Module 1 Assessment
Overview
This assessment evaluates your understanding of the foundational concepts covered in Module 1: Cloud Security Foundations. It includes multiple-choice questions, scenario-based questions, and practical exercises to test your comprehension of ISO 27017 basics, cloud service models, shared responsibility, cloud security challenges, and the relationship between ISO standards.
Assessment Structure
- Part A: Multiple Choice Questions (40 questions)
- Part B: Scenario-Based Questions (10 scenarios)
- Part C: Practical Exercise (1 comprehensive exercise)
- Passing Score: 80% overall
- Time Limit: 120 minutes (recommended)
Part A: Multiple Choice Questions
Questions 1-10: Introduction to ISO 27017
1. What is the primary purpose of ISO 27017?
   - a) To certify cloud service providers
   - b) To provide cloud-specific information security controls guidance
   - c) To replace ISO 27001 for cloud environments
   - d) To regulate cloud computing services
2. ISO 27017 addresses which stakeholder groups?
   - a) Only cloud service providers
   - b) Only cloud service customers
   - c) Both cloud service providers and customers
   - d) Only regulatory authorities
3. Which statement about ISO 27017 certification is TRUE?
   - a) Organizations can get certified to ISO 27017 alone
   - b) ISO 27017 is not independently certifiable
   - c) Only cloud providers can be ISO 27017 certified
   - d) Certification is mandatory for cloud services
4. How many control domains are covered in ISO 27017?
   - a) 10
   - b) 11
   - c) 14
   - d) 20
5. What year was ISO 27017 published?
   - a) 2013
   - b) 2015
   - c) 2017
   - d) 2020
6. What is the relationship between ISO 27017 and ISO 27018?
   - a) ISO 27018 replaces ISO 27017
   - b) ISO 27017 focuses on general cloud security, 27018 on PII protection
   - c) They are the same standard
   - d) ISO 27017 is for SaaS only, 27018 for IaaS
7. Which is NOT a business benefit of implementing ISO 27017 for CSPs?
   - a) Demonstrates security commitment
   - b) Automatic regulatory compliance
   - c) Enhanced customer trust
   - d) Competitive differentiation
8. The shared responsibility model in cloud computing means:
   - a) All security is the provider's responsibility
   - b) All security is the customer's responsibility
   - c) Security responsibilities are divided between provider and customer
   - d) Only shared controls need to be implemented
9. Which cloud service model is covered by ISO 27017?
   - a) Only SaaS
   - b) Only IaaS and PaaS
   - c) IaaS, PaaS, and SaaS
   - d) Only hybrid cloud
10. What type of document is ISO 27017?
    - a) Legal requirement
    - b) Certifiable standard
    - c) Code of practice
    - d) Government regulation
Questions 11-20: Cloud Service Models
11. In IaaS, who is responsible for operating system security?
    - a) Cloud service provider
    - b) Cloud service customer
    - c) Shared equally
    - d) Neither - it's automatic
12. Which service model provides the MOST customer control?
    - a) SaaS
    - b) PaaS
    - c) IaaS
    - d) All provide equal control
13. In SaaS, the customer is primarily responsible for:
    - a) Application security
    - b) Infrastructure security
    - c) Data governance and access management
    - d) Operating system patching
14. Which is an example of PaaS?
    - a) Amazon EC2
    - b) Google App Engine
    - c) Microsoft 365
    - d) Physical servers
15. In which service model does the provider manage the operating system?
    - a) IaaS only
    - b) PaaS and SaaS
    - c) SaaS only
    - d) None - customer always manages OS
16. Which service model requires the MOST in-house technical expertise?
    - a) SaaS
    - b) PaaS
    - c) IaaS
    - d) All require the same expertise
17. Salesforce CRM is an example of:
    - a) IaaS
    - b) PaaS
    - c) SaaS
    - d) On-premises software
18. Who manages the hypervisor in IaaS?
    - a) Customer
    - b) Provider
    - c) Shared responsibility
    - d) Third-party vendor
19. Which responsibility is ALWAYS the customer's regardless of service model?
    - a) Physical security
    - b) Network infrastructure
    - c) Data classification and governance
    - d) Hypervisor security
20. In PaaS, the customer typically manages:
    - a) Operating system and application
    - b) Application only
    - c) Operating system only
    - d) Infrastructure only
Questions 21-30: Shared Responsibility Model
21. What does "security OF the cloud" mean?
    - a) Customer's responsibility
    - b) Provider's responsibility for cloud infrastructure
    - c) Shared responsibility
    - d) Third-party responsibility
22. What does "security IN the cloud" mean?
