ISO 27017:2015 - Cloud Security Auditor Free Practice Test — 30 Questions

Question 1

A cloud service provider (CSP) operating under ISO 27017:2015 discovers a significant data breach affecting the personal information of multiple customers hosted on its platform. The CSP immediately activates its pre-defined incident response plan, which includes isolating the affected systems, conducting a forensic analysis to determine the scope and cause, and notifying the relevant supervisory authorities and affected customers within the legally mandated timeframe. The plan also outlines steps for remediation and post-incident review to prevent recurrence. Which core principle of ISO 27017:2015 is most directly demonstrated by the CSP\'s actions in this scenario?

Accepted Answer

Effective information security incident management

Question 2

Consider a scenario where a cloud service customer, operating under the General Data Protection Regulation (GDPR), has formally terminated their contract with a cloud service provider (CSP). The customer has requested the secure deletion of all their data stored within the CSP\'s infrastructure. As an ISO 27017:2015 auditor, what is the most critical aspect to verify regarding the CSP\'s response to this request to ensure compliance with both the standard and relevant data protection laws?

Accepted Answer

The CSP's documented procedures for secure data deletion, including evidence of their implementation and verification of data remanence mitigation, aligned with contractual obligations and data protection regulations.

Question 3

A cloud service customer (CSC) operating within the European Union experiences a significant data breach impacting personal data of its EU-based customers, stored on a cloud platform provided by a third-party cloud service provider (CSP). The breach originated from a vulnerability in the CSP\'s infrastructure. As a cloud security auditor, what is the primary responsibility of the CSC in managing this incident, considering the shared responsibility model outlined in ISO 27017:2015 and the General Data Protection Regulation (GDPR)?

Accepted Answer

The CSC is primarily responsible for conducting the full forensic investigation of the CSP's infrastructure and directly notifying all affected data subjects and supervisory authorities.

Question 4

When conducting an audit for a cloud service provider (CSP) and a cloud service customer (CSC) to ensure adherence to ISO 27017:2015, what is the most critical initial step an auditor must undertake to establish a baseline for assessing the implementation of cloud-specific controls and the overall security posture?

Accepted Answer

Reviewing the contractual agreements and internal policies of both the CSP and CSC to identify the clearly defined and documented allocation of responsibilities for cloud security controls.

Question 5

A cloud service customer (CSC) operating a critical financial application within a virtual machine (VM) on a public cloud platform experiences unauthorized access to sensitive customer data. Initial forensic analysis suggests the compromise originated from a compromised user account within the CSC\'s managed operating system of the VM. As an ISO 27017:2015 compliant cloud security auditor, what is the primary and most immediate action the CSC should undertake to address this incident?

Accepted Answer

Initiate an internal forensic investigation to identify the source and scope of the compromise within the VM's operating system and user accounts.

Question 6

During an audit of a cloud service customer (CSC) utilizing a Platform as a Service (PaaS) offering, an auditor is assessing the effectiveness of security controls related to data segregation and application integrity. The CSC has deployed custom business applications onto the PaaS. Which of the following areas of responsibility would the auditor primarily attribute to the CSC for ensuring the security of these deployed applications and their associated data, in accordance with ISO 27017:2015 principles?

Accepted Answer

The security of the CSC's deployed applications and the data they process, including access management for application users.

Question 7

A cloud security auditor is reviewing a cloud service provider (CSP) that offers both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings. The CSP\'s documentation indicates that the customer is responsible for securing the operating system and all software deployed on it, while the CSP is responsible for the physical security of the data center, the network infrastructure, and the hypervisor layer. To assess the CSP\'s compliance with ISO 27017:2015, specifically concerning the clear delineation of responsibilities in a multi-tenant cloud environment, what is the most critical piece of evidence the auditor should seek to examine?

Accepted Answer

Contractual agreements and Service Level Agreements (SLAs) that explicitly define the shared security responsibilities between the CSP and its customers.

