Domain 6 of 6 · Chapter 3 of 5

Cloud Audit Process

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • The cloud audit-scope problem and the reliance model
  • SOC report types, Type I vs Type II, and ISAE 3402
  • Scope statements, gap analysis, ISMS, and the audit lifecycle
  • Exam-pattern recognition and specialized compliance

SOC report types under AICPA SSAE 18

AttributeSOC 1SOC 2SOC 3
Subject of the reportControls over financial reporting (ICFR)Security and the Trust Services CriteriaPublic summary of a SOC 2
Trust Services Criteria coveredNone (financial controls)Security, availability, processing integrity, confidentiality, privacySame TSC as the SOC 2 it summarizes
Type I vs Type IIBoth availableBoth availableType II only (no I/II label)
Level of detailFull control descriptions and test resultsFull control descriptions and test resultsAuditor opinion only, no control detail
DistributionRestricted (NDA, financial auditors)Restricted (NDA, customers)Unrestricted, public
Typical cloud useCustomer financial-statement auditsSecurity due diligence on the providerPosted on the provider trust site

Decision tree

What assurance do you need?SOC 1 / ISAE 3402financial reportingFinancialSOC 3public, no detailPublic summarySecurity assuranceSOC 2SecurityNeed operation over time?SOC 2 Type Idesign at a dateNoSOC 2 Type IIoperating effectivenessYes

Cheat sheet

  • You audit the cloud provider through its attestations, not on-site
  • SOC 1 is financial, SOC 2 is security, SOC 3 is the public summary
  • SOC 2 maps to the five Trust Services Criteria, security being mandatory
  • Type I attests design at a date, Type II tests operation over a period
  • For a provider's security assurance, request the SOC 2 Type II
  • ISAE 3402 is the international equivalent of an SSAE 18 SOC 1
  • SOC 1 and SOC 2 are restricted; only SOC 3 is public
  • The audit scope statement must split provider-owned from customer-owned controls
  • Gap analysis compares current controls to a chosen baseline; it does not remediate
  • The ISMS is the governance program audit and gap analysis feed back into
  • Security policies form a hierarchy: organizational, functional, then cloud-computing
  • Identify and involve stakeholders early in audit planning
  • Internal audit is first-party self-assessment; external audit is independent third-party
  • Match the scenario to its specialized compliance regime; one report is not universal
  • Verify a provider against ISO/IEC 27017 cloud controls and ISO/IEC 27001 certification
  • ISO/IEC 27001 certification and a SOC 2 report attest different things
  • Virtualization and multi-tenancy create cloud-specific assurance challenges
  • The distributed-IT model spreads data across jurisdictions, so the scope must name regions
  • Reliance on a provider's report does not transfer accountability
  • Check the report is current and the auditor's opinion is unqualified
  • A CASB closes the SaaS monitoring gap that native CSP logging leaves open
  • Admin-activity logs are on by default, but data-access logs must be explicitly enabled
  • CUECs are controls the customer must implement for the provider's objectives to hold
  • Cloud audit logs need immutable, tamper-evident storage to hold evidentiary value
  • Customer audit scope rises up the stack: IaaS guest-OS-up, PaaS app-layer, SaaS access and data

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. ISC2 — CCSP Certification Exam Outline (Domain 6: Legal, Risk & Compliance)
  2. Cloud Security Alliance — Security Guidance (shared responsibility model) Whitepaper
  3. AICPA — SOC 2 and the SSAE 18 attestation standard
  4. AICPA — System and Organization Controls (SOC) suite and the Trust Services Criteria
  5. IFAC / IAASB — ISAE 3402, Assurance Reports on Controls at a Service Organization
  6. Cloud Security Alliance — Cloud Controls Matrix (CCM) Whitepaper
  7. ISO/IEC 27001:2022 — Information security management systems (requirements)
  8. PCI Security Standards Council — PCI DSS