* Determine exactly what data or function is being considered for the cloud.
* Assess how important the data or function is to the organization.
* Determine which of the following cloud options are acceptable: public; private (internal); private, (external); community; hybrid.
* Evaluate the degree of control available to implement risk mitigations.
* Map out the flow of data in and out of the cloud to identify points of exposure to risk.