When to assess the risks of using a public cloud service
You need to assess risks when looking for or starting to use services — and when there are significant changes or new risks.
Looking for or starting to use services
Risk assessments must be done when adopting:
- all-of-government agreements
- Marketplace contracts
- individual services — including free trials
- contract renewals.
Significant changes to your services
You may need to re-assess the risks to your information if either your organisation or the service provider has, for example:
- new terms and conditions — this may require renegotiating or cancelling the service
- changes to the information being stored or managed by the public cloud service
- new or modified purposes for using the service.
Government organisations should be regularly monitoring and reviewing risks and security controls. These reviews might reveal concerns that require re-assessing the risks to your information in a public cloud service.