Cloud Auditing Knowledge

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

The CCAK certificate, jointly developed by ISACA and the Cloud Security Alliance, validates expertise in auditing cloud computing systems. It covers cloud governance, cloud compliance, the CSA STAR program, the Cloud Controls Matrix (CCM), CAIQ, and the unique audit considerations for IaaS, PaaS, and SaaS environments.

Who Should Take This

IT auditors, compliance officers, security professionals, and risk practitioners who audit or assess cloud-based environments. Assumes baseline IT audit knowledge (CISA-level or equivalent) and cloud literacy. Learners finish able to plan, execute, and report on cloud audits using the CSA STAR program and the Cloud Controls Matrix.

What's Included in AccelaStudy® AI

  • Adaptive Knowledge Graph
  • Practice Questions
  • Lesson Modules
  • Console Simulator Labs
  • Exam Tips & Strategy
  • 13 Activity Formats

Course Outline

1. Cloud Governance
3 topics

Cloud Governance Frameworks

  • Identify the components of a cloud governance program: policy, organization, processes, controls, and measurement.
  • Identify NIST SP 500-292 and ISO/IEC 17789 as foundational cloud reference architectures and describe their roles in audit planning.
  • Apply a cloud governance framework to a sample organization adopting public cloud, identifying the gaps from on-prem governance.

Cloud Strategy and Risk Tolerance

  • Describe how a cloud strategy aligns with business objectives, risk tolerance, and regulatory obligations.
  • Apply a cloud-suitability assessment to determine which workloads should move to which service model (IaaS/PaaS/SaaS).
  • Analyze a 'cloud-first' policy that produced regulatory non-compliance and identify the governance failures that allowed it.

Roles and Responsibilities

  • Define the shared responsibility model and identify which security and compliance responsibilities fall to the customer vs the cloud provider in each service model.
  • Apply RACI mapping to a cloud workload across IaaS, PaaS, and SaaS to clarify accountability for audit findings.

2. Cloud Compliance Programs
4 topics

CSA STAR Program

  • Identify the three CSA STAR levels: Level 1 (self-assessment via CAIQ), Level 2 (third-party attestation), Level 3 (continuous monitoring).
  • Describe how CSA STAR registry entries can be used as preliminary evidence in a customer's cloud due-diligence.
  • Apply STAR Level 2 selection guidance to a SaaS provider and identify whether SOC 2 + CCM mapping or ISO 27001 + CCM mapping is most appropriate.

Cloud Controls Matrix (CCM)

  • Identify the CCM v4 control domains and recognize the CCM as the canonical control taxonomy referenced by STAR and the CAIQ.
  • Apply CCM to map a customer's existing security controls to cloud-specific control objectives, identifying gaps.
  • Analyze a CCM-based audit finding and determine whether the responsibility for remediation lies with the provider, the customer, or both.

CAIQ and Provider Due Diligence

  • Describe the CAIQ as a structured questionnaire mapping to CCM controls, used by customers to evaluate cloud providers.
  • Apply CAIQ review to a vendor selection scenario, identifying responses that warrant deeper investigation or compensating controls.

Sector-Specific Compliance

  • Identify FedRAMP, HIPAA, PCI DSS, GDPR, and SOX as the most common compliance regimes affecting cloud audits.
  • Apply compliance-mapping when a single cloud workload must satisfy multiple regimes (e.g., HIPAA + PCI + state privacy laws).

3. Cloud Audit Methodology
4 topics

Audit Planning for Cloud

  • Identify the cloud-specific audit planning steps: scope definition, provider/customer responsibility split, evidence sources, sampling strategy.
  • Apply audit planning to a hybrid cloud engagement spanning IaaS, SaaS, and on-prem components and identify scope risks.

Evidence Collection in Cloud

  • Identify common cloud evidence sources: provider attestations (SOC 2, ISO 27001), CloudTrail/Activity Logs, configuration snapshots, IAM policies, key management logs.
  • Apply evidence-collection procedures that respect provider boundaries and identify what cannot be directly tested by the customer.
  • Analyze a scenario where customer-collected logs disagree with provider attestations and propose a reconciliation procedure.

Control Testing

  • Identify the four standard control test types: inquiry, observation, inspection, re-performance — and how each adapts to cloud environments.
  • Apply control-testing techniques to a cloud IAM control, an encryption control, and a backup/restoration control.

Continuous Auditing

  • Define continuous auditing in cloud and identify representative tooling (CSPM, AWS Config rules, Azure Policy, GCP Security Health Analytics).
  • Apply continuous-auditing rule design for a cloud environment with strict change-management requirements.

4. Cloud-Specific Risks and Controls
4 topics

Multitenancy and Isolation

  • Identify multitenancy as a foundational cloud property and the common isolation mechanisms used to manage it (VPC, namespace, tenant column, separate subscription).
  • Apply isolation testing for a SaaS application that claims tenant isolation and identify the audit procedures that validate the claim.

Data Residency and Sovereignty

  • Define data residency, data sovereignty, and data localization and identify the audit implications of each.
  • Apply residency-testing procedures for a workload subject to GDPR and a national data residency law (e.g., Russia, China, India).
  • Analyze a 'data crossed jurisdictional boundaries' finding and trace the controls (region selection, replication policies, content-delivery routing) that should have prevented it.

