ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and its associated CAIQ questionnaire provide a comprehensive set of cloud-specific control objectives mapped to multiple industry standards (e.g., ISO/IEC 27001, NIST 800-53). When a vendor completes the CCM/CAIQ, it documents how each of its cloud security controls aligns with these domains, giving the customer granular visibility into areas such as identity and access management, application security, and change management. An OWASP ASVS report focuses narrowly on application security and does not cover the breadth of cloud operational controls. A SOC 1 Type II report addresses financial reporting controls, not overall cloud security. A CVSS vulnerability scoring sheet lists specific flaws but does not map the organization's control environment to recognized cloud frameworks. Therefore, requesting the completed CSA CCM/CAIQ is the most effective way to assess the vendor's cloud control coverage.