As you are creating a list of questions for information security, what questions should you ask? Here is a list from Net Security from Creating a cloud security policy.

Perhaps a differentiation is the level of the organisation such as small business vs corporate. These considerations mainly apply to corporate organisations.

* Define who, when and under what circumstances changes can be made. Defining the "who" is often the hardest part of establishing a cloud security policy. 

* Do we have a good data classification policy and procedure and what type of data will we allow in the cloud, sensitive corporate data, protected data such as PII, SSNs or HIPAA related, day-to-day operational data?

* Do you allow application developers to make changes to security settings in the cloud to improve performance?

* For applications in the cloud, who in organization is allowed to modify settings on the cloud that affect performance?

* How should we manage administrative privileges to the cloud provider?

* How well does the cloud provider’s security policies and procedures align with organizations? The organization may already have a level of security appropriate for cloud transactions or a new policy needs to be developed.

* What do we want to put in the cloud (data, applications or both)?

* What existing policy does the company have that applies to what we want to do in the cloud?

* What have others in industry done and what can we borrow?

* What is exit strategy and policy for removing data or application from this cloud provider?

* Where can my data or application be physically located?

* Where your data lives and where it could be moved to have legal and privacy implications.

* Who can set up an application in or move data to the cloud and with whom should it be approved beforehand?

* Who has authority to negotiate SLA’s?

* Who in organization is allowed to enter into agreements with cloud providers?