Companies are rapidly migrating workloads from data centers to the cloud, leveraging technologies such as serverless computing, containers, AI, and machine learning to achieve greater efficiency, improved scalability, and faster deployments. However, cloud security concerns remain significant as the adoption of public cloud computing continues to grow.
The Certificate of Cloud Auditing Knowledge (CCAK) is developed by the Cloud Security Alliance (CSA) and ISACA. This certificate fills a gap in the market for vendor-neutral, technical education for IT audit, security, and risk professionals to understand unique cloud terminology, challenges, and solutions.
This study guide will share how to prepare and pass the Certificate of Cloud Auditing Knowledge (CCAK) exam by the Cloud Security Alliance and ISACA.
Table of Contents
Introduction
Information Security (IS) profoundly contributes to business development by ensuring reliable operations and new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models.
As the cloud comes into the picture, this raises new questions for the board of directors: is our data secure up there? Do we have control? We heard that we would be secure if we moved to the cloud; is that true? What about privacy, compliance, and data regulation? Cloud Security is a shared responsibility; what does that mean? The list of questions goes on and on… For this reason, it is imperative that before adopting cloud computing, organizations must first understand the security considerations that the cloud computing model inherits. These considerations must be revised before starting — ideally during the planning process.
Security in the realm of information technology has fascinated me for a long time. After passing the Swiss federal exam as an Information Security Manager, I decided to gain more experience with Cloud Security.
Starting this journey, I decided to go with neutral vendor certifications for Cloud Security: the Certificate of Cloud Security Knowledge (CCSK) by Cloud Security Alliance (CSA), the Certified Cloud Security Professional (CCSP) certification by the International Information System Security Certification Consortium ISC2, and the Certified Information Security Manager (CISM) certification by ISACA.
I believe in vendor-neutral certifications, and I don’t trust marketing. The good news is that the knowledge you acquire by attaining any of these neutral vendor certifications will help you apply, secure, and audit your cloud workloads, whether running on Microsoft Azure, Google GCP, or Amazon AWS.
After four months of intense preparation, I am so happy and grateful now that I passed the Certificate of Cloud Auditing Knowledge (CCAK) exam on the first attempt.

About the CCAK Certification
The Certificate of Cloud Auditing Knowledge (CCAK) is a professional certification demonstrating a comprehensive understanding of auditing cloud computing systems. It is designed for auditors, risk management professionals, and other stakeholders who need to evaluate cloud computing environments’ security and compliance.
The CCAK certification covers cloud-specific auditing principles, concepts, and practices, including cloud service and deployment models, cloud risk management, compliance frameworks, and audit processes. The certification ensures that professionals have the knowledge and skills necessary to conduct a thorough and effective audit of cloud computing environments.
The CCAK certification is offered by the Cloud Security Alliance (CSA) and ISACA, a non-profit organization dedicated to promoting best practices and standards for cloud computing security. The certification is recognized globally and designed to validate cloud auditing professionals’ knowledge and expertise. It is an excellent way for professionals to demonstrate their commitment to the security and compliance of cloud computing environments.
To become a CCAK professional, you must study and prepare (more on this in the next section), pay the exam fee, and pass the exam without any prerequisites.
The good news is that to remain CCAK certified, you don’t need to pay Continuing Professional Education (CPE) maintenance fees each year or any membership!
Now, if you pass the CCAK exam, you will obtain 4 CPEs (Hours), and you can apply them to any of your ISACA certifications like CISM, CISA, CRISC, etc, as shown in the figure below.

Exam Target Audience
The exam target audience for this certificate is candidates who understand core cloud concepts, including:
- Assessing and auditing cloud environments versus traditional IT infrastructure & services.
- Using cloud security assessment methods and techniques to evaluate a cloud service before and during the provision of the service.
- How existing governance policies and frameworks are affected by the introduction of cloud into the ecosystem.
- The unique requirements of compliance in the cloud due to shared responsibility between cloud providers and customers.
- How to use a cloud-specific security controls framework to ensure security within your organization.
- Measuring control effectiveness through metrics ultimately leads to continuous monitoring.
