Many organisations have recently adopted variants of cloud computing. Many of them have done so with considerable enthusiasm, but with very little reflection. Commentators have warned of uncertain benefits, predictable disbenefits and a wide range of risks. A study of IT media reports shows that cloud outages are frequent, and that at least some of the theoretical risks are very real. This paper draws on the accumulated bodies of theory on outsourcing and information and IT security in order to propose an evaluation framework. This instrument supports an organisation's executives in evaluating proposals for cloud computing, and assists their governing Boards to fulfil their legal obligations to ensure that choices are informed by business case analysis and risk assessment.