Cloud Audit Process
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.
Included in this chapter:
- The cloud audit-scope problem and the reliance model
- SOC report types, Type I vs Type II, and ISAE 3402
- Scope statements, gap analysis, ISMS, and the audit lifecycle
- Exam-pattern recognition and specialized compliance
SOC report types under AICPA SSAE 18
| Attribute | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| Subject of the report | Controls over financial reporting (ICFR) | Security and the Trust Services Criteria | Public summary of a SOC 2 |
| Trust Services Criteria covered | None (financial controls) | Security, availability, processing integrity, confidentiality, privacy | Same TSC as the SOC 2 it summarizes |
| Type I vs Type II | Both available | Both available | Type II only (no I/II label) |
| Level of detail | Full control descriptions and test results | Full control descriptions and test results | Auditor opinion only, no control detail |
| Distribution | Restricted (NDA, financial auditors) | Restricted (NDA, customers) | Unrestricted, public |
| Typical cloud use | Customer financial-statement audits | Security due diligence on the provider | Posted on the provider trust site |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- ISC2 — CCSP Certification Exam Outline (Domain 6: Legal, Risk & Compliance)
- Cloud Security Alliance — Security Guidance (shared responsibility model) Whitepaper
- AICPA — SOC 2 and the SSAE 18 attestation standard
- AICPA — System and Organization Controls (SOC) suite and the Trust Services Criteria
- IFAC / IAASB — ISAE 3402, Assurance Reports on Controls at a Service Organization
- Cloud Security Alliance — Cloud Controls Matrix (CCM) Whitepaper
- ISO/IEC 27001:2022 — Information security management systems (requirements)
- PCI Security Standards Council — PCI DSS