ISO/IEC TR 23187:2020

TECHNICAL ISO/IEC TR
REPORT 23187
First edition
2020-06
Information technology — Cloud
computing — Interacting with cloud
service partners (CSNs)
Reference number
©
ISO/IEC 2020
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 2
5 Structure of this document . 2
6 Relationship of roles and activities, and managing risks in cloud services .3
6.1 Overview . 3
6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789). 4
7 Overview of roles, sub-roles, and responsibilities of cloud service partners (CSNs) .4
7.1 Relationship between roles, activities and responsibilities . 4
7.2 Roles and sub-roles . 5
7.3 Cloud service provider (CSP) . 6
7.4 Cloud service customer (CSC) and Cloud service user (CSU) . 6
7.4.1 Cloud service customer (CSC) . 6
7.4.2 Cloud service user (CSU) . 6
7.5 Cloud service partner (CSN) . 6
7.5.1 Overview . 6
7.5.2 Cloud auditor . 7
7.5.3 Cloud service broker. 8
7.5.4 Cloud service developer . 9
7.6 Relationships between CSNs, and other roles and sub-roles .11
7.6.1 Differences between CSNs, CSCs and CSPs .11
7.6.2 CSNs and inter-cloud providers .11
8 Overview and description of types and interactions between cloud service partners
(CSNs) with CSPs, CSCs, and CSNs .11
8.1 General .11
8.2 Interaction between CSNs and CSCs .12
8.2.1 Overview .12
8.2.2 CSN managing CSC’s cloud adoption .13
8.3 Interaction between CSNs and CSPs .13
8.4 Interaction between CSNs and other CSNs .14
8.4.1 Description of types of CSNs interactions .14
8.4.2 CSN – interaction and responsibilities .14
9 Elements of cloud service agreements (CSAs) relating to CSN interactions .14
9.1 General principles .14
9.2 Role, relationship and agreement .15
9.2.1 Overview .15
9.2.2 Cloud migrations and cloud deployment models .17
9.3 Cloud service level agreement (Cloud SLA) .18
9.3.1 Overview .18
9.3.2 SLA terminology .18
9.3.3 Roles and responsibilities .19
10 Examples of scenarios illustrating CSN activities .19
10.1 Introduction .19
10.2 Reselling of cloud service.20
10.3 Cloud service exchange .22
10.4 Management of cloud service .23
10.4.1 CSN – CSC: Managing the CSC use of cloud service .23
© ISO/IEC 2020 – All rights reserved iii

10.4.2 CSN – CSP: partnership with a CSP to deliver cloud service .24
10.5 Cloud data management service .26
10.6 Shared services management .27
11 Issues on roles and sub-roles (as illustrated in examples) .28
11.1 General .28
11.2 Cloud computing environment .29
11.3 CSN roles and sub-roles.30
11.3.1 Overview .30
11.3.2 Responsibilities and risks .30
11.4 Cloud service activity and functional components .31
11.5 Supplier relationship in cloud services .31
12 Available standards .32
Bibliography .34
iv © ISO/IEC 2020 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see http:// patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud computing and distributed platforms.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2020 – All rights reserved v

Introduction
The purpose of this document is to expand on the understanding of the interactions between cloud
service partners (CSNs) and cloud service customers (CSCs), and between CSNs and cloud service
providers (CSPs).
Cloud computing offers solutions to many emerging technologies and it offers many benefits to all cloud
service users (CSUs) and CSCs. The broader requirement for cloud computing solutions is to ensure
organizations have the best capabilities to fulfil their business missions. This has helped to drive the
adoption of cloud services and the marketplace is adjusting to the increasing demands.
In finding and applying appropriate solutions and leveraging the many benefits of using cloud services,
many CSCs use multiple CSPs and various deployment models. In using, sharing, and assessing data,
an understanding and clarification of roles, activities and responsibilities will help to maintain the
security, privacy, confidentiality and integrity of cloud services.
Interactions of CSCs and CSPs with the various CSNs have caused a degree of concern and confusion
in the cloud service marketplace. In some cases, causing harm to CSCs through inappropriate security
controls and the lack of proper cloud service agreements relating to the cloud services being used.
This is in part caused by an inadequate understanding of the relationships involved and by the lack of
standards which might apply to those relationships.
Interactions between CSCs and CSPs have been described in detail in standards documents –
ISO/IEC 17789, ISO 19011, ISO/IEC 19941, ISO/IEC 27017, ISO/IEC 27018 and the ISO/IEC 19086 series.
Interactions of CSNs, a key role in the cloud service environment, with CSCs and CSPs have not been
described in similar detail. This document provides further clarity about those interactions.
This document provides clarification of the concepts provided in ISO/IEC 17788, ISO/IEC 17789, the
ISO/IEC 19086 series, and ISO/IEC 19941 regarding CSNs, and CSN interactions with CSCs and CSPs
with the help of a few exemplary market scenarios. Building on an expanded description of sub-roles
and activities, this document provides guidance on using cloud service agreements (CSAs) and cloud
service level agreements (cloud SLAs) to provide more clarity for CSN interactions.
vi © ISO/IEC 2020 – All rights reserved

