ISC2 Certified Cloud Security Professional (CCSP) Practice Question

While assessing a prospective IaaS provider, your internal audit team needs a cloud-specific control baseline that already maps its requirements to multiple international standards so they can quickly perform a control gap analysis across areas such as identity, application security, and virtualization. Which document would BEST satisfy this requirement?

Cloud Security Alliance Cloud Controls Matrix (CCM)
ISO/IEC 27002 security control guidelines
Payment Card Industry Data Security Standard (PCI DSS) v4.0
NIST Special Publication 800-171

Report Issue

Answer Description

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) was created specifically for cloud environments and provides a comprehensive set of cloud security controls mapped to numerous other frameworks and regulations (for example, ISO/IEC 27001, NIST SP 800-53, PCI DSS, and GDPR). Using the CCM as the reference baseline therefore allows auditors to spot control gaps and overlaps efficiently.

NIST SP 800-171 focuses on protecting controlled unclassified information in non-federal systems and is not cloud-specific. ISO/IEC 27002 offers general information-security guidelines but lacks built-in cross-mapping to multiple cloud standards. PCI DSS v4.0 is limited to card-holder data environments and does not cover the full breadth of cloud control domains required for a comprehensive gap analysis.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.