Information technology - Service management - Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services

ISO/IEC TR 20000-9:2015 provides guidance on the use of ISO/IEC 20000‑1:2011 for service providers delivering cloud services. It is applicable to different categories of cloud service, such as those defined in ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following: a) infrastructure as a service (IaaS); b) platform as a service (PaaS); c) software as a service (SaaS). It is also applicable to public, private, community, and hybrid cloud deployment models. The applicability of ISO/IEC 20000‑1 is independent of the type of technology or service model used to deliver the services. All requirements in ISO/IEC 20000‑1 can be applicable to cloud service providers. The structure of ISO/IEC TR 20000-9:2015 does not follow the structure of ISO/IEC 20000‑1. The guidance is presented as a set of scenarios that can address many of the typical activities of a cloud service provider. The guidance in ISO/IEC TR 20000-9:2015 can also be useful for customers of cloud service providers. This part of ISO/IEC TR 20000-9:2015 can be used as guidance for a cloud service provider in designing, managing, or improving an SMS to support cloud services. ISO/IEC TR 20000-9:2015 does not add any requirements to those stated in ISO/IEC 20000‑1 and does not state explicitly how evidence can be provided to an assessor or auditor. The scope of ISO/IEC TR 20000-9:2015 excludes any specifications for products or tools.

Technologies de l'information — Gestion des services — Partie 9: Application de l'ISO/IEC 20000-1 au services de cloud

General Information

Status: Withdrawn
Publication Date: 15-Feb-2015
Withdrawal Date: 15-Feb-2015
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 25-Sep-2018
Completion Date: 30-Oct-2025
Technical report

ISO/IEC TR 20000-9:2015 - Information technology -- Service management

English language
30 pages

Frequently Asked Questions

ISO/IEC TR 20000-9:2015 is a technical report published by the International Organization for Standardization (ISO). Its full title is "Information technology - Service management - Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services".

ISO/IEC TR 20000-9:2015 is classified under the following ICS (International Classification for Standards) categories: 03.080.99 - Other services; 35.020 - Information technology (IT) in general. The ICS classification helps identify the subject area and facilitates finding related standards.

Standards Content (Sample)


TECHNICAL REPORT ISO/IEC TR 20000-9
First edition 2015-02-15
Information technology — Service management — Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services
Technologies de l’information — Gestion des services — Partie 9: Application de l’ISO/IEC 20000-1 au services de cloud
© ISO/IEC 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Applying ISO/IEC 20000-1 to cloud services
4.1 Delivering and managing cloud services
4.2 Scenarios
5 Scenarios
5.1 Identify the context for service management of cloud services
5.2 Establish strategy and plan for management of cloud services
5.3 Provide a catalogue of cloud services
5.4 Identify and manage service requirements for cloud services
5.5 Design and develop a new cloud service
5.6 Establish a service relationship with the cloud customer
5.7 Establish a cloud service agreement
5.8 Onboarding the customer
5.9 Deliver and operate the cloud services
5.10 Monitor and report cloud services
5.11 Manage resources for cloud services
5.12 Check and improve the SMS and cloud services
5.13 Terminate a cloud service contract
5.14 Transfer a cloud service
5.15 Remove a cloud service
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 40, IT Service
Management and IT Governance.
ISO/IEC 20000 consists of the following parts, under the general title Information technology —
Service management:
— Part 1: Service management system requirements
— Part 2: Guidance on the application of service management systems
— Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
— Part 4: Process reference model [Technical Report]
— Part 5: Exemplar implementation plan for ISO/IEC 20000-1 [Technical Report]
— Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services [Technical Report]
— Part 10: Concepts and terminology [Technical Report]
The following parts are under preparation:
— Part 6: Requirements for bodies providing audit and certification of service management systems
— Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and related service management
frameworks [Technical Report]