TECHNICAL REPORT ISO/IEC TR 23187:2020(E)
Information technology — Cloud computing — Interacting
with cloud service partners (CSNs)
1 Scope
This document provides an overview of and guidance on interactions between cloud service partners
(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud
service roles. In addition, this document describes how cloud service agreements (CSAs) and cloud
service level agreements (cloud SLAs) can be used to address those interactions, including the following:
— definition of terms and concepts, and provision of an overview for interactions between CSNs and
CSCs and CSPs;
— description of types of CSN interactions;
— description of interactions between CSNs and CSCs;
— description of interactions between CSNs and CSPs;
— description of elements of CSAs and Cloud SLAs for CSN interactions, both with CSPs and with CSCs.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary
ISO/IEC 17789, Information technology — Cloud computing — Reference architecture
ISO/IEC 19086-1, Information technology — Cloud computing — Service level agreement (SLA)
framework — Part 1: Overview and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17788, ISO/IEC 17789,
ISO/IEC 19086-1, and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
audit
systematic, independent and documented process for obtaining objective evidence and evaluating it
objectively to determine the extent to which the audit criteria (3.2) are fulfilled
Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the
organization itself.
© ISO/IEC 2020 – All rights reserved 1

Note 2 to entry: External audits include those generally called second and third party audits. Second party audits
are conducted by parties with an interest in the organization, such as customers, or by other individuals on
their behalf. Third party audits are conducted by independent auditing organizations, such as those providing
certification/registration of conformity or governmental agencies.
[SOURCE: ISO 19011:2018, 3.1]
3.2
audit criteria
set of requirements used as a reference against which objective evidence is compared
Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words
“compliance” or “non-compliance” are often used in an audit finding.
Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements,
contractual obligations, etc.
[SOURCE: ISO 19011:2018, 3.7]
4 Symbols and abbreviated terms
CCRA cloud computing reference architecture
Cloud SLA cloud service level agreement
CSA cloud service agreement
CSC cloud service customer
CSN cloud service partner
CSP cloud service provider
CSU cloud service user
IaaS infrastructure as a service
PaaS platform as a service
PII personally identifiable information
SaaS software as a service
SLA service level agreement
SLO service level objective
SQO service qualitative objective
5 Structure of this document
In supporting the scope presented in Clause 1, this document is faithful to the existing descriptions
of roles and sub-roles as presented in ISO/IEC 17789:2014, 7.2.2 and cloud computing activities in
ISO/IEC 17789:2014, 7.2.1. This document explains the relationship between cloud service partners
(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud
service roles:
Clause 6 – presents the challenges of managing risks relating to roles and activities in cloud services.
Clause 7 – provides an overview of the roles, sub-roles, and responsibilities of cloud service partners
and provide the essential connection to the reference material in ISO/IEC 17789.
2 © ISO/IEC 2020 – All rights reserved

