← Back to all blogs

Louise Cermak | 17 July 2026

Cloud Migration Assessment. 9 Questions to Ask Before Moving a Legacy System

Five Considerations When Choosing a Cloud Provider

A cloud migration assessment should tell you whether a legacy system is ready to move, needs fixing first, should be re-scoped, or should not move yet. Cloud migration does not automatically remove legacy risk. It can carry old architecture, poor data, brittle integrations and weak ownership into a new environment.

For CIOs and CTOs, the risk is not simply that migration becomes technically difficult. It is committing budget, suppliers and executive confidence before the organisation fully understands what the system contains, how it supports the business and what risks will move with it.

In short, assess the system’s business value, dependencies, data, security, performance, technical debt, operating model and migration options before deciding whether it should move. The outcome should be a clear business decision, not simply a technical assessment.

Book a No-Obligation Advisory Session

What is a cloud migration assessment?

A cloud migration assessment is a structured review of an application or workload, its dependencies, data, risks and business case before deciding how, or whether, it should move to the cloud.

It is more than an infrastructure inventory. A comprehensive assessment should evaluate:

  • The application or workload itself
  • Upstream and downstream dependencies
  • Data quality, ownership and migration complexity
  • Security, identity and compliance requirements
  • Performance, resilience and recovery expectations
  • Technical debt that will survive migration
  • Cloud costs, operating model and organisational readiness
  • The most appropriate migration approach – rehost, re-platform, refactor, replace, retire or retain

Microsoft, AWS and IBM all position assessment as an early stage of cloud migration because it provides the evidence needed before planning, investment and delivery begin. In practical terms, the assessment should identify what should move, what should change, what should remain and which risks need managing before architecture, budget and delivery decisions are made.

Catapult’s cloud migration services follow the same principle. Assess first, then decide the safest and most commercially appropriate route forward.

Cloud migration assessment v cloud migration strategy

Cloud migration assessment and cloud migration strategy are closely related, but they answer different questions.

Question Cloud migration assessment Cloud migration strategy
Core question What are we dealing with? What should we do with it?
Main focus Current-state risk and readiness Target-state plan and sequencing
Output Findings, constraints, risks and options Migration roadmap, priorities and delivery approach
Failure mode Missed dependencies and hidden risk Poor sequencing, weak governance and an unrealistic business case

A cloud migration assessment identifies the current state, risks and constraints. A cloud migration strategy uses those findings to define the migration approach, priorities and roadmap.

A migration strategy developed without a thorough assessment is built on assumptions. It may appear logical on paper, but it can overlook the factors that ultimately determine whether migration succeeds, including data quality, integration complexity, unsupported components, poor observability, security controls, operating model gaps and organisational readiness.

Catapult CX explores the strategic decisions involved in planning and sequencing migration in its article on cloud migration strategy. This article focuses on the stage that comes before migration – understanding the current environment well enough to make those strategic decisions with confidence.

Why legacy system migration needs assessment before cloud migration

Legacy systems need careful assessment because they are rarely just old pieces of software. They are often business-critical systems that have evolved over many years, supporting essential processes through a combination of documented functionality, operational workarounds, fragile integrations and accumulated technical debt.

That does not mean they should be replaced. Many legacy systems continue to run critical business operations reliably. The challenge is understanding the constraints they introduce, the risks they carry and whether those risks will improve, remain or become worse after migration.

Before moving a legacy system to the cloud, leaders need to understand:

  • What business capability the system supports
  • Who depends on it
  • What systems and services it integrates with
  • What data it creates, stores and exchanges
  • What happens if it becomes unavailable
  • What can move without change and what cannot
  • What business, operational or technical risks could increase if migration starts too soon

This matters commercially because migration failure is not simply a technical issue. It can disrupt business operations, delay transformation programmes, increase supplier costs, undermine executive confidence and force expensive remediation after migration is already underway.

A cloud migration assessment exists to answer one fundamental question – is migration the right decision for this system, at this point in time? Only once that question has been answered should the organisation decide how the migration should proceed.

Where the assessment concludes that the challenge extends beyond hosting, architecture or infrastructure, legacy system modernisation may be the more appropriate next step.

The 9 cloud migration assessment questions to ask

Use these questions before committing to a migration approach. Weak answers do not automatically mean ‘do not migrate’. They mean the risks need to be understood and addressed before the migration begins.

1. What business outcome is migration meant to improve?

Do not start with the platform. Start with the business outcome.

A cloud migration should deliver measurable improvements, such as:

  • Resilience
  • Scalability
  • Speed of change
  • Security posture
  • Cost control
  • Compliance confidence
  • Customer or employee experience
  • Vendor flexibility
  • Release frequency

If the expected outcome is vague, the migration business case is weak. ‘Move to the cloud’ is not a business objective. ‘Reduce infrastructure fragility while improving release speed for a customer-facing system’ is.