Introduction
ISO/IEC 20000 is the International Standard for service management. It is based on practical industry
experience and includes information to support identifying, planning, designing, changing, deploying,
operating, supporting, and improving services for the business and customers. ISO/IEC 20000-1 specifies
a service management system (SMS) as the means to achieve the integrated management of the service
management policies, objectives, plans, processes, process interfaces, documentation, and resources. A
key focus of the SMS is to fulfil the service requirements and to deliver value.
The implementation and coordinated integration of an SMS provides ongoing control, greater
effectiveness, efficiency and opportunities for continual improvement. It enables an organization to
work effectively with a shared vision.
The guidance in this part of ISO/IEC 20000 can be used by organizations that are involved in the provision
or management of services that include cloud services. It can also be of interest to organizations that
are faced with changes to their existing services and support arrangements as part of a move to cloud
computing. ISO/IEC 20000 can be used by service providers that offer dedicated or shared services to
internal and external customers.
Key benefits of adopting ISO/IEC 20000 for service providers that offer cloud services can include:
a) greater credibility with internal or external customers of the organization, through delivery of
reliable and cost effective services;
b) the opportunity to build a service management system that is based on a tried and proven best
practice approach;
c) ongoing control, greater effectiveness and efficiency as well as prioritized continual improvement
of services and processes;
d) improved communication within the cloud service provider organization, including a greater
understanding by service management and specialist technical personnel of each other’s viewpoints;
e) improved communication between the cloud service provider organization and cloud customers
and users;
Cloud services primarily focus on enabling access to shared resources, physical or virtual, that are
scalable with on-demand self-service provisioning and administration. The cloud services can be used
without the cloud customer having any knowledge of the location and other details of the infrastructure
supporting those services. These services and resources can include networks, servers and storage
systems and applications that can be rapidly provisioned and released with minimal management effort
or service provider interaction. Typical attributes of cloud environments include the ability to support
dynamic establishment and modification of services and capabilities in a multi-provider environment
and a focus on automation to reduce manual intervention.
The delivery and management of cloud services can require coordinated integration to ensure visibility
and control of all the elements that contribute to services, including technology, processes, people and
partners, or suppliers.
An SMS that conforms to the requirements specified in ISO/IEC 20000-1 can be a powerful tool for
service providers delivering cloud services to achieve high service quality, delivery of value, increased
agility, and reduced risk.
An SMS can be integrated with an information security management system based on ISO/IEC 27001, which
includes requirements for information security in more detail than those specified in ISO/IEC 20000-1.

TECHNICAL REPORT ISO/IEC TR 20000-9:2015(E)
Information technology — Service management —
Part 9:
Guidance on the application of ISO/IEC 20000-1 to cloud
services
1 Scope
This part of ISO/IEC 20000 provides guidance on the use of ISO/IEC 20000-1:2011 for service providers
delivering cloud services. It is applicable to different categories of cloud service, such as those defined in
ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following:
a) infrastructure as a service (IaaS);
b) platform as a service (PaaS);
c) software as a service (SaaS).
It is also applicable to public, private, community, and hybrid cloud deployment models.
The applicability of ISO/IEC 20000-1 is independent of the type of technology or service model used to
deliver the services. All requirements in ISO/IEC 20000-1 can be applicable to cloud service providers.
The structure of this part of ISO/IEC 20000 does not follow the structure of ISO/IEC 20000-1. The
guidance is presented as a set of scenarios that can address many of the typical activities of a cloud
service provider. The guidance in this part of ISO/IEC 20000 can also be useful for customers of cloud
service providers.
This part of ISO/IEC 20000 can be used as guidance for a cloud service provider in designing, managing,
or improving an SMS to support cloud services.
This part of ISO/IEC 20000 does not add any requirements to those stated in ISO/IEC 20000-1 and does
not state explicitly how evidence can be provided to an assessor or auditor. The scope of this part of
ISO/IEC 20000 excludes any specifications for products or tools.
NOTE Additional guidance on the application of ISO/IEC 20000-1 can be found in ISO/IEC 20000-2:2012.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management
system requirements
ISO/IEC/TR 20000-10:2012, Information technology — Service management — Concepts and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions provided in ISO/IEC/TR 20000-10 apply.

