Information technology — Cloud computing — Interacting with cloud service partners (CSNs)

This document provides an overview of and guidance on interactions between cloud service partners (CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud service roles. In addition, this document describes how cloud service agreements (CSAs) and cloud service level agreements (cloud SLAs) can be used to address those interactions, including the following:
— definition of terms and concepts, and provision of an overview for interactions between CSNs and CSCs and CSPs;
— description of types of CSN interactions;
— description of interactions between CSNs and CSCs;
— description of interactions between CSNs and CSPs;
— description of elements of CSAs and Cloud SLAs for CSN interactions, both with CSPs and with CSCs.

General Information

Status: Published
Publication Date: 02-Jun-2020
Current Stage: 6060 - International Standard published
Start Date: 03-Jun-2020
Due Date: 24-Oct-2020
Completion Date: 03-Jun-2020

Buy Standard

Technical report
ISO/IEC TR 23187:2020 - Information technology -- Cloud computing -- Interacting with cloud service partners (CSNs)
English language
34 pages

Standards Content (Sample)

TECHNICAL REPORT ISO/IEC TR 23187
First edition 2020-06
Information technology — Cloud computing — Interacting with cloud service partners (CSNs)
Reference number: ISO/IEC TR 23187:2020(E)
© ISO/IEC 2020

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents (page numbers refer to the published document)
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Symbols and abbreviated terms ... 2
5 Structure of this document ... 2
6 Relationship of roles and activities, and managing risks in cloud services ... 3
6.1 Overview ... 3
6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789) ... 4
7 Overview of roles, sub-roles, and responsibilities of cloud service partners (CSNs) ... 4
7.1 Relationship between roles, activities and responsibilities ... 4
7.2 Roles and sub-roles ... 5
7.3 Cloud service provider (CSP) ... 6
7.4 Cloud service customer (CSC) and Cloud service user (CSU) ... 6
7.4.1 Cloud service customer (CSC) ... 6
7.4.2 Cloud service user (CSU) ... 6
7.5 Cloud service partner (CSN) ... 6
7.5.1 Overview ... 6
7.5.2 Cloud auditor ... 7
7.5.3 Cloud service broker ... 8
7.5.4 Cloud service developer ... 9
7.6 Relationships between CSNs, and other roles and sub-roles ... 11
7.6.1 Differences between CSNs, CSCs and CSPs ... 11
7.6.2 CSNs and inter-cloud providers ... 11
8 Overview and description of types and interactions between cloud service partners (CSNs) with CSPs, CSCs, and CSNs ... 11
8.1 General ... 11
8.2 Interaction between CSNs and CSCs ... 12
8.2.1 Overview ... 12
8.2.2 CSN managing CSC’s cloud adoption ... 13
8.3 Interaction between CSNs and CSPs ... 13
8.4 Interaction between CSNs and other CSNs ... 14
8.4.1 Description of types of CSNs interactions ... 14
8.4.2 CSN – interaction and responsibilities ... 14
9 Elements of cloud service agreements (CSAs) relating to CSN interactions ... 14
9.1 General principles ... 14
9.2 Role, relationship and agreement ... 15
9.2.1 Overview ... 15
9.2.2 Cloud migrations and cloud deployment models ... 17
9.3 Cloud service level agreement (Cloud SLA) ... 18
9.3.1 Overview ... 18
9.3.2 SLA terminology ... 18
9.3.3 Roles and responsibilities ... 19
10 Examples of scenarios illustrating CSN activities ... 19
10.1 Introduction ... 19
10.2 Reselling of cloud service ... 20
10.3 Cloud service exchange ... 22
10.4 Management of cloud service ... 23
10.4.1 CSN – CSC: Managing the CSC use of cloud service ... 23
10.4.2 CSN – CSP: partnership with a CSP to deliver cloud service ... 24
10.5 Cloud data management service ... 26
10.6 Shared services management ... 27
11 Issues on roles and sub-roles (as illustrated in examples) ... 28
11.1 General ... 28
11.2 Cloud computing environment ... 29
11.3 CSN roles and sub-roles ... 30
11.3.1 Overview ... 30
11.3.2 Responsibilities and risks ... 30
11.4 Cloud service activity and functional components ... 31
11.5 Supplier relationship in cloud services ... 31
12 Available standards ... 32
Bibliography ... 34

