Cloud and Virtualized Environments is the ISACA-CISA knowledge domain covering security controls, audit responsibilities, and risk management obligations that arise when information assets are hosted on shared, abstracted, or remotely managed infrastructure. It encompasses three cloud service models (IaaS, PaaS, SaaS), four deployment models (public, private, hybrid, multi-cloud), and the full virtualization stack—from hypervisors and virtual machines to containers, serverless functions, and orchestration platforms such as Kubernetes. From a CISA auditor's perspective, the domain defines how organizations establish, verify, and continuously monitor security controls in environments where physical infrastructure is abstracted away and the security boundary shifts from the server room to identity, configuration, and data policy. The Shared Responsibility Model is the foundational construct: cloud providers secure the infrastructure 'of' the cloud (physical facilities, hypervisor, managed network fabric); customers secure everything 'in' the cloud—workloads, data, identities, and configurations.
Where it stops · what it isn't
- IS: Security governance, risk assessment, and audit of IaaS, PaaS, and SaaS environments, including hypervisor and container layers
- IS: Shared Responsibility Model mapping for AWS, Azure, and GCP; cloud IAM, encryption, network segmentation (VPCs/security groups), and logging controls
- IS: Compliance verification against NIST CSF 2.0, CIS Controls v8.1, CISA SCuBA, FedRAMP, SOC 2, GDPR, PCI DSS v4.0, HIPAA, and DORA as applied to cloud environments
- IS: Incident response and digital forensics procedures adapted for cloud-native and virtualized architectures
- IS NOT: Deep engineering implementation (e.g., writing Terraform scripts or configuring load balancers)—the auditor validates controls rather than building them
- IS NOT: Network and Endpoint Security (covered in a sibling competency), though cloud network controls (VPCs, security groups, WAF) remain within scope
- IS NOT: AI/ML model security as a specialized domain—foundational cloud IAM, data protection, and monitoring principles apply, but AI-specific governance is outside this cubelet
- IS NOT: Physical data center security—virtualization abstracts the physical layer, which is the cloud provider's responsibility under the shared model
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: CISA Domain 5: Protection of Information Assets
- REQUIRES: Network and End-Point Security; Identity and Access Management (IAM)
- RELATED TO: Data Loss Prevention and Encryption; Security Monitoring and Incident Response
- ENABLES: Cloud Compliance Auditing (SOC 2, FedRAMP, DORA); Third-Party and Vendor Risk Management
- CONSTRAINS: Cloud Cost Optimization (FinOps)—security controls must not be traded away for cost reduction