    - a) Provider's responsibility
    - b) Customer's responsibility for their data and applications
    - c) Automatic security
    - d) No one's responsibility
23. In IaaS, who is responsible for data encryption?
    - a) Always the provider
    - b) Always the customer
    - c) Customer implements, provider provides capability
    - d) Automatic - no action needed
24. Account and access management in SaaS is typically:
    - a) Fully provider responsibility
    - b) Fully customer responsibility
    - c) Shared responsibility
    - d) Not applicable to SaaS
25. A common responsibility gap occurs when:
    - a) Provider clearly documents all responsibilities
    - b) Customers assume provider handles all security
    - c) Both parties communicate effectively
    - d) SLAs are comprehensive
26. In incident response, who typically responds to infrastructure incidents?
    - a) Customer
    - b) Provider
    - c) Third-party
    - d) Regulatory authority
27. Which document should clearly define shared responsibilities?
    - a) Marketing materials
    - b) Service Level Agreement (SLA)
    - c) User manual
    - d) Press releases
28. What is a RACI matrix used for in cloud security?
    - a) Calculating costs
    - b) Defining responsibility assignments
    - c) Measuring performance
    - d) Encrypting data
29. Who is responsible for compliance with regulations like GDPR?
    - a) Always the provider
    - b) Always the customer (as data controller)
    - c) Depends on the regulation
    - d) Not applicable in cloud
30. Virtual network security in IaaS is:
    - a) Provider's full responsibility
    - b) Customer's full responsibility
    - c) Shared - provider provides capability, customer configures
    - d) Not necessary in cloud
Questions 31-40: Cloud Challenges and ISO Standards
31. What is the most common cause of cloud data breaches?
    - a) Sophisticated hacking
    - b) Misconfiguration
    - c) Natural disasters
    - d) Employee sabotage
32. Multi-tenancy risk refers to:
    - a) Having multiple cloud providers
    - b) Multiple customers sharing infrastructure
    - c) Multiple data centers
    - d) Multiple administrators
33. Which ISO standard provides the ISMS framework?
    - a) ISO 27000
    - b) ISO 27001
    - c) ISO 27002
    - d) ISO 27017
34. Which ISO standard provides general security control guidance?
    - a) ISO 27000
    - b) ISO 27001
    - c) ISO 27002
    - d) ISO 27017
35. How does ISO 27017 relate to ISO 27002?
    - a) It replaces ISO 27002
    - b) It extends ISO 27002 with cloud-specific guidance
    - c) They are unrelated
    - d) ISO 27002 extends ISO 27017
36. Cloud-specific controls in ISO 27017 are designated with which prefix?
    - a) CSP
    - b) CSC
    - c) CLD
    - d) SEC
37. What is vendor lock-in?
    - a) Security feature
    - b) Dependency on specific provider making switching difficult
    - c) Type of encryption
    - d) Access control mechanism
38. Which is NOT a typical cloud security challenge?
    - a) Data breaches
    - b) Loss of control
    - c) Lower costs
    - d) Compliance complexity
39. API security is important in cloud because:
    - a) APIs are not used in cloud
    - b) APIs are the primary interface to cloud services
    - c) APIs are automatically secure
    - d) APIs are only for developers
40. What does CASB stand for?
    - a) Cloud Access Security Broker
    - b) Customer Account Security Baseline
    - c) Certified Application Security Business
    - d) Central Authentication Service Branch
Part B: Scenario-Based Questions
Scenario 1: Healthcare Migration
Context: A healthcare provider is migrating patient records to AWS. They must comply with HIPAA regulations.
Question 1.1: Which service model would provide the best balance of control and management overhead for storing encrypted patient records?
- a) SaaS (use a healthcare-specific SaaS)
- b) PaaS (use managed database service)
- c) IaaS (full control over encryption)
- d) On-premises only (cloud is not HIPAA compliant)
Question 1.2: Who is responsible for ensuring patient data is encrypted at rest?
- a) AWS (as the cloud provider)
- b) The healthcare provider (as the customer)
- c) Automatically handled by HIPAA compliance
- d) Not necessary in the cloud
Question 1.3: What document must the healthcare provider have with AWS for HIPAA compliance?
- a) Service Level Agreement (SLA)
- b) Business Associate Agreement (BAA)
- c) Non-Disclosure Agreement (NDA)
- d) Memorandum of Understanding (MOU)
Scenario 2: E-commerce Platform
Context: An online retailer uses a PaaS solution for their e-commerce platform, including a managed database for customer and order data.