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud computing and distributed platforms.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
The purpose of this document is to expand on the understanding of the interactions between cloud
service partners (CSNs) and cloud service customers (CSCs), and between CSNs and cloud service
providers (CSPs).
Cloud computing offers solutions to many emerging technologies and it offers many benefits to all cloud
service users (CSUs) and CSCs. The broader requirement for cloud computing solutions is to ensure
organizations have the best capabilities to fulfil their business missions. This has helped to drive the
adoption of cloud services and the marketplace is adjusting to the increasing demands.
In finding and applying appropriate solutions and leveraging the many benefits of using cloud services,
many CSCs use multiple CSPs and various deployment models. In using, sharing, and assessing data,
an understanding and clarification of roles, activities and responsibilities will help to maintain the
security, privacy, confidentiality and integrity of cloud services.
Interactions of CSCs and CSPs with the various CSNs have caused a degree of concern and confusion
in the cloud service marketplace, in some cases causing harm to CSCs through inappropriate security
controls and the lack of proper cloud service agreements relating to the cloud services being used.
This is caused in part by an inadequate understanding of the relationships involved and by the lack of
standards which might apply to those relationships.
Interactions between CSCs and CSPs have been described in detail in standards documents –
ISO/IEC 17789, ISO 19011, ISO/IEC 19941, ISO/IEC 27017, ISO/IEC 27018 and the ISO/IEC 19086 series.
Interactions of CSNs, a key role in the cloud service environment, with CSCs and CSPs have not been
described in similar detail. This document provides further clarity about those interactions.
This document provides clarification of the concepts provided in ISO/IEC 17788, ISO/IEC 17789, the
ISO/IEC 19086 series, and ISO/IEC 19941 regarding CSNs, and CSN interactions with CSCs and CSPs
with the help of a few exemplary market scenarios. Building on an expanded description of sub-roles
and activities, this document provides guidance on using cloud service agreements (CSAs) and cloud
service level agreements (cloud SLAs) to provide more clarity for CSN interactions.

