Practice CCSP Legal, Risk, and Compliance questions with full explanations on every answer.
1. A multinational company operating in the EU uses a cloud service provider based in the US to process personal data of EU data subjects. The company is considered a data controller under the GDPR. Which of the following must the company ensure is in place to lawfully transfer personal data from the EU to the US?
2. A covered entity under HIPAA is planning to migrate electronic protected health information (ePHI) to a public cloud environment. Which of the following is a mandatory requirement before using the cloud service?
3. A financial institution subject to SOX is migrating its general ledger system to a SaaS provider. Which of the following IT general controls is most critical to ensure the integrity of financial data in the cloud?
4. A cloud customer receives a litigation hold notice requiring preservation of data stored in an object storage service. Which service feature should the customer use to ensure data cannot be modified or deleted until the hold is released?
5. A company is negotiating a cloud service agreement and wants to ensure it can verify the provider's security controls independently. Which contractual clause is essential for this purpose?
6. A cloud customer needs to comply with PCI DSS for a cardholder data environment (CDE) hosted on an IaaS platform. According to PCI DSS Appendix A3, which document is critical to define the security responsibilities between the customer and the cloud provider?
7. A cloud provider's data center is located in Country A, but the customer's data is subject to litigation in Country B. The court in Country B orders the cloud provider to produce data. The cloud provider refuses, citing Country A's laws that prohibit disclosure. This situation best illustrates which challenge in eDiscovery?
8. When assessing cloud risk, an organization identifies that if a single cloud provider fails, the organization cannot operate. This risk is known as:
9. A company using a SaaS application for HR management receives a data subject access request (DSAR) under GDPR from an employee. The cloud provider is the data processor. The company as data controller must respond within what timeframe?
10. A cloud customer is considering adopting a multi-cloud strategy to avoid vendor lock-in. Which risk is this strategy primarily intended to mitigate?
11. Under the CSA STAR program, which tier involves a third-party assessment resulting in a certification based on ISO 27001?
12. A cloud customer is terminating its contract with a cloud provider and needs to ensure all data, including backups, is permanently deleted. Which contractual clause is most relevant?
13. A cloud customer must comply with GDPR's right to erasure (right to be forgotten). Which TWO of the following are technical challenges the customer faces when the data is stored in a cloud object storage service with versioning and cross-region replication?
14. A cloud customer is selecting a cloud provider for hosting payment card data and must comply with PCI DSS. Which THREE of the following are valid considerations when assessing the provider's PCI DSS compliance?
15. A company subject to SOX is using a cloud ERP system. Which THREE of the following IT general controls are essential for SOX compliance?
16. A multinational company headquartered in the US processes personal data of EU data subjects using a cloud service provider hosted in Singapore. Under GDPR, which legal mechanism is most appropriate for lawful transfer of personal data from the EU to Singapore?
17. A covered entity under HIPAA is moving electronic protected health information (ePHI) to a public cloud. What is the primary requirement before the cloud provider hosts ePHI?
18. A company subject to PCI DSS is considering a cloud provider to process credit card transactions. What must the cloud provider present to demonstrate compliance with PCI DSS?
19. A company that must comply with SOX is migrating its financial systems to a cloud service. Which of the following IT general controls is most critical for SOX compliance in the cloud?
20. During an eDiscovery process, a company needs to preserve data stored in AWS S3 that may be relevant to a lawsuit. Which AWS feature should be used to implement a legal hold?
21. A cloud customer is negotiating a contract and wants to ensure they have the right to verify the cloud provider's security controls. Which contractual provision is most important?
22. Which CSA STAR tier involves a third-party assessment and results in a certification based on ISO 27001?
23. A company is using a single cloud provider for all critical services. What is the primary risk this company faces?
24. Under GDPR, a cloud data controller must notify the supervisory authority of a personal data breach within what timeframe?
25. A cloud customer wants to ensure that when the contract ends, the cloud provider deletes all customer data, including from backups. Which contractual clause is essential?
26. A cloud customer is concerned about the risk of unauthorized access to data due to the shared infrastructure of a public cloud. What type of risk does this represent?
27. A company needs to export data from a cloud service in a machine-readable format to comply with a data subject's right to data portability under GDPR. Which format is most appropriate?
28. A cloud customer is evaluating a provider's compliance with PCI DSS. Which two components are part of the PCI DSS shared responsibility model as referenced in Appendix A3? (Choose two.)
29. A global company uses a cloud provider that stores data in multiple jurisdictions. During an eDiscovery request from a US court, which three challenges are most likely to arise? (Choose three.)
30. A company is adopting a multi-cloud strategy to reduce concentration risk. Which two benefits are directly associated with this approach? (Choose two.)
31. A healthcare organization stores protected health information (PHI) in a cloud environment. Under HIPAA, what must the organization obtain from the cloud provider before processing PHI?
32. A multinational corporation collects personal data of EU residents and uses a cloud provider with data centers in the US and Asia. Under GDPR, which mechanism is appropriate for transferring data from the EU to the US data center, assuming no adequacy decision exists?
33. Under GDPR, what is the maximum time allowed for a data controller to notify the supervisory authority of a personal data breach?