Question 8

A multinational corporation, \"Aethelred Analytics,\" is planning to migrate its customer relationship management (CRM) database, containing personally identifiable information (PII) subject to stringent data protection regulations like GDPR, to a cloud computing environment. They are evaluating potential cloud service providers (CSPs). As an ISO 27017:2015 auditor, what is the primary consideration for Aethelred Analytics regarding the security of their PII during this migration, given the shared responsibility model inherent in cloud computing?

Accepted Answer

Ensuring the CSP's contractual obligations and documented security controls adequately address the protection of PII, aligning with Aethelred Analytics' risk appetite and regulatory compliance needs.

Question 9

A cloud service auditor is assessing a client\'s adherence to ISO 27017:2015 controls for their use of a Platform as a Service (PaaS) offering. The client has developed and deployed a custom web application on this PaaS. Which of the following areas would be the primary focus of the auditor\'s review concerning the client\'s responsibilities?

Accepted Answer

Verification of the PaaS provider's patching schedule for the underlying operating system and middleware.

Question 10

A cloud service auditor is reviewing the security posture of a large enterprise that utilizes Infrastructure as a Service (IaaS) from a reputable cloud provider for hosting critical business applications. The enterprise has a robust internal security team and has implemented numerous security measures within their virtualized environment. During the audit, the auditor needs to assess the effectiveness of the enterprise\'s controls related to the security of the underlying cloud infrastructure. Which of the following areas would be the LEAST direct responsibility of the cloud service customer (enterprise) under the ISO 27017:2015 framework for this IaaS scenario?

Accepted Answer

Ensuring secure configuration of virtual network interfaces and firewall rules for deployed virtual machines.

Question 11

During an audit of a cloud service provider (CSP) against ISO 27017:2015, an auditor discovers that while the CSP has implemented numerous security controls for its infrastructure, there is no formal, publicly accessible document that clearly articulates the division of security responsibilities between the CSP and its customers. The CSP\'s sales and support teams provide ad-hoc explanations when asked, but a consolidated, official statement is missing. What is the most significant implication of this finding for the audit\'s conclusion regarding the CSP\'s compliance with ISO 27017:2015?

Accepted Answer

A significant non-conformity related to the CSP's obligation to define and communicate security responsibilities.

Question 12

A financial services organization, \"FinSecure Corp,\" is in the process of migrating its customer transaction data to a public cloud infrastructure. As a Cloud Security Auditor, you are tasked with assessing the security posture of this migration, specifically focusing on the controls governing data confidentiality during transmission. FinSecure Corp has contracted with a reputable CSP that offers various security features. Considering the shared responsibility model outlined in ISO 27017:2015, which party bears the primary accountability for ensuring the encryption of sensitive customer transaction data while it is being transmitted from FinSecure Corp\'s on-premises systems to the CSP\'s cloud environment?

Accepted Answer

The cloud service customer (FinSecure Corp)

Question 13

A cloud service auditor is assessing a client\'s adherence to ISO 27017:2015 for their use of a Platform as a Service (PaaS) offering. The client has deployed a custom-built web application on this PaaS. Which of the following areas would be the primary focus for the auditor when evaluating the client\'s security responsibilities in this scenario?

Accepted Answer

The security of the underlying virtualized infrastructure and the operating system patching managed by the cloud service provider.

Question 14

A cloud service auditor is assessing a cloud service customer\'s (CSC) compliance with ISO 27017:2015. The CSC utilizes a public cloud provider for hosting sensitive customer data. The cloud service agreement (CSA) clearly delineates that the cloud service provider (CSP) is responsible for the security of the underlying infrastructure, including physical security of data centers and network security. However, the CSC retains responsibility for data classification, access control management, and incident response planning for its specific applications. During the audit, it is discovered that the CSP has a robust physical security program and has provided a recent third-party audit report confirming compliance with relevant security standards. The CSC, however, has not updated its internal data classification policy in three years, and its access control review process for cloud-based applications is manual and prone to delays. What is the most critical finding for the cloud service auditor concerning the CSC\'s adherence to ISO 27017:2015 principles?

Accepted Answer

The CSC's failure to maintain an up-to-date data classification policy and an inefficient access control review process for cloud applications, despite the CSP's strong infrastructure security.

