Domain 6 of 6 · Chapter 5 of 5

Outsourcing & Cloud Contracts

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • MSA, SOW, and SLA: three documents, three jobs
  • Reading an SLA: credits, exclusions, and what it does not cover
  • Vendor management: lock-in, viability, and escrow
  • What a cloud contract must contain
  • Supply-chain management with ISO/IEC 27036 and exam patterns

MSA vs SOW vs SLA: which document owns which term

AspectMSA (Master Service Agreement)SOW (Statement of Work)SLA (Service Level Agreement)
PurposeOverarching legal relationshipScope of one specific engagementMeasurable performance commitment
Typical contentsLiability, indemnity, IP ownership, confidentiality, terminationDeliverables, milestones, timeline, acceptance criteriaUptime %, response/resolution times, metrics
Remedy when breachedLegal remedies / damages per contractNon-acceptance, rework, payment holdService credit (% of fee), rarely damages
FrequencySigned once, reused across projectsOne per project / deliverableOften per service tier, attached to MSA
LifespanLong-term umbrellaEnds when deliverable acceptedContinuous while service runs

Decision tree

Where does this clause go?classify by what it controlsLegal term?Liability, IP, confidentiality,governing law?YesMSAumbrella legal contractScope of work?Deliverables, milestones,acceptance criteria?YesSOWscopes one engagementMeasurable target?Uptime %, response time,with a service credit?YesSLAcredit, not damagesMost distractors put the right concept in the wrong documentclassify by what the clause controls, not by where it sounds plausible

Cheat sheet

  • MSA is the umbrella legal contract, signed once and reused
  • SOW scopes one engagement's deliverables and acceptance criteria
  • SLA is the measurable performance contract, and its remedy is a service credit
  • Read an SLA's exclusions before its uptime number
  • Vendor lock-in is mitigated by portability, interoperability, and reversibility
  • Reversibility is the property that actually lets you execute an exit
  • Assess vendor viability, not just security, before signing
  • Software escrow protects you when you could self-host the vendor's code
  • Match the exit control to the dependency: escrow for code, reversibility for SaaS data
  • A cloud contract must reserve a right-to-audit, usually met by third-party attestations
  • The contract must state the customer owns the data and the provider only processes it
  • Define a breach-notification timeline in the contract
  • Termination clauses must guarantee data return and verifiable deletion, including backups
  • Cyber insurance transfers the residual risk the SLA cannot cover
  • Specify governing law, venue, and e-discovery obligations
  • ISO/IEC 27036 governs information security in supplier relationships
  • Flow security and breach-notification requirements down to subcontractors
  • SLIs measure, SLOs target, and the SLA is the binding contract with remedies
  • An earn-back clause lets the provider recover credits by sustaining performance
  • SLA metrics must be objectively measurable, independently verifiable, and within the provider's control
  • Composite availability of services in series is the product of their SLAs, so it is lower than any one

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CCSP Certification Exam Outline (Domain 6.5: Outsourcing and Cloud Contract Design)