Without a clear business outcome, the programme quickly becomes infrastructure activity rather than business transformation. That makes it harder to justify investment, control scope and demonstrate success.

2. Is this system worth migrating to the cloud?

Not every system should be migrated.

A cloud migration assessment should first establish whether migration is the right investment. Some systems create a genuine constraint on the business. Others continue to deliver value, despite their age and may not justify the cost, disruption or risk of migration.

The assessment should consider factors such as:

  • The business value the system delivers
  • The cost and complexity of migration
  • The operational and technical risks involved
  • The cost of leaving the system where it is
  • Whether the current platform genuinely limits future business objectives

A low-value system with high migration complexity may be a candidate for retirement.

A business-critical system with significant architectural constraints may require modernisation before migration.

Equally, a stable system that continues to meet business needs may be better left where it is until there is a stronger commercial case for change.

Answering this question early helps organisations avoid investing in migration programmes that deliver little business value. Instead, they can focus investment where migration will have the greatest commercial impact.

Where migration is justified, the next question becomes how the system should move safely and effectively.

3. Do we understand every dependency?

Unknown dependencies are one of the fastest ways to turn a cloud migration into a business disruption.

A comprehensive assessment should identify and map:

  • Databases
  • APIs
  • Authentication services
  • SaaS applications
  • Partner systems
  • Batch jobs
  • ETL processes
  • Reporting feeds
  • Shared services
  • Manual workarounds
  • File transfers
  • Monitoring and alerting dependencies
  • Licensing and third-party service dependencies

The objective is not simply to produce a system diagram. It is to understand which components must move together, which can be separated safely and what could fail if latency, availability or access patterns change.

Automated discovery tools provide valuable insight, but they rarely tell the whole story. Legacy systems often rely on undocumented knowledge held by application owners, support teams and business users.

Missing dependencies increase the risk of outages, migration delays, supplier change requests and costly rework. They also make it much harder to plan migration waves and validate a successful cutover.

4. Is the data ready to move?

Data migration is far more than a copy-and-paste exercise. It is one of the highest-risk aspects of moving a legacy system because poor-quality data can undermine the value of the migration from day one.

The assessment should establish:

  • What data exists
  • Who owns it
  • What is duplicated
  • What is incomplete or inconsistent
  • What needs cleaning
  • What must be retained
  • What must not move
  • What regulatory or contractual controls apply
  • How source data maps to the target environment
  • How migrated data will be validated

The practical question is simple – are you migrating trusted business data, or are you transferring years of accumulated inconsistency into a new platform?

Poor data readiness means organisations often preserve the same reporting errors, compliance risks and operational workarounds after migration. The platform changes, but the underlying data problems remain, limiting confidence in reporting, decision-making and day-to-day operations.

Catapult CX’s cloud migration services include source-to-target data mapping, dependency analysis and data validation planning. For a deeper look at managing complex migrations, including hidden dependencies and incremental migration approaches, see our guide to building a flexible data migration strategy.

5. What security, identity and compliance risks change in the cloud?

Cloud platforms can support stronger security, but only when they are configured, governed and operated appropriately.

A cloud migration assessment should review:

  • Identity and access models
  • Privileged accounts
  • Service accounts
  • API keys
  • Encryption
  • Audit logging
  • Firewall rules
  • Data classification
  • Compliance obligations
  • Shared responsibility model (customer and cloud provider)
  • Operational security controls
  • Incident response requirements

The question is not whether cloud is secure in general. It is whether this application, with its data, users and security controls, can move without introducing new risks or reducing compliance.

Weak security and compliance planning can delay approvals, trigger late-stage risk objections and force costly redesign after migration work has already begun.

In regulated sectors such as financial services and government, the assessment should also consider governance, auditability, exit planning, supplier risk and evidence that cloud controls meet regulatory obligations. This does not mean the workload should not move. It means the compliance model must be understood before migration planning begins.

The assessment should identify which security and compliance controls need to be designed into the migration from the outset, rather than retrofitted later.

Book a No-Obligation Advisory Session

6. What performance, resilience and recovery standards must the system meet?

A system is not ready to migrate if nobody can define how it needs to perform after migration. Assessment should establish both the current performance baseline and the minimum business outcomes the migrated system must continue to support.

The assessment should establish:

  • Response times
  • Throughput
  • Peak usage
  • CPU and memory patterns
  • Storage and network behaviour
  • Service availability
  • Acceptable downtime
  • Backup requirements
  • Recovery time objective (RTO)
  • Recovery point objective (RPO)

RTO is the maximum acceptable time to restore service after disruption. RPO is the maximum acceptable amount of data loss measured in time.

