Free CCSP Legal, Risk and Compliance Practice Test 2026 — Aug 2026 Outline Questions
This free CCSP Legal, Risk and Compliance practice test covers cloud legal frameworks, privacy regulations (GDPR, CCPA), audits and assurance, cloud risk management, contracts and SLAs, eDiscovery, and vendor governance. Each question includes a detailed explanation aligned to the ISC² CCSP Aug 2026 outline — perfect for cloud security exam prep.
Key Topics in CCSP Legal, Risk and Compliance
- GDPR & CCPA
- Cloud Risk Mgmt
- Audits & Assurance
- Vendor Mgmt
- eDiscovery
- Cloud Contracts & SLAs
6 Free CCSP Legal, Risk and Compliance Practice Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius CCSP (Aug 2026) question bank for the Legal, Risk and Compliance domain (13% of the exam).
Sample Question 1 — Legal, Risk and Compliance
A company is adopting a SaaS human resources platform to store employee records. During the risk review, the provider shares a recent independent attestation report and the HR director says, "They are certified, so our compliance obligation is covered." What is the BEST response from the cloud security manager?
- A. Accept the provider's certification as sufficient because SaaS shifts compliance accountability to the provider
- B. Explain that the provider's assessment supports due diligence, but the company still remains accountable for how it classifies data, grants access, sets retention, and uses the service (Correct answer)
- C. Require the provider to sign the company's acceptable use policy because that transfers legal accountability for employee data handling
- D. Move the application to IaaS instead, because customer accountability is eliminated only when the company controls the infrastructure
Correct answer: B
Explanation: Correct answer (B): A provider attestation or certification is useful evidence for due diligence, but it does not transfer the customer's legal accountability. In SaaS, the provider may operate many underlying controls, yet the customer still remains accountable for governance decisions such as data classification, user access, retention, lawful processing, and validating that the service is used in a compliant way.
Why the other options are wrong:
- Option A: Incorrect. SaaS changes operational responsibility, but it does not remove the customer's accountability for its own data handling and compliance decisions.
- Option C: Incorrect. Having the provider sign an acceptable use policy does not transfer the customer's legal accountability for employee data processing.
- Option D: Incorrect. Moving to IaaS would generally increase the customer's operational responsibility, not eliminate accountability.
Sample Question 2 — Legal, Risk and Compliance
A procurement team is finalizing a contract with a cloud-based document management provider. The legal department is most concerned about breach notification obligations, restrictions on provider use of stored files, evidence access during investigations, and handling of customer data at termination. Which document should the security architect prioritize to address these concerns?
- A. The service level agreement, because it defines all measurable and legal obligations for the service
- B. The master service agreement and related security or data processing addenda, because they govern legal rights and obligations beyond service performance (Correct answer)
- C. The monthly invoice terms, because they control liability and document preservation requirements
- D. The product availability dashboard, because uptime transparency replaces the need for contractual security terms
Correct answer: B
Explanation: Correct answer (B): SLAs mainly define measurable service commitments and remedies, such as uptime or response times. Broader legal, privacy, and compliance requirements—such as breach notification, data use restrictions, evidence access, audit-related rights, and termination handling—belong in the contract and associated security or data processing addenda.
Why the other options are wrong:
- Option A: Incorrect. An SLA is important for service performance, but it is not the primary vehicle for detailed legal rights and compliance obligations.
- Option C: Incorrect. Invoice terms are not the normal mechanism for defining core security, privacy, and investigation rights.
- Option D: Incorrect. Operational transparency about availability does not replace contractual obligations for security, privacy, and legal evidence access.
Sample Question 3 — Legal, Risk and Compliance
An internal audit team asks for direct on-site audits of a large public cloud provider hosting the company's regulated workloads. The provider does not allow unrestricted customer audits because of the scale of its multitenant environment. The company still needs defensible annual evidence that key controls are operating. What is the BEST approach?
- A. Rely on the provider's marketing security whitepaper and accept that no further evidence is practical in shared cloud environments
- B. Insist on a full customer-led on-site audit and delay all use of the provider until unrestricted access is granted
- C. Use independent third-party assurance reports, contractually defined evidence access, and targeted questionnaires to validate the relevant controls (Correct answer)
- D. Depend only on uptime statistics from the service dashboard because operational availability demonstrates control effectiveness
Correct answer: C
Explanation: Correct answer (C): In large multitenant cloud environments, unrestricted customer audits are often impractical. A defensible approach is to combine independent assurance reports with contractual evidence-access provisions and targeted questionnaires focused on the controls relevant to the customer's scope. This is a realistic CCSP answer because it balances audit needs with the operating realities of public cloud providers.
Why the other options are wrong:
- Option A: Incorrect. A marketing whitepaper is not a sufficient assurance artifact for regulated workloads.
- Option B: Incorrect. This may be unrealistic in large multitenant cloud environments and is not the best practical assurance strategy.
- Option D: Incorrect. Availability metrics alone do not demonstrate the broader security, compliance, and governance controls under review.
Sample Question 4 — Legal, Risk and Compliance
A company uses a SaaS collaboration platform with a policy that deletes chat messages after 30 days to support data minimization. The legal team issues a legal hold for messages involving three employees tied to active litigation. What should the cloud security manager recommend?
- A. Suspend deletion for the relevant messages and custodians covered by the legal hold, while allowing normal deletion to continue for unrelated data (Correct answer)
- B. Continue the 30-day deletion policy because privacy-driven minimization takes priority over litigation preservation needs
- C. Export the current messages once and then let the standard deletion policy continue because the provider remains the system of record
- D. Disable all deletion across the entire tenant indefinitely so no potentially relevant information is ever removed
Correct answer: A
Explanation: Correct answer (A): A legal hold suspends normal deletion for relevant data, even when the organization normally deletes data for minimization or retention reasons. The best response is targeted preservation for the specific custodians and data in scope, while normal lifecycle management continues for unrelated information. This reconciles legal preservation with sound data governance.
Why the other options are wrong:
- Option B: Incorrect. Legal hold overrides normal deletion for relevant data.
- Option C: Incorrect. A one-time export does not replace preserving the relevant records under hold, especially if completeness or chain-of-custody later matters.
- Option D: Incorrect. Blanket indefinite preservation is overbroad and is not the best answer when the hold is limited to specific data and custodians.
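As an added example (not from the FlashGenius question bank), the following Python retention sweep applies option A: deletion is suspended only for messages involving custodians under an active hold, and the 30-day policy keeps running for everything else. The matter reference, custodian names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 30  # tenant-wide deletion policy from the scenario


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: tuple
    sent: date


@dataclass(frozen=True)
class LegalHold:
    matter: str           # hypothetical matter reference, e.g. "LIT-2026-01"
    custodians: frozenset
    active: bool = True   # set False only when counsel releases the hold


def under_hold(msg: Message, hold: LegalHold) -> bool:
    """A message is in scope if a held custodian sent or received it."""
    parties = {msg.sender, *msg.recipients}
    return hold.active and bool(parties & hold.custodians)


def sweep(messages, holds, today: date) -> dict:
    """One run of the retention job: preserve (held, matters recorded for
    the audit trail), delete (past retention, not held), retain (still
    inside the retention window; normal lifecycle continues)."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    out = {"preserve": {}, "delete": [], "retain": []}
    for m in messages:
        matters = sorted(h.matter for h in holds if under_hold(m, h))
        if matters:
            out["preserve"][m.msg_id] = matters
        elif m.sent < cutoff:
            out["delete"].append(m.msg_id)
        else:
            out["retain"].append(m.msg_id)
    return out


# Constructed sample data: three custodians under hold, four messages.
TODAY = date(2026, 9, 1)
HOLDS = [LegalHold("LIT-2026-01", frozenset({"alice", "bob", "carol"}))]
MESSAGES = [
    Message("m1", "alice", ("dave",), date(2026, 7, 1)),       # old, held sender
    Message("m2", "dave", ("erin",), date(2026, 7, 1)),        # old, unrelated
    Message("m3", "dave", ("erin",), date(2026, 8, 25)),       # recent, unrelated
    Message("m4", "erin", ("bob", "dave"), date(2026, 6, 1)),  # old, held recipient
]
```

Recording the matter reference with each preserved item is what later supports completeness and chain-of-custody questions, which a one-time export (option C) cannot answer.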
Sample Question 5 — Legal, Risk and Compliance
A product team wants to move customer analytics data into a cloud platform. The dataset will be encrypted at rest and in transit, and the team plans to use customer-managed keys. The product owner argues that these measures alone satisfy the company's privacy commitments. What is the BEST response?
- A. Agree, because encryption with customer-managed keys is normally sufficient to meet privacy and contractual obligations
- B. Agree, provided the provider's independent assurance report states that encryption controls were tested during the review period
- C. Disagree, because privacy obligations may also require lawful processing, purpose limitation, retention controls, access logging, and restrictions on provider use of the data (Correct answer)
- D. Disagree, because privacy obligations can only be met when all analytics processing stays entirely on-premises
Correct answer: C
Explanation: Correct answer (C): Encryption and customer-managed keys are valuable confidentiality controls, but privacy and compliance obligations extend beyond encryption. The organization must also address lawful processing, purpose limitation, retention, access governance, logging, and contractual restrictions on how the provider may use the data. CCSP expects candidates to recognize that encryption alone is not the full compliance answer.
Why the other options are wrong:
- Option A: Incorrect. Encryption alone does not satisfy all privacy, regulatory, or contractual obligations.
- Option B: Incorrect. Evidence that encryption controls were tested does not eliminate the need to address broader privacy requirements.
- Option D: Incorrect. Privacy obligations do not inherently require on-premises processing; cloud use can be acceptable if the required controls and terms are in place.
Sample Question 6 — Legal, Risk and Compliance
A project team wants to launch a cloud-hosted customer portal before a planned logging enhancement is implemented. The residual risk has been documented, the business owner understands the gap, and the security team believes the risk is within the company's tolerance if management approves it. What is the BEST next step?
- A. Proceed immediately because business urgency implies acceptance when the risk is believed to be low
- B. Ask the cloud provider to acknowledge the gap so responsibility for the residual risk is transferred externally
- C. Obtain explicit, documented risk acceptance from the appropriate accountable authority in line with risk appetite (Correct answer)
- D. Treat the issue as resolved because the missing control is planned for a later release
Correct answer: C
Explanation: Correct answer (C): Risk acceptance is a valid treatment option only when it is explicit, documented, aligned to organizational risk appetite, and approved by the appropriate accountable authority. It should not be assumed from schedule pressure, future plans, or provider involvement. CCSP emphasizes accountability and governance discipline in residual risk decisions.
Why the other options are wrong:
- Option A: Incorrect. Project urgency does not constitute formal risk acceptance.
- Option B: Incorrect. The provider cannot simply absorb the customer's governance decision or accountability for the residual risk.
- Option D: Incorrect. A planned future improvement does not eliminate the current residual risk.
How to Study CCSP Legal, Risk and Compliance
Combine these CCSP Legal, Risk and Compliance practice questions with the ISC² Official Study Guide, hands-on labs in AWS, Azure, and GCP security services, and the Cloud Controls Matrix (CCM). The CCSP exam is vendor-neutral, so understanding cloud security concepts that apply across all three major hyperscalers is more important than deep expertise in any single one.
About the CCSP (August 2026 New Outline) Exam
- Questions: 100–150 (Computerized Adaptive Testing)
- Time: 3 hours
- Passing score: 700 / 1000 (scaled)
- Cost: $599 USD
- Domains: 6 (Legal, Risk and Compliance is 13% of the exam)
- Validity: 3 years (renewable via 90 CPE credits + ISC² AMF)
- New in Aug 2026: AI/ML sections 1.6 and 2.9, plus OWASP Top 10 for LLM Applications in section 4.1.