Information technology — Cloud computing — Interacting with cloud service partners (CSNs)
1 Scope
This document provides an overview of and guidance on interactions between cloud service partners
(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud
service roles. In addition, this document describes how cloud service agreements (CSAs) and cloud
service level agreements (cloud SLAs) can be used to address those interactions, including the following:
— definition of terms and concepts, and provision of an overview for interactions between CSNs and
CSCs and CSPs;
— description of types of CSN interactions;
— description of interactions between CSNs and CSCs;
— description of interactions between CSNs and CSPs;
— description of elements of CSAs and Cloud SLAs for CSN interactions, both with CSPs and with CSCs.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary
ISO/IEC 17789, Information technology — Cloud computing — Reference architecture
ISO/IEC 19086-1, Information technology — Cloud computing — Service level agreement (SLA)
framework — Part 1: Overview and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17788, ISO/IEC 17789,
ISO/IEC 19086-1, and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
audit
systematic, independent and documented process for obtaining objective evidence and evaluating it
objectively to determine the extent to which the audit criteria (3.2) are fulfilled
Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the
organization itself.
Note 2 to entry: External audits include those generally called second and third party audits. Second party audits
are conducted by parties with an interest in the organization, such as customers, or by other individuals on
their behalf. Third party audits are conducted by independent auditing organizations, such as those providing
certification/registration of conformity or governmental agencies.
[SOURCE: ISO 19011:2018, 3.1]
3.2
audit criteria
set of requirements used as a reference against which objective evidence is compared
Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words
“compliance” or “non-compliance” are often used in an audit finding.
Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements,
contractual obligations, etc.
[SOURCE: ISO 19011:2018, 3.7]
4 Symbols and abbreviated terms
CCRA cloud computing reference architecture
Cloud SLA cloud service level agreement
CSA cloud service agreement
CSC cloud service customer
CSN cloud service partner
CSP cloud service provider
CSU cloud service user
IaaS infrastructure as a service
PaaS platform as a service
PII personally identifiable information
SaaS software as a service
SLA service level agreement
SLO service level objective
SQO service qualitative objective
5 Structure of this document
In supporting the scope presented in Clause 1, this document is faithful to the existing descriptions
of roles and sub-roles as presented in ISO/IEC 17789:2014, 7.2.2 and cloud computing activities in
ISO/IEC 17789:2014, 7.2.1. This document explains the relationship between cloud service partners
(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud
service roles:
Clause 6 – presents the challenges of managing risks relating to roles and activities in cloud services.
Clause 7 – provides an overview of the roles, sub-roles, and responsibilities of cloud service partners
and provides the essential connection to the reference material in ISO/IEC 17789.
Clause 8 – building on Clause 7 and the exemplary scenarios in Clause 10, this clause discusses an
overview and description of the types of interactions between cloud service partners (CSNs) and CSPs,
CSCs and other CSNs.
Clause 9 – provides guidance on the use and tailoring of cloud service level agreements (cloud SLAs)
and other agreements with the understanding of the roles, sub-roles and activities of CSNs in relation to
the use of cloud services.
Clause 10 – presents examples that involve CSCs, CSPs, CSNs and demonstrates how different
sub-roles can share the cloud computing activities associated with a given role as described in
ISO/IEC 17789:2014, 7.2.2.
Clause 11 – presents issues relating to the roles, activities and responsibilities.
Clause 12 – identifies existing relevant standards.
6 Relationship of roles and activities, and managing risks in cloud services
6.1 Overview
Cloud computing embraces different cloud service categories, cloud deployment models, cloud
capabilities types, and cloud computing cross cutting aspects. To this end, roles and activities are
critical contributors, and it is often necessary to differentiate requirements and issues for certain
parties (see ISO/IEC 17021-1).
The cloud computing roles and their associated activities and components are defined in ISO/IEC 17788
and ISO/IEC 17789 (CCRA). One of the goals of ISO/IEC 17789, as specified in Clause 6, is “to specify
basic cloud computing activities and functional components, and describe their relationships to each other
and to the environment.” For example, a cloud service broker is a sub-role of a cloud service partner
(CSN) as defined in ISO/IEC 17788 and ISO/IEC 17789. These standards make it clear that a CSN does
not provide cloud services. On the other hand, an inter-cloud provider is a sub-role of a CSP that can and
does provide cloud services.
Note that ISO/IEC 17788 and ISO/IEC 17789 do not claim to describe all possible sub-roles of a CSN;
they initially identified three sub-roles: cloud service broker, cloud service developer and cloud
auditor. This document extends the ISO/IEC 17789 description of CSNs based on a survey of recent
developments in cloud computing.
The CSP’s role and all its sub-roles, when providing cloud services to a CSC, involve not only delivering
