Certificate of Cloud Auditing Knowledge

The Certificate of Cloud Auditing Knowledge (CCAK) is the first credential available for industry professionals to demonstrate their expertise in the essential principles of auditing cloud computing systems. The CCAK credential and training program fills the gap in the market for technical education for cloud IT auditing.

This credential leverages CSA’s cloud expertise and ISACA’s traditional audit expertise, combining our know-how and expertise to develop and deliver the best possible solution for cloud auditing education. CCAK benefits both CSA and ISACA members and certification holders as it builds on the body of knowledge covered in CSA’s Certificate of Cloud Security Knowledge (CCSK) and complements ISACA’s ANSI-accredited certifications such as CISA, CISM, CRISC and CGEIT.

How is this certification program different from other IT audit certification programs?

An audited organization using cloud computing will have a very different approach to satisfying control objectives. A cloud tenant will certainly not have the same administrative access as in a legacy IT system and will employ a wide range of security controls that will be foreign to an audit and assurance professional who is grounded in traditional IT audit practices.

Credentials the CCAK Complements

The CCAK complements and enhances the skills and knowledge in the following credentials:
Certificate of Cloud Security Knowledge (CCSK)
Certified Information Systems Auditor (CISA)
FedRAMP 3PAO Assessor
PCI/DSS Qualified Security Assessor
ISO 27001 Lead Auditor Credentials

How to Prepare for the CCAK Exam

The CCAK is an online, proctored exam that contains 76 multiple-choice questions. The exam is two hours and the passing score is 70%. Purchasing the exam provides you with one test attempt, which you will have one year to use.
There are no prerequisites to take the CCAK exam. Prior experience in IT audit, security, risk or cloud computing is essential to pass the CCAK exam. CCAK complements and enhances the knowledge of CCSK certificate holders.
Learn how these two certificates complement each other.

What will you learn when you earn the CCAK?

Assessment: Understand the difference in assessing and auditing cloud environments versus traditional IT infrastructure & services.
Evaluation: Discover how to use cloud security assessment methods and techniques to evaluate a cloud service prior to and during the provision of the service.
Governance: Learn how existing governance policies and frameworks are affected by the introduction of cloud into the ecosystem.
Compliance: Understand the unique requirements of compliance in the cloud due to shared responsibility between cloud providers and customers.
Internal Security: Learn how to use a cloud-specific security controls framework to ensure security within your organization.
Continuous Monitoring: Architect in a way that allows you to measure control effectiveness through metrics and ultimately leads to continuous monitoring.

MODULE 1: Cloud Governance

• Overview of governance
• Cloud assurance
• Cloud governance frameworks
• Cloud risk management
• Cloud governance tools

MODULE 2: Cloud Compliance Program

• Designing a cloud compliance program
• Building a cloud compliance program
• Legal and regulatory requirements
• Standards and security frameworks
• Identifying controls and measuring effectiveness
• CSA certification, attestation and validation

MODULE 3: CCM and CAIQ Goals, Objectives and Structure

• CCM
• CAIQ
• Relationship to standards: mappings and gap analysis
• Transition from CCM V3.0.1 to CCM V4

MODULE 4: A Threat Analysis Methodology for Cloud Using CCM

• Definitions and purpose
• Attack details and impacts
• Mitigating controls and metrics
• Use case

MODULE 5: Evaluating a Cloud Compliance Program

• Evaluation approach
• A governance perspective
• Legal, regulatory and standards perspectives
• Risk perspectives
• Services changes implications
• The need for continuous assurance/continuous compliance

MODULE 6: Cloud Auditing

• Audit characteristics, criteria & principles
• Auditing standards for cloud computing
• Auditing an on-premises environment vs. cloud
• Differences in assessing cloud services and cloud delivery models
• Cloud audit building, planning and execution

MODULE 7: CCM: Auditing Controls

• CCM audit scoping guidance
• CCM risk evaluation guide
• CCM audit workbook
• CCM: an auditing example

MODULE 8: Continuous Assurance and Compliance

• DevOps and DevSecOps
• Auditing CI/CD pipelines
• DevSecOps automation and maturity

MODULE 9: STAR Program

• Standard for security and privacy
• Open Certification Framework
• STAR Registry
• STAR Level 1
• STAR Level 2
• STAR Level 3


To apply for the certificate, click here: Apply certificate