4 Applying ISO/IEC 20000-1 to cloud services
4.1 Delivering and managing cloud services
A cloud service provider should define the services using terminology that customers and other interested
parties, such as suppliers, can understand. For cloud services this should take into account that many
cloud customers can have little knowledge or understanding of technology. Defining different cloud
services or providing a cloud service with several different options can help both service providers and
customers make the best decision about which services are best aligned to their service requirements.
Alignment between services delivered, service requirements, contractual obligations, business needs
and customer requirements can enable cloud service providers and their customers to establish and
maintain a successful relationship. Cloud service providers and cloud customers can share responsibility
for the relationship and each party should take the necessary actions to achieve the results desired by
the customer.
Unambiguous service definitions can reduce discrepancies between customer expectations and service
provider intention for the service. The service provider can find it easier to perform service management
activities with the knowledge that the customer understands what is being delivered.
By fulfilling the requirements specified in ISO/IEC 20000-1, the cloud service provider should be able to
deliver services in alignment with both service targets and customer expectations.
The cloud service provider wishing to demonstrate conformity to ISO/IEC 20000-1 should review its
applicability using the guidance provided in ISO/IEC 20000-3.
NOTE 1 Cloud service providers might find it helpful to refer to ISO/IEC 17788, which provides an overview of
cloud computing along with a set of terms and definitions.
NOTE 2 Cloud service providers might find it helpful to refer to ISO/IEC 17789, which specifies the cloud
computing reference architecture.
4.2 Scenarios
The scenarios in this part of ISO/IEC 20000 describe the service lifecycle utilizing terminology and
examples familiar to cloud service providers.
Each scenario includes references to the most relevant requirements specified by ISO/IEC 20000-1.
There can be additional considerations for each of the scenarios beyond those referenced. Each scenario
includes recommendations and examples of how the referenced clauses in ISO/IEC 20000-1 can be
applicable to cloud services.
All processes specified in ISO/IEC 20000-1 have been included in one or more of the scenarios described
in this part of ISO/IEC 20000.
5 Scenarios
5.1 Identify the context for service management of cloud services
S01 Identify the context for service management of cloud services

Description:
A cloud service provider should understand the business and technical context for managing and delivering cloud services. A cloud service provider should ensure that its services, including cloud services, achieve business objectives and customer requirements while adhering to the service provider’s principles, rules, and necessary statutory requirements, regulatory requirements and contractual obligations.

Outcomes:
— The business and technical environment and context for cloud service delivery is defined and communicated.

Applicable clauses in ISO/IEC 20000-1:
— Clause 4.1, Management responsibility
— Clause 7.1, Business relationship management

Guidance on the application to cloud services:
Service providers and customers should seek opportunities to create value with cloud services while optimizing resources and risk. To realize the benefits of delivering cloud services, effective decision-making regarding the context and scope of the SMS and services should be incorporated into the cloud service provider’s strategy and plan. Risk management, cost models, service delivery planning and any impact on other activities of the service provider and customer should be taken into consideration.
The ability to ensure governance of any processes operated by other parties, such as suppliers, should be considered in regard to cloud services.
The cloud service provider should determine what categories of cloud services to provide based on the market demand, opportunities and its own capability.
Multi-tenancy, location and other attributes of cloud services can introduce new governance requirements, management and maintenance issues for service providers and customers that should be considered.
Agreements and contracts can become more complicated for cloud services where the customer and supplier are located in different countries and different jurisdictions.

Examples:
Typical service management objectives of cloud service providers can include:
— optimize the cost of cloud services and technology;
— offer a more effective and economic method of providing higher quality services at a lower cost;
— generate business value from cloud service investments through innovation and value creation;
— achieve operational excellence through the reliable and efficient management of cloud services;
— maintain cloud service related risk at an acceptable level;
— comply with relevant laws, regulations and contractual agreements.
The cloud service provider should consider any statutory and regulatory requirements, as well as financial, safety, data protection, information security, privacy, intellectual property, business continuity and sustainability policies and objectives.

