
How to Do a Landing Zone Assessment — Best Practices 2026

May 2026 | 10 min read | TCOIQ Team

A cloud landing zone assessment reviews your current cloud environment against established architecture best practices. It identifies gaps in your subscription structure, network design, identity configuration, security posture and governance — before those gaps become expensive problems. This guide covers the complete process.

💡 Quick start: Use TCOIQ's free AI-powered tool to get instant results in 60 seconds. Upload your infrastructure data and compare all major clouds automatically.

What is a Cloud Landing Zone Assessment?

A landing zone assessment evaluates your cloud environment against a reference architecture — typically the cloud provider's own framework (Azure CAF, AWS Control Tower, GCP Cloud Foundation). It scores your environment across 6-7 domains: subscription/account structure, network architecture, identity and access, security and governance, operations and monitoring, and AI readiness. The output is a maturity score (0-100) and prioritised recommendations.

When Do You Need a Landing Zone Assessment?

You need a landing zone assessment if any of the following apply:

You have more than 2-3 subscriptions/accounts with no formal governance.
Your network has evolved organically with no hub-spoke design.
Different teams manage cloud independently with no central policy.
You are preparing for a major compliance certification (ISO 27001, SOC 2, MAS TRM).
You are planning to expand cloud usage significantly.
You have experienced a security incident and want to understand the root cause.

The 7 Domains of a Landing Zone Assessment

Subscription/Account Structure: Management group hierarchy, subscription design, naming conventions.
Network Architecture: Hub-spoke topology, firewall placement, connectivity.
Identity and Access: Entra ID / IAM / Cloud Identity, MFA, conditional access.
Security and Governance: CSPM, policies, threat detection.
Operations: Monitoring, alerting, tagging, BCDR.
AI Readiness: AI workload governance, Fabric landing zone.
Maturity Scoring: Overall 0-100 score with label.

Landing Zone Assessment vs Cloud Security Assessment

These are related but different. A security assessment focuses specifically on security controls and compliance gaps (ISO 27001, SOC 2, encryption, threat detection). A landing zone assessment is broader — it covers the full foundation architecture including network topology, subscription structure, governance and operations, with security as one of several domains. For a complete picture, run both. TCOIQ offers both assessments.

How to Prioritise Remediation After Assessment

After a landing zone assessment, prioritise remediation by business risk:

P1 (address within 4 weeks): No MFA on admin accounts, no CSPM, no network segmentation, no governance policies.
P2 (address within 12 weeks): No hub-spoke network, incomplete identity federation, limited monitoring coverage.
P3 (address within 20 weeks): Tagging strategy, cost allocation, AI landing zone, FinOps governance.

TCOIQ produces a P1/P2/P3 recommendations list with CAF/WAF framework references automatically.

Run Your Free Assessment Now

Get instant AI-powered results. No consultant needed. Results in 60 seconds. Free plan available.

🏗️ TCOIQ is built by Wekams — a cloud intelligence and digital transformation company. Visit wekams.com to learn more about our cloud services.