100+ Free ISACA CCAK Practice Questions

Pass your Certificate of Cloud Auditing Knowledge (CCAK) — ISACA + CSA exam on the first try — instant access, no signup required.

No registration. No credit card. No hidden fees. Start practicing immediately.

Pass rate: ISACA does not publicly report CCAK pass rates. 100+ questions, 100% free.

Key Facts: ISACA CCAK Exam

  • Exam Questions: 76 (multiple-choice format)
  • Passing Score: 70% (published by ISACA + CSA)
  • Time Limit: 2 hours (120 minutes total)
  • Member Fee: $395 ($495 non-member)
  • Domains: 9 (~11% weighting each)
  • Test Delivery: PSI online (online proctored)

The ISACA + CSA Certificate of Cloud Auditing Knowledge (CCAK) is a 76-question, 2-hour, 70%-to-pass online proctored exam ($395 ISACA member / $495 non-member) delivered via PSI. It covers nine equally weighted domains spanning cloud governance, cloud compliance programs, CSA Cloud Controls Matrix v4 (17 domains and the Shared Security Responsibility Matrix), the CAIQ v4 questionnaire, threat analysis with STRIDE and NIST SP 800-154, audit methodology and evidence, CCM auditing guidelines and cross-mappings (ISO 27001/27017/27018, NIST 800-53, PCI DSS, HIPAA, FedRAMP), continuous assurance with AWS Config, Azure Policy, GCP SCC, OpenSCAP, and Chef InSpec, and the CSA STAR program (Levels 1, 2 Attestation/Certification, and 3 Continuous). CCAK is the first vendor-neutral cloud-audit credential and is widely used by cloud auditors, GRC professionals, and security architects.

Sample ISACA CCAK Practice Questions

Try these sample questions to test your ISACA CCAK exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which framework provides a structured set of principles for the effective governance of IT and is explicitly referenced in the CCAK body of knowledge as a primary cloud governance framework?
A. ISO/IEC 38500
B. ITIL 4
C. PMBOK
D. PRINCE2
Explanation: ISO/IEC 38500 is the international standard for the corporate governance of information technology and is one of the principal frameworks referenced in CCAK material. It defines six principles (responsibility, strategy, acquisition, performance, conformance, human behavior) that boards and executives apply to govern IT, including cloud services.

2. In COBIT 2019, which element distinguishes governance objectives from management objectives?
A. Governance objectives use EDM (Evaluate, Direct, Monitor); management objectives use PBRM (Plan, Build, Run, Monitor)
B. Governance objectives are optional; management objectives are mandatory
C. Governance objectives apply only to cloud; management objectives apply only to on-premises
D. Governance objectives are technical controls; management objectives are policies
Explanation: COBIT 2019 separates the five EDM (Evaluate, Direct, Monitor) governance objectives executed by the board from the management objectives in the four PBRM domains (Align Plan Organize, Build Acquire Implement, Deliver Service Support, Monitor Evaluate Assess). This is a foundational distinction CCAK candidates must apply to cloud governance design.

3. An enterprise is migrating workloads to a SaaS provider. Which governance principle most directly addresses the board's accountability for cloud-related risks the provider cannot transfer back?
A. Risk ownership remains with the enterprise even when operations are outsourced
B. Risk transfers entirely to the cloud provider once the contract is signed
C. Risk is shared 50/50 by default under the shared responsibility model
D. Risk is owned by the SaaS administrator who configures the tenant
Explanation: A core CCAK governance tenet is that accountability for risk cannot be outsourced even when operations are. The customer organization remains accountable to regulators, customers, and shareholders for data, compliance, and business outcomes regardless of which CSP runs the workload.

4. Which NIST publication is the primary reference for risk-assessment methodology used to evaluate cloud-related information security risk?
A. NIST SP 800-53
B. NIST SP 800-30
C. NIST SP 800-171
D. NIST SP 800-61
Explanation: NIST SP 800-30 (Guide for Conducting Risk Assessments) defines the methodology for identifying threat sources, threat events, vulnerabilities, likelihood, impact, and risk. CCAK uses it as a standard reference for cloud risk-assessment activities.