CCAK Exam Overview
How do you prepare for the CCAK exam?
While preparing to take this exam, I would like to share with you how to successfully prepare and pass the Certificate of Cloud Auditing Knowledge (CCAK) exam. To prepare for this exam, I usually use a couple of online resources and reading materials, which I will share with you in the next section.
How many questions are on the CCAK exam?
The number of questions you will see for this exam is 76 multiple-choice questions, and the total time for this exam is 120 minutes (2 hours); you might think you have enough time to finish it. However, this is not the case; the exam is long, and you must read the questions and answers multiple times to choose the BEST answer! So, you have around 1.5 minutes per question to answer it.
I finished the exam in 1h.45 min to review all the 76 questions quietly. The minimum passing score for the CCAK exam is 70%.
The current exam fee is $395 for ISACA members and $495 for non-members. Once ISACA processes your payment, you’ll receive an email with further instructions. Next, once you are ready, you can schedule your exam within one year (365 days from the date of purchase to take the exam).
You can choose the testing facility in your local area and a convenient time for your schedule. You can also take the exam at Home/Office under the online supervision of a live proctor.
If you decide to take the exam at home, you must install the PSI Secure Browser by PSI Exams and close all applications running in the background. Online supervision is very strict; you must give yourself around 20 minutes to complete the check-in before starting the exam, and they might check your room multiple times.
Skills measured on this exam
This exam measures your ability to know and understand the nine domains listed below based on the latest Cloud Security Alliance (CSA) and ISACA updates.
Below is the information on how I received the examination questions across these domains, but of course, this may vary slightly case by case. The questions do pretty much match the list of domains and skills measured below with their weights:
DOMAIN 1: Cloud Governance (18%)
This domain covers an overview of corporate governance and then lays out how cloud governance generally fits into it. It also will look at governance frameworks in general and the necessity of cloud security governance frameworks in particular. Risk consideration will make clear the need for trust, transparency, and assurance when organizations engage in the services of cloud service providers.
- Cloud Governance Overview
- Cloud Trust Transparency and Assurance
- Cloud Governance Framework
- Cloud Governance Requirements
- Cloud Risk Management
- Cloud Compliance
- Cloud Governance Tools: Cloud Policy Enforcement
- Cloud Governance Tools: Cloud Contracts
- Cloud Governance Tools: Security Assessments
Domain 1 aims to describe cloud governance concepts, explain cloud trust, transparency, and assurance, identify cloud governance frameworks and requirements, discuss cloud risk management and compliance considerations, and distinguish between cloud governance tools and their use.
DOMAIN 2: Cloud Compliance Program (21%)
This domain covers specific aspects of cloud compliance programs, mainly from the perspective of cloud service customers. It also covers the cloud service provider perspective to clarify what the customer should expect regarding compliance support and inheritance from a provider.
- Fundamental Criteria for Cloud Compliance Programs
- How to Design a Cloud Compliance Program
- How to Build a Cloud Compliance Program
- Legal and Regulatory Requirements, Standards, and Security Frameworks
- Defining Controls
- Identifying Technical and Process Controls
- Measuring Effectiveness Through Metrics
- Cloud Security Certification, Attestation, and Validation
Domain 2 aims to explain the fundamental criteria for cloud compliance programs. Build and design a cloud compliance program. Describe legal and regulatory requirements standards, as well as security frameworks. Define controls and identify technical and process controls. Recall certifications, attestation, and validations.
DOMAIN 3: CCM and CAIQ Goals, Objectives, & Structure (12%)
This domain examines Cloud Security Alliance’s Cloud Controls Matrix (CCM) and Consensus Assessment Initiative Questionnaire (CAIQ). It explores how the CCM and CAIQ are structured and how to use them as tools to benefit an organization’s cloud governance and compliance programs.
- What is the Cloud Controls Matrix (CCM)?
- Cloud Controls Matrix (CCM) Domains
- The Consensus Assessment Initiative Questionnaire (CAIQ)
- CCM & CAIQ Structure
- CCM Relationship With Other Frameworks: The Mapping & Gap Analysis
- The Transition from CCM V3.0.1 to CCM V4
Domain 3 aims to learn and describe the CCM and CCM domains. Explain the Consensus Assessment Initiative Questionnaire (CAIQ). Outline the CCM—CAIQ structure. Recall the CCM relationship with other frameworks: the mapping and gap analysis. And compare transition changes from CCM V3.0.1 to CCM V4.
