Domain 6: Legal, Risk & Compliance Review — 69 of 70

Domain 6 – Section B Review: Audit & Risk

CCSP Domain 6 — Legal, Risk & Compliance Section Review (15–20 min)
Section B tested audit evidence evaluation and risk management decision-making. Before moving to contracts and vendors, verify that you can evaluate audit reports critically and apply the right risk treatment to cloud scenarios.

These questions combine audit, SOC reports, risk assessment, and risk treatment. Focus on evidence quality, business impact, and formal process.


Scenario questions (10)


Question 1

A cloud customer receives a SOC 2 Type II report from their provider. The report covers January through June. The customer reviews it in December.

What is the PRIMARY concern?

A. Type II reports are only valid for six months
B. A six-month gap exists between the report period end and the review date, during which controls may have changed
C. The report should have covered a full calendar year
D. SOC 2 reports cannot be shared with customers

Answer & reasoning

Correct: B

A significant gap between the report period and review date means controls could have changed. The customer should request an updated report or bridge letter.


Question 2

An audit of a cloud provider's SOC 2 report reveals a carve-out for the provider's data center subcontractor.

What should the customer do?

A. Accept the report as sufficient since the main provider is audited
B. Request separate audit evidence for the subcontractor's physical security controls
C. Terminate the contract due to incomplete audit coverage
D. Ignore the carve-out since physical security is less important in the cloud

Answer & reasoning

Correct: B

Carve-outs mean the subcontractor's controls were not audited. For critical controls like physical security, the customer needs separate assurance.


Question 3

A risk assessment identifies a cloud-hosted system with a Single Loss Expectancy of $1,000,000 and Annual Rate of Occurrence of 0.05. The proposed mitigation costs $75,000 per year and reduces the ARO to 0.01.

Is the mitigation cost-justified?

A. Yes, any risk reduction is worthwhile
B. No, because the ARO is already low enough
C. No — Current ALE ($50,000) minus Mitigated ALE ($10,000) equals $40,000 savings, which is less than the $75,000 cost
D. Yes, because the SLE is very high

Answer & reasoning

Correct: C

Current ALE = $1M × 0.05 = $50,000. Mitigated ALE = $1M × 0.01 = $10,000. Annual savings = $40,000. Since the mitigation costs $75,000 but only saves $40,000, it is not cost-justified quantitatively.


Question 4

An organization identifies a high risk of government data access in a cloud region. They process classified data. The security team recommends encryption with customer-held keys.

Is this the MOST appropriate risk treatment?

A. No — risk transfer through insurance is the best approach
B. Yes, customer-held encryption keys prevent all unauthorized access
C. Yes, encryption fully eliminates the government access risk
D. No — for classified data with high government access risk, risk avoidance is more appropriate than mitigation alone

Answer & reasoning

Correct: D

For classified data, encryption alone may not prevent government-compelled access. Risk avoidance — not storing classified data in that jurisdiction — is more appropriate.


Question 5

A SOC 2 report lists Complementary User Entity Controls requiring the customer to implement MFA on all administrative accounts. The customer has not implemented MFA.

What is the impact?

A. The provider's security controls are not fully effective because the customer has not implemented their required portion
B. The customer needs a new SOC 2 report from the provider
C. No impact — complementary controls are optional recommendations
D. The provider's audit report is invalid

Answer & reasoning

Correct: A

Complementary User Entity Controls are required for the provider's controls to be fully effective. Customer gaps create gaps in the overall control environment.


Question 6

An organization's risk register shows all cloud risks managed by the IT security team in a separate spreadsheet. The enterprise risk committee has no visibility.

What governance issue exists?

A. The IT security team is not qualified to assess risks
B. The risk register has too many entries
C. The spreadsheet format is inadequate
D. Cloud risks are not integrated into enterprise risk management, leaving executive leadership without visibility into material risks

Answer & reasoning

Correct: D

Cloud risks must be part of the enterprise risk register visible to executive leadership. A shadow register creates a governance blind spot.


Question 7

A cloud risk is identified but never formally assessed or documented. Six months later, the risk materializes and causes a significant incident.

How should this risk be classified retroactively?

A. Accepted risk
B. Transferred risk
C. Mitigated risk
D. Unmanaged risk — it was never formally assessed, treated, or accepted through proper governance

Answer & reasoning

Correct: D

A risk that was identified but never assessed, documented, or treated is unmanaged. Risk acceptance requires formal documentation and authorized approval.


Question 8

An organization wants continuous assurance of their cloud provider's security posture rather than relying solely on annual SOC 2 reports.

What approach BEST achieves this?

A. Conduct monthly penetration tests of the provider's infrastructure
B. Implement continuous compliance monitoring combined with periodic formal audit reports
C. Review the provider's security blog posts weekly
D. Request more frequent SOC 2 reports

Answer & reasoning

Correct: B

Continuous compliance monitoring provides real-time assurance between formal audits. Combined with periodic reports, this provides both ongoing and formal assurance.


Question 9

After implementing controls for a cloud risk, residual risk is assessed at a medium level. The organization's risk tolerance for this system is low.

What is the appropriate action?

A. Transfer all residual risk to the cloud provider
B. Accept the residual risk and move on
C. Reclassify the risk tolerance to medium to match the residual risk
D. Implement additional controls to reduce residual risk to within the low tolerance level

Answer & reasoning

Correct: D

When residual risk exceeds tolerance, additional treatment is required. Adjusting tolerance to match residual risk defeats the purpose of setting tolerance.


Question 10

A cloud provider offers CSA STAR Level 1 (self-assessment) and ISO 27001 certification. A customer needs to evaluate the provider's cloud-specific security controls.

Which provides STRONGER assurance?

A. ISO 27001, because it involves independent third-party certification and audit
B. Neither provides meaningful assurance
C. CSA STAR Level 1, because it is cloud-specific
D. They provide equal assurance

Answer & reasoning

Correct: A

ISO 27001 involves independent third-party certification with formal audits. CSA STAR Level 1 is a self-assessment without independent verification.


Section B master pattern

When answering Domain 6 Section B questions, ask yourself:

  • Is the audit evidence independently verified or self-reported?
  • Are there gaps in audit coverage (time, scope, carve-outs)?
  • Is risk expressed in business terms or only technical terms?
  • Is risk treatment formal and authorized or informal and ignored?
  • Does residual risk fall within defined tolerance?

If you evaluate evidence critically, express risk in business terms, and follow formal processes, you will answer correctly.
