The Certificate of Cloud Auditing Knowledge (CCAK) has been launched by the Cloud Security Alliance (CSA) and ISACA. Importantly, it is a vendor-neutral technical credential for auditing cloud environments. Its neutrality makes it especially appealing as it offers potential candidates a route to auditing multi-cloud environments.
Daniele Catteddu, Chief Technology Officer, CSA, said: “The historic shift to cloud has created a new technology foundation for our global economy. Trusting this computing infrastructure is one of our most fundamental challenges. The introduction of the Certificate of Cloud Auditing Knowledge (CCAK) is an important milestone in delivering the necessary expertise to enable professionals to objectively evaluate critical cloud assurance issues.
“Cloud Security Alliance is proud of our collaboration with ISACA to create this high-quality credential which will be leveraged by individuals, businesses and regulatory bodies around the world to raise the baseline of security, governance and compliance in cloud computing.”
CCAK seeks to close a skills gap
Auditors often have a problem when it comes to cloud environments. Many of the controls that they would use to investigate on-premises systems don’t work. One reason for this is that administrators enjoy less access to a cloud environment’s underlying mechanics than they do to those of an on-premises one. Scale that to a multi-cloud environment, and the ability to deploy and monitor compliance becomes increasingly limited.
The CCAK seeks to make significant changes to that. It is providing more tools to help auditors get greater insight into cloud environments. It also helps them design and build compliance programmes that can be deployed across cloud and hybrid environments.
Among the topics it addresses are:
- Building and executing a cloud audit plan and applying auditing as an assurance tool
- The impact of cloud automation, native development, and integration models on auditing and compliance
- Key concepts and tools of cloud governance and risk management
- Designing and building a cloud compliance program
- Compliance requirements, control objectives and frameworks, certification, attestation, and authorizations
How do you take the Certificate of Cloud Auditing Knowledge?
The CCAK is a combination of a study guide, a self-paced online course and a two-day instructor-led virtual course. At the end of this, candidates take an exam consisting of 76 multiple-choice questions. The pass rate is set at 70% for those who take the exam.
Later this year, ISACA will release study games to help reinforce the course materials.
The costs of the various materials are:
- $59 for members/$70 for non-members for the Certificate of Cloud Auditing Knowledge Study Guide/Body of Knowledge.
- US$395 (CSA and ISACA members) and US$495 (non-members) for the CCAK exam.
Registration for the exam is on the ISACA website.
Enterprise Times: What does this mean?
Auditing is a key part of any enterprise compliance programme. The problem for many organisations is that cloud limits their access to the underlying technologies, and that impacts compliance. Those who have hybrid and multi-cloud environments often have a growing gap between processes, compliance, and implementation.
This move by ISACA is just part of its cloud certification model, but it is a key part. It builds on the Certificate of Cloud Security Knowledge (CCSK). It also complements the Certified Information Systems Auditor (CISA) and several other certifications.
Perhaps the most important thing of all is the vendor neutrality. Too many certificates at present are vendor-focused. That limits the impact of taking courses and pushes people into spending their free time chasing certifications. There is a related problem for employers. If you have a multi-vendor environment, do you want to add to your skills gap by having lots of single-vendor experts, or do you want your staff to be able to deal with your whole environment?