Question 2.1: Who is responsible for database engine patching?
- a) Retailer
- b) PaaS provider
- c) Shared equally
- d) Database vendor
Question 2.2: Who is responsible for securing the application code?
- a) Retailer
- b) PaaS provider
- c) Both equally
- d) Not applicable in PaaS
Question 2.3: If customer credit card data is stolen, who is primarily liable?
- a) Always the PaaS provider
- b) The retailer (as data controller)
- c) The database vendor
- d) No one - it's force majeure
Scenario 3: SaaS Adoption
Context: A financial services company adopts Salesforce for CRM. They handle sensitive customer financial information.
Question 3.1: Who manages the application infrastructure and security?
- a) The financial services company
- b) Salesforce
- c) Shared equally
- d) A third-party integrator
Question 3.2: What is the company's PRIMARY security responsibility?
- a) Patching the Salesforce application
- b) Managing user access and permissions
- c) Securing the data center
- d) Managing the database engine
Question 3.3: How should the company verify Salesforce's security controls?
- a) Physical data center inspection
- b) Review certifications (SOC 2, ISO 27001) and security documentation
- c) Penetration testing of Salesforce infrastructure
- d) Installing their own security software on Salesforce servers
Scenario 4: Multi-Cloud Strategy
Context: A company uses AWS for IaaS, Azure for PaaS, and multiple SaaS applications (Microsoft 365, Slack, DocuSign).
Question 4.1: What is the PRIMARY challenge with this multi-cloud approach?
- a) Cost savings
- b) Consistency in security policy enforcement
- c) Too much redundancy
- d) Lack of available services
Question 4.2: Which tool would help provide unified visibility and control?
- a) VPN
- b) Cloud Access Security Broker (CASB)
- c) Antivirus software
- d) Firewall
Question 4.3: How should the company approach ISO 27017 implementation?
- a) Separately for each provider
- b) Only for the primary provider
- c) Integrated approach covering all cloud services
- d) ISO 27017 doesn't apply to multi-cloud
Scenario 5: Data Breach Investigation
Context: A company using IaaS detects potential unauthorized access to customer data stored in their virtual machines.
Question 5.1: Who should lead the investigation?
- a) The cloud provider (IaaS)
- b) The customer's security team
- c) Law enforcement immediately
- d) No investigation needed
Question 5.2: What is the cloud provider's role?
- a) Full investigation and response
- b) Provide logs and support as needed
- c) No role - it's customer data
- d) Notify all affected parties
Question 5.3: Which ISO 27017 control is most relevant?
- a) A.16.1.1 - Responsibilities and procedures for incident management
- b) A.9.2.1 - User registration
- c) A.12.1.3 - Capacity management
- d) A.14.2.1 - Secure development policy
Scenario 6: Compliance Challenge
Context: A European company must comply with GDPR and wants to use a US-based cloud provider.
Question 6.1: What is the PRIMARY concern?
- a) Time zone differences
- b) Data transfer outside the EU/EEA
- c) Language barriers
- d) Currency conversion
Question 6.2: What mechanism can legitimize the data transfer?
- a) Standard Contractual Clauses (SCCs)
- b) Verbal agreement
- c) Email confirmation
- d) No mechanism needed
Question 6.3: Who is responsible for GDPR compliance?
- a) The US cloud provider
- b) The European company (as data controller)
- c) The EU
- d) Not applicable for cloud services
Scenario 7: Access Control
Context: A SaaS provider needs to implement access controls for their multi-tenant application.
Question 7.1: What is the PRIMARY ISO 27017 concern?
- a) User authentication only
- b) Tenant isolation and data segregation
- c) Password complexity
- d) Login page design
Question 7.2: Which control is most relevant?
- a) A.9.4.1 - Information access restriction (with cloud guidance)
- b) A.12.3.1 - Information backup
- c) A.18.1.1 - Applicable legislation
- d) A.14.1.1 - Information security requirements
Question 7.3: What should be implemented to prevent cross-tenant access?
- a) Strong passwords
- b) Multi-factor authentication
- c) Application-level tenant isolation with testing
- d) Antivirus software
Scenario 8: Vendor Evaluation
Context: A company is evaluating cloud providers for hosting a new application containing trade secrets.
Question 8.1: Which should be the HIGHEST priority in evaluation?
- a) Lowest cost
- b) Security certifications and controls
- c) Fastest deployment
- d) Largest company
Question 8.2: What certifications would be most relevant?