Clause 8 – building on Clause 7 and the exemplary scenarios in Clause 10, this clause discusses an
overview and description of the types of interactions between cloud service partners (CSNs) and CSPs,
CSCs and other CSNs.
Clause 9 – provides guidance on the use and tailoring of cloud service level agreements (cloud SLAs)
and other agreements with the understanding of the roles, sub-roles and activities of CSNs in relation to
the use of cloud services.
Clause 10 – presents examples that involve CSCs, CSPs, CSNs and demonstrates how different
sub-roles can share the cloud computing activities associated with a given role as described in
ISO/IEC 17789:2014, 7.2.2.
Clause 11 – presents issues relating the roles, activities and responsibilities.
Clause 12 – identifies existing relevant standards.
6 Relationship of roles and activities, and managing risks in cloud services
6.1 Overview
Cloud computing embraces different cloud service categories, cloud deployment models, cloud
capabilities types, and cloud computing cross cutting aspects. To this end, roles and activities are
critical contributors, and it is often necessary to differentiate requirements and issues for certain
parties (see ISO/IEC 17021-1).
The cloud computing roles and their associated activities and components are defined in ISO/IEC 17788
and ISO/IEC 17789 (CCRA). One of the goals of ISO/IEC 17789, as specified in Clause 6, is “to specify
basic cloud computing activities and functional components, and describe their relationships to each other
and to the environment.” For example, a cloud service broker is a sub-role of a cloud service partner
(CSN) as defined in ISO/IEC 17788 and ISO/IEC 17789. These standards make it clear that a CSN does
not provide cloud services. On the other hand, an inter-cloud provider is a sub-role of a CSP that can and
does provide cloud services.
Note that ISO/IEC 17788 and ISO/IEC 17789 do not claim to describe all possible sub-roles of CSN,
and initially identified the three sub-roles a cloud service broker, cloud service developer and cloud
auditor. This document extends the ISO/IEC 17789 description of CSNs based on a survey of recent
developments in cloud computing.
The CSP’s role and all its sub-roles when providing cloud services to a CSC are not only just delivering
cloud services but are also carrying out all activities necessary to safeguard its delivery and
maintenance of those cloud services. ISO/IEC 27017 provides guidelines for the provision and use of
cloud services specifically for CSPs and CSCs. ISO/IEC 27036-4 addresses relationships of CSPs and
1)
CSCs with suppliers of cloud service products .
In a cloud computing environment, CSC data is stored, transmitted and processed by one or more cloud
services. A CSC's business processes depend upon the information security of those cloud services.
Without sufficient control over the cloud services, the CSC might need to take extra precautions with its
information security practices.
It is necessary for a CSC or any potential user to be concerned about protecting their data and to have an
appreciation of both the benefits and risks of cloud computing. It would be prudent to have requirements
for higher assurance for data security and privacy regardless of whether they are accessing cloud
services from a CSP or are working with a CSN. The roles and related activities in handling CSC’s data
when delivering cloud services should be understood by all parties to ensure appropriate precautions
and safeguards are in place. When using the service of a CSN, it is pertinent to have some form of
1) ISO/IEC 17789:2014, 3.2.2 cloud service product: A cloud service, allied to the set of business terms under
which the cloud service is offered. NOTE – Business terms can include pricing, rating and service levels.
© ISO/IEC 2020 – All rights reserved 3

agreement or understanding, to clarify data ownership, who has access to the data, and how data is
being accessed and handled.
The role and responsibilities of PII processors for protection of personally identifiable information (PII)
in public clouds are specified in ISO/IEC 27018. ISO/IEC 27018 also emphasizes the responsibilities of
the CSP, especially for a public CSP who is processing PII for a CSC, and the contractual relationship
between CSC and CSP. To articulate consistently how data is to be collected and used, the taxonomy and
structured data use statements defined in ISO/IEC 19944 are recommended.
When a potential user or CSC uses direct or indirect contact to search for cloud service products to
meet its mission, the CSC will find offerings from businesses of various sizes with different cloud
deployment models, cloud services, and different cloud capabilities types, such as IaaS, PaaS and SaaS.
The quandary is in determining the providers of the services and their roles in delivering the services,
and the roles and activities of those involved in delivering and using the cloud services.
Following this thought, interactions between CSNs specifically cloud service brokers, cloud service
developers and cloud auditors are the focus of the discussion in this document. Interactions in the
delivery and use of cloud services are related activities initiated by one party that influence responsive
activities from another party or parties. The fluidity of the cloud marketplace embraces the flexibility
of all parties and different sub-roles to play multiple and interchanging roles in delivering and using
cloud services.
6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789)
The focus of this document is on roles and related activities, and specifically interactions between cloud
service partners (CSNs) such as cloud service brokers, cloud service developers and cloud auditors,
with other cloud service roles and their related activities. ISO/IEC 17789 (cloud computing reference
architectural /CCRA) covers roles and activities through the lens of the reference architecture user
and functional views. The functional view includes a layering framework that makes up the user layer,
access layer, service layer and resource layer as described in ISO/IEC 17789:2014, 9.1.1. The CCRA also
includes cross cutting aspects, layering framework and operational support systems components and
components relating to the user and functional views. The approach of this document is not to redefine
roles, sub-roles and activities as laid out in ISO/IEC 17789, but it is important to emphasize that roles
can change through interaction of stakeholders during the use of cloud services, and that it may be
possible to expand on these roles and sub-roles in the future. While this document will align closely
to the roles and activities described ISO/IEC 17789, it is not necessary to include all components from
ISO/IEC 17789 to support the scope of this document.
7 Overview of roles, sub-roles, and responsibilities of cloud service partners
(CSNs)
7.1 Relationship between roles, activities and responsibilities
As the use of cloud computing increases, the cloud service products evolve and adapt to meet the
demand. Technological development is evolving, and cloud computing is becoming part of the solutions
for the Internet of Things (IoT), edge computing, and artificial intelligence (see ISO/IEC 23167 and
ISO/IEC 23188). To meet the changing environment and increasing demands, the roles, responsibilities
and activities in providing cloud services need to be re-examined in relation to the technological
development and growing adoption of cloud computing.
The diversity of different cloud service offerings is accelerating the need for additional standards. Some
roles and the associated responsibilities described in existing standards need to be further expanded
for the spectrum of offerings as discussed in Clause 12. A party is not defined by a set of activities,
and at any time, can assume more than one role and can take on a specific subset of activities of that
role. Understanding the roles and associated activities for the use of cloud computing is necessary for
clarifying gaps in responsibility, specifically for security, privacy and the key characteristics described in
ISO/IEC 17788, when building applicable agreements including cloud service level agreements (see 9.2).
4 © ISO/IEC 2020 – All rights reserved

