Cloud Services Due Diligence Checklist
A move to the cloud raises important strategic issues for an organization: How will data be secured, where will it be located, and how available will it be when it is no longer on premises? How will the organization continue to meet regulatory obligations? How will the privacy of sensitive customer and employee data be protected?
The critical first step for organizations, before they can assess and compare the level of service offered by different cloud service providers, is to clearly identify their own objectives and requirements. Only then can they create the formalized service specifications that address their business needs, and that cloud service providers require so they can build an appropriate response.
Unfortunately, many organizations lack a structured way to determine these objectives and to get the guidance they need to make good decisions. Without a standardized approach, such organizations might enter agreements that aren’t in their best interests. In fact, according to a recent study more than 94 percent of organizations would change some terms in their current cloud agreement.
Microsoft created the Cloud Services Due Diligence Checklist to meet the business need for a standardized approach.
Download the Cloud Services Due Diligence Checklist
Download the Cloud Services Due Diligence Checklist instructions
Download the Cloud Services Due Diligence Worksheet
How the checklist helps organizations exercise due diligence
The checklist promotes a thoroughly vetted move to the cloud, providing structured guidance and a consistent, repeatable approach for choosing a cloud service provider.
Cloud adoption is no longer simply a technology decision. Because checklist requirements touch on every aspect of an organization, they serve to convene all key internal decision-makers—the CIO and CISO as well as legal, risk management, procurement, and compliance professionals. This will increase the efficiency of the decision-making process and ground decisions in sound reasoning, thereby reducing the likelihood of unforeseen roadblocks to adoption. In the case of Convergent Computing, a San Francisco-based IT consulting firm, they used the checklist to bring consensus to an otherwise chaotic decision process and reduced the decision cycle from a six-month process down to six weeks.
In addition, the checklist:
- Exposes key discussion topics for decision-makers at the beginning of the cloud adoption process.
- Supports thorough business discussions about regulations and the organization’s own objectives for privacy, personally identifiable information (PII), and data security.
- Helps organizations identify any potential issues that could affect a cloud project.
- Provides a consistent set of questions, with the same terms, definitions, metrics, and deliverables for each provider, to simplify the process of comparing offerings from different cloud service providers.
Learn How the Cloud Services Due Diligence Checklist helps protect you.Download how the checklist helps protect organizations
Forrester Research: Cloud service agreements omit key considerations
Microsoft commissioned Forrester Consulting to evaluate the current state of cloud agreements against the elements of the ISO/IEC 19086-1 Standard. Learn about the results.
Why Microsoft created the Due Diligence Checklist
Microsoft developed the Cloud Services Due Diligence Checklist to help organizations exercise due diligence as they consider a move to the cloud. It provides a structure for an organization of any size and type—private businesses and public sector organizations, including government at all levels and nonprofits—to identify their own performance, service, data management, and governance objectives and requirements. This allows them to compare the offerings of different cloud service providers, ultimately forming the basis for a cloud service agreement.
The checklist provides a framework that aligns clause-by-clause with a new international standard for cloud service agreements, ISO/IEC 19086. This standard offers a unified set of considerations for organizations to help them make decisions about cloud adoption, as well as create a common ground for comparing cloud service offerings.
Microsoft has been an active member of the panel of experts that developed this standard over a three-year period. The checklist distills the standard’s 37 pages into a simpler, two-page document that organizations can use to negotiate a cloud service agreement that meets their business objectives. Because it is grounded in the new standard, the checklist is service- and provider-neutral, applying to any organization requiring cloud services and any cloud service provider.
Frequently asked questions
ISO/IEC 19086-1 is the first of a new four-part international standard that establishes a framework and terminology for cloud service level agreements (SLAs). It offers a unified set of considerations for organizations considering cloud adoption, and common terminology so they can more easily compare cloud services and providers to ultimately establish an SLA.
The standard was created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO is an independent non-governmental organization and the world’s largest developer of voluntary international standards; the IEC is the world’s leading organization for the preparation and publication of international standards for electronic, electrical, and related technologies. Over a period of years, a joint ISO/IEC subcommittee created ISO/IEC 19086-1; Microsoft was one of many member organizations that participated.
The goal was to create a simpler document that organizations considering a move to the cloud, as well as cloud service providers, could use to create a cloud service agreement. Microsoft has been involved with the panel of experts that developed the ISO/IEC 19086 standard, and took on the work of distilling the 37 pages of the standard into the two-page Cloud Services Due Diligence Checklist. Note, however, that this is not a Microsoft-specific checklist; it applies to all organizations and cloud service providers.
Organizations should convene stakeholders from across the company to discuss how each checklist item applies to the organization, and specifically to the cloud project. The team can determine minimal requirements, weigh the importance of each item in the list, and assign responsibility for each item. Organizations are then in a better position to ask providers to respond to each of the considerations in the checklist, compare responses, and decide which provider best meets their organizational objectives.