cloud services but also carrying out all activities necessary to safeguard the delivery and
maintenance of those cloud services. ISO/IEC 27017 provides guidelines for the provision and use of
cloud services specifically for CSPs and CSCs. ISO/IEC 27036-4 addresses relationships of CSPs and
CSCs with suppliers of cloud service products¹⁾.
In a cloud computing environment, CSC data is stored, transmitted and processed by one or more cloud
services. A CSC's business processes depend upon the information security of those cloud services.
Without sufficient control over the cloud services, the CSC might need to take extra precautions with its
information security practices.
It is necessary for a CSC or any potential user to be concerned about protecting their data and to have an
appreciation of both the benefits and risks of cloud computing. It would be prudent to have requirements
for higher assurance for data security and privacy regardless of whether they are accessing cloud
services from a CSP or are working with a CSN. The roles and related activities in handling CSC’s data
when delivering cloud services should be understood by all parties to ensure appropriate precautions
and safeguards are in place. When using the service of a CSN, it is pertinent to have some form of
agreement or understanding, to clarify data ownership, who has access to the data, and how data is
being accessed and handled.
1) ISO/IEC 17789:2014, 3.2.2 cloud service product: A cloud service, allied to the set of business terms under
which the cloud service is offered. NOTE – Business terms can include pricing, rating and service levels.
The role and responsibilities of PII processors for protection of personally identifiable information (PII)
in public clouds are specified in ISO/IEC 27018. ISO/IEC 27018 also emphasizes the responsibilities of
the CSP, especially for a public CSP who is processing PII for a CSC, and the contractual relationship
between CSC and CSP. To articulate consistently how data is to be collected and used, the taxonomy and
structured data use statements defined in ISO/IEC 19944 are recommended.
When a potential user or CSC uses direct or indirect contact to search for cloud service products to
meet its mission, the CSC will find offerings from businesses of various sizes with different cloud
deployment models, cloud services, and different cloud capabilities types, such as IaaS, PaaS and SaaS.
The quandary is in determining the providers of the services and their roles in delivering the services,
and the roles and activities of those involved in delivering and using the cloud services.
Following this thought, interactions between CSNs, specifically cloud service brokers, cloud service
developers and cloud auditors, are the focus of the discussion in this document. Interactions in the
delivery and use of cloud services are related activities initiated by one party that influence responsive
activities from another party or parties. The fluidity of the cloud marketplace embraces the flexibility
of all parties and different sub-roles to play multiple and interchanging roles in delivering and using
cloud services.
6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789)
The focus of this document is on roles and related activities, and specifically interactions between cloud
service partners (CSNs) such as cloud service brokers, cloud service developers and cloud auditors,
with other cloud service roles and their related activities. ISO/IEC 17789 (cloud computing reference
architecture, CCRA) covers roles and activities through the lens of the reference architecture user
and functional views. The functional view includes a layering framework that makes up the user layer,
access layer, service layer and resource layer as described in ISO/IEC 17789:2014, 9.1.1. The CCRA also
includes cross cutting aspects, layering framework and operational support systems components and
components relating to the user and functional views. The approach of this document is not to redefine
roles, sub-roles and activities as laid out in ISO/IEC 17789, but it is important to emphasize that roles
can change through interaction of stakeholders during the use of cloud services, and that it may be
possible to expand on these roles and sub-roles in the future. While this document aligns closely
with the roles and activities described in ISO/IEC 17789, it is not necessary to include all components from
ISO/IEC 17789 to support the scope of this document.
7 Overview of roles, sub-roles, and responsibilities of cloud service partners
(CSNs)
7.1 Relationship between roles, activities and responsibilities
As the use of cloud computing increases, the cloud service products evolve and adapt to meet the
demand. Technological development is evolving, and cloud computing is becoming part of the solutions
for the Internet of Things (IoT), edge computing, and artificial intelligence (see ISO/IEC 23167 and
ISO/IEC 23188). To meet the changing environment and increasing demands, the roles, responsibilities
and activities in providing cloud services need to be re-examined in relation to the technological
development and growing adoption of cloud computing.
The diversity of different cloud service offerings is accelerating the need for additional standards. Some
roles and the associated responsibilities described in existing standards need to be further expanded
for the spectrum of offerings as discussed in Clause 12. A party is not defined by a set of activities,
and at any time, can assume more than one role and can take on a specific subset of activities of that
role. Understanding the roles and associated activities for the use of cloud comput
...