7.2 Roles and sub-roles
This document focuses on the same three cloud computing roles as in ISO/IEC 17789 but examines
the evolving relationship and sub-roles of these roles as they interact in a cloud service environment.
ISO/IEC 17789 specifies the basic cloud computing activities to establish the requirements of “what”
cloud services provide. A role is defined by a set of cloud computing activities but some of the activities
with one role can be shared or performed by other roles to facilitate and enable the delivery and use of
cloud services (see ISO/IEC 17789:2014, 7.2.2).
From selection through eventual uses of a cloud service there are many components, such as the cross-
cutting aspects, that require coordination across roles and need to be implemented consistently in a
cloud computing system. A clear understanding of roles and the representative sets of cloud computing
activities is necessary to avoid any misunderstanding of responsibilities and to facilitate a mutual
agreement for the use of cloud services.
Within the context of cloud computing, it is nec-
essary to differentiate among the requirements
and issues for certain parties ISO/IEC 17788.
These parties are entities that play roles (and
sub-roles). A role is described as a set of cloud
computing activities performed by a party that
serve a common purpose. The three roles identi-
fied in ISO/IEC 17789 are cloud service provider
(CSP), cloud service customer (CSC) and cloud
service partner (CSN), as described in Figure 1. A
sub-role is a subset of the cloud computing activi-
ties for a given role. Different sub-roles can share
the cloud computing activities associated with a
given role. A party can play more than one role at
any given point in time and can only engage in a
specific subset of activities of that role.
Figure 1 — Common roles of cloud computing
A party can play more than one role. For example,
a CSP can provide an application capabilities type
service to CSCs using the infrastructure capabili-
ties type service from another CSP. In this scenar-
io, as shown in Figure 2, this party is performing
the roles of CSP and CSC, and its responsibilities
change depending on its engagement.
NOTE ISO/IEC 27017 provides guidelines for
the implementation of information security controls
based on the roles and responsibilities of CSPs and
CSCs. A clear definition of roles and responsibilities
supports the segregation of duties in the cloud
environment and establishes the applicable security
controls to address cloud-specific information
security threats and risks considerations.
Figure 2 — A party can play more than one role
© ISO/IEC 2020 – All rights reserved 5

