How to Evaluate Cloud Providers: Checklist Steps 3 and 4

December 5, 2023 | 5 minute read
Text Size 100%:

Welcome back to the blog series about how 123 Bank Corp, a financial service company, used a 5-step checklist to guide their adoption of cloud services. The first post introduced the case study, with their challenges and checklist. The second post discussed steps 1 and 2 for identifying security, privacy, compliance, and functional requirements.  


Step 3: Generate List of Top Potential Suppliers

123 Bank Corp broke down this aspect supplier selection into two distinct tasks. The first task was a broadly collaborative exercise to come up with a list of potential suppliers offering the targeted types of cloud services in the desired regions. In the second task, the team whittled the list down to the top 5 potential suppliers for each category of cloud services: cloud applications and cloud infrastructure. 

Task 1: Collect Nominations of Suppliers

Stakeholders from multiple teams and roles were invited to suggest IaaS and SaaS suppliers for consideration. For supplier nominations, contributors were responsible for performing high level validation that the potential supplier’s services were likely to be a reasonable fit for the company requirements documented in the previous steps. A challenge in this area was dealing with the personal preferences for certain vendors by stakeholders.

Based on experience with previous change management initiatives, 123 Bank Corp knew that a diversity of opinion and employee experience would not only help them deploy the best solution, but also yield the necessary buy-in across the organization. When obtaining feedback (both positive and negative) about potential suppliers, the executive sponsor encouraged employees to detail why they make certain recommendations, such as describing any direct experience using those services. Capturing the “why” was helpful for the project team to evaluate nominations and feedback, because people may identify a key benefit or issue which may – or may not – be relevant to the current needs. The team’s prioritization of requirements performed in step 2 proved to be critical in this step to settle differences of opinion among stakeholders.

Task 2: Refine List to Top Suppliers

When narrowing the potential supplier list, 123 Bank Corp considered insights from multiple internal and external sources:

123 Bank Corp leveraged the following resources for considering Oracle during that step:


Step 4: Research the Top Potential Suppliers

After 123 Bank Corp narrowed down the list of potential suppliers, the next step was to research the cloud providers as companies. To satisfy Board of Directors concerns about investing significant money in cloud services, the project team obtained their guidance about evaluation criteria based on the potential supplier’s financial foundation and reliability. Per that guidance, the bank’s analysis was informed by the financial viability of the top contenders, how cloud providers operate, and commitments made by cloud providers to their customers. Once again, 123 Bank Corp broke this evaluation into two separate tasks. This helped accelerate this process, because different team members had the requisite knowledge and expertise to evaluate different aspects of potential suppliers. Experts in security evaluated supplier practices. In parallel, Finance, Legal and business teams explored corporate operations.

Task 1: Evaluate Security, Privacy and Compliance

123 Bank Corp leveraged the public sites of its top contenders. The team initially learned about Oracle’s security practices by diving deep into Oracle’s Trust Center: team made an initial assessment of each contender after exploring the quality and depth of the information on each company’s site.  

While exploring Oracle’s Trust Center, the team found most of the necessary information about Oracle’s Corporate Security Practices easily because the topics align with the global ISO 27001 information security standard. Governance was explored first, since it is an essential requirement in the supplier selection criteria. Team members with development experience evaluated the relative apparent maturity of each top contenders’ development practices. When evaluating Oracle’s secure coding methodology, the team looked into areas such as:

  • Secure Coding Standards and Developer training
  • Analysis and Testing requirements
  • Security Fixing Policies
  • Source Code Protection

Task 2: Evaluate Corporate Operations

Several aspects of evaluating possible suppliers required specialized knowledge and expertise. 123 Bank Corp’s project leadership identified team members eligible to support each of their focus areas:

 Focus Area

Oracle Resources Used by 123 Bank Corp


Legal analyzed Oracle’s cloud contracts and Oracle Cloud Hosting and Delivery Policies, to determine the strength and scope of commitments


Finance advised the project team about the stability and viability of Oracle’s business based on financial reports, earnings and US SEC filings on the Investor Relations site

Social Impact

Business leaders determined alignment to 123 Bank Corp’s values by reading the Oracle CEO’s perspective on Oracle’s commitment to corporate responsibility and the social impact report

Data Centers

Project leadership matched their set target cloud service locations to Oracle’s data centers regions and confirmed availability of the relevant cloud services per target region by contacting Sales


Business teams validated that Oracle provides the Support they need, including 24x7x365 availability of Engineers

To be continued!  The final post in this series will cover checklist step 5 – evaluation of specific cloud services.

This blog entry is part of a 4-blog series:

  1. How to Evaluate Cloud Providers: Checklist and Case Study
  2. How to Evaluate Cloud Providers: Checklist Steps 1 and 2
  3. How to Evaluate Cloud Providers: Checklist Steps 3 and 4
  4. How to Evaluate Cloud Providers: Checklist Step 5



Nancy Kramer

With over 20 years of experience in managing risk, security, privacy and compliance audits relating to complex business processes and IT systems, Nancy Kramer helps define corporate information security policies and manages compliance and obligation management programs which oversee Oracle’s on-premises and cloud offerings. Nancy also provides thought leadership via engagement with industry organization such as Payment Card Industry Security Standards Council (PCI SSC).

Previous Post

Introducing a new dimension of flexibility with multiple clusters for Oracle Cloud VMware Solution

Next Post

Oracle recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for Strategic Cloud Platform Services

Clay Magouyrk | 6 min read