ISC2 Certified Cloud Security Professional (CCSP) Practice Question
During a quarterly compliance review, your company's internal auditor needs evidence that snapshots of an application's databases stored in a public IaaS environment are encrypted at rest. She requests an on-site inspection of the cloud provider's storage arrays and hardware security modules. The provider declines, citing multitenant security restrictions, but offers a current SOC 2 Type II report that covers its encryption and key-management controls. Considering the impact of audit requirements on cloud operations, what is the most reasonable action to take next to satisfy the auditor?
Invoke the contract's right-to-audit clause and insist on an on-site inspection of the provider's storage hardware, threatening service termination if access is denied.
Migrate or replicate the database snapshots to on-premises storage so auditors can physically inspect the media themselves.
Review the offered SOC 2 Type II report and map its tested encryption controls to the organization's policy requirements.
Issue an eDiscovery request for all raw encryption logs and cryptographic key material maintained by the cloud provider.
Because customers typically cannot obtain physical access to a cloud provider's infrastructure, audit evidence is normally gathered through third-party assurance mechanisms such as SOC or ISO/IEC 27001 reports. A SOC 2 Type II report attests that controls were designed suitably and operated effectively over a review period (unlike a Type I report, which describes design at a single point in time), so reviewing the relevant control descriptions, the service auditor's test procedures, and the test results allows the internal auditor to verify that snapshot encryption and key management are operating effectively while respecting the provider's need to protect other tenants and proprietary details. The auditor should confirm that the report's scope and review period cover the storage service holding the snapshots and note any complementary user entity controls the customer itself must implement. Demanding a physical inspection or key material is unrealistic in a multitenant public cloud and would almost certainly violate the provider's security policies. Replicating all data on-premises solely for audit access is costly and does not address the original control objective. eDiscovery requests are used for litigation, not routine compliance testing, and would not grant physical access to hardware. Therefore, accepting the SOC 2 Type II report and mapping its tested controls to internal requirements is the correct approach.
CCSP domain: Legal, Risk and Compliance