Checklist for implementing software solutions

Author: ICAEW

Published: 27 Nov 2025

Most businesses will, at some point, need to consider changing software providers, or implementing a new software solution. This checklist will guide businesses in addressing the key considerations when moving to a new software provider, as well as when reviewing agreements with existing providers.

The majority of software is now cloud-based, and somewhere in the region of 96% of organisations are using some form of cloud services.

However, in the process of selecting a piece of software and its provider, no decisions should be taken for granted. Each part of this checklist takes into account the key strategic, risk, legal and data criteria when looking at software, whether that’s as part of a procurement process, or in reviewing your existing solutions. Working through this checklist alongside the Cloud Computing Guidance will help organisations make informed, secure, and strategic decisions.

Strategic approach

1. Does your business and/or technology strategy include principles and priorities around software selection? If not, have these been articulated and agreed? Considerations should include:

  • Cloud-first or on-premise
  • Off-the-shelf, customisable or bespoke
  • All-in-one solutions or a range of specialist tools
  • Perpetual or subscription-based licensing
  • Pricing and attitude towards open-source solutions

2. What software capabilities and functionality are most important to your organisation?

  • Internal user experience
  • Customer/client experience
  • Built-in reporting capabilities
  • Data accessibility and export capabilities
  • Integrations and APIs
  • Automation and AI
  • Security and compliance

3. Have you reviewed the software vendor’s roadmap and ability to deliver on it? Does it align with your requirements?

4. Have you evaluated your key software dependencies and critical interfaces? Do you have governance processes in place over these? How might they impact your ability to change software provider?

5. Do you have internal capabilities to implement new software, including migration from previous solutions? Consider the implementation requirements, on top of the skills needed to use the software itself.

Contractual and legal

1. Does the software meet all regulatory and legal requirements? Will you be able to provide historic information to relevant authorities (for example HMRC), if called upon to do so?

2. What is the pricing for the software? Consider the following.

  • Trial periods
  • Notice periods
  • Contract duration
  • Automatic renewals
  • Risk of mid or post-contract price increases

3. Are the software terms transparent and clear, or open to interpretation?

4. Are you considering any M&A activity? If so, how can you align your software contracts to minimise complexity in this process?

5. Where a software platform is managed/supported by the vendor or a third party, what are the SLAs? What is and is not included in the SLA agreement, and what will they charge extra for? Some areas to consider include:

  • data access fees;
  • development of bespoke reports;
  • support for audits including the right to audit the vendor’s controls and/or the availability of information required for audits.

6. If the software is used by customers/clients, can they contact the vendor directly for support?

7. If there is key functionality that you depend upon, what guarantees do you have that it will not be changed or deprecated without notice?

8. Where a software subscription ceases, what are your termination rights? Consider the following.

  • What is the notice period? Does it change depending upon who initiates the termination?
  • Do you have an ability to maintain access to the software on a read-only basis? Are there fees for this?
  • Can the software be reactivated and data restored, if cessation was accidental?

9. Have you considered setting up a software escrow agreement to ensure data recovery if the service is discontinued?

10. What is the contractual extent of liability in the event of significant financial losses attributable to an issue with the software, and does your own insurance (including cyber insurance) cover third-party liability costs?

Data and migration

1. Can data be provided outside of the platform in an actionable and useable format? Is it only possible to access the data using the vendor’s software? Can the data be accessed in at least one of the following:

  • Excel files (noting potential size limitations)
  • Text/CSV files
  • Database backups (e.g. SQL)
  • XML/JSON
  • API

2. Exactly what data is provided in an export? Does it include everything you may need to meet legal/regulatory requirements? Consider entire process lifecycles.

3. Is there an ability to ‘bulk’ process, update or export data through the software?

4. How easy is it to migrate between platforms, and is there any option to perform simulated migration exercises during trial phases? Are there tools available to assist with this, including third party solutions?

5. Are there limitations on data volumes and storage cost implications?

6. What are the data ownership and accessibility terms for the software? Per UK/EU GDPR, who is considered the data controller and data processor?

7. Does the software allow you to meet all relevant data protection requirements, including fulfilling ‘subject access requests’ and ‘right to be forgotten’ requests?

8. Where will your data be stored? Will it be subject to the laws of other jurisdictions?

Software risk

1. What are the historical availability and performance service levels of the software (particularly if it is cloud-hosted)? Is there any opportunity for recompense in the event of prolonged service unavailability, and if so, is it automatic?

2. Is it possible to restrict or monitor access to the software to minimise unauthorised logins?

3. What security is in place around platform and data accessibility? Consider the following:

  • encryption;
  • access controls such as multi-factor authentication, new login notifications, single sign-on, IP or asset logging/blocking;
  • restrictions on privileged/admin access, including by employees of the software vendor;
  • audit/activity logs; and
  • security assessments and certifications such as Cyber Essentials, ISO27001 and ISAE3402.

4. Do you have a business continuity plan and/or disaster recovery plan that reflects your software landscape? To what extent do you require buy-in from the software vendor to enact that plan successfully?

5. What backup options are available for the software? Here are examples of questions to ask.

  • Does the vendor include backups as part of their service or is it an optional extra?
  • Are the backups intended purely for continuity of service, or designed to support ‘rollback’ functionality in the event of errors or accidental data loss?
  • How often are backups taken and how long are they available for?
  • Exactly what is backed up? What data is covered? Are there key non-data elements that need to be backed up (eg, system configurations)? Is there anything excluded from the backup?
  • Is there a service cost associated with requiring access to a backup?
  • Do you require your own, separately hosted backups for business-critical data? And is this technically feasible for the software platform?
  • Can you test the ability to restore from backup?

6. Have you performed a disaster recovery test, cyber attack simulation or other form of modelling of incident response in relation to specific software or your whole IT environment?
