Looking for or starting to use services

Risk assessments must be done when adopting:

• all-of-government agreements
• Marketplace contracts
• individual services — including free trials
• contract renewals.

Ways to buy public cloud services

Significant changes to your services

You may need to re-assess the risks to your information if either your organisation or the service provider has, for example, new:

• ownership
• terms and conditions — this may require renegotiating or cancelling the service
• changes to the information being stored or managed by the public cloud service
• or modified purposes for using the service.

Negotiate contracts for public cloud services

New risks

Government organisations should be regularly monitoring and reviewing risks and security controls. These reviews might reveal concerns that require re-assessing the risks to your information in a public cloud service.

Monitor and review risks to information systems

Next step — assess the risks

Assess the risks of using a public cloud service