Question 15

A cloud service customer (CSC) operating a critical financial application within a public cloud environment detects an unusual pattern of network traffic that suggests a potential denial-of-service (DoS) attack targeting the application\'s availability. The CSC\'s internal security team has confirmed the anomaly originates from external sources but cannot definitively ascertain if the attack vector is exploiting a vulnerability within the CSC\'s configuration or the cloud service provider\'s (CSP) underlying network infrastructure. Given the shared responsibility model inherent in cloud computing and the principles outlined in ISO 27017:2015, what is the most prudent immediate step for the CSC\'s security team to take?

Accepted Answer

Immediately notify the cloud service provider (CSP) through the designated incident reporting channel, providing all available details of the observed anomaly and requesting their assistance in identifying the source and mitigating the attack.

Question 16

When conducting an audit of a cloud service provider (CSP) to assess compliance with ISO 27017:2015, what is the primary objective related to the lifecycle management of customer data, specifically concerning its removal from the CSP\'s infrastructure?

Accepted Answer

To verify the CSP's documented and implemented procedures for secure data deletion and destruction, ensuring compliance with contractual obligations and relevant legal frameworks.

Question 17

When conducting an audit of a cloud service provider (CSP) offering Platform as a Service (PaaS) against ISO 27017:2015, what specific area of the CSP\'s documentation and operational practices requires the most rigorous examination to ensure compliance with the shared responsibility model?

Accepted Answer

The CSP's documented procedures for customer onboarding and the explicit delineation of security responsibilities for the PaaS offering, including the management of the underlying operating system and middleware.

Question 18

Consider a scenario where a financial institution, operating as a cloud service customer (CSC), has migrated its core banking application to a Platform as a Service (PaaS) offering from a cloud service provider (CSP). The CSC has identified a vulnerability in the application\'s authentication module that could allow unauthorized access to sensitive customer data. According to the principles outlined in ISO 27017:2015, which of the following is the primary responsibility of the CSC in addressing this specific vulnerability?

Accepted Answer

Implementing a secure coding standard for application development and patching the identified vulnerability within the application's authentication module.

Question 19

During an audit of a cloud service provider (CSP) against ISO 27017:2015, an auditor is reviewing the CSP\'s security documentation and contractual agreements. The CSP offers Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to its clients. What specific aspect of the CSP\'s security posture should the auditor prioritize to ensure compliance with the standard\'s emphasis on shared responsibility in a cloud environment?

Accepted Answer

The clarity and completeness of the CSP's documented delineation of security controls and responsibilities, explicitly identifying which controls are managed by the CSP, which are shared, and which are the customer's responsibility.

Question 20

When conducting an audit of a Cloud Service Provider (CSP) against ISO 27017:2015, what is the primary focus of the auditor regarding the implementation of security controls for Infrastructure as a Service (IaaS) offerings?

Accepted Answer

Verification of the CSP's documented and implemented controls for the underlying infrastructure and platform services, ensuring clear demarcation of responsibilities.

Question 21

A financial institution, operating under strict regulatory compliance mandates such as the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS), is migrating its customer transaction processing to a Platform as a Service (PaaS) offering from a third-party cloud service provider. As the designated cloud security auditor for the financial institution, what is the most critical area of focus during the audit to ensure compliance and security within this shared responsibility model, considering the sensitive nature of the data being processed?

Accepted Answer

Verification of the cloud service provider's documented security controls and contractual obligations as they pertain to the protection of the financial institution's data and the agreed-upon service level agreements.

Question 22

A financial institution, operating as a cloud service customer (CSC), is migrating its customer transaction data to a public cloud environment. The data is classified as highly sensitive and subject to stringent regulatory requirements, including data residency and encryption mandates. The cloud service provider (CSP) offers a range of encryption services. Which party bears the primary responsibility for defining the encryption algorithms, managing the cryptographic keys, and ensuring the overall effectiveness of the encryption strategy for this sensitive data, in accordance with ISO 27017:2015 principles?