34. A company is subject to PCI DSS and plans to use a cloud provider to process credit card transactions. The cloud provider has been assessed by a Qualified Security Assessor (QSA). According to PCI DSS, what must the company obtain from the provider to demonstrate compliance?
35. Under SOX, which of the following is an IT general control that must be implemented for financial data systems in a cloud environment?
36. A company is subject to a legal hold order and uses a cloud storage service with object replication across multiple regions. Which cloud feature should the company use to prevent deletion or modification of relevant data?
37. A cloud customer wants to ensure they can audit their cloud provider's security controls annually. Which contractual provision should be included in the cloud service agreement?
38. Which CSA STAR tier involves a third-party assessment against ISO 27001?
39. A company is evaluating the risk of using a single cloud provider for all critical workloads. Which risk is most directly associated with this scenario?
40. In a cloud environment, a data subject exercises their right to erasure under GDPR. The cloud provider has multiple replicas and backups. What is the primary technical challenge in fulfilling this request?
41. Under GDPR, what is the role of a cloud provider that processes personal data solely on behalf of a customer?
42. A company wants to export its data from a cloud provider to another provider upon contract termination. Which contract clause is essential to ensure the data can be exported in a usable format?
43. A company is negotiating a cloud contract and wants to ensure data ownership and deletion. Which TWO clauses should be included? (Select two.)
44. A global enterprise is conducting a cloud risk assessment. Which THREE factors should be considered? (Select three.)
45. According to GDPR, which THREE are data subject rights? (Select three.)
46. A multinational corporation with its headquarters in the United States processes personal data of European Union data subjects using a cloud-based customer relationship management (CRM) system hosted in the United States. According to the General Data Protection Regulation (GDPR), which of the following is the company's primary obligation regarding the protection of that data?
47. A healthcare provider is planning to migrate its electronic health records (EHR) system to a public cloud infrastructure. The system will store protected health information (PHI). Under HIPAA, what must the healthcare provider obtain from the cloud service provider before beginning the migration?
48. A financial institution is required to comply with the Sarbanes-Oxley Act (SOX) for its cloud-hosted financial applications. The cloud provider is responsible for the underlying infrastructure. Which of the following controls is most likely the responsibility of the financial institution as part of IT general controls (ITGC)?
49. A company is subject to PCI DSS because it processes credit card transactions. It plans to use a cloud provider that is not specifically listed as a PCI DSS validated service provider. What is the most important step the company must take to ensure compliance?
50. Under the General Data Protection Regulation (GDPR), if a cloud service provider (acting as a data processor) suffers a personal data breach, what is the provider's obligation regarding notification?
51. A cloud customer is preparing for litigation and needs to place a legal hold on specific data stored in an object storage service. The cloud provider offers features such as object lock and retention policies. What is the primary challenge the customer must address to ensure the legal hold is effective across all copies of the data?
52. A company is negotiating a cloud service agreement and wants to ensure it can periodically assess the security of the cloud provider's operations. Which contractual clause is most directly relevant to this requirement?
53. Which of the following is a key requirement for data portability under the General Data Protection Regulation (GDPR)?
54. A multinational corporation uses multiple cloud service providers for its critical applications. The board is concerned about concentration risk. Which strategy would best address this risk?
55. A cloud customer is subject to eDiscovery requirements in a lawsuit. The data resides in a cloud storage service that uses encryption. What is the primary challenge in collecting this data in a forensically sound manner?
56. Which of the following best describes the purpose of the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program?
57. A cloud customer is concerned about the right to erasure under GDPR because the cloud provider replicates data across multiple regions and keeps backups. What technical challenge does this create for complying with an erasure request?
58. A company is drafting a cloud service contract and wants to ensure it can exit the provider without losing access to its data. Which TWO clauses are most important to include?
59. A cloud customer is assessing the risk of using a cloud provider. Which THREE factors are most important in evaluating the inherent risk of migrating data and applications to the cloud?
60. In the context of eDiscovery, a legal hold must be placed on data stored in a cloud environment. Which THREE actions should the cloud customer take to ensure the legal hold is effective?
61. A financial services company is migrating its customer account management system to a public cloud provider. The company is subject to SOX compliance requirements for internal controls over financial reporting. Which TWO controls are essential for the cloud environment to meet SOX IT general control requirements? (Choose two.)
62. A healthcare organization is planning to use a cloud provider to host protected health information (PHI) subject to HIPAA. Which THREE requirements must be addressed before the organization can lawfully use the cloud for PHI? (Choose three.)
63. A multinational corporation is implementing a multi-cloud strategy to avoid concentration risk. The risk management team is evaluating the inherent risks of using multiple cloud providers. Which THREE risks are specifically associated with a multi-cloud strategy? (Choose three.)
64. A cloud customer is negotiating a contract with a new cloud provider. The customer wants to ensure they can maintain control over their data and verify the provider's security posture. Which TWO contractual provisions are most critical for these purposes? (Choose two.)
The Legal, Risk, and Compliance domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.
The Courseiva CCSP question bank contains 64 questions in the Legal, Risk, and Compliance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Legal, Risk, and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.