Practice CCSP Legal, Risk and Compliance questions with full explanations on every answer.
1. A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?
2. A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?
3. A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?
4. A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?
5. An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a denial-of-service attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?
6. A company is conducting a risk assessment for a new cloud service. They identify a vulnerability that could lead to a data breach. The likelihood is low, but the impact is high. According to common risk management frameworks, how should this risk be addressed?
7. A cloud customer wants to ensure that their data is not accessible to the cloud provider's employees. Which of the following controls would best address this requirement?
8. Which TWO of the following are required elements of a valid Business Continuity Plan (BCP) in the cloud?
9. Which THREE of the following are typical responsibilities of a cloud customer under the shared responsibility model?
10. Which TWO of the following are key components of an Information Security Management System (ISMS) as defined by ISO 27001?
11. Refer to the exhibit. A security engineer discovers that the S3 bucket policy allows anonymous read access from the entire corporate network (10.0.0.0/16). However, the company wants to restrict access only to the security team's subnet (10.0.1.0/24). What modification should be made to the policy?
12. Refer to the exhibit. A cloud administrator sees this error log from AWS CloudTrail. The user named in the log is a member of the 'Analysts' group. Which of the following is the most likely cause of the AccessDenied error?
13. A healthcare organization is migrating its electronic health record (EHR) system to a public cloud. The system stores sensitive patient data subject to HIPAA. The cloud architect has designed a multi-tier architecture with load balancers, web servers, application servers, and a PostgreSQL database. The database contains ePHI. To meet compliance, the architect plans to encrypt the database at rest using AWS RDS encryption with KMS. However, during a security review, the compliance officer notes that the database backups are stored in an S3 bucket that is not encrypted. Additionally, the application logs, which may contain patient data, are sent to CloudWatch Logs without encryption. The compliance officer insists that all data stores containing ePHI must be encrypted at rest. Which action should the architect take to ensure compliance?
14. A multinational corporation is migrating its customer data to a cloud provider that operates data centers in multiple jurisdictions. To comply with the General Data Protection Regulation (GDPR), the company must ensure that customer data remains within the European Economic Area (EEA) unless adequate safeguards are in place. The cloud provider offers data residency options but does not guarantee that data will never be accessed from outside the EEA. What is the BEST course of action for the company?
15. A cloud service provider (CSP) is designing a multi-tenant infrastructure and needs to ensure that a security incident in one tenant's environment does not compromise the confidentiality or integrity of other tenants. The CSP plans to use a combination of network segmentation, hypervisor isolation, and encryption. Which additional control is MOST critical to prevent side-channel attacks that could leak cryptographic keys or other sensitive data across tenants?
16. A cloud architect is designing a disaster recovery (DR) plan for a financial services application hosted on a public cloud. The plan must meet a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. The application uses a relational database and stores files in object storage. Which TWO strategies should the architect recommend to meet these objectives?
17. A large healthcare organization uses a hybrid cloud environment with on-premises systems and Microsoft Azure. They store protected health information (PHI) in Azure Blob Storage and use Azure SQL Database for transactional data. The organization must comply with HIPAA and has implemented encryption at rest using Azure Storage Service Encryption and Transparent Data Encryption (TDE) for SQL. During a recent audit, the security team discovered that the organization does not have a formal process to identify and respond to security incidents that involve PHI. Additionally, the organization's backup strategy stores encrypted backups in a separate Azure region, but the backup encryption keys are managed by Azure and are not customer-controlled. The compliance officer is concerned about the ability to demonstrate HIPAA compliance in the event of an audit. Which of the following actions should the organization take FIRST to address the most critical gap?
18. A company is moving its customer database to a public cloud provider. The database contains personally identifiable information (PII) of European Union citizens. Which legal framework imposes requirements on the cloud customer regarding data protection and privacy in this scenario?
19. A cloud service provider (CSP) is undergoing a SOC 2 Type II audit. The auditor reviews the CSP's access control policies and identifies that user access reviews are performed quarterly. However, the auditor notes that there is no automated termination of access for terminated employees. Which TWO of the following control objectives are likely to be non-compliant based on this finding?
20. Refer to the exhibit. An administrator applies the S3 bucket policy shown to a bucket named 'data-bucket' that contains sensitive logs. The policy is intended to allow uploads only over HTTPS. After applying it, the administrator finds that uploads using the AWS CLI without HTTPS still succeed. What is the most likely reason?
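Questions 11 and 20 both turn on how AWS evaluates a bucket policy together with the caller's identity policy: an Allow statement with a condition never blocks anything, only an explicit Deny does, and a source-IP condition admits every address in the CIDR it names. The following is an added example, not code from the page or from AWS. It models just that subset of the evaluation logic (explicit deny wins, otherwise any matching Allow grants, otherwise implicit deny; only the Bool and IpAddress/NotIpAddress operators on aws:SecureTransport and aws:SourceIp are implemented, and Principal is not evaluated, so same-account callers are assumed). The bucket name, policies, object keys and addresses are constructed for the example.

```python
"""Toy model of the AWS policy-evaluation logic behind questions 11 and 20.

Rules modelled: an explicit Deny in any applicable policy wins; otherwise the request
is allowed if any applicable policy (identity policy or bucket policy) contains a
matching Allow; otherwise it is implicitly denied. Principal is not evaluated.
"""
import ipaddress
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::data-bucket"   # constructed bucket ARN


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """True when every condition key in the statement matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in _as_list(expected))
                if in_range != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against all applicable policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"           # explicit deny overrides every Allow
                allowed = True
    return "Allow" if allowed else "Deny"   # no matching Allow -> implicit deny


# Constructed: the developer's IAM identity policy already grants uploads.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": f"{BUCKET}/*"}]}

# Constructed weak policy (question 20): an Allow that matches only HTTPS requests
# adds nothing for HTTP requests and denies nothing, so the identity policy still
# lets plaintext uploads through.
WEAK_TLS_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
     "Resource": f"{BUCKET}/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}

# Corrected policy: explicit Deny of every S3 action when aws:SecureTransport is
# false (the pattern the AWS Config rule s3-bucket-ssl-requests-only checks for).
FIXED_TLS_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def read_policy_for(cidr):
    """Anonymous read limited by source address (question 11): the fix is changing
    the CIDR from 10.0.0.0/16 (whole corporate network) to 10.0.1.0/24."""
    return {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": f"{BUCKET}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": cidr}}}]}


def upload_result(bucket_policy, https):
    """Authenticated developer upload: identity policy and bucket policy both apply."""
    ctx = {"aws:SecureTransport": "true" if https else "false",
           "aws:SourceIp": "10.0.1.25"}
    return evaluate([IDENTITY_POLICY, bucket_policy], "s3:PutObject",
                    f"{BUCKET}/app.log", ctx)


def anonymous_read_result(bucket_policy, source_ip):
    """Unauthenticated read: only the bucket policy applies."""
    ctx = {"aws:SecureTransport": "true", "aws:SourceIp": source_ip}
    return evaluate([bucket_policy], "s3:GetObject", f"{BUCKET}/report.csv", ctx)


if __name__ == "__main__":
    print("HTTP upload, weak policy  :", upload_result(WEAK_TLS_POLICY, https=False))   # Allow
    print("HTTP upload, fixed policy :", upload_result(FIXED_TLS_POLICY, https=False))  # Deny
    print("HTTPS upload, fixed policy:", upload_result(FIXED_TLS_POLICY, https=True))   # Allow
    for cidr in ("10.0.0.0/16", "10.0.1.0/24"):
        pol = read_policy_for(cidr)
        print(cidr, "10.0.1.25 ->", anonymous_read_result(pol, "10.0.1.25"),
              "| 10.0.2.7 ->", anonymous_read_result(pol, "10.0.2.7"))
```

The model omits most of the real evaluation (Principal matching, cross-account rules, session policies, S3 Block Public Access), so treat it as an illustration of the deny-overrides rule, not as a policy linter. The practical check for question 20 is that the bucket policy contains a Deny with aws:SecureTransport set to false covering both the bucket ARN and the object ARNs, which is what an explicit-deny-based TLS requirement needs.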
21. Drag and drop the steps for setting up a cloud access security broker (CASB) in a SaaS environment into the correct order.
22. Drag and drop the steps for setting up a virtual private cloud (VPC) with public and private subnets in AWS into the correct order.
23. Match each IAM term to its definition.
24. Match each cloud security tool to its primary purpose.
25. A healthcare organization is migrating patient data to a public cloud. Which legal framework most directly governs the protection of this data?
26. During a cloud migration, a company discovers that data stored in a specific region must remain there per contract. The cloud provider offers data replication across regions. What is the best practice to ensure compliance?
27. A cloud service provider (CSP) includes a limitation of liability clause capped at the total fees paid in the past 12 months. A customer suffers a data breach due to provider negligence, losing $2M in business. The customer's annual spend is $500K. What is the customer's likely recovery?
28. A company wants to use a cloud service to store financial records. Which compliance framework most likely applies?
29. A cloud customer receives a legal hold notice for pending litigation. The data resides in multi-tenant storage. What is the most appropriate initial action?
30. A company uses a cloud-based intrusion detection system (IDS) that generates logs containing IP addresses. The company is headquartered in a country with data localization laws. What is the primary compliance risk?
31. Which risk assessment method uses subjective scales to assign probabilities and impacts?
32. An organization stores customer data in a cloud that is subject to GDPR. The organization uses a cloud provider that does not allow audits of its data centers. What is the best way to satisfy GDPR audit requirements?
33. A company is required to retain logs for 7 years per regulation. The cloud provider's default retention is 90 days. What is the most effective approach?
34. Which TWO of the following are key elements of a cloud service agreement (CSA) for legal compliance?
35. Which THREE of the following are typical requirements for compliance with eDiscovery in a cloud environment?
36. Which THREE of the following are commonly required when conducting a cloud vendor risk assessment?
37. A customer discovers the provider added a new sub-processor without notification. Which compliance risk is most directly exposed?
38. Refer to the exhibit. A company uses this IAM policy on an S3 bucket containing logs with personally identifiable information (PII). What is the most immediate compliance risk?
39. Refer to the exhibit. A customer relies on this SOC 2 Type II report to assess a cloud provider's controls. What is the primary limitation of this report?
40. A company is contracting with a cloud provider and wants to ensure they have visibility into the provider's security controls. Which contract clause is most important to include?
41. A financial services company must store customer transaction data in a cloud that complies with PCI DSS. Which of the following is a primary requirement for the cloud environment?
42. A multinational corporation uses a SaaS application that stores data in multiple jurisdictions. The company's legal team is concerned about cross-border data transfers under the GDPR. What is the recommended mechanism to legitimize such transfers?
43. A company has a contractual requirement that the CSP must delete all customer data within 30 days of contract termination. Which document should specify this requirement?
44. An organization wants to assess the security controls of a cloud provider before entering into a contract. What is the most efficient method?
45. A cloud customer is subject to the EU General Data Protection Regulation (GDPR) and uses a cloud provider that subcontracts data processing to a third party without notification. Which GDPR requirement is violated?
46. Which of the following is a key consideration when defining a cloud provider's liability for data breaches?
47. A company needs to ensure that its cloud-stored data is retained only for a specific period due to legal requirements. Which process should be automated?
48. An organization wants to ensure that its CSP does not access customer data for any purpose other than providing the service. Which clause should be included?
49. A company is evaluating cloud providers for compliance with the GDPR. Which TWO of the following are mandatory data protection roles under the GDPR?
50. A company is implementing a cloud risk management program. Which THREE of the following are essential components of a risk assessment according to NIST SP 800-30?
51. Which THREE of the following are typical data privacy principles found in most regulations?
52. Refer to the exhibit. A security analyst sees this alert. According to the shared responsibility model, who is primarily responsible for ensuring that the IAM policy correctly restricts access?
53. Refer to the exhibit. A cloud administrator is reviewing this bucket policy. What is the most significant security concern?
54. Refer to the exhibit. A company uses AWS Config to evaluate compliance with a rule that requires S3 buckets to enforce SSL. What should the administrator do next?
55. A company stores PII in the cloud and needs to ensure compliance with GDPR. What is the first step they should take?
56. A cloud service provider (CSP) experiences a security incident affecting customer data. The contract requires notification within 72 hours, but the CSP fails to notify. What is the most likely legal consequence for the CSP?
57. An organization uses a multi-cloud strategy and wants to perform a risk assessment that accounts for the shared responsibility model. Which approach is most appropriate?
58. A company is migrating healthcare data to the cloud and must comply with HIPAA. They need to sign a Business Associate Agreement (BAA) with the CSP. What key element must be included in the BAA?
59. Which legal concept allows customers to retain ownership of data stored in the cloud regardless of where it is physically stored?
60. During a cloud audit, the auditor finds that the CSP's data deletion process does not meet contractual requirements. The customer's data may still be recoverable after termination. What is the best next step for the customer?
61. A company uses a cloud database that stores customer financial information. To ensure compliance with PCI DSS, which control is required?
62. What is the primary purpose of a Data Processing Agreement (DPA) between a data controller and a cloud service provider?
63. An organization experiences a data breach in the cloud. The CSP claims they are not liable because the breach was due to customer misconfiguration. The customer disagrees. What document should be reviewed to determine liability?
64. Which TWO of the following are required for GDPR compliance when processing personal data in the cloud?
65. Which THREE of the following are key considerations when conducting a cloud risk assessment?
66. Which TWO of the following are examples of data sovereignty laws that directly affect cloud data storage?
67. Refer to the exhibit. An organization has this S3 bucket policy for a bucket containing sensitive customer data. What is the primary risk associated with this policy?
68. Refer to the exhibit. A security engineer reviews this CloudTrail log entry. The company has a policy that all deletion operations must be approved by the compliance team. What is the most likely compliance issue?
69. Refer to the exhibit. A cloud administrator discovers this Azure role assignment in the Finance resource group. The role definition ID corresponds to 'Storage Blob Data Contributor'. What is the immediate compliance concern?
70. A cloud service provider stores customer data in a multi-tenant environment. A customer from the European Union requests that all personal data be encrypted at rest to comply with GDPR. What is the primary reason for this requirement?
71. A company identifies a high-risk vulnerability in a cloud application. The cost to remediate is significantly higher than the potential loss from exploitation. Which risk treatment strategy is most appropriate?
72. During litigation, a company receives a legal hold notice for electronically stored information (ESI) in a cloud environment. The cloud provider's standard service agreement includes a clause that automatically deletes data 30 days after termination of service. What should the company do to ensure compliance?
73. A US-based company uses a cloud provider with data centers in the US and Europe. To transfer personal data of EU citizens to the US, which mechanism is most appropriate under GDPR?
74. A client is negotiating a cloud service agreement and wants to conduct on-site audits of the provider's data centers. The provider argues that on-site audits are unnecessary due to SOC 2 reports. Which is the best approach for the client?
75. A cloud customer is subject to the Health Insurance Portability and Accountability Act (HIPAA). They are considering using a cloud provider that offers infrastructure as a service (IaaS). Which of the following is the customer's responsibility under the HIPAA shared responsibility model?
76. A company is performing a risk assessment of its cloud environment. They have identified a risk with a likelihood of 4 (on a scale of 1-5) and an impact of 3 (on a scale of 1-5). The company decides to implement controls that will reduce the likelihood to 2 and the impact to 1. What is the residual risk score after controls?
77. A cloud provider experiences a data breach affecting the personal data it processes for its customers. Which of the following laws sets a 72-hour deadline, running from discovery of the breach, for notifying the supervisory authority?
78. A company wants to ensure that its cloud provider's data deletion process is verifiable. Which of the following should the company require in the service level agreement?
79. Which THREE of the following are key components of a data protection impact assessment (DPIA) under GDPR?
80. Which TWO of the following are common risk treatment options in cloud risk management?
81. Which TWO of the following are requirements for a cloud service agreement to comply with the European Data Protection Board (EDPB) guidelines on data processing?
82. Refer to the exhibit. An administrator is reviewing an AWS S3 bucket policy. Based on the policy, which of the following is true?
83. Your organization, a healthcare provider subject to HIPAA, has migrated electronic protected health information (ePHI) to a public cloud IaaS provider. The cloud provider offers default encryption at rest using their managed key service. During a recent audit, it was discovered that the encryption keys are generated and stored by the cloud provider without any customer involvement. The auditor states that this arrangement may violate HIPAA requirements because the covered entity does not have exclusive control over the keys. You need to ensure compliance while maintaining cost efficiency. After discussing with the cloud provider, they suggest the following options. Which option best addresses the compliance requirement while considering the operational impact?
    A. Enable client-side encryption using a custom key management system (KMS) on the customer's premises.
    B. Use the provider's default encryption and rely on their BAA that states they will protect the keys.
    C. Implement a third-party key management solution that stores keys in the cloud but is controlled by the customer.
    D. Disable encryption and rely on access controls and auditing only.
84. A multinational corporation uses a SaaS application for customer relationship management (CRM). The CRM application stores customer data including names, email addresses, and purchase history. The company has operations in the EU, California, and Japan. A new regulation in Japan requires that any transfer of personal data outside Japan must have the data subject's consent if the destination country does not have an adequacy decision. The company's cloud provider stores data in the United States. The company currently relies on the provider's data processing agreement that includes standard contractual clauses (SCCs). However, the Japanese regulator has stated that SCCs are not sufficient for transfers from Japan unless supplemented. You are tasked with ensuring compliance for Japanese data subjects. Which of the following is the most appropriate next step?
    A. Obtain explicit consent from each Japanese data subject for data transfer to the US.
    B. Move the data for Japanese subjects to a data center in Japan.
    C. Continue using SCCs as they are recognized internationally.
    D. Pseudonymize the data before transfer.
85. A regional bank is migrating its customer data to a cloud provider that offers services in multiple jurisdictions. The bank's legal team is concerned about compliance with data protection regulations, specifically regarding the right to be forgotten. During a review, the bank discovers that the cloud provider's data deletion process takes up to 90 days for archived data. The bank needs to ensure it can act on customer deletion requests within one month, as GDPR Article 12(3) requires. What should the bank do?
86. A financial services company uses a cloud-based logging service for audit trails. A regulatory investigation is initiated, and the company is required to preserve all logs from the past 18 months. The cloud provider's default retention policy is 12 months, and logs older than that are automatically deleted. The company did not configure custom retention. What is the most appropriate action to ensure compliance?
87. A healthcare company uses a cloud-based patient management system. The cloud provider experiences a security incident that may have exposed protected health information (PHI). The provider notifies the company within 72 hours, as required by the service agreement. The company's internal breach response policy requires a legal review of the incident before notifying affected individuals. The legal review typically takes 48 hours. Under HIPAA, the company must notify affected patients without unreasonable delay and no later than 60 calendar days after it discovers the breach, and the clock starts when the provider's notification is received. What is the most effective approach to meet the 60-day notification requirement while ensuring compliance with internal policy?
88. A company receives an erasure request under GDPR. The cloud provider can delete from active storage within 24 hours but requires 90 days to delete from archives. The company has a contractual obligation to ensure deletion within 30 days. What should the company do?
89. A defense contractor uses a cloud provider that is FedRAMP authorized at the Moderate impact level. The contractor's contract requires compliance with DFARS 252.204-7012, which mandates safeguarding covered defense information (CDI) and reporting cyber incidents. The contractor's security team wants to ensure the cloud provider's security controls are adequate. The provider offers a FedRAMP package that includes a System Security Plan (SSP) and a Security Assessment Report (SAR). The contractor's legal department has determined that if the provider is FedRAMP authorized, the audit requirements are satisfied. What is the most efficient way to verify compliance?
90. Which TWO of the following are primary responsibilities of a cloud service customer under the shared responsibility model regarding compliance with regulations such as GDPR?
91. A multinational corporation stores customer data in an AWS S3 bucket located in the US. The company's European customers' personal data must comply with GDPR. Which TWO actions should the company take to ensure compliance with GDPR data transfer requirements?
92. Refer to the exhibit. A security analyst discovers this bucket policy attached to an S3 bucket containing sensitive customer data. What is the MOST significant security risk posed by this policy?
93. A healthcare company, MedSecure, is migrating its critical patient record application to a public cloud IaaS environment. The application processes Protected Health Information (PHI) subject to HIPAA in the US and also includes some patient data from EU residents subject to GDPR. MedSecure has signed Business Associate Agreements (BAAs) with the cloud provider covering US HIPAA compliance. However, the compliance officer is concerned about GDPR requirements for EU patient data. The architecture uses AWS EC2 instances behind an Application Load Balancer, with data stored in Amazon RDS (MySQL) using encryption at rest and TLS for transmission. The company uses AWS CloudTrail for logging but only retains logs for 90 days. The compliance officer has identified that the current 90-day retention does not meet the company's audit policy, which requires logs to be retained for a minimum of 12 months (GDPR itself sets no fixed log-retention period; its storage-limitation principle requires that any retention period be justified). Additionally, the data stored in RDS is in a single AWS region in the US (us-east-1). The company plans to expand to EU customers. The GDPR requires that personal data of EU residents be stored in the EU or be transferred only under adequate safeguards. Currently, the company has not implemented any data residency controls. What course of action should MedSecure take to address the most critical compliance gaps?
The Legal, Risk and Compliance domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.
The Courseiva CCSP question bank contains 93 questions in the Legal, Risk and Compliance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.