DOMAIN 4: A Threat Analysis Methodology for Cloud Using CCM (5%)
This domain focuses on post-incident analysis developed by Cloud Security Alliance (CSA). It intends to educate external auditors, cloud customers, internal auditors, risk managers, or other functions on assembling, identifying, and classifying an incident’s essential components. This methodology shows how to perform post-incident analysis, which will allow an organization to improve its cloud governance and compliance by uncovering needed changes to policies, processes, and controls.
- Threat Analysis Essentials
- Top Threat Analysis Methodology
- Threat Analysis Use Case
Domain 4 aims to describe threat analysis essentials. Use the Top Threat Analysis Methodology to analyze attack details. Document attack impacts based on the Top Threat Analysis Methodology. Apply Threat Analysis Methodology for the cloud using CCM. Evaluate an incident using the Top Threats Analysis Methodology.
DOMAIN 5: Evaluating a Cloud Compliance Program (9%)
This domain examines some of the complexities of evaluating a cloud compliance program. It considers the ongoing process of maintaining compliance with a changing landscape of laws, regulations, and standards and how new services impact compliance.
- Compliance Program Evaluation Approach
- The Governance Perspective
- Legal, Regulatory, and Standards Perspectives
- Risk Perspective
- Dealing with Service Changes
- Evaluate the Need for Continuous Assurance and Continuous Compliance
Domain 5 aims to describe the compliance program evaluation approach. Recall the governance perspective. Outline the perspective of legal, regulations, and standards. Define service changes. Explain the need for continuous assurance and continuous compliance.
DOMAIN 6: Cloud Auditing (15%)
This domain examines many aspects of assessing cloud environments and services. Topics include types of assessments, auditing against standards, on-premises versus cloud, and auditing of various cloud service models. It also focuses on understanding the context of auditing the cloud and planning, executing, and reporting for environments that include the cloud.
- Audit Characteristics, Criteria, and Principles
- Auditing Standards for Cloud Computing
- Auditing an On-Premises Environment vs. Cloud
- Differences in Assessing Cloud Services
- Understanding the Audit Context
- Audit Building and Planning
- Audit Execution
Domain 6 aims to outline audit characteristics, criteria, and principles. It describes auditing standards for cloud computing, defines auditing an on-premise environment versus the cloud, recalls differences in cloud services and cloud delivery models, and explains audit building, planning, and execution.
DOMAIN 7: CCM Auditing Controls (8%)
This domain examines how to utilize the Cloud Controls Matrix (CCM) to audit cloud environments. It also considers scoping and risk evaluation.
- Cloud Controls Matrix (CCM) Audit Scoping
- Cloud Controls Matrix (CCM) Risk Evaluation Guide
- Cloud Controls Matrix (CCM) Audit Workbook
- Applying the Cloud Controls Matrix (CCM) Auditing Guide
Domain 7 aims to describe CCM auditing guidelines. Define the CCM audit scoping guide. Explain the approach used in the CCM risk evaluation guide. Apply the CCM audit workbook and apply the CCM auditing guide.
DOMAIN 8: Continuous Assurance & Compliance (7%)
This domain briefly introduces DevOps and DevSecOps concepts and considers how they affect audit needs. A big part of this is looking at continuous integration/continuous deployment (CI/CD) use, considering automation, and gauging the maturity of an organization’s cloud environment.
- Concept of DevOps & DevSecOps
- Auditing Deployment and CI/CD Pipelines
- DevSecOps, Automation, and Maturity
Domain 8 aims to describe continuous assurance and compliance. Define DevOps and DevSecOps. Apply DevOps and DevSecOps to security. Outline auditing deployment CI/CD pipelines. Describe DevSecOps automation and maturity.
