Certified Cloud Security Professional – CCSP – Question303

During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis.

A.
Contractual requirements
B. Regulations
C. Vendor recommendations
D. Corporate policy

Correct Answer: C

Explanation:

Explanation: Vendor recommendations would not be pertinent to the gap analysis after an audit. Although vendor recommendations will typically play a role in the development of corporate policies or contractual requirements, they are not required. Regulations, corporate policy, and contractual requirements all determine the expected or mandated controls in place on a system.