ISC2 Certified Cloud Security Professional (CCSP) Practice Question

Your organization maintains an ISO/IEC 27001-certified ISMS. After migrating a critical payment application to an IaaS provider, the internal audit team needs evidence that controls at the provider's facility are operating effectively. Which approach best satisfies the ISMS's requirement for objective evidence without breaching the provider's shared-responsibility boundaries?

Rely on the provider's publicly posted ISO/IEC 27001 certificate as complete proof of control operation.
Require the provider to forward raw hypervisor audit logs to the company's SIEM every day.
Request and review the provider's most recent SOC 2 Type II report covering the physical and virtualization controls.
Conduct quarterly on-site penetration tests inside the provider's data center.

Report Issue

Answer Description

A SOC 2 Type II report is an independent attestation that describes the provider's relevant control objectives, details the tests performed by the external auditor, and states whether the controls were operating effectively over a defined period. Reviewing this report provides objective, time-bound evidence that internal auditors can place reliance on while keeping within the provider's normal assurance mechanisms.

Penetration tests performed on-site by the customer would violate most providers' policies and are rarely permitted.
Receiving daily hypervisor logs would place an unrealistic operational burden on both parties and still would not demonstrate that the controls were tested by an independent party.
An ISO/IEC 27001 certificate alone confirms that the provider has an ISMS in place, but it does not give visibility into how individual controls operated during the certification period and therefore provides insufficient evidence for the customer's ISMS.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.