5. FAIR (Factor Analysis of Information Risk) expresses risk in which terms?
A. Likelihood and impact on a 1-5 qualitative scale
B. Loss event frequency and loss magnitude expressed in monetary terms
C. Confidentiality, integrity, and availability ratings
D. Probability and severity using ordinal categories
Explanation: FAIR is a quantitative risk model that decomposes risk into Loss Event Frequency (LEF) and Loss Magnitude (LM), both ultimately expressed as monetary values. This produces a defensible, comparable measure of cyber risk that supports business decisions.

6. In a CSP-customer relationship, who is ultimately accountable for ensuring that personal data processed in the cloud complies with privacy law (e.g., GDPR)?
A. The data controller (customer organization)
B. The data processor (cloud provider)
C. Whichever party stores the data
D. Whichever party encrypts the data
Explanation: Under GDPR and similar privacy regimes, the data controller determines the purposes and means of processing and remains accountable for lawful processing. The CSP typically acts as a data processor under contract; processor obligations exist, but they do not transfer controller accountability.

7. Which statement best describes the role of a cloud governance committee in a large enterprise?
A. It writes infrastructure as code templates for cloud deployments
B. It approves cloud strategy, risk appetite, and policy exceptions, and monitors KPIs/KRIs
C. It performs day-to-day patching and configuration of cloud workloads
D. It is a single individual responsible for all cloud security operations
Explanation: A cloud governance committee (sometimes called a Cloud Center of Excellence steering body) provides strategic direction: approving cloud strategy, defining risk appetite, ratifying policies and exceptions, and reviewing key performance and risk indicators. Operational delivery is performed by engineering and operations teams.

8. An organization wants its cloud strategy to align directly with enterprise objectives. Which COBIT 2019 component most directly supports cascading enterprise goals into IT and cloud goals?
A. The COBIT goals cascade
B. The COBIT process capability model
C. The COBIT performance management approach
D. The COBIT design factors
Explanation: The COBIT goals cascade translates enterprise goals into alignment goals and then into governance/management objectives, ensuring IT (and cloud) activities trace back to business value. CCAK leverages this cascade to align cloud governance with enterprise outcomes.

9. Which of the following is the BEST example of a cloud-specific risk that traditional on-premises risk frameworks may underweight?
A. Insider threat from privileged administrators
B. Multi-tenancy and isolation failure between tenants
C. Loss of physical hardware to fire or flood
D. Software bugs in vendor applications
Explanation: Multi-tenancy is intrinsic to public cloud and introduces risks (hypervisor escape, shared-resource side channels, noisy-neighbor effects, tenant-isolation control failures) that on-premises frameworks rarely consider. CCAK emphasizes evaluating tenant-isolation controls during cloud risk assessment.
10. Which set of functions does the NIST Cybersecurity Framework (CSF) 2.0 use to organize cybersecurity outcomes?
A. Five functions: Identify, Protect, Detect, Respond, Recover
B. Six functions: Govern, Identify, Protect, Detect, Respond, Recover
C. Four functions: Plan, Build, Run, Monitor
D. Three functions: Confidentiality, Integrity, Availability
Explanation: NIST CSF 2.0 (released February 2024) added 'Govern' to the original five functions, producing six: Govern, Identify, Protect, Detect, Respond, Recover. The Govern function makes governance outcomes explicit and is highly relevant to CCAK's emphasis on cloud governance.

About the ISACA CCAK Exam

The Certificate of Cloud Auditing Knowledge (CCAK) is the first global, vendor-neutral cloud-audit credential, co-issued by ISACA and the Cloud Security Alliance (CSA). It validates expertise in evaluating cloud compliance and auditing using the CSA Cloud Controls Matrix (CCM) v4, the Consensus Assessments Initiative Questionnaire (CAIQ) v4, and the CSA STAR program (Levels 1, 2, and 3). The exam covers cloud governance, risk, compliance program design, threat analysis with STRIDE and NIST SP 800-154, audit evidence and sampling, control inheritance, continuous assurance with cloud-native and open-source tools, and the STAR Registry's role in CSP procurement and assurance.