Scenario 1: Identify the context for service management of cloud services
5.2 Establish strategy and plan for management of cloud services
S02 Establish strategy and plan for management of cloud services

Description:
The service management plan should define the way the cloud service provider intends to provide services. A service strategy can also define how the cloud service provider intends to provide services to achieve both the desired outcomes for the customer and the service provider’s own objectives, within known limitations and documented constraints.
The purpose of strategy and planning is to define and plan how the cloud service provider intends to deliver value for its own organization as well as for different customers and interested parties using the service provider’s capabilities and resources.

Outcomes:
— Service management plans are structured to cascade down from a top-level plan to detailed plans for operation and improvement of the SMS and delivery of the services.
— Service management and process specific policies (examples include: information security policy, change management policy, release policy).
— Defined and agreed service management objectives.

Applicable clauses in ISO/IEC 20000-1:
— Clause 4.1, Management responsibility
— Clause 4.3, Documentation management
— Clause 4.4, Resource management
— Clause 4.5.1, Define scope
— Clause 4.5.2, Plan the SMS
— Clause 5.2, Plan new or changed services
— Clause 6.4, Budgeting and accounting for services
— Clause 6.6, Information security management
— Clause 7.1, Business relationship management

Guidance on the application to cloud services:
Cloud service provider’s top management should:
— define desired outcomes and service management objectives to deliver those desired outcomes and service management objectives;
— define what services and capabilities are needed to deliver those desired outcomes and service management objectives;
— determine how the service provider and customer(s) will know if desired outcomes have been achieved;
— agree measurement and reporting of delivery against plan and desired outcomes;
— assess and analyse the current state – what exists and what can be leveraged/reused;
— analyse customers, suppliers, competitors, regulatory requirements and contractual obligations, policies.
When the desired outcomes have been defined, the next step should be to determine the services and service components needed to deliver those outcomes. The services should be categorized in a way that captures the service requirements for people (e.g., skills and competencies), process, technology and organizational structure.
The service management plan can then further categorize and schedule the delivery of the agreed services, including improvements, into releases. These releases should have agreed timeframes and targets. Resources should be allocated to achieve the agreed release targets. The service management plan should make it possible to easily identify dependencies between different services or service components, to facilitate decisions about priority and resourcing and to accurately measure delivery of business value. Service components include all components, both technical and non-technical, necessary to deliver and manage the service. Examples of how dependencies between service components should be considered in regard to planning can include:
a) agreements and contracts with suppliers which should be in place before the service is commercially available;
b) training for service support personnel which should be completed before the service is commercially available;
c) allocation of specialist personnel across multiple projects;
d) dependencies on hardware components being in place before service components can be implemented.

Examples:
The service provider’s top management should understand the business objectives, constraints, risks and priorities in developing the strategy for cloud services. Considerations should include the resources and capabilities of the service provider and other interested parties such as cloud service partners, as well as other service requirements. Top management should prioritise the cloud services to be introduced, changed or retired.
In addition to improving service quality, reducing cost and risk, top management should identify strategic opportunities to optimise services through innovation, increasing standardization, sharing, automation and self-service provisioning. There can be significant opportunities for growth from increases in competitive advantage, geographical reach, innovation, value creation and customer satisfaction.
When the desired business outcomes are understood, the service provider can prioritise the services, including the capabilities and resources used to plan, design, transition and deliver those services. The service provider can then invest accordingly.
Strategies and plans for introducing, changing or retiring cloud services should consider the following:
a) changes to the business environment;
b) the context of use of the cloud services including the typical roles of users who will access the cloud services, the types of user computing devices and geographical locations;
c) changes to the existing services, changes to any cloud services plus any service capabilities and resources required to deliver all the services across the catalogue of services;
d) standard mechanisms to provide access to the cloud services;
e) the impact on the service management system and its resources and capabilities such as organizational aspects, processes, documentation, education, training, competence of personnel;
f) automation, self-service provisioning and administration;
g) sharing geographically distributed computing resources that can change dynamically;
h) automatic provisioning of resources in any quantity at any time, subject to constraints of service agreements;
i) pooling resources in a location independent fashion, in order to serve multiple customers through multi-tenancy;
j) maintenance of shared services that potentially impact many organizations, their customers and large volumes of users;
k) requirements for transparency and access to customer information to enable customers to optimize and validate their cloud services.