DOMAIN 9: Security, Trust, Assurance, and Risk (STAR) Program (5%)
This domain explains all aspects of the Cloud Security Alliance’s Security, Trust, Assurance, and Risk (STAR) program. It also looks deeper at the Open Certification Framework and the STAR Registry. Lastly, it looks at each STAR level and its purpose.
- The STAR Program Components
- STAR Level 1
- STAR Level 2
- STAR Level 3
Domain 9 aims to outline the components of the STAR program, explain its security and privacy implications, describe the Open Certification Framework, detail Cloud Security Alliance (CSA) STAR attestation and certification, and explain STAR continuous.
CCAK Exam Preparation
You have two options to prepare for the CCAK exam, either through self-study or enrolling in training. If you are interested in taking the Certificate of Cloud Auditing Knowledge (CCAK) exam, we recommend diving into the following resources, which will serve as a useful reference for understanding these aspects of auditing cloud computing systems and will be a valuable resource to prepare for taking the CCAK exam:
CCAK Study Guide
The CCAK book was developed in partnership between the Cloud Security Alliance and ISACA. The Certificate of Cloud Auditing Knowledge (CCAK) credential and training program is the first credential that industry professionals can obtain to demonstrate their expertise in understanding the essential principles of auditing cloud computing systems.
CCAK is intended to create a common understanding of cloud audits. Auditing an organization using cloud computing requires a very different approach to satisfying control objectives. A cloud tenant will not have the same administrative access as a legacy IT system and will employ a wide range of security controls beyond traditional IT audit practices.

The official study guide is 410 pages long. You can access the CCAK study guide directly by visiting the ISACA store.
I highly recommend reading the official study guide at least twice because the questions you’ll see in the real exam are based on the official study guide.
CCAK Training
The CCAK online review course was developed by the Cloud Security Alliance, a global leader in cloud security best practices, in partnership with ISACA, an international professional association focused on IT audit, security, cybersecurity, privacy, risk, and governance. This self-paced course includes interactive graphics and knowledge-based questions, and it allows you to:
- Follow a recommended structure for exam preparation.
- Revisit specific areas for further study.
- Start and stop the course as needed, picking up exactly where they left off.
- Use flashcards, memory games, and crosswords to test your understanding of the topics.
You can access the CCAK Online Course directly by visiting the ISACA store.
Note: If you registered for the CCAK Online Course, you will earn 12 Continuing Professional Education (CPEs) for free with no requirements to pass the CCAK exam, so you can redeem them toward any of your ISACA certifications like CISM, CISA, CRISC, etc.
If you prefer to enroll in a training program, you can also attend a virtual instructor-led training or in-person class format.

CCAK Practice Test
The CCAK Questions and Answers Collection can help you prepare for the exam by providing access to a database of over 200 sample questions. With a 12-month subscription to the ISACA Perform Platform, you can review the questions and answers by domain, allowing for focused study in specific areas. Each question-and-answer set includes a brief explanation for each answer choice, enabling you to understand the reasoning behind each correct and incorrect answer fully.

You can access the CCAK Questions and Answers Collection directly by visiting the ISACA store.
Must Read Artifacts
Here are a few of our most widely downloaded and foundational research artifacts I’d encourage you to get familiar with:
- Security Guidance v4.0 – Critical Areas of Focus in Cloud Computing
- Cloud Controls Matrix (CCM) v4 and Consensus Assessment Initiative Questionnaire (CAIQ) v4
- Enterprise Architecture to CCM Shared Responsibility Delivery Model
- Top Threats to Cloud Computing – Egregious 11 Deep Dive
- Software-Defined Perimeter Architecture Guide v2
- IoT Security Controls Framework v2
In Conclusion
The Cloud Auditing Knowledge (CCAK) certification was developed by ISACA and the Cloud Security Alliance® (CSA). The Certificate of Cloud Auditing Knowledge is the first-ever technical, vendor-neutral credential for cloud auditing. It prepares IT and security professionals to address the unique challenges of auditing the cloud, ensuring the right controls for confidentiality, integrity, and availability, and mitigating risks and costs of audit management and non-compliance.
__
Thank you for reading our blog.
Please let us know in the comments section below if you have any questions or feedback.
-Charbel Nemnom-