A multi-national corporation uses a cloud storage service to store files that are subject to data residency requirements. Data must remain within a specific geographic region. Which of the following controls provides the STRONGEST assurance that data does not leave the region?
Technical enforcement provides strong assurance.
Why this answer
Option C is correct because using the cloud provider's data residency policy with region-restricted storage buckets ensures that data at rest is physically stored only in the specified geographic region. This is a technical control implemented at the infrastructure layer: the cloud provider's storage service will not replicate or move data outside the designated region, which provides the strongest assurance against data leaving the region.
Exam trap
ISC2 often tests the distinction between legal/administrative controls (contracts, IAM) and technical controls (region-restricted storage). Candidates mistakenly believe that encryption or access policies can enforce data residency, but only infrastructure-level location restrictions provide the strongest assurance.
How to eliminate wrong answers
Option A is wrong because contractual clauses are legal agreements that rely on trust and enforcement after a breach; they do not provide technical enforcement and cannot prevent accidental or malicious data movement. Option B is wrong because IAM policies control who can access data, not where data is stored or replicated; they do not restrict the geographic location of data. Option D is wrong because client-side encryption protects data confidentiality but does not control the physical storage location; encrypted data can still be stored or replicated in any region the cloud provider supports.