TECHNICAL ISO/IEC TR
REPORT 23187
First edition
Information technology — Cloud
computing — Interacting with cloud
service partners (CSNs)
PROOF/ÉPREUVE
Reference number
ISO/IEC TR 23187:2020(E)
©
ISO/IEC 2020

---------------------- Page: 1 ----------------------
ISO/IEC TR 23187:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO/IEC 2020 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 23187:2020(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 2
5 Structure of this document . 2
6 Relationship of roles and activities, and managing risks in cloud services .3
6.1 Overview . 3
6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789). 4
7 Overview of roles, sub-roles, and responsibilities of cloud service partners (CSNs) .4
7.1 Relationship between roles, activities and responsibilities . 4
7.2 Roles and sub-roles . 5
7.3 Cloud service provider (CSP) . 6
7.4 Cloud service customer (CSC) and Cloud service user (CSU) . 6
7.4.1 Cloud service customer (CSC) . 6
7.4.2 Cloud service user (CSU) . 6
7.5 Cloud service partner (CSN) . 6
7.5.1 Overview . 6
7.5.2 Cloud auditor . 7
7.5.3 Cloud service broker. 8
7.5.4 Cloud service developer . 9
7.6 Relationships between CSNs, and other roles and sub-roles .11
7.6.1 Differences between CSNs, CSCs and CSPs .11
7.6.2 CSNs and inter-cloud providers .11
8 Overview and description of types and interactions between cloud service partners
(CSNs) with CSPs, CSCs, and CSNs .11
8.1 General .11
8.2 Interaction between CSNs and CSCs .12
8.2.1 Overview .12
8.2.2 CSN managing CSC’s cloud adoption .13
8.3 Interaction between CSNs and CSPs .13
8.4 Interaction between CSNs and other CSNs .14
8.4.1 Description of types of CSNs interactions .14
8.4.2 CSN – interaction and responsibilities .14
9 Elements of cloud service agreements (CSAs) relating to CSN interactions .14
9.1 General principles .14
9.2 Role, relationship and agreement .15
9.2.1 Overview .15
9.2.2 Cloud migrations and cloud deployment models .17
9.3 Cloud service level agreement (Cloud SLA) .18
9.3.1 Overview .18
9.3.2 SLA terminology .18
9.3.3 Roles and responsibilities .19
10 Examples of scenarios illustrating CSN activities .19
10.1 Introduction .19
10.2 Reselling of cloud service.20
10.3 Cloud service exchange .21
10.4 Management of cloud service .23
10.4.1 CSN – CSC: Managing the CSC use of cloud service .23
© ISO/IEC 2020 – All rights reserved PROOF/ÉPREUVE iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 23187:2020(E)

10.4.2 CSN – CSP: partnership with a CSP to deliver cloud service .24
10.5 Cloud data management service .26
10.6 Shared services management .27
11 Issues on roles and sub-roles (as illustrated in examples) .28
11.1 General .28
11.2 Cloud computing environment .29
11.3 CSN roles and sub-roles.30
11.3.1 Overview .30
11.3.2 Responsibilities and risks .30
11.4 Cloud service activity and functional components .31
11.5 Supplier relationship in cloud services .31
12 Available standards .32
Bibliography .34
iv PROOF/ÉPREUVE © ISO/IEC 2020 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 23187:2020(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see http:// patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud computing and distributed platforms.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2020 – All rights reserved PROOF/ÉPREUVE v

---------------------- Page: 5 ----------------------
ISO/IEC TR 23187:2020(E)

Introduction
The purpose of this document is to expand on the understanding of the interactions between cloud
service partners (CSNs) and cloud service customers (CSCs), and between CSNs and cloud service
providers (CSPs).
Cloud computing offers solutions to many emerging technologies and it offers many benefits to all cloud
service users (CSUs) and CSCs. The broader requirement for cloud computing solutions is to ensure
organizations have the best capabilities to fulfil their business missions. This has helped to drive the
adoption of cloud services and the marketplace is adjusting to the increasing demands.
In finding and applying appropriate solutions and leveraging the many benefits of using cloud services,
many CSCs use multiple CSPs and various deployment models. In using, sharing, and assessing data,
an understanding and clarification of roles, activities and responsibilities will help to maintain the
security, privacy, confidentiality and integrity of cloud services.
Interactions of CSCs and CSPs with the various CSNs have caused a degree of concern and confusion
in the cloud service marketplace. In some cases, causing harm to CSCs through inappropriate security
controls and the lack of proper cloud service agreements relating to the cloud services being used.
This is in part caused by an inadequate understanding of the relationships involved and by the lack of
standards which might apply to those relationships.
Interactions between CSCs and CSPs have been described in detail in standards documents –
ISO/IEC 17789, ISO 19011, ISO/IEC 19941, ISO/IEC 27017, ISO/IEC 27018 and the ISO/IEC 19086 series.
Interactions of CSNs, a key role in the cloud service environment, with CSCs and CSPs have not been
described in similar detail. This document provides further clarity about those interactions.
This document provides clarification of the concepts provided in ISO/IEC 17788, ISO/IEC 17789, the
ISO/IEC 19086 series, and ISO/IEC 19941 regarding CSNs, and CSN interactions with CSCs and CSPs
with the help of a few exemplary market scenarios. Building on an expanded description of sub-roles
and activities, this document provides guidance on using cloud service agreements (CSAs) and cloud
service level agreements (cloud SLAs) to provide more clarity for CSN interactions.
vi PROOF/ÉPREUVE © ISO/IEC 2020 – All rights reserved