- a) ISO 9001 (Quality Management)
- b) ISO 27001, SOC 2 Type II
- c) ISO 14001 (Environmental)
- d) Any certification is sufficient
Question 8.3: What contractual element is critical?
- a) Payment terms
- b) Marketing rights
- c) Security responsibilities and SLA
- d) Company history
Scenario 9: Encryption Strategy
Context: A company using PaaS needs to determine their encryption strategy for sensitive customer data.
Question 9.1: Who can implement encryption in PaaS?
- a) Only the provider
- b) Only the customer
- c) Both - provider offers capabilities, customer configures
- d) Encryption is automatic
Question 9.2: For maximum control over encryption keys, what should the company use?
- a) Provider-managed keys
- b) Customer-managed keys (BYOK)
- c) No encryption
- d) Shared keys
Question 9.3: Which ISO 27017 control provides guidance?
- a) A.10.1.1 - Policy on use of cryptographic controls
- b) A.9.2.1 - User registration
- c) A.15.1.1 - Supplier policy
- d) A.12.1.3 - Capacity management
Scenario 10: Business Continuity
Context: A company's critical application runs on a single cloud provider's IaaS in one region.
Question 10.1: What is the PRIMARY risk?
- a) Too expensive
- b) Single point of failure - provider or region outage
- c) Too fast
- d) No risk - cloud is always available
Question 10.2: What should be implemented?
- a) Nothing - trust the provider
- b) Multi-region or multi-cloud disaster recovery
- c) More servers in same region
- d) Backups only
Question 10.3: Which ISO 27017 control addresses this?
- a) A.17.1.1 and A.17.2.1 - Business continuity planning
- b) A.9.1.1 - Access control policy
- c) A.14.2.1 - Secure development
- d) A.13.1.1 - Network controls
Part C: Practical Exercise
Exercise: Cloud Security Assessment and Planning
Scenario:
You are the Information Security Manager for TechCorp, a software development company with 500 employees. TechCorp is planning to migrate from on-premises infrastructure to the cloud. Currently, TechCorp has:
- Development environment: Used by 100 developers
- Production web applications: Serving 50,000 customers
- Customer database: PostgreSQL with 5TB of customer data
- File storage: 20TB of documents and code repositories
- Email and productivity: Currently on-premises Exchange
- HR system: Legacy on-premises application
Current Security Posture:
- No ISO 27001 certification
- Basic security controls in place
- No formal ISMS
- Compliance requirements: GDPR (operates in EU), SOC 2 (customer requirement)
Cloud Migration Plan:
- Move email and productivity to Microsoft 365 (SaaS)
- Move development environment to AWS EC2 (IaaS)
- Move production applications to AWS Elastic Beanstalk (PaaS)
- Move database to AWS RDS PostgreSQL (PaaS)
- Move file storage to AWS S3 (IaaS/PaaS hybrid)
- Evaluate SaaS HR solution (considering Workday)
Your Tasks:
Task 1: Service Model Analysis (20 points)
Create a table analyzing each planned cloud service:
| Service | Service Model | Provider Responsibilities | Customer Responsibilities | Key Security Concerns |
|---|---|---|---|---|
| Microsoft 365 | | | | |
| AWS EC2 (Dev) | | | | |
| AWS Elastic Beanstalk | | | | |
| AWS RDS | | | | |
| AWS S3 | | | | |
| Workday (if adopted) | | | | |
Task 2: ISO 27017 Control Mapping (25 points)
Identify the 10 most critical ISO 27017 controls for TechCorp's migration. For each:
- List the control number and title
- Explain why it's critical for TechCorp
- Describe how it should be implemented
- Identify whether it applies to CSP, CSC, or both
Format:
| # | Control | Criticality Reason | Implementation Approach | Applies To |
|---|---|---|---|---|
| 1 | | | | |
| ... | | | | |
Task 3: Shared Responsibility Matrix (20 points)
Create a detailed shared responsibility matrix for the production application environment (Elastic Beanstalk + RDS):
| Security Domain | AWS Responsibility | TechCorp Responsibility | Shared Activities |
|---|---|---|---|
| Infrastructure Security | | | |
| Network Security | | | |
| Platform Security | | | |
| Application Security | | | |
| Data Security | | | |
| Access Management | | | |
| Logging and Monitoring | | | |
| Incident Response | | | |
| Compliance | | | |
Task 4: Risk Assessment (20 points)
