CCSP · topic practice

Legal, Risk, and Compliance practice questions

Practise Certified Cloud Security Professional (CCSP) Legal, Risk, and Compliance questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Legal, Risk, and Compliance

What the exam tests

What to know about Legal, Risk, and Compliance

Legal, Risk, and Compliance questions test whether you can apply the concept in context, not just recognise a definition. You need to know:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Legal, Risk, and Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Legal, Risk, and Compliance questions

20 questions · select your answer, then reveal the explanation

A multinational company operating in the EU uses a cloud service provider based in the US to process personal data of EU data subjects. The company is considered a data controller under the GDPR. Which of the following must the company ensure is in place to lawfully transfer personal data from the EU to the US?

A covered entity under HIPAA is planning to migrate electronic protected health information (ePHI) to a public cloud environment. Which of the following is a mandatory requirement before using the cloud service?

A financial institution subject to SOX is migrating its general ledger system to a SaaS provider. Which of the following IT general controls is most critical to ensure the integrity of financial data in the cloud?

A cloud customer receives a litigation hold notice requiring preservation of data stored in an object storage service. Which service feature should the customer use to ensure data cannot be modified or deleted until the hold is released?

A company is negotiating a cloud service agreement and wants to ensure it can verify the provider's security controls independently. Which contractual clause is essential for this purpose?

A cloud customer needs to comply with PCI DSS for a cardholder data environment (CDE) hosted on an IaaS platform. According to PCI DSS Appendix A3, which document is critical to define the security responsibilities between the customer and the cloud provider?

A cloud provider's data center is located in Country A, but the customer's data is subject to litigation in Country B. The court in Country B orders the cloud provider to produce data. The cloud provider refuses, citing Country A's laws that prohibit disclosure. This situation best illustrates which challenge in eDiscovery?

When assessing cloud risk, an organization identifies that if a single cloud provider fails, the organization cannot operate. This risk is known as:

A company using a SaaS application for HR management receives a data subject access request (DSAR) under GDPR from an employee. The cloud provider is the data processor. The company as data controller must respond within what timeframe?

A cloud customer is considering adopting a multi-cloud strategy to avoid vendor lock-in. Which risk is this strategy primarily intended to mitigate?

Under the CSA STAR program, which tier involves a third-party assessment resulting in a certification based on ISO 27001?

A cloud customer is terminating its contract with a cloud provider and needs to ensure all data, including backups, is permanently deleted. Which contractual clause is most relevant?

A cloud customer must comply with GDPR's right to erasure (right to be forgotten). Which TWO of the following are technical challenges the customer faces when the data is stored in a cloud object storage service with versioning and cross-region replication?

A cloud customer is selecting a cloud provider for hosting payment card data and must comply with PCI DSS. Which THREE of the following are valid considerations when assessing the provider's PCI DSS compliance?

A company subject to SOX is using a cloud ERP system. Which THREE of the following IT general controls are essential for SOX compliance?

A multinational company headquartered in the US processes personal data of EU data subjects using a cloud service provider hosted in Singapore. Under GDPR, which legal mechanism is most appropriate for lawful transfer of personal data from the EU to Singapore?

A covered entity under HIPAA is moving electronic protected health information (ePHI) to a public cloud. What is the primary requirement before the cloud provider hosts ePHI?

A company subject to PCI DSS is considering a cloud provider to process credit card transactions. What must the cloud provider present to demonstrate compliance with PCI DSS?

A company that must comply with SOX is migrating its financial systems to a cloud service. Which of the following IT general controls is most critical for SOX compliance in the cloud?

During an eDiscovery process, a company needs to preserve data stored in AWS S3 that may be relevant to a lawsuit. Which AWS feature should be used to implement a legal hold?


Frequently asked questions

What does the CCSP exam test about Legal, Risk, and Compliance?
Legal, Risk, and Compliance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Legal, Risk, and Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Legal, Risk, and Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CCSP topics?
Use the topic links above to move to related areas, or go back to the CCSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CCSP exam covers. They are not copied from any real exam or dump site.