Accepted Answer

The cloud service customer (CSC)

Question 23

A cloud service auditor is reviewing the security posture of a client utilizing a Platform as a Service (PaaS) offering for their customer relationship management (CRM) system. The client has reported a critical vulnerability discovered within the operating system\'s kernel that underpins the PaaS environment. According to the principles outlined in ISO 27017:2015, which party bears the primary responsibility for addressing and remediating this specific operating system kernel vulnerability?

Accepted Answer

The cloud service customer

Question 24

When auditing a cloud service provider offering Infrastructure as a Service (IaaS) to a client organization, what specific security control area would a cloud security auditor primarily focus on verifying as the customer\'s direct responsibility, beyond the provider\'s foundational infrastructure security?

Accepted Answer

The secure configuration and management of virtual network firewalls and access control lists within the customer's virtual private cloud.

Question 25

When auditing a cloud service provider (CSP) for compliance with ISO 27017:2015, and a cloud service customer (CSC) has requested the permanent deletion of their data at the conclusion of their contract, what is the auditor\'s primary responsibility to ensure the CSC\'s data has been irretrievably removed from the CSP\'s infrastructure?

Accepted Answer

Review the CSP's documented procedures for secure data deletion and verify their effective implementation through evidence demonstrating the data's unrecoverability.

Question 26

During an audit of a cloud service customer (CSC) utilizing Infrastructure as a Service (IaaS) from a certified cloud service provider (CSP), an auditor is examining the implementation of access control mechanisms for virtual machines. The CSC has contracted with the CSP to manage the underlying network infrastructure and hypervisor security, while the CSC is responsible for configuring user access and authentication within the virtual machines themselves. Which of the following best describes the CSC\'s primary responsibility in this scenario, as per ISO 27017:2015, concerning the security of the virtual machine access controls?

Accepted Answer

Verifying that the CSP's security controls for the underlying infrastructure adequately support the CSC's access control policies for virtual machines.

Question 27

Consider a scenario where a cloud service customer (CSC) is utilizing a Platform as a Service (PaaS) offering from a cloud service provider (CSP) to host a custom-built web application. The CSC has developed the application and deployed it onto the PaaS. During an audit, it is discovered that unauthorized external entities have gained access to sensitive customer data stored within the application\'s database. The investigation reveals that the vulnerability exploited was within the application\'s authentication module, which was custom-coded by the CSC. Additionally, the audit found that the access control list for the database within the PaaS environment was overly permissive, allowing broader access than necessary, a configuration set by the CSC. Based on the principles of ISO 27017:2015, which of the following areas of responsibility would be primarily attributed to the cloud service customer in this situation?

Accepted Answer

Securing the application code and managing access controls for the deployed application and its associated data.

Question 28

Consider a scenario where a client organization has contracted with a cloud service provider for Infrastructure as a Service (IaaS). The client is deploying custom web applications and storing sensitive customer data within virtual machines. As an auditor adhering to ISO 27017:2015, which of the following aspects of the client\'s cloud deployment would typically fall outside the direct security responsibilities of the cloud service provider in this IaaS model?

Accepted Answer

The secure configuration and regular patching of the guest operating systems within the virtual machines.

Question 29

During an audit of a cloud service provider (CSP) adhering to ISO 27017:2015, an auditor is examining the CSP\'s approach to managing shared security responsibilities with its customers. The CSP offers Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Which of the following auditor findings would most strongly indicate a deficiency in the CSP\'s adherence to the standard concerning the clarity and implementation of its security responsibilities?

Accepted Answer

The CSP's contractual agreements clearly delineate customer responsibilities for data encryption and access management within the IaaS environment, while the CSP's internal documentation outlines its commitment to securing the underlying infrastructure and hypervisor.

Question 30

When conducting an audit of a cloud service provider (CSP) against ISO 27017:2015, what is the primary focus of the auditor when assessing the CSP\'s adherence to controls related to the secure development and maintenance of cloud services, as outlined in Clause 6.3.1?

Accepted Answer

Verification that the CSP has implemented a robust secure software development lifecycle (SSDLC) and integrated security into the ongoing maintenance of its cloud offerings.

ISO 27017:2015 - Cloud Security Auditor Free Practice Test — 30 Questions

A lot more is already mapped out

About the ISO 27017:2015 - Cloud Security Auditor Certification