60 questions to ask for a Cloud Vendor Assessment


Cloud computing is highly sought after by all companies who want to take advantage of scalable resources, efficient IT operations, and access to software enterprise-style tools, which are otherwise not available without an enterprise network infrastructure.

Amid almost deafening hype surrounding software as a service (SaaS) and cloud computing, companies tend to make a lot of mistakes while they choose a cloud vendor, mostly due to their inflated expectations, misunderstandings, and even disillusionment. Each cloud provider is unique, serving a specific function.

This post will present 60 basic questions you must ask for a complete Cloud Vendor Assessment, while you assess and choose your cloud vendor, best suited for your business, both functionally and economically.

Cloud Vendor Assessment – 60 questions


  • How long have you been in the market?
  • What industry is the solution designed for?
  • Are there current issues of concern, e.g., negative media/press, data breach, etc.?
  • Do you have any examples of software customers successfully using the solution?
  • How is your solution superior, both functionally and economically, to other available solutions?
  • Can you give us at least three blind references?
  • Can you demonstrate similar deployments to the ones we are planning?
  • Can you show us relevant examples of functional proof points and ROI?
  • Can you show us how other customers have used its solution to solve the same business challenges you’re looking to address?


  • Do you run a pilot program and test the concept first before making a substantial investment?
  • Is it possible to configure your solution to fit my requirements without the need for writing code?
  • Do you have service-level agreements (SLAs)?
  • How is your availability service level agreement (SLA) superior to your competitors?
  • Do you establish SLAs with real penalties for failure?
  • Can I add and remove services as needed?
  • Do you use a third party to provide the required services?
  • What happens to our data when the service is terminated?

Security / Audit

  • Do you perform regular vulnerability assessments/penetration tests to determine security gaps? If so, can you state the date of the most recent vulnerability assessment and provide a comprehensive list of all security risks identified?
  • Do we have the right to audit the cloud provider?
  • Where are your data centers located, and how are they secured?
  • Are there sufficient controls to ensure that data can only be entered and changed by authorized personnel?
  • Is privileged access restricted?
  • Is the system secured by unique IDs and passwords?
  • Do you use encryption to protect data and virtual machine images during data movement across and between networks and hypervisor instances?
  • Can you list your current security features? Are they supported by an independent information security management certification (e.g., ISO/IEC 27001)?
  • Do your logging and monitoring framework allow isolation of an incident to specific tenants?
  • Who has access to these logs, and how long are logs maintained?
  • Is a third-party involved in the integration process?

Disaster, recovery, and compliance

  • Do you have an effective and comprehensive disaster recovery plan in place?
  • Is the proposed architecture sufficiently diversified to mitigate risk?
  • Does your solution meet critical security and compliance requirements?
  • What are the capabilities and policies for protecting our data (both physically and procedurally)?
  • Do you meet general and industry-specific security and compliance standards, such as the Payment Card Industry (PCI) Security Standards Council or the National Institute of Standards and Technology (NIST)?
  • Does your cloud solution comply with the Statement on Auditing Standards No. 70 (SAS70), HIPAA, or DIACAP?
  • Do you have cyber risk insurance in place?
  • Do you have an audit trail for critical data and activities?
  • Can the audit trail be reviewed for irregularities?
  • What are the procedures in place to ensure business continuity and disaster recovery? Have these procedures been tested?
  • Do you perform backups? How often?
  • How often do service outages occur, and how long do they last?
  • Do you have a guaranteed uptime?
  • Tell us how you ensure the resilience of your application?
  • Are data back-ups stored on-site or off-site?


  • Do you monitor service continuity with upstream providers in the event of provider failure?
  • Do you have a downtime plan (e.g., service upgrade, patch, etc.)?
  • How is your support team structured and bonused?
  • Do you have any quality measurement programs?
  • What is your emergency response process?
  • What is your post-emergency response process for root cause analysis?
  • Show us your reporting mechanism for security and other incidents.


  • Do you offer price protection and contractual flexibility?
  • Do you provide a standard annual termination for convenience?
  • Do you allow for annual usage-level alignment (up or down) based on business needs, and can I apply monthly “rollover” usage to address seasonal peaks?
  • Do you provide long-term price protection?
  • Do you offer a single bill for all services?