User organizations (Cloud Service Consumers, CSC) require detailed information about the IT security and compliance risks associated with the use of the cloud computing service. They require this information:
- for their standard IT security management activities such as assessments and risk management,
- to take purchase decisions,
- to prepare for performing security-related activities they are still responsible for,
- to pass audits and inform their stakeholders (e. g. shareholders, customers, governmental and regulatory authorities).
User organizations (Cloud Service Consumers, CSC) want this information to be
- tangible, precise, and contractually relevant,
- to the point, short, and easy to understand,
- clear, unambiguous and using a language that allows comparison of different services.
Information that contains marketing messages or arguments to convince users may not be that useful.