7.3 Cloud service provider (CSP)
A CSP is specifically responsible for making cloud services available. The role of providing cloud services
focuses on the activities necessary to ensure services are delivered to the intended CSC or CSU. Some of
the necessary activities are identified in ISO/IEC 17789 for the various CSP sub-roles.
The CSP can supply its cloud service products in co-operation with one or more CSNs who are
responsible for different aspects such as control, security and configuration of the cloud services.
7.4 Cloud service customer (CSC) and Cloud service user (CSU)
7.4.1 Cloud service customer (CSC)
The CSC is a party which is in a business relationship for the purpose of using cloud services. For the
activities of using cloud services, a CSC can be an individual person, a person using multiple different
CSPs and even as one of the tenants sharing access to a set of cloud physical and virtual resources.
The CSC may acquire cloud services directly from one or more CSPs or through a CSN. In addition, the
CSC may choose to engage another party to be responsible for the cloud services and for a variety of
activities relating to cloud service usage. In doing so, the CSC allows this party to assume many of the
CSC’s sub-roles and associated activities.
7.4.2 Cloud service user (CSU)
The cloud service user (CSU) is defined in ISO/IEC 17788:2014, 3.2.17, as a natural person, or entity
acting on their behalf, associated with a cloud service customer (CSC) that uses cloud services. A CSU
is also recognized as a tenant sharing access to a set of physical and virtual resources of a CSC’s cloud
service. A CSC may have many different CSUs using the cloud services to which it has access. The CSU is
not described as one of the three main cloud computing roles in either ISO/IEC 17788 or ISO/IEC 17789.
A CSU is associated to the CSC for the use of cloud services and is likely to have some form of permission
or authorization with the CSC governing the CSU’s use of the cloud services the CSC is accessing.
7.5 Cloud service partner (CSN)
7.5.1 Overview
A CSN is recognized as a party which is engaged in
support of, or auxiliary to, the activities of either the
CSP or CSC, or both. It may be true that CSNs are not
providing cloud services. However, in recognizing
that any party can play more than one role at any
given point and different sub-roles can share the
cloud computing activities associated with a given
role, CSNs can perform various activities needed in
support of CSCs and CSUs in their usage of cloud ser-
vices. In their interaction with CSCs and CSPs, the
sub-roles of CSNs are changing, and many activities
and functions morph smoothly with those of the
CSCs and CSPs in responding to the support needed.
A CSN might perform various cloud computing
activities depending on the types of partnership
and their relationship with the CSP and the CSC, as
shown in Figure 3.
Figure 3 — Cloud Service Partner (CSN)
6 © ISO/IEC 2020 – All rights reserved

The CSPs work with various partners to serve CSCs and to expand more offerings to meet the needs
and demands of their CSCs. The CSNs, in partnering with CSPs, are not constrained to prescribed
activities and can respond by assuming activities that are otherwise described for sub-roles of CSCs
and CSPs in ISO/IEC 17789. Consequently, to strategically expand a customer base, the CSPs empower
CSNs to expand their activities to include providing customized services such as localization, while not
providing a comprehensive cloud service.
Some cloud services utilize third-party cloud services to augment functionality and the flow of data.
The roles and responsibilities of CSNs might need to go beyond a supporting role to CSPs and CSCs.
Defining roles and responsibilities that CSNs can perform will not only help to establish the appropriate
components in the agreements, but most importantly, determine the security safeguards.
Depending on the type of partnership with CSP and CSC, the CSN can perform one or more sub-roles,
including cloud auditor, cloud service broker and cloud service developer.
7.5.2 Cloud auditor
The cloud auditor is responsible for conducting an independent audit of the provision and use of
cloud services as defined in ISO/IEC 17789:2014, 8.4.1.2. A cloud audit typically covers operations,
performance, privacy impact and security and examines whether a specified set of audit criteria (see
definition below – ISO 19011:2018, 3.7) are met.
The cloud auditor is a sub-role of the CSN and performs the following cloud computing activities:
— Perform audit (ISO/IEC 17789:2014, 8.4.2.4)
The audit objectives, specifications, policies and agreement can be established in the cloud service
agreement, which is addressed in Clause 9 of this document.
— Report audit results (ISO/IEC 17789:2014, 8.4.2.5)
In this document, two types of cloud auditor are considered;
1) External cloud auditor
An organization commissioned by an independent accreditation body (e.g. a government)
conducts audits from the perspective of a third party. The external cloud auditor can also be
called “Third-party cloud auditor” (see Table 1).
For example, in order to ensure cloud services procured by a government meet their control
measures, there are three main entities for consideration: (1) the government as the CSC
using cloud services; (2) the CSP which provides the cloud services; and (3) the external cloud
auditor that audits the cloud services provided by the CSP and used by the CSC. The government
needs to specify a set of control measures required by the government based on their level of
acceptable risk, and the CSP is required to meet the specified set of control measures. The role
of the external cloud auditor is to confirm that the CSP's individual control measures meet the
control criteria properly.
In another case the cloud audit is performed by a partner that makes an alliance with a CSP for
their business. The partner audits the cloud services to obtain the partner viewpoint. This can
also be treated as an internal audit.
For another case, multiple external cloud auditors can be auditing one cloud service
simultaneously. The auditors will need to coordinate audits collaboratively while meeting
independent Cloud SLAs made between the CSP and CSC.
Some information, such as actual audit data shared between the external cloud auditor, CSC
and CSP, may be confidential information belonging to the CSP. It may therefore be subject to a
non-disclosure agreements (NDA) between the relevant parties.
2) Internal cloud auditor
© ISO/IEC 2020 – All rights reserved 7