If the business cannot define its performance and recovery requirements, the migration team cannot design the right target environment. That creates unnecessary risk around customer experience, operational continuity and service-level commitments.

Resilience is not a technical preference. It is a business continuity requirement. A successful migration should improve resilience, not simply preserve it.

7. What technical debt will survive migration?

Cloud migration changes where software runs. It does not automatically improve how the software is designed, built or maintained.

Poor architecture, fragile code, outdated dependencies, manual release processes and weak observability can all follow a workload into the cloud. In some cases, cloud makes those problems more visible. In others, it makes them more expensive to operate.

The assessment should categorise technical debt into three groups:

Type of technical debt Assessment decision
Must fix before migration Blocks safe movement or creates unacceptable risk
Can fix during migration Best resolved as part of the target-state design
Can sequence after migration Known debt that can be accepted temporarily, provided it is tracked and owned

This avoids two common mistakes:

  1. Ignoring technical debt altogether, or
  2. Trying to eliminate every legacy issue before migration can begin.

Unaddressed technical debt often turns cloud migration into a more expensive way of running the same problems. Identifying what must be fixed now, what can wait and what can be accepted helps focus investment where it will have the greatest impact.

For organisations building the commercial case for remediation, Catapult CX’s guide to calculating the financial cost of technical debt explains how to quantify the ongoing cost of maintaining legacy systems.

8. Do we have the skills and operating model to run the migrated system?

Migration does not end at go-live. The long-term success of a cloud migration depends on whether the organisation is ready to operate, support and continuously improve the new environment.

A cloud migration assessment should determine whether the organisation has the operating model needed to support the migrated workload, including:

  • Monitoring and alerting
  • Incident response
  • Release management
  • Environment management
  • Security operations
  • Cost ownership
  • Supplier responsibilities
  • Platform ownership
  • Service ownership
  • DevOps maturity
  • Support handover

Cloud cost is not simply a finance issue. It is shaped by engineering decisions, architecture, usage patterns and operational discipline. This is where FinOps becomes important. Finance, engineering and business teams need shared ownership of cloud value and ongoing cost optimisation.

A successful migration requires more than technical readiness. It also requires clear ownership, defined ways of working and the capability to operate the platform effectively once it is live.

Without the right operating model, migration may succeed technically but fail commercially. Costs increase, incidents take longer to resolve and accountability for the new environment becomes unclear.

9. What is the safest migration path?

Once the decision to migrate has been made, the next question is how to do it safely.

The safest migration path is not always the fastest. It is the approach that delivers business value while managing technical, operational and commercial risk.

The assessment should determine whether the most appropriate approach is to:

  • Rehost
  • Re-platform
  • Refactor
  • Replace
  • Retire
  • Retain
  • Defer migration pending further discovery

It should also define migration waves, testing strategy, rollback plans, validation criteria and clear risk ownership.

Choosing the wrong migration approach can increase costs, delay future modernisation and leave the organisation with a migration programme that is technically successful but commercially disappointing.

If the assessment identifies a clear and manageable migration path, planning can begin with confidence. If it does not, further discovery is almost always a lower-risk and lower-cost option than committing too early.

What your assessment should decide

A cloud migration assessment should end with clear, evidence-based decisions, not simply a report. By the end of the assessment, leaders should understand whether the workload is ready to move, what risks remain and what needs to happen next.

Assessment finding What it means Likely action
Workload is stable, understood and low risk Migration risk is manageable Move now or rehost
Workload is valuable but technically constrained Migration alone will not resolve the underlying issues Re-platform or refactor
System is critical but poorly understood Current risk is too high Pause and complete further discovery
Data is poor or unmapped Migration may preserve or worsen data issues Clean, map or remediate first
Security model is unclear Controls may not survive the move Redesign controls before migration
System has low value and high cost Migration may not be justified Retire, replace or retain
Operating model is not ready Go-live may create operational fragility Fix ownership, monitoring and support first

The assessment should also define risk owners, migration waves, validation criteria and clear go/ no-go decision points.

Where the assessment identifies wider architectural uncertainty, legacy constraints or unresolved build-versus-buy decisions, a broader modernisation readiness review may be the more appropriate next step. That provides the evidence needed to evaluate strategic options before committing to a migration programme.

