CCAK

Explanation:
ISO/IEC 27017:2015 is a standard that provides guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, as well as additional controls with implementation guidance that specifically relate to cloud services1. ISO/IEC 27017:2015 is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 270011. ISO/IEC 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
ISO/IEC 27002 is a standard that provides a code of practice for information security controls, but it does not provide specific guidance for cloud services. NIST SP 800-146 is a publication that provides an overview of cloud computing, its characteristics, service models, deployment models, and security considerations, but it does not provide a standard for selecting controls for cloud services. CSA CCM is a framework that provides detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains, but it is not a standard that is based on ISO/IEC 27001.
Reference: ISO/IEC 27017:2015
[ISO/IEC 27001:2013]
[ISO/IEC 27002:2013]
[NIST SP 800-146]
[CSA CCM]

Explanation:
According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the final decision to include a material finding in a cloud audit report should be made by the cloud auditor1. A material finding is a significant error or risk in the cloud service that could affect the achievement of the audit objectives or the cloud customer’s business outcomes. The cloud auditor is responsible for identifying, evaluating, and reporting the material findings based on the audit criteria, methodology, and evidence. The cloud auditor should also communicate the material findings to the auditee and other relevant stakeholders, and obtain their feedback and responses.
The other options are not correct.
Option A is incorrect, as the auditee’s senior management is not in charge of the audit report, but rather the subject of the audit. The auditee’s senior management should provide their perspective and action plans for the material findings, but they cannot decide whether to include or exclude them from the report.
Option B is incorrect, as the organization’s CEO is not involved in the audit process, but rather the ultimate recipient of the audit report. The organization’s CEO should review and act upon the audit report, but they cannot influence the content of the report.
Option D is incorrect, as the organization’s CISO is not an independent party, but rather a stakeholder of the audit. The organization’s CISO should support and collaborate with the cloud auditor, but they cannot make the final decision on the material findings.
Reference: ISACA Cloud Auditing Knowledge Certificate Study Guide, page 19-20.

Explanation:
According to the CCAK Study Guide, the business continuity management and operational resilience strategy of the cloud customer should be formulated jointly with the cloud service provider, as they share the responsibility for ensuring the availability and recoverability of the cloud services. The strategy should cover all aspects of business continuity and resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption. These activities include prevention, mitigation, response, recovery, restoration, and improvement. The strategy should also define the roles and responsibilities of both parties, the communication channels and escalation procedures, the testing and exercising plans, and the review and update mechanisms1
The other options are not correct because:
Option B is not correct because the strategy should not only be developed within the acceptable limits of the risk appetite, but also aligned with the business objectives and stakeholder expectations of both parties. The risk appetite is only one of the factors that influence the strategy formulation1 Option C is not correct because the strategy should not only cover the activities required to continue and recover prioritized activities within identified time frames and agreed capacity, but also consider the activities for before and after a disruption, such as prevention, mitigation, improvement, etc. The strategy should also include other elements such as roles and responsibilities, communication channels, testing plans, etc1
Reference: 1: ISACA, Cloud Security Alliance. Certificate of Cloud Auditing Knowledge (CCAK) Study Guide. 2021. pp. 83-84.

Explanation:
A corrective control is a measure taken to correct or reduce the impact of an error, deviation, or unwanted activity1. Corrective control can be either manual or automated, depending on the type of control used. Corrective control can involve procedures, manuals, systems, patches, quarantines, terminations, reboots, or default dates1. A Business Continuity Plan (BCP) is an example of a corrective control.
Unsuccessful access attempts being automatically logged for investigation is an example of a corrective control because it is a response to a potential security incident that aims to identify and resolve the cause and prevent future occurrences2. Logging and investigating failed login attempts can help detect unauthorized or malicious attempts to access sensitive data or systems and take appropriate actions to mitigate the risk.
The other options are examples of preventive controls, which are designed to prevent problems from occurring in the first place3. Preventive controls can include:
A central antivirus system installing the latest signature files before allowing a connection to the network: This is a preventive control because it prevents malware infection by blocking potentially harmful connections and updating the antivirus software regularly4.
All new employees having standard access rights until their manager approves privileged rights: This is a preventive control because it prevents unauthorized access by enforcing the principle of least privilege and requiring approval for granting higher-level permissions5.
Privileged access to critical information systems requiring a second factor of authentication using a soft token: This is a preventive control because it prevents credential theft or compromise by adding an extra layer of security to verify the identity of the user.
Reference: What is a corrective control? - Answers1, section on Corrective control
Detective controls - SaaS Lens - docs.aws.amazon.com2, section on Unsuccessful login attempts Internal control: how do preventive and detective controls work?3, section on Preventive Controls What Are Security Controls? - F54, section on Preventive Controls
The 3 Types of Internal Controls (With Examples) | Layer Blog5, section on Preventive Controls What are the 3 Types of Internal Controls? ― RiskOptics - Reciprocity, section on Preventive Controls

Explanation:
According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply1. The auditor should understand the nature and scope of the services provided by the service provider, the contractual obligations and service level agreements, the security and compliance requirements, and the monitoring and reporting mechanisms. The auditor should also assess the risks and controls associated with the service provider, and determine if additional audit procedures are needed to obtain sufficient assurance.
The other options are not the best approach for the auditor.
Option A is too strict and might not be feasible or necessary, depending on the type and level of services provided by the service provider.
Option C is too lax and might overlook significant risks and gaps in the cloud service.
Option D is too narrow and might ignore the impact of the service provider on the cloud customer’s business context.
Reference: ISACA Cloud Auditing Knowledge Certificate Study Guide, page 13-14.