80 questions to ask for a cloud vendor assessment [Updated]
Cloud computing remains highly sought after by companies that want scalable resources, efficient IT operations, and access to enterprise-grade software without building out a large network infrastructure of their own.

Amid the continued buzz surrounding Software as a Service (SaaS) and cloud computing, businesses often make mistakes when selecting a cloud vendor because of inflated expectations and misunderstandings, which frequently end in disillusionment. Each cloud provider offers distinct capabilities tailored to specific needs.

This updated post presents critical questions for a comprehensive Cloud Vendor Assessment. These questions will help you evaluate and choose the cloud vendor that best fits your business, both functionally and economically.

Cloud Vendor Assessment – 80 Questions

Vendor Background and References

  • How long have you been in the market?
  • What industry is the solution designed for?
  • Are there current issues of concern, e.g., negative media/press, data breaches, etc.?
  • Can you give examples of customers who are using the solution successfully?
  • How is your solution superior, both functionally and economically, to the other solutions available?
  • Can you provide at least three blind references?
  • Can you demonstrate similar deployments to the ones we are planning?
  • Can you show us relevant examples of functional proof points and ROI?
  • How have other customers used your solution to solve similar business challenges?
  • How do you engage with your customers for feedback and improvements?

Service Delivery and SLAs

  • Can we run a pilot program to test the concept before making a substantial investment?
  • Is it possible to configure your solution to fit my requirements without writing code?
  • Do you have service-level agreements (SLAs)?
  • How is your availability SLA superior to your competitors'?
  • Do you establish SLAs with real penalties for failure?
  • Can I add and remove services as needed?
  • Do you use a third party to provide the required services?
  • What happens to our data when the service is terminated?
  • Can your solution be integrated with our existing systems?
  • How scalable is your solution in terms of handling increased workloads?

Security / Audit

  • Do you perform regular vulnerability assessments/penetration tests? When was the most recent assessment, and what risks were identified?
  • Do we have the right to audit the cloud provider?
  • Where are your data centers located, and how are they secured?
  • Are there controls to ensure that data can only be entered and changed by authorized personnel?
  • Is privileged access restricted?
  • Is the system secured by unique IDs and passwords?
  • Do you use encryption to protect data and virtual machine images during data movement across and between networks and hypervisor instances?
  • Can you list your current security features? Are they supported by an independent information security management certification (e.g., ISO/IEC 27001)?
  • Does your logging and monitoring framework allow an incident to be isolated to specific tenants?
  • Who has access to these logs, and how long are they retained?
  • Is a third party involved in the integration process?
  • How do you handle data privacy regulations (e.g., GDPR, CCPA)?
  • What are your protocols for dealing with a data breach?

Disaster Recovery and Compliance

  • Do you have an effective and comprehensive disaster recovery plan?
  • Is the proposed architecture sufficiently diversified to mitigate risk?
  • Does your solution meet critical security and compliance requirements?
  • What are the capabilities and policies for protecting our data (both physically and procedurally)?
  • Do you meet general and industry-specific security and compliance standards, such as PCI-DSS or NIST?
  • Does your cloud solution comply with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), HIPAA, or FedRAMP?
  • Do you have cyber risk insurance?
  • Do you have an audit trail for critical data and activities?
  • Can the audit trail be reviewed for irregularities?
  • What are the procedures in place to ensure business continuity and disaster recovery?
  • Have these procedures been tested?
  • Do you perform backups? How often?
  • How often do service outages occur, and how long do they last?
  • Do you offer guaranteed uptime?
  • How do you ensure the resilience of your application?
  • Are data backups stored on-site or off-site?
  • How do you handle compliance with emerging regulations?

Support and Operations

  • Do you monitor service continuity with upstream providers in the event of provider failure?
  • Do you have a downtime plan (e.g., service upgrade, patch, etc.)?
  • How is your support team structured and incentivized?
  • Do you have quality measurement programs?
  • What is your emergency response process?
  • What is your post-emergency response process for root cause analysis?
  • Can you show us your reporting mechanism for security and other incidents?
  • What are your customer support response times for different severity levels?
  • Do you provide dedicated account managers?
  • How do you handle customer feedback and complaints?

Pricing and Contract Terms

  • Do you offer price protection and contractual flexibility?
  • Do you provide a standard annual termination-for-convenience right?
  • Do you allow for annual usage-level alignment (up or down) based on business needs, and can I apply monthly “rollover” usage to address seasonal peaks?
  • Do you provide long-term price protection?
  • Do you offer a single bill for all services?
  • Are there any hidden fees or charges?
  • What is your policy for pricing changes over time?
  • Do you offer volume discounts or incentives for longer-term contracts?
  • How do you handle billing disputes?
  • Can you provide a detailed breakdown of costs for transparency?

These questions will help you assess cloud vendors thoroughly, so that you choose a partner that meets your technical, security, compliance, and financial needs while keeping pace with current industry standards and trends.