Certificate of Cloud Auditing Knowledge

The industry's first global cloud auditing credential.

The Certificate of Cloud Auditing Knowledge (CCAK) is the first credential that industry professionals can obtain to demonstrate their expertise in understanding the essential principles of auditing cloud computing systems. The CCAK credential and training program is being developed by the Cloud Security Alliance, the global leader in cloud security best practices, and ISACA, an international professional association focused on IT governance.
Because CCAK is intended to create a common cloud audit understanding, we anticipate it being a mandatory requirement for IT auditors and highly recommended for any IT manager and professional, especially for governance, risk management, compliance, and vendor/supply chain management. The CCAK is scheduled for completion in Q4 2020.

How is this certification program different from other IT audit certification programs?

Traditional IT audit education and certification programs have many excellent elements, but were not developed with an understanding of cloud computing and its many nuances.

An audited organization using cloud computing will have a very different approach to satisfying control objectives. A cloud tenant will certainly not have the same administrative access as in a legacy IT system and will employ a wide range of security controls that will be foreign to an audit and assurance professional who is grounded in traditional IT audit practices.

What are the benefits of earning your CCAK?

  • Assessment: Understand the difference in assessing and auditing cloud environments versus traditional IT infrastructure & services.
  • Evaluation: Discover how to use cloud security assessment methods and techniques to evaluate a cloud service prior to and during the provision of the service.
  • Governance: Learn how existing governance policies and frameworks are affected by the introduction of cloud into the ecosystem.
  • Compliance: Understand the unique requirements of compliance in the cloud due to shared responsibility between cloud providers and customers.
  • Internal Security: Learn how to use a cloud-specific security controls framework to ensure security within your organization.
  • Continuous Monitoring: Architect in a way that allows you to measure control effectiveness through metrics and ultimately leads to continuous monitoring.

Who should earn the CCAK?

Modules Covered

Cloud Governance

Cloud Compliance Program

CCM and CAIQ: Goals, Objectives and Structure

A Threat Analysis Methodology for Cloud using CCM

Evaluating a Cloud Compliance Program

Cloud Auditing

CCM: Auditing controls

Continuous Assurance and Compliance

STAR Program

Study Materials

CCAK Guidance Document (Coming Soon)

This document is the main body of knowledge for the CCAK exam. It provides a common baseline of expertise and a shared nomenclature. Among other topics it covers governance, risk management, compliance, and vendor/supply chain management.

Cloud Controls Matrix (CCM)

The CCM is a cybersecurity control framework covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

CCM Auditing Guidelines (Coming Soon)

The CCM Auditing Guidelines provide a baseline understanding of the CCM audit areas and give auditors tools and resources for performing a CCM-related assessment.

Consensus Assessments Initiative Questionnaire (CAIQ)

The CAIQ is a set of Yes/No questions, based on the CCM, used to assess the security capabilities of a cloud service provider.

Security, Trust, Assurance & Risk (STAR)

STAR is a program for security assurance in the cloud. The STAR registry gives customers a clear understanding of a solution provider’s security posture as it relates to cloud security controls.

Top Threats to Cloud Computing Deep Dive

The CSA Top Threats report lists cloud computing’s most pressing threats. This case study contains nine real-life examples. Each example provides an attack-style synopsis of the actor, spanning from threats and vulnerabilities to end controls and mitigations.

Training & Exam Coming Soon

Want to know when the CCAK exam and training become available? Fill out this form and you will be the first to learn about the exam and courses as they become available.

Strategic Partnership with ISACA

Global technology association ISACA has formed a strategic partnership with CSA to collaborate closely on critical initiatives to transform the auditing and assurance of cloud computing. This includes the delivery of the CCAK portfolio, giving a wide variety of audit, IT and cybersecurity professionals the opportunity to obtain the credential and raise the baseline of cloud assurance knowledge across the industry.

Find out more about this partnership. Read the press release

Cloud Audit Expert Group

Individuals who participate in the CSA Cloud Audit Expert Group provide a community perspective on key considerations for the CCAK by serving as a sounding board for project deliverables. They also serve as CCAK ambassadors. If you would be interested in joining, please reach out to [email protected].
This group and the CCAK are made possible through several partnerships CSA has with other organizations and associations.

The International Systems Security Association (ISSA), a nonprofit organization for the cyber professional community, has also agreed to collaborate on the CCAK with the goal of both supporting and strengthening the cybersecurity profession.