Isaca Certificate of Cloud Auditing Knowledge CCAK Question # 3 Topic 1 Discussion

CCAK Exam Topic 1 Question 3 Discussion:

Question #: 3

Topic #: 1

Which of the following would be the MOST critical finding of an application security and DevOps audit?

Certifications with global security standards specific to cloud are not reviewed, and the impact of noted findings are not assessed.

Application architecture and configurations did not consider security measures.

Outsourced cloud service interruption, breach, or loss of stored data occurred at the cloud service provider.

The organization is not using a unified framework to integrate cloud compliance with regulatory requirements

Get Premium CCAK Questions

Explanation

According to the web search results, the most critical finding of an application security and DevOps audit would be that the application architecture and configurations did not consider security measures. This finding indicates a serious lack of security by design and security by default principles, which are essential for ensuring the confidentiality, integrity, and availability of the application and its data . If the application architecture and configurations are not secure, they could expose the application to various threats and vulnerabilities, such as unauthorized access, data breaches, denial-of-service attacks, injection attacks, cross-site scripting attacks, and others . This finding could also result in non-compliance with relevant security standards and regulations, such as ISO 27001, PCI DSS, GDPR, and others . Therefore, this finding should be addressed with high priority and urgency by implementing appropriate security measures and controls in the application architecture and configurations.

The other options are not as critical as option B. Option A is a moderate finding that indicates a lack of awareness and assessment of the global security standards specific to cloud, such as ISO 27017, ISO 27018, CSA CCM, NIST SP 800-53, and others . This finding could affect the security and compliance of the cloud services used by the application, but it does not directly impact the application itself. Option C is a severe finding that indicates a major incident that occurred at the cloud service provider level, such as a service interruption, breach, or loss of stored data. This finding could affect the availability, confidentiality, and integrity of the application and its data, but it is not caused by the application itself. Option D is a minor finding that indicates a lack of efficiency and consistency in integrating cloud compliance with regulatory requirements. This finding could affect the compliance posture of the application and its data, but it does not directly impact the security or functionality of the application. References:

[Application Security Best Practices - OWASP]

[DevSecOps: What It Is and How to Get Started - ISACA]

[Cloud Security Standards: What to Expect & What to Negotiate - CSA]

[Cloud Computing Security Audit - ISACA]

[Cloud Computing Incident Response - ISACA]

[Cloud Compliance: A Framework for Using Cloud Services While Maintaining Compliance - ISACA]

Actual exam question for Isaca CCAK exam by Arlo30532 at Aug 3, 2025, 12:00:00 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certificate of Cloud Auditing Knowledge CCAK Question # 3 Topic 1 Discussion

Isaca Certificate of Cloud Auditing Knowledge CCAK Question # 3 Topic 1 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certificate of Cloud Auditing Knowledge CCAK Question # 3 Topic 1 Discussion

Isaca Certificate of Cloud Auditing Knowledge CCAK Question # 3 Topic 1 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval