ISO/IEC TS 7339:2024

Technical
Specification
ISO/IEC TS 7339
First edition
Information technology —
2024-12
Cloud computing — Overview of
platform capabilities type and
platform as a service
Technologies de l'information — Informatique en nuage — Vue
d'ensemble des types de ressources et des services de plateformes
à la demande
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword .vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 3
5 Overview of platform capabilities type . 4
5.1 General .4
5.2 Examples of capabilities .4
5.3 Capabilities not included in the platform capabilities type . .5
5.4 The legal status of CSC-provided code as customer data .5
5.5 Intellectual property considerations .5
5.6 Cloud service agreement elements for the platform capabilities type.6
6 The cloud service developer sub-role (CSD) . 7
6.1 The definition of cloud service developer .7
6.2 CSD activities .7
6.3 CSDs and the CSC application code lifecycle .7
7 Platform as a Service (PaaS) concepts . . 8
7.1 PaaS as a cloud service category .8
7.2 Benefits of choosing PaaS .8
7.2.1 General .8
7.2.2 Reduced maintenance . .8
7.2.3 Scalability .8
7.2.4 Access to advanced features .8
7.3 The “fuzzy” boundaries between IaaS, PaaS, and SaaS .9
7.3.1 General .9
7.3.2 IaaS vs PaaS .11
7.3.3 PaaS vs SaaS .11
7.3.4 DSaaS as an example .11
7.3.5 Relevance of the boundaries . 12
7.3.6 Selective use of the boundaries . 12
7.3.7 Implications . 12
7.4 Common functions included within a PaaS . 12
7.4.1 General . 12
7.4.2 Documentation of CSP-provided interfaces . 12
7.4.3 CSC-provided code lifecycle management . 13
7.4.4 Identity and access management (IAM) . 13
7.4.5 Message queuing . 13
7.4.6 Load balancing . 13
7.5 Life-cycle of a CSC application on PaaS .14
7.5.1 General .14
7.5.2 Conceptualisation .14
7.5.3 Requirements analysis .14
7.5.4 Code development .14
7.5.5 Application integration.14
7.5.6 Staging and Deployment of an application on PaaS . 15
7.5.7 Operation of an application on PaaS . 15
7.5.8 Scaling of an application on PaaS . 15
7.5.9 Maintenance of an application running on PaaS .16
7.5.10 Disposal of an application running on PaaS .16
7.5.11 Evolution of a CSC application over time .17
7.6 Evolution of a PaaS cloud service implementation over time .17

© ISO/IEC 2024 – All rights reserved
iii
7.7 The use of PaaS to build SaaS offerings for others .17
8 Architectures for PaaS . 17
8.1 PaaS as a category of pure platform cloud service .17
8.1.1 General .17
8.1.2 General layering .18
8.1.3 Generic architecture for PaaS cloud services .18
8.1.4 Example illustration of the generic PaaS architecture using Kubernetes .19
8.2 Microservice architectures . 20
8.3 Native PaaS .21
8.4 PaaS over an IaaS .21
8.5 PaaS within a SaaS .21
8.6 PaaS linked with a SaaS .21
8.7 User interfaces for PaaS .21
9 Serverless architectures .22
9.1 General . 22
9.2 Function as a Service (FaaS) . 22
9.3 Stateless functions . 22
10 Applications that leverage cloud native computing .23
10.1 Background . 23
10.2 Intended Advantages . 23
10.3 Orchestration . 23
10.4 Architecture . 23
11 General considerations for platform capabilities and PaaS .24
11.1 General .24
11.2 Auditability .24
11.3 Availability .24
11.4 Governance .24
11.5 Interoperability.24
11.6 Maintenance and Versioning . 25
11.7 Performance . 25
11.8 Portability . 25
11.9 Protection of PII (privacy) . 25
11.10 Regulatory . 25
11.11 Resiliency . 25
11.12 Reversibility . 25
11.13 Security . 25
11.13.1 General . 25
11.13.2 Malware avoidance . 26
11.13.3 Code access to resources . 26
11.14 Service levels and service level agreements . 26
11.15 Sustainability . 26
12 Portability between PaaS Cloud services .26
12.1 General . 26
12.2 Endpoint identification . 26
12.3 Portability-ready development .27
12.4 Addressing “Exit strategy” requirements .27
12.5 Portability through container orchestration .27
13 Related technologies and platform capabilities type .28
13.1 General . 28
13.2 Artificial Intelligence (AI) . 28
13.3 PaaS and generative AI . 29
13.4 Quantum Computing (QC) . 30
14 Other cloud services exhibiting the platform capabilities type.31
14.1 General .31
14.2 Table of examples .31

© ISO/IEC 2024 – All rights reserved
iv
15 Recommendations for CSPs and CSCs .31
15.1 Transparency of status and rights pertaining to CSC or CSN sourced artefacts .31
15.2 Performance reporting .31
15.3 Security reporting .32
15.4 Accessibility of CSD-created user interfaces .32
Annex A (Informative) Platform as a Service in a multiple CSP environment .33
Annex B (Informative) Example of cloud native computing using Docker and Kubernetes .36
Bibliography .38

© ISO/IEC 2024 – All rights reserved
v
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud computing and distributed platforms.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2024 – All rights reserved
vi
Introduction
Many cloud services allow a cloud service customer (CSC) to develop, upload, and execute their own code,
rather than uploading a complete virtual machine image, or being confined to software provided by the
cloud service provider.
This ability to write and execute their own code allows CSCs and others to develop or customise their own
applications without having to run their own private datacentres, and without having to install, patch and
manage operating systems and other elements typically required in legacy IaaS services. This approach
allows the CSC to concentrate on the code that directly meets their business need rather than having to
create a lot of peripheral code just to make things work.
While some cloud services are specifically designed as Platform as a Service (PaaS) wherein the execution
of CSC-provided code is the primary purpose of the cloud service, others include a greater or lesser amount
of “platform capabilities type” as a feature or supplement to the main function of the cloud service. These
platform capabilities can be as basic as telephone call routing scripts or database stored procedures or can
be as extensive as large function libraries or microservices for use in other applications. The full range of
possibilities is too extensive to list exhaustively and is constantly growing as new ideas emerge.
In addition, the world of cloud computing is seeing wholly new developments and technologies added all the
time. Many of these include the execution of CSC-provided code, or its equivalent for a different paradigm.
For example, Artificial Intelligence (AI) services (e.g. machine learning) can be deployed as cloud services,
and in this case the “CSC-provided code” can include both training data and procedural code. As another
example, the world is preparing for the availability of Quantum Computing (QC) technology which (like AI)
will probably be exposed to CSCs as various forms of cloud services. Both AI and QC technologies appear
as services that can be incorporated within more traditional application designs, thus contributing their
specialised and unique capabilities.
It is therefore useful to describe both the purpose-built PaaS concept, and the more general “platform
capabilities type” as it appears in other cloud services beyond PaaS. This document explains the differences
between PaaS and other services, the types of CSC-provided code that such platforms can support, the general
approaches to development of code for such services, common platform architectural approaches, and how
cloud computing platforms can support new technology paradigms such as AI and QC in a consistent manner.
In particular, this document provides an introduction to the “cloud native computing” concept as a pattern
of platform capabilities type, providing an architectural pattern that is focused on cloud-first development
and that offers greater flexibility and modularity than many older software design patterns.
It is also important to define some general recommendations to promote good practice in the provision
and use of digital technology platforms of these kinds especially with respect to transparency of platform
service offerings to existing and potential CSCs.
Throughout this document, unless otherwise explicitly stated, the term “platform” is always used in
the engineering sense, specifically referring to the “digital technology platform” in accordance with
ISO/IEC TS 5928 as implemented in cloud services, edge services, mobile services, and other distributed
platforms.
The common engineering usage of "digital technology platform" includes:
— operating systems,
— “platform as a service” cloud services in accordance with ISO/IEC 22123-1,
— other cloud services that exhibit “platform capabilities type” in accordance with ISO/IEC 22123-2.
As such, this usage of platform refers to cloud services that enable a CSC to create and maintain their own
hosted application, rather than using digital technology for the creation of a multi-sided market as typically
used by economists and competition regulators.
However, as described in ISO/IEC TS 5928, some types of cloud services (typically various forms of SaaS)
that are implemented on top of the digital technology platform can also exhibit the characteristics of

© ISO/IEC 2024 – All rights reserved
vii
a digital economic platform by creating a multi-sided market. Such SaaS implementations by CSCs of the
digital technology platform are generally outside the control and responsibility of the digital technology
platform service operator.
The intended audience for this document is:
— businesses considering the use of technology platform capabilities for new cloud applications (both as
CSDs and as purchasers of installable cloud software)
— for those seeking to understand or describe the various cloud application development options available
— for those seeking to clearly describe digital technology platform services that they offer to CSCs
— for those developing governmental or procurement policies covering CSC-provided cloud applications
— those developing other standards that need to reference cloud technology platform capabilities and
approaches.
© ISO/IEC 2024 – All rights reserved
viii
Technical Specification ISO/IEC TS 7339:2024(en)
Information technology — Cloud computing — Overview of
platform capabilities type and platform as a service
1 Scope
Within the context of digital technology platforms as defined in ISO/IEC TS 5928, this document provides:
— a description of the concepts of the platform capabilities type as it appears in various cloud service
categories;
— a description of the specific cloud service category of platform as a service (PaaS);
— descriptions of common technology platform architectures, development approaches, and life cycles of
elements of technology platform services, including a high-level description of the popular cloud native
computing concept;
— recommendations for cloud services that include platform capabilities, including but not limited to PaaS.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 22123-1, Information technology — Cloud computing — Part 1: Vocabulary
ISO/IEC/TS 5928, Taxonomy for digital platforms
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 22123-1, ISO/IEC/TS 5928 and
the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
platform capabilities type
cloud capabilities type in which the cloud service customer can deploy, manage and run customer-created
or customer-acquired applications using one or more programming languages and one or more execution
environments supported by the cloud service provider
Note 1 to entry: In this context “applications” can include programs, software components (such as containers, code,
function libraries, and microservices, etc.), unfinished or incomplete programs (such as test versions or prototypes),
and other forms of source code or executable software code artefacts, with or without a user interface being included.
Note 2 to entry: This does not include any minimal scripting capability internal to a single application, such as simple
macros within a spreadsheet.
[SOURCE: ISO/IEC 22123-1:2023, 3.5.4, modified — Notes 1 and 2 to entry have been added.]

© ISO/IEC 2024 – All rights reserved
3.2
CSC-provided code
software code artefacts created by CSDs acting on the CSC’s behalf, that are designed to execute within a
cloud service to meet the needs of the CSC
Note 1 to entry: Such code artefacts can be supplemented by data or metadata.
Note 2 to entry: The CSDs creating the code can be employees or contractors of the CSC, or of another organization
such as a vendor, partner, or contractor to the CSC.
3.3
metadata
data that defines and describes other data
Note 1 to entry: Metadata can include many different kinds of attributes of the data it describes. Some metadata fields
are almost universal, such as date of creation and last change, type of file or object, permissions, and ownership. Other
metadata can be specific to the type of object, such as the camera settings of a digital image, the author’s name for a
document, the version of a code artefact, etc.
Note 2 to entry: Some metadata may be directly attached to (or embedded within) the data to which it relates and will
always move with it. Other metadata may be stored separately and associated with the data by reference or other means.
[SOURCE: ISO/IEC 11179-3:2022, 3.2.30, modified — The notes to entry have been added.]
3.4
cloud native
cloud native computing
approach and practices for developing, deploying, and running applications and services in cloud computing
systems with specific platform capabilities type which offer features such as functional decomposition,
containerization, orchestration, microservices for applications, automation, monitoring and logging, and
continuous operation
Note 1 to entry: Additional tools and technologies that support these capabilities include DevOps, CI-CD tools,
automation of orchestration etc., which individually and collectively, enable autoscaling, resilience, superior
performance, ease of portability and interoperability and ease of maintenance among other benefits.
Note 2 to entry: Orchestration refers to automatic or semi-automatic deployment, instantiation, interconnection, and
management of containerised software.
Note 3 to entry: This approach contrasts with more traditional virtualisation-based approaches based largely on
customer-managed Virtual Machines.
Note 4 to entry: See also Clause 10.
3.5
jurisdiction
geographical or corporate area over which a cloud computing policy extends
Note 1 to entry: In a government policy context this will generally be the geographical area over which the body
enacting the policy has legal authority either as government or as authorised regulator. However, in an enterprise or
government agency environment, the jurisdiction of a policy might cover a business function, department, agency, or
other organisational area of responsibility not tied to geography.
[SOURCE: ISO/IEC TR 22678:2019, 3.2]
3.6
cloud service developer
sub-role of the cloud service partner role, with the responsibility for designing, developing, testing and
maintaining the implementation of software that is either part of a cloud service, or is designed to run on a
cloud service
Note 1 to entry: The cloud service developer sub-role can be performed by any party, including CSN, CSP, and CSC.

© ISO/IEC 2024 – All rights reserved
Note 2 to entry: Normally software that is part of a cloud service will only be developed by a CSD under the control of
the CSP. Software that runs on top of a cloud service can be developed by a CSD under the control of a CSC (e.g. for IaaS
or PaaS).
Note 3 to entry: This definition supersedes the definition in ISO/IEC 22123-1:2023, 3.3.13.
4 Abbreviated terms
AI artificial intelligence
API application programming interface
CaaS communications as a service
CaaS container as a service
CDM cloud deployment model
CPU central processing unit
CSA cloud service agreement
CSC cloud service customer
CSD cloud service developer
CSN cloud service partner
CSP cloud service provider
CSU cloud service user
DBaaS database as a service
DSaaS data storage as a service
FaaS function as a service
FPGA field programmable gate array
GPU graphics processing unit
IaaS infrastructure as a service
IAM identity and access management
IDaaS identity as a service
IoT internet of things
ISV independent software vendor
LLM large language model
ML machine learning
MLaaS machine learning as a service
NaaS network as a service
PaaS platform as a service
© ISO/IEC 2024 – All rights reserved
PII personally identifiable information
QC quantum computing
QCaaS quantum computing as a service
SaaS software as a service
SBoM software bill of materials
SQL structured query language
UI user interface
W3C World Wide Web Consortium
WCAG web content accessibility guidelines
5 Overview of platform capabilities type
5.1 General
The definition of “platform capabilities type” means supporting the execution of CSC-provided software
code written in a programming language, whether the code is written by the CSC themselves or obtained
from another CSD (see 5.6), or perhaps from an open-source project. This can also include pre-compiled code
provided (created or purchased) by the CSC, such as bytecode, libraries, container images, or microservices
as described in ISO/IEC TS 23167.
NOTE This document considers platform capabilities in a top-down sense and shows how they fit within the
bigger picture of cloud services in general. By contrast ISO/IEC/TS 23167 took a more bottom-up approach, looking at
specific technologies and techniques individually rather than showing how they relate to one another or to the bigger
picture. As such, ISO/IEC/TS 23167 remains a useful reference for the details of some specific technologies, though
some of it has been somewhat overtaken by advances in technology and concepts since it was published. The two
documents do not conflict, but they are written from different viewpoints of the topics under discussion.
5.2 Examples of capabilities
Capabilities falling within the platform capabilities type include but are not limited to:
a) Capabilities to write, upload, compile, execute, monitor, and debug their own programming code within
the service;
b) Execution of CSC-provided code that operates on cloud data storage, such as SQL stored procedures for a
cloud database (DBaaS);
c) The provision of APIs that allow CSC-provided code to access functions and capabilities offered by the
cloud service. For example:
1) Connection routing APIs for Network as a Service (NaaS);
2) Call routing APIs for customer-support via Communication as a Service (CaaS);
d) The provision of APIs that allow CSC-provided code to communicate with external software functions
either within the same cloud service or elsewhere;
e) The provision of APIs that allow CSC-provided code to construct and offer one or more user interfaces
for communication with human users;
f) The provision of APIs that allow CSC-provided code to construct and expose one or more CSC-defined
APIs for communication with other software applications or cloud services;

© ISO/IEC 2024 – All rights reserved
g) The provision of APIs that allow CSC-provided code to be managed with respect to data security,
confidentiality, privacy, integrity, and accessibility for disabled persons;
h) The provision of APIs that allow CSC-provided code to manage and extract CSC data within and from the
cloud service, such as in preparation for moving to another cloud service.
5.3 Capabilities not included in the platform capabilities type
Capabilities falling outside the cloud computing platform capabilities type include but are not limited to:
a) Non-cloud capabilities:
1) Anything in which the hosting environment does not meet the definition of cloud computing in
accordance with ISO/IEC 22123-1;
b) Infrastructure capabilities:
1) “Bare metal” or virtualised computer hardware, such as the hosting of virtual machine images;
2) Scripting for the purpose of managing infrastructure resources such as virtual machines, network
configurations, basic storage, etc., since such code does not directly provide a user interface to a CSU;
c) Application capabilities:
1) Mathematical functions within spreadsheets;
2) Email sorting rules;
3) Macros within SaaS productivity applications (such as spreadsheets or presentation applications);
4) Scripting that works only within the closed context of a specific user-facing SaaS application, such
as animations within a presentation tool;
d) Others:
1) The execution of CSC-provided code for the sole purpose of education or training, such as in a
learning simulation;
2) The execution of CSC-provided code for the sole purpose of entertainment of the CSU, such as within
a puzzle game;
3) Generally, any programming capability wherein a CSC’s code executes in an environment in which it
is unable to interact with other system elements or connect beyond its own environment.
5.4 The legal status of CSC-provided code as customer data
It is important for CSCs and CSPs to recognise the legal status of all code and data provided by the CSC to the
CSP, as these will almost always be categorised as customer data as defined in ISO/IEC 22123-1, and as such
can be subject to applicable local jurisdictions and regulations.
CSC provided code or data that contains any personally identifiable information (PII) can be subject to
privacy regulations.
5.5 Intellectual property considerations
In most cases, the CSC (or another body) will hold copyright on the code artefacts, data, and metadata they
create and load to the cloud service. If the CSP wishes to claim any copyright on any such submissions, this
should be made very clear to potential CSCs before they commit to the cloud service. See 15.1.
If the CSC-provided code uses AI functionality through a PaaS-type cloud service to create any derivative
works of copyright material, it remains the CSC’s responsibility to ensure they have the appropriate rights
for their application to function in this way.
...