When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this before acquiring a cloud service, during periodic cloud review, and before exiting or migrating from a cloud provider.
Acquisition and use checklist
- Business need documented.
- Cloud service owner assigned.
- Information classification and data exposure assessed.
- Data storage, processing, backup, and support locations reviewed.
- Shared responsibility matrix completed.
- Identity and access integration defined.
- MFA and privileged access requirements defined.
- Encryption and key management requirements defined.
- Logging, monitoring, and retention requirements defined.
- Backup, recovery, and resilience expectations defined.
- Provider assurance reviewed.
- Incident notification route defined.
- Security requirements included in agreement or risk-accepted.
- Residual risks above tolerance approved by management.
Exit checklist
- Export format and migration path defined.
- Business continuity during migration assessed.
- Data return/export tested where practical.
- Data deletion/destruction evidence requirement defined.
- Backup and retained-copy handling defined.
- Identity/access removal steps defined.
- Contract termination requirements reviewed.
- Post-exit validation planned.
Related notes
- Template
- Cloud security
- Supplier security
- Iso27001
Note Metadata
Aliases: Cloud Security Checklist, Cloud Exit Checklist
Source: 90 Templates/Cloud Security Requirements and Exit Checklist.md
Related Notes
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- A.5.23 Audit Evidence Pack
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.23 Information Security for Use of Cloud Services
- A.5.23 Audit Checklist
- Cloud Service Register
- Templates MOC