UnixTime

Research Note

Cloud Security Requirements and Exit Checklist

Use this before acquiring a cloud service, during periodic cloud review, and before exiting or migrating from a cloud provider.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this before acquiring a cloud service, during periodic cloud review, and before exiting or migrating from a cloud provider.

Acquisition and use checklist

  • Business need documented.
  • Cloud service owner assigned.
  • Information classification and data exposure assessed.
  • Data storage, processing, backup, and support locations reviewed.
  • Shared responsibility matrix completed.
  • Identity and access integration defined.
  • MFA and privileged access requirements defined.
  • Encryption and key management requirements defined.
  • Logging, monitoring, and retention requirements defined.
  • Backup, recovery, and resilience expectations defined.
  • Provider assurance reviewed.
  • Incident notification route defined.
  • Security requirements included in agreement or risk-accepted.
  • Residual risks above tolerance approved by management.

Exit checklist

  • Export format and migration path defined.
  • Business continuity during migration assessed.
  • Data return/export tested where practical.
  • Data deletion/destruction evidence requirement defined.
  • Backup and retained-copy handling defined.
  • Identity/access removal steps defined.
  • Contract termination requirements reviewed.
  • Post-exit validation planned.