* Determine exactly what data or function is being considered for the cloud.

* Assess how important the data or function is to the organization.

* Determine which of the following cloud options are acceptable: public; private (internal); private, (external); community; hybrid.

* Evaluate the degree of control available to implement risk mitigations.

* Map out the flow of data in and out of the cloud to identify points of exposure to risk.