How to vet a cloud provider under ISO 27001

Fourteen questions to ask a cloud provider during selection. Which answers are acceptable, which should stop the deal.


TL;DR

14 key questions to vet a cloud provider during ISO 27001 selection. Acceptable answers and the ones that should stop the deal.

The 14 questions

Certifications and governance

  1. Do you hold ISO 27001:2022, 27017, 27018 and 9001? Can you show me the certificates?
  • Acceptable: all 4, with consistent scope.
  • Stop: anything less than 27001 + 27017.
  2. Which certification body? When was the last audit?
  • Acceptable: accredited body (TÜV, DNV, Bureau Veritas) and an audit within the last 12 months.
  • Stop: non-accredited body, or audit older than 18 months.
  3. Do you have a published security policy?
  • Acceptable: PDF available, or a public summary.
  • Stop: generic refusal.

Datacentre and operations

  4. Where are the datacentres physically located?
  • Acceptable: Italy or the EU, with an explicit declaration.
  • Stop: outside the EU without SCCs or the EU-US DPF.
  5. Who controls the operating company?
  • Acceptable: EU corporate registration.
  • Stop: undisclosed non-EU control.
  6. Where are support staff and the SOC?
  • Acceptable: Italian or EU, trained.
  • Stop: outsourcing outside the EU without disclosure.

Business continuity

  7. Are RTO and RPO documented in your SLAs?
  • Acceptable: yes, written into the contract.
  • Stop: only "best effort".
  8. Off-site backup frequency? Integrity verification?
  • Acceptable: every N hours, plus automatic integrity verification.
  • Stop: unverified backups.
  9. How often do you drill your DR?
  • Acceptable: quarterly or more often.
  • Stop: a generic annual exercise, undocumented.

Technical security

  10. Encryption at rest? In transit?
  • Acceptable: AES-256 + TLS 1.3.
  • Stop: none, or at-rest only.
  11. Key management? HSM?
  • Acceptable: HSM or a dedicated KMS.
  • Stop: manually managed keys.
  12. MFA? For all accounts, or admins only?
  • Acceptable: all accounts, at least recommended.
  • Stop: admins only.

Incident handling

  13. Customer notification procedure for incidents?
  • Acceptable: written SLA (e.g. 4-24h).
  • Stop: no written commitment.
  14. Sub-suppliers? Who, and for what?
  • Acceptable: transparent list.
  • Stop: refusal to disclose.

Selection workflow

  1. send the questionnaire to the provider (at most 1 week to respond);
  2. evaluate the responses: 12 of 14 green = OK; 2 red = stop;
  3. request proof (certificates, drill logs);
  4. sign only after all 14 are covered.
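The scoring rule in step 2 is easy to encode so that every questionnaire is graded the same way. The following scorer is an added example (not Sefthy's tool): it mechanises the questions whose acceptable/stop thresholds are numeric or categorical (Q1, Q2, Q4, Q12), takes the assessor's grade for the rest, and applies 12-green/2-red. Assumptions: answer field names and the sample response are constructed; 18 months is approximated as 540 days; MFA on anything short of all accounts is treated like the admin-only stop; a single red is reported as "review" rather than a pass, in line with step 4.

```python
from datetime import date
GREEN, AMBER, RED = "green", "amber", "red"  # amber: neither acceptable nor a stop
TODAY = date(2025, 1, 15)  # constructed assessment date, keeps the example reproducible
def check_certs(held):
    # Q1: all four with consistent scope; fewer than 27001 + 27017 is a stop.
    held = set(held)
    if {"27001:2022", "27017", "27018", "9001"} <= held:
        return GREEN
    return AMBER if {"27001:2022", "27017"} <= held else RED

def check_audit(last_audit, today, accredited):
    # Q2: accredited body and audit within 12 months; non-accredited or > 18 months stops.
    age = (today - last_audit).days
    if not accredited or age > 18 * 30:  # 18 months approximated as 540 days (assumption)
        return RED
    return GREEN if age <= 365 else AMBER

def check_location(region, transfer_mechanism):
    # Q4: EU datacentre is fine; outside the EU needs SCCs or the EU-US DPF.
    if region == "EU":
        return GREEN
    return AMBER if transfer_mechanism in ("SCC", "EU-US DPF") else RED

def check_mfa(scope):
    # Q12: MFA for all accounts; anything less is treated like the admin-only stop (assumption).
    return GREEN if scope == "all" else RED

def decide(results):
    # Step 2: 12 of 14 green = OK, 2 red = stop; one red is not a pass (step 4), so it is "review".
    reds = sum(r == RED for r in results.values())
    greens = sum(r == GREEN for r in results.values())
    if reds >= 2:
        return "stop"
    return "ok" if greens >= 12 and reds == 0 else "review"

def evaluate(a, today):
    # Questions without a mechanical rule here carry the assessor's own grade.
    results = dict(a["assessor_grades"])
    results["q1"] = check_certs(a["certs"])
    results["q2"] = check_audit(a["last_audit"], today, a["accredited_body"])
    results["q4"] = check_location(a["region"], a.get("transfer_mechanism"))
    results["q12"] = check_mfa(a["mfa_scope"])
    assert len(results) == 14, "every question needs a grade before deciding"
    return decide(results), results

SAMPLE = {  # constructed response for illustration, not a real provider
    "certs": ["27001:2022", "27017", "27018", "9001"], "mfa_scope": "admin",
    "last_audit": date(2024, 3, 1), "accredited_body": True, "region": "EU",
    "assessor_grades": {f"q{n}": GREEN for n in (3, 5, 6, 7, 8, 9, 10, 11, 13, 14)},
}
```

`evaluate(SAMPLE, TODAY)` returns "review" with 13 greens and one red (admin-only MFA); dropping 27017 from the certificates adds a second red and turns the verdict into "stop".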

FAQ

The provider refuses to answer the 14 questions: what should I do?

Switch providers. A serious cloud provider responds within 2-3 days.

Can I accept a provider with limited certification scope?

Only if the certified scope covers the specific service you will buy. Verify it against the certificate.


See also: ISO 27001:2022 and continuity (the continuity cluster guide), and ISO 27001 vs 27017 vs 27018 (the ISO comparison).