An internal audit as shown in Table 1 is referred to as a first party audit and can be conducted
on the CSC’s use of cloud services or on the CSP’s anticipated cloud services. An internal auditor
can be an "in-house cloud auditor” within an organization or contracted third party. A CSP: cloud
service operations manager performing the sub-role as a cloud auditor (ISO/IEC 17789:2014,
8.3.1.1) provides audit data from an audit performed internally.
One of the important rationales for internal audits is to monitor the ongoing status of the
results evaluated by external audits as the appropriate measures as necessary for the CSP to
demonstrate continued compliance.
From the perspective of conformity assessment, the definition for audit as per ISO 19011 is provided in
3.1.
The internal cloud auditor should perform the audit as the first party audit, and the external cloud
auditor should perform the audit as the second party audit and third party audit (see ISO 19011). While
ISO 19011 concentrates on internal audits (first party) and audits conducted by organizations on their
external providers and other external interested parties (second party), the document can also be useful
for external audits conducted for purposes other than third party management system certification. As
an additional reference, ISO/IEC 17021-1 provides requirements for auditing management systems for
third party certification.
Table 1 lists the three types of audit as referenced in ISO 19011.
Table 1 — Different types of audits (see ISO 19011)
First party audit Second party audit Third party audit
Certification and/or
Internal audit External provider audit
accreditation audit
Other external interested Statutory, regulatory and
party audit similar audit
Regardless of whether it is an internal or external audit, it is essential that the cloud auditor and the CSC
have a mutual and clear understanding of the scope of the cloud computing environment, the CSPs and
potential outsourcing partnership, and any third-party providers. Many audit standards exist within
ISO and external to ISO. The objectives and scope for the audits, identify the key roles and sub-roles
to be considered and included as part of the audit. ISO/IEC 27007 provides guidance on managing an
information security management system (ISMS) audit programme, on conducting audits, and on the
competence of ISMS auditors, in addition to the guidance contained in ISO 19011. The audit is applicable
to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS
audit programme.
Depending on the objectives and scope of the cloud computing audit, the cloud auditor interacts with
CSP, CSC, and CSN, i.e. the cloud service broker and cloud service developer, to produce the appropriate
audit results. For example, a cloud auditor may need to audit the service after the cloud service
developer has completed the test(s).
7.5.3 Cloud service broker
The cloud service broker negotiates business relationships between CSCs and CSPs as defined in
ISO/IEC 17789:2014, 8.4.1.3. Unlike the inter-cloud provider (CSP’s sub-role [ISO/IEC 17789:2014,
8.3.1.6]), the cloud service broker is not involved in providing the cloud service and is not itself a CSP.
The party assuming the sub-role of cloud service broker could operate independently or also assume
the sub-role by combining its activities with the CSP: inter -cloud provider and performing activities of
peering, intermediation, aggregation and managing peer cloud service (see 7.6).
The cloud computing activities of a cloud service broker include:
— acquire and assess customers (ISO/IEC 17789:2014, 8.4.2.6);
— assess marketplace (ISO/IEC 17789:2014, 8.4.2.7);
8 © ISO/IEC 2020 – All rights reserved

— set up legal agreement (ISO/IEC 17789:2014, 8.4.2.8).
A cloud service broker could set up a business solution to connect CSU or CSC to one or more CSPs as
shown in the scenarios in Clause 10. The CSCs could be in contact with a CSN offering cloud service
solutions that include offerings of cloud service products on behalf of CSPs. The marketplace assessment
can occur prior to CSU or CSC acquisition, allowing the creation of pre-agreements with CSPs. This
enables CSCs to select CSPs from a service catalogue, possibly negotiating service details (e.g., service
level objectives) at selection time.
The cloud service broker, acting as the intermediary between the CSC and the CSP, may expand its
activities and offerings to help CSCs with understanding the complexity of cloud service offerings and to
create added value for the cloud services. A cloud service broker may also be in the position to negotiate
contracts with the CSP on behalf of the CSC. Whether in support of the CSC or the CSP, the cloud service
broker only acts during the contracting phase of the service. The cloud service broker is not
...