Episode 76: Information System Attack Methods and Techniques

Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Cloud computing has transformed the way organizations deploy infrastructure, store data, and deliver services, but it has also introduced a new landscape of risks and security responsibilities. In a traditional on-premises environment, the organization controls every layer of the technology stack. In the cloud, however, some layers are abstracted or managed by third parties, creating shared responsibilities and shifting control boundaries. Misconfigurations, unauthorized access, and vendor service failures are among the leading causes of cloud-related breaches. Because data, applications, and infrastructure can reside outside of direct IT control, security must be approached differently. Auditors must adapt their techniques for distributed, virtualized, and dynamic environments where visibility is often limited. On the CISA exam, you should expect questions that test your ability to identify security control differences between cloud and on-premise deployments and to evaluate whether appropriate audit measures have been adapted to fit cloud-specific risk profiles.
There are three main types of cloud service models, each with its own security implications. Infrastructure as a Service provides foundational components like virtual machines, storage, and networking. Examples include Amazon EC2 or Google Compute Engine. In this model, the customer has broad responsibility, including the security of operating systems, installed applications, and user access. Platform as a Service abstracts the underlying infrastructure and provides managed development environments. Services like Azure App Service or Google App Engine reduce operational overhead, but customers still manage their code, user permissions, and data security. Software as a Service offers fully hosted applications such as Google Workspace or Salesforce, where most of the infrastructure and application stack is managed by the provider. Even in SaaS, customers are responsible for data security, identity controls, and user behavior. On the exam, you may be tested on who is responsible for which controls in each cloud model. Auditors must ensure these distinctions are clearly understood and properly implemented.
The shared responsibility model defines the division of security obligations between the cloud provider and the customer. Cloud providers are typically responsible for securing the physical infrastructure, hypervisors, and other underlying systems. Customers, meanwhile, are responsible for securing their data, user accounts, configurations, and any additional layers they control. The level of customer responsibility depends on the service type. In IaaS, customers manage more layers; in SaaS, fewer. A common audit finding is that organizations misunderstand where their responsibilities begin and end, resulting in control gaps. For example, an organization may assume that the cloud provider manages encryption or patching for systems that the customer actually controls. Auditors must assess whether the shared responsibility model is formally documented, clearly understood by stakeholders, and enforced through policy and process. The CISA exam often includes scenarios where confusion about shared roles leads to a breach, making this a key concept to master.
Cloud access and identity management is one of the most important areas for cloud security auditing. Because cloud platforms are often accessed remotely and from multiple locations, centralized and federated identity control becomes essential. Using protocols such as SAML, OAuth, or OpenID Connect, organizations can implement single sign-on across cloud services, reducing the attack surface created by weak or reused passwords. Multi-factor authentication must be enforced, especially for privileged accounts and administrative roles. Access should follow the principle of least privilege, and permissions must be reviewed regularly. Orphaned accounts and unused credentials in cloud tenants pose a major risk and must be removed promptly. Monitoring user sessions, login patterns, and escalation attempts helps identify suspicious activity. On the CISA exam, candidates may encounter identity misconfiguration scenarios, such as excessive privileges or failure to disable accounts after employee departures. Auditors must verify that identity governance extends fully into the cloud environment.
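The identity checks described above (MFA on privileged accounts, stale credentials, orphaned accounts after departures) can be turned into a repeatable audit test. The following Python is an added example written for this episode, not code from the prepcast or from any cloud provider; the identity export format, role names and HR feed are constructed assumptions, and a real review would pull the same fields from the tenant's IAM API.

```python
from datetime import date

# Constructed sample export of a cloud tenant's identities. The field names are
# an assumption for this example, not any provider's real API schema.
IDENTITY_EXPORT = [
    {"user": "alice",  "roles": ["admin"],    "mfa": True,  "last_login": "2024-05-20",
     "keys": [{"id": "AK01", "last_used": "2024-05-19"}]},
    {"user": "bob",    "roles": ["admin"],    "mfa": False, "last_login": "2024-05-18",
     "keys": []},
    {"user": "carol",  "roles": ["reader"],   "mfa": True,  "last_login": "2023-11-02",
     "keys": [{"id": "AK02", "last_used": None}]},
    {"user": "dave",   "roles": ["billing"],  "mfa": True,  "last_login": "2024-05-01",
     "keys": [{"id": "AK03", "last_used": "2024-01-10"}]},
    {"user": "svc-ci", "roles": ["deployer"], "mfa": False, "last_login": None,
     "keys": [{"id": "AK04", "last_used": "2024-05-21"}]},
]

# Constructed HR feed of people who have left the organization; "dave" is still enabled above.
DEPARTED_USERS = {"dave"}

# Assumed organizational policy: which roles count as privileged, and how long a
# login or access key may sit unused before it is treated as orphaned.
PRIVILEGED_ROLES = {"admin", "owner"}
AS_OF = date(2024, 5, 21)
MAX_IDLE_DAYS = 90


def _days_since(iso_date, as_of):
    """Days between an ISO date string and the review date; None if never used."""
    if iso_date is None:
        return None
    return (as_of - date.fromisoformat(iso_date)).days


def review_identities(export, departed, as_of=AS_OF, max_idle_days=MAX_IDLE_DAYS):
    """Return (user, finding) pairs for identity governance gaps in the export."""
    findings = []
    for acct in export:
        user = acct["user"]
        privileged = bool(PRIVILEGED_ROLES & set(acct["roles"]))

        # Leavers must be disabled promptly; an enabled account for a departed user is a gap.
        if user in departed:
            findings.append((user, "departed-user-still-enabled"))

        # MFA is mandatory for privileged roles; non-privileged service accounts are reported elsewhere.
        if privileged and not acct["mfa"]:
            findings.append((user, "privileged-without-mfa"))

        # Interactive accounts that have not logged in within the idle window are stale.
        idle = _days_since(acct["last_login"], as_of)
        if idle is not None and idle > max_idle_days:
            findings.append((user, "stale-login"))

        # Access keys that were never used, or not used recently, are unused credentials to remove.
        for key in acct["keys"]:
            key_idle = _days_since(key["last_used"], as_of)
            if key_idle is None:
                findings.append((user, f"never-used-key:{key['id']}"))
            elif key_idle > max_idle_days:
                findings.append((user, f"stale-key:{key['id']}"))
    return findings


def findings_by_user(findings):
    """Group findings per account so each owner gets a single remediation ticket."""
    grouped = {}
    for user, finding in findings:
        grouped.setdefault(user, []).append(finding)
    return grouped


if __name__ == "__main__":
    for user, items in findings_by_user(review_identities(IDENTITY_EXPORT, DEPARTED_USERS)).items():
        print(f"{user}: {', '.join(items)}")
```

Note that the unused-credential thresholds and the set of privileged roles are policy inputs, so the auditor should confirm they match the organization's documented access standard rather than accept the defaults embedded in a script.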
Protecting data in the cloud requires both encryption and data governance. Cloud providers typically offer native tools for encrypting data at rest and in transit, but it is up to the customer to configure and manage them properly. Data classification and loss prevention policies must be applied consistently across cloud storage and collaboration platforms. Monitoring data transfers between cloud regions, tenants, and services helps detect policy violations or potential leaks. Retention policies and secure deletion controls must also be enforced to ensure compliance with privacy regulations and to avoid unauthorized data persistence. Encryption keys must be governed effectively, whether managed by the provider or brought into the environment by the customer. Logging access to sensitive data and reviewing those logs regularly is essential for detecting inappropriate use. Auditors evaluate how data protection is implemented across different services and whether encryption and classification align with legal and contractual obligations.
Configuration management is one of the leading concerns in cloud security. Misconfigured storage buckets, overly permissive firewall rules, or exposed administrative interfaces can all lead to major breaches. Cloud Security Posture Management tools help automate the detection of these risks by scanning for deviations from best practices and organizational baselines. Security Information and Event Management platforms should aggregate logs from cloud environments and correlate them with other activity across the enterprise. This includes login events, configuration changes, API calls, and anomaly detection. Cloud service providers offer default templates and tools, but customers must customize and enforce security baselines for network access, virtual machine setup, and storage controls. Auditors must confirm that cloud configurations are reviewed regularly and that findings are remediated promptly. The CISA exam may present scenarios where a misconfiguration goes undetected, and you must determine where the audit process failed and what controls were missing.
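The baseline scanning that Cloud Security Posture Management tools automate, together with the encryption-at-rest and access-logging controls from the data protection discussion above, can be illustrated with a small posture check. This Python is an added example for the episode, not the prepcast's code and not any CSPM product's logic; the resource inventory schema, the baseline values and the severity scale are constructed assumptions.

```python
import ipaddress

# Constructed inventory of cloud resources, as a CSPM tool might collect it.
# The field names are an assumption for this example, not a provider's real schema.
INVENTORY = {
    "buckets": [
        {"name": "app-logs",         "public": False, "encryption": "aes256", "access_logging": True},
        {"name": "marketing-assets", "public": True,  "encryption": "aes256", "access_logging": False},
        {"name": "customer-exports", "public": False, "encryption": None,     "access_logging": True},
    ],
    "firewall_rules": [
        {"name": "web-in",      "port": 443,  "source": "0.0.0.0/0"},
        {"name": "ssh-in",      "port": 22,   "source": "0.0.0.0/0"},
        {"name": "rdp-bastion", "port": 3389, "source": "10.0.0.0/8"},
        {"name": "db-in",       "port": 5432, "source": "0.0.0.0/0"},
    ],
}

# Assumed organizational baseline the customer customizes on top of the provider's defaults.
BASELINE = {
    "admin_ports": {22, 3389},          # administrative interfaces never exposed to the internet
    "internet_ok_ports": {80, 443},     # the only ports allowed from any source
    "require_encryption": True,
    "require_access_logging": True,
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def _is_internet_source(cidr):
    """True for an any-source rule such as 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def scan_buckets(buckets, baseline):
    """Flag storage buckets that deviate from the data protection baseline."""
    findings = []
    for b in buckets:
        if b["public"]:
            findings.append(("high", "bucket", b["name"], "public-access"))
        if baseline["require_encryption"] and not b["encryption"]:
            findings.append(("high", "bucket", b["name"], "no-encryption-at-rest"))
        if baseline["require_access_logging"] and not b["access_logging"]:
            findings.append(("medium", "bucket", b["name"], "access-logging-off"))
    return findings


def scan_firewall(rules, baseline):
    """Flag internet-facing rules on admin ports or on ports outside the allow-list."""
    findings = []
    for r in rules:
        if not _is_internet_source(r["source"]):
            continue  # internal sources are out of scope for this check
        if r["port"] in baseline["admin_ports"]:
            findings.append(("critical", "firewall", r["name"], f"admin-port-{r['port']}-open-to-internet"))
        elif r["port"] not in baseline["internet_ok_ports"]:
            findings.append(("high", "firewall", r["name"], f"port-{r['port']}-open-to-internet"))
    return findings


def scan(inventory, baseline=BASELINE):
    """Run every check and return findings ordered by severity, then resource name."""
    findings = scan_buckets(inventory["buckets"], baseline) + scan_firewall(inventory["firewall_rules"], baseline)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[2]))


if __name__ == "__main__":
    for severity, kind, name, issue in scan(INVENTORY):
        print(f"[{severity}] {kind} {name}: {issue}")
```

An auditor would expect the findings list to be produced on a schedule, compared against the previous run to show that earlier items were remediated, and fed into the SIEM alongside the configuration-change events that explain who introduced each deviation.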
Third-party risk and service-level agreement review are critical components of cloud auditing. Cloud providers may be responsible for key infrastructure components, so understanding their controls is essential. Organizations should review independent assessments such as SOC 2 reports, ISO 27001 certifications, or other relevant audits. SLAs must include terms that define availability guarantees, incident response timelines, breach notification procedures, and audit rights. Contractual clauses should specify who owns the data, where it resides, and how it will be handled in the event of contract termination. Financial stability, legal compliance, and operational resilience of the vendor must also be evaluated. Auditors verify that due diligence was performed before onboarding a cloud provider and that SLAs are monitored and enforced over time. The CISA exam may include third-party governance questions, especially related to oversight of SaaS or managed services.
Business continuity and availability in cloud environments require coordinated planning across both customer and provider responsibilities. Recovery Time Objectives and Recovery Point Objectives must be clearly defined and matched to the capabilities of the cloud provider. Some services offer built-in redundancy, failover, or zone replication, but others may require customer-side backups or manual configuration. Organizations must understand which responsibilities are theirs and which are the provider’s. Backup policies must address frequency, coverage, encryption, and testability. Cloud-based disaster recovery plans must be documented and tested under real-world conditions to ensure that services can be restored within expected timelines. Audit procedures include reviewing backup configurations, replication policies, and results from restoration tests. On the CISA exam, be prepared to assess cloud disaster readiness and understand how to evaluate whether business continuity expectations are met in multi-tenant or shared infrastructure scenarios.
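Whether defined RTOs and RPOs are actually achievable is something an auditor checks against backup configuration and restoration-test results, as the paragraph above describes. The Python below is an added example, not code from the prepcast; the service records, the one-year test-recency rule and the assumption that backup interval bounds the achievable RPO are constructed for illustration.

```python
from datetime import date

# Constructed evidence set: per-service recovery objectives, the backup schedule that
# is actually configured, and the most recent restoration test. Schema is an assumption.
SERVICES = [
    {"name": "payments-db", "rto_min": 60,  "rpo_min": 15,  "backup_interval_min": 15,
     "last_restore_test": {"date": "2024-03-10", "duration_min": 45,  "success": True}},
    {"name": "hr-portal",   "rto_min": 240, "rpo_min": 60,  "backup_interval_min": 1440,
     "last_restore_test": {"date": "2023-01-15", "duration_min": 200, "success": True}},
    {"name": "analytics",   "rto_min": 480, "rpo_min": 240, "backup_interval_min": 120,
     "last_restore_test": None},
    {"name": "file-share",  "rto_min": 120, "rpo_min": 60,  "backup_interval_min": 60,
     "last_restore_test": {"date": "2024-04-02", "duration_min": 180, "success": True}},
]

AS_OF = date(2024, 5, 21)
MAX_TEST_AGE_DAYS = 365  # assumed policy: every service is restore-tested at least annually


def check_rpo(service):
    """The gap between backups bounds the data that can be lost, so it must not exceed the RPO."""
    if service["backup_interval_min"] > service["rpo_min"]:
        return "rpo-not-met"
    return None


def check_rto(service, as_of=AS_OF, max_age_days=MAX_TEST_AGE_DAYS):
    """An RTO is only proven by a recent, successful restore that finished within the objective."""
    test = service["last_restore_test"]
    if test is None:
        return "restore-never-tested"
    if not test["success"]:
        return "restore-test-failed"
    if (as_of - date.fromisoformat(test["date"])).days > max_age_days:
        return "restore-test-stale"
    if test["duration_min"] > service["rto_min"]:
        return "restore-exceeds-rto"
    return None


def assess_continuity(services, as_of=AS_OF):
    """Return (service, finding) pairs for every objective that is unmet or unproven."""
    findings = []
    for svc in services:
        for finding in (check_rpo(svc), check_rto(svc, as_of)):
            if finding:
                findings.append((svc["name"], finding))
    return findings


if __name__ == "__main__":
    for name, finding in assess_continuity(SERVICES):
        print(f"{name}: {finding}")
```

For services where replication or backup is provider-managed, the same checks still apply, but the evidence comes from the provider's SLA and its own test attestations rather than from customer-side configuration, which is exactly the responsibility split the paragraph asks auditors to confirm.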
Cloud environments are also subject to a wide range of compliance and regulatory requirements. Understanding where data is physically stored is critical for meeting data residency and sovereignty rules. In some jurisdictions, storing personal or financial data outside national borders may trigger compliance violations. Industry-specific standards such as HIPAA, PCI-DSS, or GDPR all apply to cloud platforms and must be included in your control framework. Documentation of compliance controls and proof of enforcement must be available for both internal and external auditors. Cloud environments must be included in the organization’s formal audit program and subjected to the same rigor as on-premise systems. Tools that support control mapping, evidence collection, and policy validation can assist in maintaining continuous compliance. On the CISA exam, expect to answer questions about regional data laws, cloud audit readiness, and the challenges of ensuring consistent policy enforcement across a distributed architecture.
For CISA candidates, the cloud presents both a powerful opportunity and a complex auditing challenge. You must understand how shared responsibility models shift control between provider and customer. Be prepared to assess cloud access management, encryption, monitoring, backup, and vendor oversight. Know how misconfigurations, identity issues, or weak SLAs can lead to risk amplification. You will be tested on which party is responsible for different security functions depending on the cloud service model in use. A scalable cloud environment can deliver performance, efficiency, and resilience—but only if risk is managed at the same scale. Auditors must ensure that cloud policies are enforced, configurations are hardened, and contractual responsibilities are understood and documented. Strong cloud security posture requires proactive auditing, continuous monitoring, and a deep understanding of how abstracted services interact. In the end, your job is to verify that cloud adoption supports—not undermines—the organization’s security, compliance, and operational integrity.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