Identity, Access, and Encryption

  • Identify the audit considerations for cloud IAM: federated identity, role assumption, privileged access, key rotation, ephemeral credentials.
  • Apply audit testing for cloud encryption: KMS key policies, BYOK/HYOK arrangements, key rotation evidence, and crypto-erase procedures.

Supply Chain and Sub-Processor Risk

  • Identify cloud supply-chain audit concerns: sub-processors, fourth-party risk, software supply chain (open-source, container images), and provider acquisition events.
  • Apply sub-processor due-diligence procedures using the provider's published sub-processor list and contractual flow-down requirements.

5. Audit Reporting and Continuous Improvement
3 topics

Audit Findings and Reporting

  • Identify the cloud-specific elements of an audit report: provider control reliance, customer-side findings, shared-responsibility gaps, residual risk.
  • Apply audit-finding categorization (provider, customer, shared) to a sample finding list and explain how each category drives different remediation paths.

Provider Reliance and Carve-Out

  • Define inclusive vs carve-out treatment of sub-service organizations in SOC 2 reports and identify the audit implications of each.
  • Analyze a SOC 2 report with a carve-out for the underlying IaaS provider and identify the additional audit work required to fill that gap.

Continuous Improvement

  • Apply continuous-improvement practices: tracking remediations, retesting controls, updating CAIQ/CCM mappings as the environment evolves.
  • Apply post-audit retrospectives to identify systemic gaps in cloud governance vs spot-finding fixes.

6. Cloud Audit Tooling and Future Trends
7 topics

CSPM and Cloud Posture Tooling

  • Identify CSPM tooling (AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center, Wiz, Prowler, ScoutSuite) and describe what each contributes to audit evidence.
  • Apply CSPM scanning to produce baseline compliance evidence and triage findings for audit relevance.

AI/ML in Audit

  • Identify the auditor's use of AI/ML for log anomaly detection, control-effectiveness scoring, and questionnaire-evidence triage.
  • Analyze the risks introduced when an audit tool uses ML inference: explainability, sampling bias, training-data leakage, and audit-trail completeness.

Cloud-Native Compliance Automation

  • Identify policy-as-code tooling (OPA, Sentinel, Cedar) used to enforce cloud compliance pre-deployment.
  • Apply policy-as-code review for an organization that uses Terraform + tfsec + OPA to gate deployments and identify audit-evidence sources.

Emerging Risks

  • Identify emerging cloud audit topics: confidential computing, post-quantum readiness, AI-workload sovereignty, and FinOps-aligned cost controls.
  • Analyze a confidential-computing workload claim (Intel SGX, AMD SEV-SNP, Azure Confidential Computing, GCP Confidential VMs) and identify the audit procedures that validate the claim.
  • Apply post-quantum-readiness assessment for a long-data-retention workload and identify the inventory and migration steps required.

Cloud-Native Logging and Forensics

  • Identify the cloud-native log sources required for forensic-grade audit evidence: control-plane logs (CloudTrail/Activity/Audit), data-plane logs, IAM auth logs, KMS use logs.
  • Apply log-retention policy mapping to regulatory requirements (HIPAA 6 yr, PCI 1 yr, SOX 7 yr) and identify the resulting cloud configuration choices.
  • Analyze a forensic-readiness gap where logs were deleted before incident detection and propose preventative controls (immutable log archive, write-once policy, multi-account log aggregation).

Multi-Cloud and Hybrid Audit

  • Identify the audit complications of multi-cloud and hybrid environments: control-framework drift, divergent terminology, fragmented log aggregation, inconsistent identity.
  • Apply a unified-control framework (CCM-mapped) to a multi-cloud audit so findings are comparable across providers.

Audit Reporting Tools

  • Identify common audit-reporting and GRC tooling: ServiceNow GRC, Archer, MetricStream, Hyperproof, Drata, Vanta — and identify their roles in cloud audit.
  • Apply audit-evidence collection to a GRC platform that integrates directly with cloud APIs, and analyze the trade-offs vs manual evidence.
  • Apply audit-trail completeness review across the GRC tool, the cloud provider, and any third-party SaaS integrations.
  • Identify the value of standardizing audit deliverables across providers and engagements: shared templates, version-controlled workpapers, and reusable mapping libraries.

Scope

Included Topics

  • Cloud governance, risk, and compliance frameworks (NIST, ISO/IEC 27001, 27017, 27018, FedRAMP, SOC 2).
  • CSA STAR program: Level 1 (self-assessment), Level 2 (third-party audit), Level 3 (continuous monitoring).
  • Cloud Controls Matrix (CCM) v4 and Consensus Assessments Initiative Questionnaire (CAIQ).
  • Shared responsibility model and audit considerations for IaaS, PaaS, and SaaS.
  • Cloud audit lifecycle: planning, evidence collection, control testing, reporting.
  • Cloud-specific risks: multitenancy, data residency, lock-in, supply chain, identity federation.
  • Continuous auditing and continuous compliance in cloud environments.
  • Privacy regulations affecting cloud audits (GDPR, HIPAA, CCPA, sector-specific).
  • Major cloud providers' compliance programs (AWS Artifact, Azure Trust Center, GCP Compliance Reports).

Not Covered

  • Pen-testing techniques or hands-on cloud configuration.
  • Detailed coverage of any single cloud provider's services beyond audit-relevant context.
