ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A company that processes payment card data uses a public IaaS provider for its e-commerce platform. When the internal audit team begins planning an upcoming PCI-DSS assessment, they discover that several required controls, such as physical security of the data center and hypervisor hardening, are managed entirely by the cloud provider. To prevent gaps in evidence collection, which stakeholder should the audit team engage first to clarify control ownership and arrange timely access to relevant artifacts?
The cloud service provider's dedicated compliance or audit liaison
The organization's Data Protection Officer (DPO)
The acquiring bank's PCI Qualified Security Assessor (QSA)
The internet service provider's network operations center
Correct answer: the cloud service provider's dedicated compliance or audit liaison. For controls that fall under the cloud provider's portion of the shared-responsibility model, such as data-center physical security and hypervisor management, the audit team must coordinate with the cloud service provider (CSP). Engaging the CSP's compliance or audit liaison at the start of planning ensures everyone understands which party owns each PCI-DSS control, what evidence will be supplied (for example, the CSP's own PCI-DSS Attestation of Compliance and shared-responsibility matrix, supplemented by SOC 1/SOC 2 or ISO 27001 reports), and how on-site visits or documentation reviews will be scheduled. This is also what PCI-DSS itself expects: the assessed entity must document which requirements are managed by each third-party service provider and which it manages itself, and that split cannot be confirmed without the provider. Other parties, such as the organization's data protection officer, the acquiring bank's QSA, or the ISP, can support the effort, but none of them can supply evidence for controls implemented solely by the CSP. Therefore, the CSP's compliance representative is the critical stakeholder to involve first.
Legal, Risk and Compliance