ISACA sets out five questions directors need to ask about cloud

Information security association ISACA has outlined five questions boards of directors need to ask about cloud governance in order to ensure a successful implementation.

The advice is delivered as part of the organisation’s “Cloud Governance: Questions Boards of Directors Need to Ask” whitepaper, in which ISACA urges directors to view cloud computing like any other investment and implement proper governance for it.

The association argues that poor cloud governance could lead businesses to incur unnecessary expense, due to services not being turned off once they are no longer needed.

It also claims a lack of cloud governance can lead organisations to experience threats to their security or regulatory non-compliance.

“The core goal of cloud computing is to turn enterprise computing into a fungible commodity,” the report’s authors claim.

“The challenge is for board members to have sufficient understanding of the opportunity that cloud presents so that they can effectively direct and monitor plans to leverage cloud and promote success,” they add.

According to ISACA, the first question directors should ask is whether management teams have a plan for cloud computing and whether they have weighed the value and opportunity costs.

“The risk of cloud adoption may be inconsequential when compared to the lost opportunity to transform the enterprise with effective and strategic use of cloud computing,” the authors claim.

The second question should tackle how current cloud plans support the enterprise’s mission, ISACA says.

“Cloud initiatives should have a clear and traceable link to the enterprise strategy so that the value expected from cloud services is clearly defined, accepted and measurable,” the report says.

Thirdly, board members should ask whether executive teams have systematically evaluated organisational readiness for a move to the cloud. This, the organisation says, should include looking at organisational culture and behaviour.

The fourth question to ask, ISACA says, is whether management teams have considered what existing investments might be lost in their cloud planning.

“Cloud computing may not be an immediate and clean fit with the existing technology portfolio of the enterprise ... [and may] obviate already-made technology investments that have not reached their planned end date,” the association warns.

Finally, board members should ensure management teams have strategies to measure and track the value of cloud return vs risk.

“The answers to these questions can help to determine whether the enterprise is ready to adopt cloud computing and whether the value created will have a positive impact on enterprise goals and objectives,” the authors conclude.