Identify and assess 5 major risks associated with the cloud migration:
| Risk | Likelihood (1-5) | Impact (1-5) | Risk Score | ISO 27017 Controls to Mitigate | Mitigation Strategy |
|---|---|---|---|---|---|
Task 5: Implementation Roadmap (15 points)
Create a 12-month implementation roadmap that includes:
- Month 1-3: Assessment and Planning
  - Specific activities:
- Month 4-6: Foundation and Quick Wins
  - Specific activities:
- Month 7-9: Core Implementation
  - Specific activities:
- Month 10-12: Validation and Certification
  - Specific activities:
Include:
- Key milestones
- Dependencies
- Resource requirements
- Success criteria
Assessment Answer Key
Part A: Multiple Choice - Answer Key
1. b) To provide cloud-specific information security controls guidance
2. c) Both cloud service providers and customers
3. b) ISO 27017 is not independently certifiable
4. c) 14
5. b) 2015
6. b) ISO 27017 focuses on general cloud security, 27018 on PII protection
7. b) Automatic regulatory compliance
8. c) Security responsibilities are divided between provider and customer
9. c) IaaS, PaaS, and SaaS
10. c) Code of practice
11. b) Cloud service customer
12. c) IaaS
13. c) Data governance and access management
14. b) Google App Engine
15. b) PaaS and SaaS
16. c) IaaS
17. c) SaaS
18. b) Provider
19. c) Data classification and governance
20. b) Application only
21. b) Provider's responsibility for cloud infrastructure
22. b) Customer's responsibility for their data and applications
23. c) Customer implements, provider provides capability
24. c) Shared responsibility
25. b) Customers assume provider handles all security
26. b) Provider
27. b) Service Level Agreement (SLA)
28. b) Defining responsibility assignments
29. b) Always the customer (as data controller)
30. c) Shared - provider provides capability, customer configures
31. b) Misconfiguration
32. b) Multiple customers sharing infrastructure
33. b) ISO 27001
34. c) ISO 27002
35. b) It extends ISO 27002 with cloud-specific guidance
36. c) CLD
37. b) Dependency on specific provider making switching difficult
38. c) Lower costs
39. b) APIs are the primary interface to cloud services
40. a) Cloud Access Security Broker
Part B: Scenario-Based - Answer Key
- Scenario 1: 1.1: b, 1.2: b, 1.3: b
- Scenario 2: 2.1: b, 2.2: a, 2.3: b
- Scenario 3: 3.1: b, 3.2: b, 3.3: b
- Scenario 4: 4.1: b, 4.2: b, 4.3: c
- Scenario 5: 5.1: b, 5.2: b, 5.3: a
- Scenario 6: 6.1: b, 6.2: a, 6.3: b
- Scenario 7: 7.1: b, 7.2: a, 7.3: c
- Scenario 8: 8.1: b, 8.2: b, 8.3: c
- Scenario 9: 9.1: c, 9.2: b, 9.3: a
- Scenario 10: 10.1: b, 10.2: b, 10.3: a
Part C: Grading Rubric
Task 1 (20 points):
- Correct service model identification (6 points)
- Complete responsibility breakdown (8 points)
- Relevant security concerns (6 points)
Task 2 (25 points):
- Relevance of selected controls (10 points)
- Quality of criticality reasoning (7 points)
- Implementation approach detail (8 points)
Task 3 (20 points):
- Accuracy of responsibility assignment (10 points)
- Completeness of domains covered (5 points)
- Clarity of shared activities (5 points)
Task 4 (20 points):
- Risk identification quality (8 points)
- Reasonable likelihood/impact assessment (6 points)
- Appropriate control mapping (6 points)
Task 5 (15 points):
- Logical phase progression (5 points)
- Specific, actionable activities (5 points)
- Realistic timeline and dependencies (5 points)
Congratulations!
You have completed Module 1: Cloud Security Foundations. Upon passing this assessment, you will:
- Understand the purpose and scope of ISO 27017
- Know the differences between IaaS, PaaS, and SaaS
- Comprehend the shared responsibility model
- Recognize major cloud security challenges
- Understand how ISO 27017 relates to ISO 27001 and 27002
Next Steps:
- Review any questions you missed
- Proceed to Module 2: Cloud Service Provider Controls
- Apply your knowledge to real-world scenarios
Minimum Passing Scores:
- Part A: 32/40 correct (80%)
- Part B: 24/30 correct (80%)
- Part C: 80/100 points (80%)
- Overall: 136/170 total points (80%)
This assessment is designed to validate your understanding of ISO 27017 foundations. Take your time, refer to lesson materials as needed, and apply critical thinking to scenario-based questions.