This is the title of the new ISACA document on cloud computing, published last July. It addresses how to calculate ROI so that an investment in this kind of service is evaluated properly, considering all the costs and gains involved.
We would like to highlight some aspects of this document from our perspective as a security rating agency that helps to simplify procurement processes for ICT services in general, and for cloud computing services specifically.
- "We must stay within the enterprise's risk tolerance". As defined in ISACA's proposed methodology, this means that a risk analysis of the current service model should be performed so that the subsequent cost estimation includes all the investments needed to ensure that risk tolerance is the same at the end of the process (this is useful to ensure that the comparison is made between "apples and apples").
- Intangible risks and benefits should not be included in the formula, unless "the business is able to assign a value based on historical or statistical data".
You can follow us on twitter.com/leet_security