Formulate extensively in an answer-forcing manner, rather than open-ended questions

[llarsson]

In as great an extent as possible, re-formulate the document into a "yes or no" manner (implying there could be checkboxes one could tick or not tick), rather than open-ended questions, or ones that ask "when did you last X", so that it forces the reader to answer truthfully and with data.

For instance, "Describe your access control system for Kubernetes?" is very open-ended. It would be better broken down into questions regarding whether there is an identity provider, if there is a clear policy regarding who gets what access, if RBAC is used, to enforce that policy, and so on.

It requires more thinking on our part, but helps the customer immensely to see the value we can help them achieve.

[llarsson]

Assigned @cristiklein instead, because currently has more time to take a stab at this.

[jakubkrzywda]

I have created the Cloud Information Security Review Checklist following the suggestions from this issue, however Kubernetes checklist still needs to be improved.