Risk appetite and budget constraints have the most substantial impact on how aggressive or

conservative the cloud approach of an organization will be. Risk appetite is the amount and type of

risk that an organization is willing to accept in pursuit of its objectives. Budget constraints are the

limitations on the financial resources that an organization can allocate to its cloud initiatives. Both

factors influence the organization’s strategic decisions on which cloud service models, deployment

models, providers, and solutions to adopt, as well as the level of security, compliance, and

performance to achieve. An organization with a high risk appetite and a large budget may opt for a

more aggressive cloud approach, such as moving critical applications and data to a public cloud

provider, while an organization with a low risk appetite and a small budget may opt for a more

conservative cloud approach, such as keeping sensitive information on-premises or using a private

cloud provider12.

Reference:

ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 17-18.

CSA, Cloud Controls Matrix (CCM) v4.0, 2021, p. 63.