Press Release


 5 Hidden Costs of Cloud Migration: New ISACA White Paper 

“Calculating Cloud ROI” Cuts Through Hype

Rolling Meadows, IL, USA (1 August 2012)—Cloud computing promises a low cost of entry and fast return on investment, but that ROI can fall short of expectations if hidden costs are left out of the equation. A new white paper from global IT association ISACA, “Calculating Cloud ROI: From the Customer Perspective,” takes a close look at the true costs of cloud migration and offers a practical framework for calculating returns on migrating to the cloud.

The free white paper outlines five hidden costs that enterprises may fail to anticipate when moving quickly to cloud-based services:

  • Cost of bringing services back in-house due to regulatory change (e.g., stricter data privacy laws)
  • Cost of implementing and operating countermeasures to mitigate risk
  • Unexpected expenses involved in initial migration of systems
  • Loss of internal IT knowledge providing competitive differentiation
  • Lock-in with specific cloud provider or proprietary service model, which may slow down future adoption of open standards-based services

“According to the hype, cloud computing makes it easy to offer IT users the same self-service that people love when they turn on their lights or air-conditioning—it’s limitless, on-demand and pay as you go,” says Marc Vael, CISA, CISM, CGEIT, CRISC, international vice president of ISACA. “But in reality, cloud computing is like every other IT innovation. Security, cost and complexity don’t disappear— they just need to be managed and accounted for.”

Enterprises are increasingly turning to public, private or hybrid cloud models to achieve such benefits as shifting cost from capital to operational, becoming more agile, and redeploying IT resources to higher-value-added activities. While these benefits are achievable, this latest guidance from ISACA details a 12-step process that takes a frank look at the complexity of cloud computing options and the importance of making an informed decision about long-term costs and payback.

An example of positive ROI as a result of cloud migration is CA Technologies, which uses a private cloud to enable resource pooling and on-demand and scheduled resource acquisition, and to support data center consolidation and standardization.

“Early in our deployment we consolidated 44 locations and were able to drive millions in real estate savings and in productivity gains, as well as a 25 percent reduction in budget,” said George Watt, vice president of strategy, CA Technologies, who led the cloud deployment. “Yet, our newfound agility was the unsung hero. From our perspective, one of the most important steps in calculating ROI is ensuring second-order costs are considered so there is a legitimate understanding of the complete cost of cloud and non-cloud options.”

To help more companies effectively calculate the ROI for their cloud initiatives, the “Calculating Cloud ROI” white paper offers the following practical tips:

  • Balance the need to be accurate with the need to reach a decision. An overly complex ROI calculation can make it hard to understand why a decision was made or measure its effects. Do as thorough a job as possible, but don’t let perfect be the enemy of good.
  • Cloud is not right for every organizational need. The type of cloud service selected—and the decision to use cloud computing services—depends on the specific enterprise’s risk appetite.
  • ROI is a good start, but other financial indicators should also be calculated. ROI coupled with total cost of ownership (TCO), net present value (NPV), internal rate of return (IRR), or payback period will provide a more accurate financial picture across the life span of the cloud investment.
  • It is far easier and less costly to change a decision when it is still on the drawing board. The time an enterprise spends considering the ROI of various options and selecting the best fit for its needs is time well spent.

Calculating Cloud ROI: From the Customer Perspective” is available as a complimentary download at

About ISACA’s Cloud Computing Initiative
ISACA has been a pioneer in cloud governance, risk and compliance (GRC). A member of the Cloud Security Alliance, the association has published IT Control Objectives for Cloud Computing, a cloud computing audit program and cloud-related white papers, and holds cloud-related education sessions worldwide. Its flagship COBIT 5 framework for the governance and management of IT helps enterprises worldwide with effective governance of cloud initiatives. Members can take advantage of this extensive body of cloud knowledge through the ISACA Knowledge Center Cloud Computing group, which offers expert-led discussions, peer networking, publications, survey data, wikis and online learning.


With more than 100,000 constituents in 180 countries, ISACA ( is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations.

ISACA continually updates and expands the practical guidance and product family based on the COBIT framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.




ISACA Knowledge Center:


Kristen Kessinger, +1.847.660.5512,
Marv Gellman, +646.935.3907,