Assessment

76 multiple-choice questions across 9 weighted domains: Cloud Governance, Cloud Compliance Program, CCM and CAIQ, Threat Analysis Methodology, Evaluating Compliance, Cloud Auditing, CCM Auditing Guidelines, Continuous Assurance, and STAR Program

Time Limit

2 hours

Passing Score

70%

Exam Fee

$395 member / $495 non-member (ISACA / PSI online)

ISACA CCAK Exam Content Outline

  • Cloud Governance (11%): ISO/IEC 38500, COBIT 2019 EDM/PBRM and goals cascade, NIST CSF 2.0 (Govern function added 2024), NIST SP 800-30 risk assessment, FAIR quantitative risk, accountability vs responsibility, multi-tenancy risk, cloud governance committees, KPIs/KRIs
  • Cloud Compliance Program (11%): Compliance program design and scoping, PCI DSS, HIPAA Privacy/Security/BAA, GDPR controller/processor, FedRAMP Tailored/Low/Moderate/High, SOC 1/2/3 Type 1 vs Type 2, AICPA Trust Services Criteria, ISO 27001/27017/27018/27701, control mapping, compliance by design
  • CCM and CAIQ: Goals, Objectives, and Structure (11%): CCM v4 17 domains (A&A, AIS, BCR, CCC, CEK, DSP, DCS, GRC, HRS, IAM, IPY, IVS, LOG, SEF, STA, TVM, UEM), control IDs, IaaS/PaaS/SaaS applicability, Shared Security Responsibility Matrix (SSRM), CAIQ v4 Yes/No/NA/NK
  • A Threat Analysis Methodology for Cloud Using CCM (11%): STRIDE (Spoofing/Tampering/Repudiation/Information disclosure/Denial of service/Elevation of privilege), NIST SP 800-154 data-centric threat modeling, data flow diagrams and trust boundaries, mapping STRIDE to CCM domains, CSA Top Threats research
  • Evaluating a Cloud Compliance Program (11%): Audit scope and period, evidence types (inquiry, observation, inspection, reperformance), sampling methodology, compensating controls, control inheritance, SOC 2 report sections, right-to-audit vs reliance, program metrics (MTTD/MTTR, exception aging)
  • Cloud Auditing (11%): Cloud audit objectives and lifecycle (planning, fieldwork, reporting, follow-up), CSP datacenter access limitations, technical configuration review, log integrity testing, evidence sufficiency/reliability/relevance, third-party reliance with carve-outs
  • CCM Auditing Guidelines (11%): CCM Auditing Guidelines purpose, CCM v4 cross-mappings to ISO 27001/27017/27018, NIST SP 800-53, PCI DSS, AICPA TSC, HIPAA, CIS Controls, ENISA, gap analysis, testing per CCM domain (IAM, CCC, CEK, BCR, DCS, STA)
  • Continuous Assurance and Compliance (11%): Continuous controls monitoring, AWS Config, Azure Policy, Google Cloud Security Command Center, OpenSCAP, Chef InSpec, policy-as-code with OPA/Conftest, shift-left security, DevSecOps CI/CD gates, MTTD/MTTR KPIs, CSPM and data fragmentation
  • STAR Program (11%): CSA STAR Registry, STAR Level 1 Self-Assessment with CCM/CAIQ, STAR Level 2 Attestation (SOC 2 + CCM) and Certification (ISO 27001 + CCM), STAR Level 3 Continuous, Trusted Cloud Provider, Open Certification Framework, BSI C5 mapping

How to Pass the ISACA CCAK Exam

What You Need to Know

  • Passing score: 70%
  • Assessment: 76 multiple-choice questions across 9 weighted domains: Cloud Governance, Cloud Compliance Program, CCM and CAIQ, Threat Analysis Methodology, Evaluating Compliance, Cloud Auditing, CCM Auditing Guidelines, Continuous Assurance, and STAR Program
  • Time limit: 2 hours
  • Exam fee: $395 member / $495 non-member

