ISC2 CCSP — Certified Cloud Security Professional · Domain 6 · 13% of exam

Legal, Risk and Compliance

Drill 16 practice questions focused entirely on Legal, Risk and Compliance for the ISC2 CCSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer16 questions
Question 1 of 16

A financial services company is preparing for its annual ISO 27001 certification audit of its cloud-hosted trading platform. The compliance manager wants an internal review conducted first to identify areas where current controls fall short of the standard's requirements before the external certification body arrives, so that remediation can occur in advance. Which audit activity best fits this objective?

Reviewed for accuracy · Report an issue
Question 2 of 16

A financial services firm is negotiating a contract with a large public IaaS provider. The firm's internal audit team insists on including a traditional 'right-to-audit' clause that would allow their auditors physical, on-site access to the provider's data centers to inspect controls whenever needed. The provider refuses this specific demand, citing the multitenant nature of its facilities. As the cloud security advisor, what should you recommend as the most practical way for the firm to obtain the required assurance over the provider's control environment?

Reviewed for accuracy · Report an issue
Question 3 of 16

A financial services firm is being audited against its own controls, many of which now depend on a SaaS provider that hosts customer transaction data. The firm's auditor requests to physically inspect the provider's data centers and run vulnerability scans against the provider's shared infrastructure. The provider refuses both requests, citing multitenancy and its own security policies. What is the MOST appropriate way for the firm to satisfy the auditor's need for assurance over the outsourced controls?

Reviewed for accuracy · Report an issue
Question 4 of 16

A financial services firm is negotiating a contract with a SaaS provider for a core analytics platform. During legal review, the risk officer wants to ensure the firm can retrieve all its data in a usable, non-proprietary format and migrate to another provider if the relationship ends. Which contractual provision most directly addresses this concern?

Reviewed for accuracy · Report an issue
Question 5 of 16

A U.S. company using a SaaS collaboration platform receives a litigation hold notice requiring it to preserve all relevant emails, chat messages, and shared documents. The legal team is concerned because the data is stored and processed entirely by the cloud provider across multiple regions, and the provider's standard retention policy auto-deletes chat logs after 90 days. What is the MOST important action the company must take to meet its eDiscovery preservation obligations?

Reviewed for accuracy · Report an issue
Question 6 of 16

A financial services firm is completing a vendor risk assessment on a SaaS provider that will process regulated customer data. During the review, the security team discovers the SaaS provider relies on a separate third-party analytics company to enrich data, and that analytics company in turn uses an offshore IaaS provider for compute. The firm's regulator holds it accountable for the full processing chain. Which action best addresses the enterprise risk this arrangement creates?

Reviewed for accuracy · Report an issue
Question 7 of 16

A financial services firm relies on a SaaS trading-analytics platform. During a 14-hour provider outage, the firm lost an estimated $2.3 million in trading opportunities. When the firm reviewed the signed contract to recover damages, it found the SLA guaranteed 99.9% monthly availability with a remedy of 'service credits equal to 10% of the monthly fee for each hour of downtime beyond the commitment.' The firm's risk committee is frustrated that recovery is limited to a few thousand dollars in credits. From an enterprise risk management perspective, what is the MOST important lesson for the firm's future cloud vendor negotiations?

Reviewed for accuracy · Report an issue
Question 8 of 16

A financial services company migrates a customer-facing application to a public IaaS provider. After implementing all agreed technical and contractual controls, the risk assessment shows a small amount of remaining risk related to a rare provider outage scenario. The cost of further mitigation would exceed the projected loss, and the residual risk falls within the board-approved risk appetite. According to enterprise risk management principles, what is the appropriate next step for handling this remaining risk?

Reviewed for accuracy · Report an issue
Question 9 of 16

A US-headquartered company is subject to a US court order requiring production of documents stored by its cloud provider in a data center located in France. Company counsel notes that French blocking statutes and EU data protection law restrict the transfer of the requested personal data outside the EU. What is the MOST appropriate first step for the organization to take when responding to the eDiscovery request?

Reviewed for accuracy · Report an issue
Question 10 of 16

A European retailer engages a cloud-based marketing analytics SaaS to run campaigns. The retailer decides which customer datasets to upload, the campaign objectives, and the retention periods. The SaaS provider stores and processes the data strictly according to the retailer's documented instructions and does not use the data for its own purposes. Under GDPR, how should the parties' roles be classified, and what is the primary compliance consequence?

Reviewed for accuracy · Report an issue
Question 11 of 16

A European healthcare company processes patient PII in a SaaS platform hosted in the EU. The vendor announces that it will begin replicating backup data to a data center in a country that the European Commission has NOT recognized as providing adequate data protection. The company's DPO must ensure the transfer remains lawful under GDPR. Which action is the MOST appropriate to enable this cross-border transfer to proceed?

Reviewed for accuracy · Report an issue
Question 12 of 16

A European retailer (the data controller) uses a SaaS marketing platform (the data processor) to store customer contact details subject to GDPR. The processor detects unauthorized access to a database containing this personal data. Under GDPR, what is the processor's primary legal obligation regarding this incident?

Reviewed for accuracy · Report an issue
Question 13 of 16

A data subject in the EU submits a valid GDPR Article 17 (right to erasure) request to an online retailer that operates entirely on a public cloud SaaS platform. The privacy officer confirms the request is legitimate and that no legal exemption to retain the data applies. When the DPO instructs the operations team to comply, the team reports that the customer's personal data also exists in encrypted incremental backups that are retained on a 90-day rolling cycle and cannot be selectively edited without corrupting the backup chain. What is the MOST appropriate way to handle the erasure obligation with respect to these backups?

Reviewed for accuracy · Report an issue
Question 14 of 16

A financial services company is negotiating with a cloud IaaS provider and wants third-party assurance that the provider has implemented cloud-specific security controls beyond the generic information security controls found in ISO/IEC 27002. The procurement team asks the security architect which certification or standard specifically extends the baseline controls with cloud-oriented implementation guidance and additional controls for both providers and customers. Which standard best meets this requirement?

Reviewed for accuracy · Report an issue
Question 15 of 16

A healthcare analytics company is evaluating a SaaS provider that will process regulated patient PII on the company's behalf. The compliance officer wants independent, standards-based assurance that the provider has implemented specific controls for protecting personally identifiable information as a processor in the public cloud — including restrictions on using PII for the provider's own marketing and commitments to notify the customer of any government data disclosure requests. Which assurance artifact BEST demonstrates that these specific PII-processing controls are in place?

Reviewed for accuracy · Report an issue
Question 16 of 16

A financial services company is onboarding a SaaS payroll provider and needs assurance that the provider's controls over data confidentiality and processing integrity are not only suitably designed but have also operated effectively over the past year. The vendor offers to share several attestation reports. The company will use the report internally to satisfy its own auditors and risk committee, and does not intend to distribute it publicly. Which report best meets these requirements?

Reviewed for accuracy · Report an issue

More CCSP practice

Keep going with the other ISC2 CCSP — Certified Cloud Security Professional domains, or take a full timed mock exam.

← Back to CCSP overview