Scenario 2: Establish strategy and plan for management of cloud services
5.3 Provide a catalogue of cloud services
S03 Provide a catalogue of cloud services

Description:
A catalogue of cloud services should be made available to prospective and existing cloud customers. If applicable, this can also be part of a general catalogue of services. Information should be provided to communicate any relevant options for use of the services.
The catalogue can be either specific to cloud services or can include both cloud and other services.

Outcomes:
— Catalogue of cloud services that is understandable to the parties involved.

Applicable clauses in ISO/IEC 20000-1:
— Clause 4.3, Documentation Management
— Clause 6.1, Service level management
— Clause 7.1, Business relationship management

Guidance on the application to cloud services:
A catalogue should be defined that contains cloud and potentially other services. For example, customers receiving both cloud and other services from a service provider can find it easier if the service provider has combined all services offered into a single catalogue. This catalogue should be aligned with the requirements specified in ISO/IEC 20000-1, 6.1.
The catalogue of services should be the foundation both for the definition of cloud services to be provided and for the contracts and SLAs between the service provider and the cloud customer.
The cloud service provider should have visibility of the dependencies between services and service components which can be technical and non-technical and that are necessary to deliver and manage the services. Cloud services and the service components can be grouped together into categories that possess some characteristics in common with each other. This can help to structure the catalogue of services and can minimise duplication of information.

Examples:
A cloud service provider offering cloud services to the general public has defined a catalogue with all the available service offerings using terms aligned to the customer’s expectation of the services. It has been published on the internet so that the customer can select the desired services using a self-service mechanism.
Apart from the standard content for a catalogue of services described in ISO/IEC 20000-2:2012, 6.1.3.2, the cloud service provider in this example also defines other aspects of the cloud service, including:
a) cloud service category, such as IaaS, PaaS, SaaS;
b) service deployment options;
c) applicable policies, e.g. data retention policies;
d) applicable standards e.g. minimum technical configuration standards;
e) information security policies and procedures, e.g. privileged user access, risk control, and access control for other parties;
f) controls to support statutory and regulatory compliance;
g) controls to support contractual obligations;
h) ordering and provisioning procedures;
i) relevant financial information, including pricing, accounting and billing methods;
j) resources and data location;
k) legal issues, i.e. privacy and data protection;
Examples of components that a cloud service can depend on include:
— functional components such as hardware, software, documentation, communications;
— resources required for implementation, i.e. human, financial, information and technical resources.
Information about the cost of increasing service levels or adding additional resources has been included in the catalogue of cloud services. Information about the minimum periods of service provision or the cost of the early termination of a service has also been included.

