monitor cloud risks |
| Domain 3: Cloud Audit Planning, Execution, and Reporting | 18% | Task 3.1: Plan cloud audits using a risk-based methodology; Define audit planning elements |
| Domain 4: Cloud Security Controls and Technical Assurance | 22% | Task 4.1: Assess identity, access management, and authentication controls; Evaluate password and authentication policies |
| Domain 5: Incident Response, Resilience, and Operational Continuity in the Cloud | 16% | Task 5.1: Assess cloud incident response readiness and responsibilities; Define incident response roles |
Domain 1: Cloud Governance, Compliance, and Assurance Frameworks (24% of exam)
Covers cloud governance structures, compliance program design, control frameworks, assurance mechanisms, supply chain obligations, and audit/compliance tooling. This domain emphasizes aligning cloud oversight with business, regulatory, contractual, and risk requirements, including use of CSA CCM, STAR, SOC, ISO, and related crosswalks.
Domain 2: Cloud Risk Management and Shared Responsibility (20% of exam)
Covers cloud risk management processes, shared responsibility across service models, migration risk, data governance and privacy, and business/technical impact analysis. The domain emphasizes risk ownership, reassessment triggers, and the interaction of contracts, policies, and technical controls.
Domain 3: Cloud Audit Planning, Execution, and Reporting (18% of exam)
Covers risk-based audit planning, initiation and coordination, evidence evaluation, control testing, and reporting of cloud audit results. The domain emphasizes audit scope, reliance on third-party assurance, evidence quality, testing methods, and communicating findings and residual risk.
Domain 4: Cloud Security Controls and Technical Assurance (22% of exam)
Covers identity and access management, network and infrastructure security, application and workload security, data protection, vulnerability management, and logging/monitoring. The domain focuses on evaluating technical controls and their operational effectiveness in cloud and virtualized environments.
Domain 5: Incident Response, Resilience, and Operational Continuity in the Cloud (16% of exam)
Covers incident response readiness, post-incident analysis, business continuity and resilience, service level agreements, and provider transparency/continuous oversight. The domain emphasizes cloud-specific incidents, threat-informed assessment, recovery objectives, and auditable service commitments.
Key Terms to Know
These terms are loaded from the shared terminology pack and appear across the question explanations.
- Accountability: The obligation of an assigned party to answer for outcomes, decisions, and compliance performance.
- Attack methods: Techniques and procedures used by adversaries to compromise systems or data.
- Cloud adoption approach: The organizational strategy and plan for selecting, implementing, and governing cloud services.
- Cloud compliance program: A structured set of policies, controls, roles, and processes to meet cloud-related legal and regulatory obligations.
- Cloud process owners: Individuals responsible for business processes that rely on cloud services and the controls supporting them.
- Cloud provider certifications: Formal attestations showing that a cloud service provider has been assessed against recognized standards.
- Cloud security controls: Administrative, technical, and physical safeguards implemented to protect cloud systems, services, and data.
- Compliance risk: The risk of legal, regulatory, or policy violations resulting from failure to meet applicable requirements.
- Continuous monitoring: An ongoing process of collecting, analyzing, and acting on security and compliance information in near real time.
- Continuous review: The ongoing assessment of controls to ensure they remain effective as threats and environments change.
- Control crosswalk: A mapping between control frameworks used to identify overlaps, gaps, and differences during framework transition.
- Cross-jurisdictional data storage: The storage of data across multiple legal or national boundaries, potentially subjecting it to multiple laws.
- Cryptographic keys: Secret values used by cryptographic algorithms to encrypt, decrypt, sign, or verify data.
- Customer management interface: The portal, API, or console customers use to administer and configure cloud services.
- Data breach: An incident in which sensitive, protected, or confidential data is accessed or disclosed without authorization.
- Flow-down requirements: Contractual or compliance obligations that must be passed from a primary provider to subcontractors.
- GDPR: The General Data Protection Regulation, an EU law governing the protection and processing of personal data.
- Health information: Sensitive personal data related to an individual’s physical or mental health, often subject to enhanced protection.
Official Materials and Guidance
This page is built from Cloud Security Alliance / ISACA official materials and the ExamPal shared release pack (the shared syllabus, topic tree, terminology pack, free pack, and premium pack).
- Guidance: CSA/ISACA official CCAK guidance and outline saved locally
- Domain outline: No official public percent split in the saved materials; covers cloud audit planning, governance/risk/compliance, CCM/STAR, cloud security controls, and continuous assurance.