Common signs you are not ready to migrate yet

You are probably not ready to migrate a legacy system if:

  • No-one can explain all upstream and downstream dependencies
  • Business users cannot define what success looks like after migration
  • There is no current performance baseline
  • Data ownership is unclear
  • Data quality issues are known but unquantified
  • The security model is poorly documented
  • Privileged access is not fully understood
  • Recovery and fix-forward procedures have not been planned or tested.
  • The migration business case is based only on infrastructure cost
  • There is no clear operating model or support model for the migrated workload
  • The target architecture has been chosen before the assessment is complete
  • The project team cannot explain which technical debt will be fixed, deferred or accepted
  • No-one has clear ownership of the migrated platform once it goes live

None of these signs automatically means the migration should stop. They mean the organisation needs more evidence before committing to the migration.

The biggest risk is not discovering problems during assessment. It is committing to migration before those problems are understood well enough to manage.

How Catapult CX approaches migration assessment

Catapult’s approach is built around a simple principle – understand before you migrate.

Our migration methodology follows three stages – Assess. Map. Move. It starts by understanding business objectives, processes, systems and data before identifying what should move, what needs to change and what risks must be managed.

The outcome is not simply a migration plan. It is an evidence-based decision about whether migration is the right course of action, how it should be approached and what needs to happen before delivery begins.

Where the assessment identifies wider legacy constraints or architectural uncertainty, Catapult CX also supports organisations through legacy system modernisation and modernisation readiness reviews.

The objective is not migration for its own sake. It is helping organisations make safer, commercially-informed decisions about what should move, what should change and what should remain where it is.

Questions to ask a cloud migration assessment partner

Before choosing a partner, ask:

  • Do you assess before recommending a migration approach?
  • How do you assess legacy systems with poor documentation, unknown dependencies or fragile integrations?
  • What does your data mapping and validation process include?
  • What happens if your assessment concludes the system should not move yet?
  • How do your findings translate into clear go/ no-go decisions, risk ownership and a practical migration roadmap?
  • Can you provide examples where your assessment recommended not migrating a workload?

A good assessment partner should not assume every system belongs in the cloud. They should help you understand what should move, what should change, what should remain and why.

Book a No-Obligation Advisory Session

FAQs about cloud migration assessment

What is a cloud migration assessment?

A cloud migration assessment is a structured review of an application or workload before it moves to the cloud. It examines the system, data, dependencies, security, performance, costs, compliance and operating model so leaders can decide whether to migrate, modernise, re-scope, replace, retire or pause.

What should be included in a cloud migration assessment?

A cloud migration assessment should include application architecture, dependencies, data quality, security and identity controls, compliance obligations, performance baselines, recovery requirements, cloud costs, technical debt, operating model readiness and migration options.

When should you carry out a cloud migration assessment?

A cloud migration assessment should be completed before selecting a migration approach, committing budget or beginning delivery. It is particularly valuable when migrating legacy systems, moving business-critical workloads or planning large-scale cloud transformation programmes.

What is the difference between cloud migration assessment and cloud migration strategy?

Assessment identifies the current-state risks, constraints and options. Strategy defines the target-state approach, migration sequencing, governance and delivery roadmap. Assessment tells you what you are dealing with. Strategy tells you what to do next.

Should legacy systems always be moved to the cloud?

No. Some legacy systems should be migrated, but others should be modernised, re-platformed, replaced, retired or retained. The right decision depends on business value, technical constraints, dependencies, data readiness, technical debt and operating model maturity.

How do you know if an application is ready for cloud migration?

An application is closer to migration-ready when its dependencies are understood, data quality is known, security controls are defined, performance baselines are established, recovery requirements are agreed, the business case is credible and the organisation has the operating model to support it after go-live.

Who should be involved in a cloud migration assessment?

A cloud migration assessment should involve technology leaders, application owners, security and compliance specialists, infrastructure teams, business stakeholders and operational teams. Legacy systems often rely on undocumented knowledge that sits outside the technology function.

What are the biggest risks in migrating a legacy system to the cloud?

The biggest risks include unknown dependencies, poor data quality, fragile integrations, weak security controls, unrealistic performance assumptions, hidden technical debt, unclear business objectives and a lack of operational ownership after migration.

Is lift-and-shift a bad cloud migration strategy?

No. Lift-and-shift can be the right approach where speed is the priority and the workload is suitable. It becomes risky when it is used to avoid understanding the system. A cloud migration assessment should determine whether rehosting is appropriate or whether re-platforming, refactoring, replacing or retiring the system would deliver a better long-term outcome.

How long does a cloud migration assessment take?

The duration depends on the size and complexity of the environment. A small assessment may take days, while large enterprise environments can require several weeks. The objective is to gather enough evidence to make confident migration decisions before planning begins.

How much does a cloud migration assessment cost?

The cost depends on the number of applications, the complexity of the environment and the level of technical and commercial analysis required. The focus should be on providing enough evidence to avoid costly migration decisions later.