Scenario 3: Provide a catalogue of cloud services
5.4 Identify and manage service requirements for cloud services
S04 Identify and manage service requirements for cloud services
Description
The service requirements should be identified and documented for the SMS and the cloud
services.
Activities are identified to manage the service requirements for the service provider and
interested parties that have a valid interest in the cloud services.
Outcomes
— The service requirements for the SMS are defined.
— The pre-requisites for deployment to the cloud service customer are specified.
— The required characteristics and context for the use of cloud services, delivery and
operations are specified.
— Service requirements are traceable to their source.
Applicable clauses in ISO/IEC 20000-1
— Clause 4, General requirements
— Clause 5.2, Plan new or changed services
— Clause 5.3, Design and development of new or changed services
— Clause 6.1, Service level requirements
— Clause 7.1, Business relationship management
— Clause 7.2, Supplier management
— Clause 9.1, Configuration management
— Clause 9.2, Change management
Guidance on the application to cloud services
ISO/IEC 20000-1, 7.1, Business relationship management, specifies requirements for the
identification and documentation of the customers, users and interested parties of the
services. This usefully provides a visible record of the services used by each customer, as
well as the estimated number of users of each service. The service provider should
communicate with customers, users and interested parties to promote an understanding of the
cloud services and to establish that their requirements for cloud services are documented
accurately.
ISO/IEC 20000-1, 4.5.2, Plan the SMS, specifies requirements for defining the statutory,
regulatory requirements and contractual obligations for services. If the cloud service
customer is located in a different country and/or different jurisdiction to the cloud service
provider there can be different statutory and regulatory requirements. ISO/IEC 20000-1,
Clause 4.5.2 also specifies requirements for identification of any known limitations which
can impact the SMS, or the outcome of management decisions and technical decisions. The
cloud service provider should analyse the service requirements and maintain all relevant
documentation, including traceability of each requirement to the originating source of the
requirement.
To enable service requirements to be traceable to their source, functional requirements can
be classified for different types of capability based on the resources used. Examples include:
application capability, platform capability and infrastructure capability.
The service requirements should include the definition of the anticipated customer
interaction with the cloud services, the cloud service delivery models, cloud deployment
models, operational and support scenarios and environments.
Examples
Examples of customer communications for a cloud service can include:
— Establishing the service requirements: The customer checks a box that confirms they
understand the terms of the agreement and the details about the service to be delivered;
— Establishing the statutory, regulatory requirements and contractual obligations: The
customer checks a box that confirms they have read and understood the statutory,
regulatory requirements and contractual obligations that apply to users of the cloud service;
— Communication: The customer receives an automated notification that includes a link to
information on the service provider’s website with a call to action;
Service requirements for the quality of cloud service delivery are described by various
terms and criteria, including functionality, availability, scalability, resilience, information
security, privacy, portability, interoperability, performance and maintainability.
Examples of functional requirements for users include: set up and administer users, login,
data entry, browse, search, report, payment and support for business activities. To achieve
the required functionality, some service components can need to be integrated.
Examples of functional requirements that support the management of cloud services
include:
— Business support: budgeting, accounting and charging for cloud services and assets;
— Administration support: administration of user identities and profiles, monitoring of
service activity and usage, event handling and problem reporting, provisioning and
maintenance;
— Information security: authentication, authorization, auditing, validation, encryption,
privacy.
Scenario 4: Identify and manage service requirements for cloud services
5.5 Design and develop a new cloud service
S05 Design and develop a new cloud service
Description
As with other types of services, a new cloud service should be planned, designed and
developed in preparation for transition into the live environment.
Outcomes
— A new cloud service is designed.
— Updated catalogue of services, including the new cloud service.
Applicable clauses in ISO/IEC 20000-1
— Clause 5.1, General (Design and transition of new or changed services)
— Clause 5.3, Design and development of new or changed services
— Clause 5.4, Transition of new or changed services
— Clause 6.1, Service level management
— Clause 6.3, Service continuity and availability management
— Clause 6.5, Capacity management
— Clause 6.6, Information security management
— Clause 7.1, Business relationship management
— Clause 7.2, Supplier management
— Clause 9.1, Configuration management
— Clause 9.2, Change management
— Clause 9.3, Release and deployment management
Guidance on the application to cloud services
The SMS facilitates the coordination of all the components required for the design and
development of the cloud services.
ISO/IEC 20000-1, 5.4, Transition of new or changed services, specifies requirements that
apply to the planning, design, development and transition of a new or changed cloud
service. Changes to the new cloud service as well as changes to existing services should be
controlled by the change management process.
Cloud services can introduce considerations such as resource sharing, so resource
allocation and multi-tenancy can become very important aspects. The cloud service provider
should be aware that the processes specified in ISO/IEC 20000-1, Clause 6 (service level
