
Module 69: Outsourcing and Cloud Contracts

CCSP Domain 6 — Legal, Risk & Compliance, Section C
The CCSP exam treats cloud contracts as risk management documents, not just legal agreements. Every contractual provision — or absence of one — either mitigates or creates risk. The exam expects you to evaluate contracts for security adequacy, not just legal completeness.

Cloud as Outsourcing

Cloud computing is a form of outsourcing. You are entrusting business-critical data and processes to a third party. The CCSP exam tests whether you apply the same due diligence to cloud adoption that you would to any outsourcing arrangement — perhaps more, because cloud providers often have non-negotiable terms of service.

Due Diligence Before Contracting

The exam expects due diligence before signing cloud agreements:

  • Security assessment: Review the provider's security certifications, audit reports, and incident history. The exam tests whether you verify claims independently.
  • Financial viability: Assess the provider's financial stability. A provider that goes bankrupt creates data availability and recovery risks.
  • Regulatory compatibility: Verify that the provider can support your regulatory requirements — data residency, audit rights, breach notification, and data deletion.
  • Exit strategy: Before you enter a cloud relationship, plan how you will leave. The exam tests whether you consider data portability and migration feasibility during due diligence, not after lock-in.

Essential Cloud Contract Provisions

The exam tests specific contractual provisions that should appear in cloud agreements:

Service Level Agreements

SLAs define performance expectations. The exam tests whether SLAs include security-specific terms beyond uptime:

  • Incident response and breach notification timelines
  • Availability targets with defined measurement methodology
  • Security event reporting obligations
  • Remedies and service credits for SLA breaches

Data Handling

  • Data ownership: The contract must explicitly state that the customer owns their data. The exam tests this as non-negotiable.
  • Data location: Where will data be stored and processed? Can it move without notification?
  • Data return and deletion: What happens to data at contract end? The exam tests whether contracts require data return in a portable format and verified deletion, including from backups.
  • Data isolation: How is customer data isolated from other tenants?

Audit Rights

Audit rights are the right to audit the provider directly or to receive its audit reports. The exam tests whether contracts include audit provisions that allow meaningful verification of the provider's security controls.

Exam trap: Many cloud providers offer "take it or leave it" terms of service with no negotiation. The exam expects you to evaluate these standard terms against your requirements and to recognize gaps. If a standard contract does not meet your security requirements, you need a provider that offers negotiable terms or you need compensating controls.

Subcontractor Management

Contracts should address whether the provider can use subcontractors, notification requirements when subcontractors change, and security requirements that flow down to subcontractors.

Liability and Indemnification

The exam tests whether liability provisions are proportional to risk. Cloud providers typically limit their liability to the contract value. The exam expects you to evaluate whether this limitation is acceptable given the potential impact of a breach.

Contract Termination and Transition

The exam heavily tests the contract termination phase:

  • Data retrieval: Sufficient time and mechanism to extract all data before it is deleted.
  • Transition assistance: Provider cooperation during migration to a new service.
  • Data destruction verification: Certified evidence that data has been deleted from the provider's systems, including backups.
  • Portability: Data returned in standard formats that can be used elsewhere.

Regulatory and Compliance Provisions

Contracts must address compliance obligations: the provider's commitment to maintain certifications, notification of compliance changes, cooperation with regulatory investigations, and privacy-specific provisions (data processing agreements under GDPR, for example).

Common Exam Traps

  • Accepting default terms: Standard terms of service may not meet your security or compliance requirements. The exam tests whether you identify gaps.
  • Forgetting exit planning: The time to negotiate data return and deletion is before signing, not at contract end.
  • Liability caps: A provider's limited liability may be far below your potential loss. The exam tests whether you recognize this gap.
  • Assuming contract compliance: A contract provision is only effective if it is enforced and verified through audits.

Key Takeaways for the Exam

Cloud contracts are risk management documents. Due diligence precedes contracting. Essential provisions include data ownership, location, return, deletion, audit rights, breach notification, and subcontractor management. SLAs must include security terms. Exit planning starts before the contract is signed. Liability limitations must be evaluated against potential loss. Non-negotiable terms must be assessed for security adequacy.