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ISACA CCAK Study Tips from Top Performers

1. Memorize the 17 CCM v4 domain codes (A&A, AIS, BCR, CCC, CEK, DSP, DCS, GRC, HRS, IAM, IPY, IVS, LOG, SEF, STA, TVM, UEM) — control IDs in CCAK questions assume you know them
2. Drill the STAR levels: Level 1 = self-assessment (free, CSP-published CAIQ), Level 2 = third-party Attestation (SOC 2 + CCM) or Certification (ISO 27001 + CCM), Level 3 = STAR Continuous (ongoing assurance)
3. Understand the Shared Security Responsibility Matrix (SSRM) added in CCM v4 — what shifts between CSP, customer, and shared responsibility across IaaS, PaaS, and SaaS
4. Know SOC 2 well: mandatory Security TSC (Common Criteria), optional Availability/Processing Integrity/Confidentiality/Privacy, and Type 1 (point-in-time) vs Type 2 (over a period)
5. Practice CCM cross-mappings: ISO 27001/27017/27018, NIST SP 800-53, PCI DSS, AICPA TSC, HIPAA, CIS Controls — CCAK frequently asks how a CCM control maps to other frameworks
6. Study NIST CSF 2.0's six functions (Govern, Identify, Protect, Detect, Respond, Recover) — Govern was added in 2024 and is highly relevant to CCAK

Frequently Asked Questions

What is the ISACA + CSA Certificate of Cloud Auditing Knowledge (CCAK)?

CCAK is the first global, vendor-neutral cloud-audit credential, co-issued by ISACA and the Cloud Security Alliance. It validates an auditor's ability to evaluate cloud compliance and conduct audits using the CSA Cloud Controls Matrix (CCM) v4, the CAIQ v4 questionnaire, and the CSA STAR program (Levels 1-3). The exam covers cloud governance, compliance program design, threat analysis, audit methodology, CCM cross-mappings, continuous assurance, and the STAR Registry.

How many questions are on the CCAK exam and how long is it?

The CCAK exam contains 76 multiple-choice questions to be completed in 2 hours (120 minutes). The passing score is 70%. The exam is delivered online with PSI proctoring through ISACA / CSA, so candidates can test from a quiet, private location with a webcam and stable internet.

How much does the CCAK exam cost?

The CCAK exam fee is $395 USD for ISACA members and $495 USD for non-members. Vouchers and bundled training packages are sometimes offered through ISACA or CSA promotions. Retake fees follow the same pricing structure under ISACA's published policy.

What domains are covered on the CCAK exam?

CCAK covers nine roughly equally weighted (~11% each) domains: Cloud Governance; Cloud Compliance Program; CCM and CAIQ Goals, Objectives, and Structure; A Threat Analysis Methodology for Cloud Using CCM; Evaluating a Cloud Compliance Program; Cloud Auditing; CCM Auditing Guidelines; Continuous Assurance and Compliance; and the STAR Program.

Are there prerequisites to take the CCAK?

There are no formal prerequisites for CCAK. ISACA recommends candidates have working knowledge of cloud computing, IT audit, and information security. Many candidates already hold CISA, CCSK, CCSP, or similar credentials, but those are not required. The exam is challenging without practical exposure to cloud audit concepts.

Does CCAK expire? Is there a CPE requirement?

CCAK is currently issued as a non-expiring certificate without an annual continuing professional education (CPE) requirement, unlike CISA. ISACA recommends that holders refresh their knowledge as CCM versions, STAR program features, and cloud regulations evolve to keep skills relevant in audit engagements.

How is CCAK different from CCSK and CCSP?

CCSK (CSA Certificate of Cloud Security Knowledge) covers cloud security foundations broadly. CCSP (ISC2 Certified Cloud Security Professional) is a wide cloud security professional credential requiring 5 years of experience. CCAK is narrower than both — focused specifically on auditing cloud compliance using CCM, CAIQ, and STAR. Many auditors hold CISA + CCAK, while CCSK and CCSP target broader security roles.