nerdexam
Isaca

CCAK · Question #20

Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will C

The correct answer is A. No. CCM must be completed with definitions established by the CSP because of its relevance to. CCM (Cloud Controls Matrix) is a comprehensive control framework, but it is not self-sufficient on its own. It must be supplemented with CSP-specific definitions, service descriptions, and operational context because controls must be interpreted and implemented differently depend

Cloud Risk Management

Question

Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?

Options

  • ANo. CCM must be completed with definitions established by the CSP because of its relevance to
  • BYes. CCM suffices since it maps a huge library of widely accepted frameworks.
  • CYes. When implemented in the right manner. CCM alone can help to measure, assess and monitor
  • DNo. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed

How the community answered

(28 responses)
  • A
    93% (26)
  • B
    4% (1)
  • C
    4% (1)

Explanation

CCM (Cloud Controls Matrix) is a comprehensive control framework, but it is not self-sufficient on its own. It must be supplemented with CSP-specific definitions, service descriptions, and operational context because controls must be interpreted and implemented differently depending on the specific cloud services, deployment models, and technologies in use. While CCM maps to many widely accepted frameworks (ISO 27001, NIST, PCI DSS, etc.), it does not capture every nuance of a particular CSP's environment, contractual obligations, or the unique risk profile of the customer's use case. A complete cloud assessment program requires CCM as a foundation plus CSP-specific and organization-specific additions.

Topics

#CCM#Cloud Controls#Shared Responsibility Model#Cloud Risk Management

Community Discussion

No community discussion yet for this question.

Full CCAK Practice