management, service continuity and availability management, capacity management and
information security management) should be taken into account during the design of cloud
services. For example,
a) during service design, existing service level agreements can be reviewed to determine
whether they can be reused for the new service or whether a new service level agreement
should be developed;
b) the service continuity and availability of the new service should be designed to ensure
that the delivered availability can fulfil the service requirements;
c) the design should consider the capacity requirements for the new service;
d) the design should consider the information security aspects of resource sharing and
privacy issues.
The cloud customer can expect cloud services to be easily scalable and accessible whenever
and wherever they are used, making activities of resource planning and allocation, capacity
management or performance monitoring especially relevant to cloud services.
For the transition of new or changed cloud services into the operational environment, the
requirements specified in ISO/IEC 20000-1, 5.3 and 5.4 should be considered. The cloud
service provider should ensure that the services fulfil the agreed service requirements and
are tested against the documented design. If the cloud services are acceptable they should
be deployed into the live environment using the release and deployment management process
specified in ISO/IEC 20000-1, 9.3.
The catalogue of services should be updated with details of the new service and the
dependencies between services and service components should be identified. This can also
be useful to identify where some service components support more than one service. The
configuration management database (CMDB) should be updated with details of any new or
changed configuration items.
Examples
A cloud service provider is designing and developing a service for a medium-sized global
organization that wishes to concentrate on its own core area of business rather than
delivering the service itself. The cloud customer wishes to use its existing business
software applications to avoid migration and training costs. However, they want the service
provider to host these applications for them as a private cloud service. For this example,
the service requirements for the cloud service include:
— remote access to the business software applications hosted as a cloud service;
— no data allowed to be stored outside the customer’s home country;
— secure storage access to the cloud customer’s data and records from both the cloud
customer’s offices and for personnel working outside of the office;
— at least the same or better transaction response times are guaranteed;
— cloud service transaction response time monitoring;
— data processing to be done as part of normal activities;
— self-service support for the customer on demand to increase efficiency;
— an easily scaled cloud service that can meet rapid changes in business demand;
— an efficient transition to live operation with a minimum investment by the customer.
The design and development requirements specified in ISO/IEC 20000-1, 5.3, should be
considered for a new cloud service.
Examples of the design aspects to consider for the design of a new cloud service to fulfil the
service requirements include:
a) the identification of policies and standards, contractual obligations, and other
constraints;
b) the approach to meeting statutory and regulatory requirements of all countries where
the service is provided;
c) the design of the new cloud service and the capabilities required to deliver it;
d) authorities and responsibilities for delivery of the new cloud service;
e) resource sharing with other organizations;
f) new or changed agreements and contracts to align with the service requirements
including service targets for incident resolution, changes and service request fulfilment;
g) the functional components needed to engage in the cloud service activities including
business support, administration and information security components;
h) procedures, measures and knowledge required for delivery and operation of the new
cloud service;
i) provision of and access to service reports that enable the different parties to verify and
evaluate the quality of service, as well as identify opportunities for improvement;
j) plans to fulfil specific business and cloud service continuity requirements;
k) criteria for information security and integrity of infrastructure, data and
communications;
l) protection of personnel and customer data;
m) procedures for archiving, back-up, recovery and controlling access to software products
and methods of control for virus protection;
n) availability of archived data, such as logs or backups, according to agreed requirements
and applicable policies;
o) automation and tools required for the development, transition, operation and
improvement of the new cloud service, including self-service;
p) standard service and configuration changes required to support any onboarding
activities;
q) resource requirements to perform the activities to develop, transition, deliver and
maintain the new cloud service including human, finance, information and technical resources;
r) risks of introducing cloud services and management of the risks;
Examples of the design aspects to consider for changes to the design of the SMS include:
— the identification of policies, standards, rules, practices and conventions and
methodologies that are applicable for the delivery of all cloud services;
— authorities and role definitions for managing cloud services, including the cloud service
provider, cloud customer and supplier roles;
— new or changed human resource requirements, including requirements for appropriate
education, training, skills and experience to manage, operate and improve cloud services.
Scenario 5: Design and develop a new or changed cloud service
5.6 Establish a service relationship with the cloud customer
S06 Establish a service relationship with the cloud customer
Description
The relationship between the cloud service provider and the cloud customer should be
defined and agreed. A communication procedure should be established and
responsibilities for management of customer satisfaction should be assigne
...