---------------------- Page: 6 ----------------------
TECHNICAL REPORT ISO/IEC TR 23187:2020(E)
Information technology — Cloud computing — Interacting
with cloud service partners (CSNs)
1 Scope
This document provides an overview of and guidance on interactions between cloud service partners
(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud
service roles. In addition, this document describes how cloud service agreements (CSAs) and cloud
service level agreements (cloud SLAs) should be used to address those interactions, including the
following:
— definition of terms and concepts, and provision of an overview for interactions between CSNs and
CSCs and CSPs;
— description of types of CSN interactions;
— description of interactions between CSNs and CSCs;
— description of interactions between CSNs and CSPs;
— description of elements of CSAs and Cloud SLAs for CSN interactions, both with CSPs and with CSCs.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary
ISO/IEC 17789, Information technology — Cloud computing — Reference architecture
ISO/IEC 19086-1, Information technology — Cloud computing — Service level agreement (SLA)
framework — Part 1: Overview and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17788, ISO/IEC 17789,
ISO/IEC 19086-1, and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
audit
systematic, independent and documented process for obtaining objective evidence and evaluating it
objectively to determine the extent to which the audit criteria (3.2) are fulfilled
Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the
organization itself.
Note 2 to entry: External audits include those generally called second and third party audits. Second party audits
are conducted by parties with an interest in the organization, such as customers, or by other individuals on
their behalf. Third party audits are conducted by independent auditing organizations, such as those providing
certification/registration of conformity or governmental agencies.
[SOURCE: ISO 19011:2018, 3.1]
3.2
audit criteria
set of requirements used as a reference against which objective evidence is compared
Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words
“compliance” or “non-compliance” are often used in an audit finding (3.3).
Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements,
contractual obligations, etc.
[SOURCE: ISO 19011:2018, 3.7]
4 Symbols and abbreviated terms
CCRA cloud computing reference architecture
Cloud SLA cloud service level agreement
CSA cloud service agreement
CSC cloud service customer
CSN cloud service partner
CSP cloud service provider
CSU cloud service user
IaaS infrastructure as a service
PaaS platform as a service
PII personally identifiable information
SaaS software as a service
SLA service level agreement
SLO service level objective
SQO service qualitative objective
5 Structure of this document
In supporting the scope presented in Clause 1, this document is faithful to the existing descriptions
of roles and sub-roles as presented in ISO/IEC 17789:2014, 7.2.2 and cloud computing activities in
ISO/IEC 17789:2014, 7.2.1. This document explains the relationship between cloud service partners
(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud
service roles:
Clause 6 – presents the challenges of managing risks relating to roles and activities in cloud services.
Clause 7 – provides an overview of the roles, sub-roles, and responsibilities of cloud service partners
and provides the essential connection to the reference material in ISO/IEC 17789.
Clause 8 – building on Clause 7 and the exemplary scenarios in Clause 10, this clause provides an
overview and description of the types of interactions between cloud service partners (CSNs) and CSPs,
CSCs and other CSNs.
Clause 9 – provides guidance on the use and tailoring of cloud service level agreements (cloud SLAs)
and other agreements with the understanding of the roles, sub-roles and activities of CSNs in relation to
the use of cloud services.
Clause 10 – presents examples that involve CSCs, CSPs, CSNs and demonstrates how different
sub-roles can share the cloud computing activities associated with a given role as described in
ISO/IEC 17789:2014, 7.2.2.
Clause 11 – presents issues relating to the roles, activities and responsibilities.
Clause 12 – identifies existing relevant standards.
6 Relationship of roles and activities, and managing risks in cloud services
6.1 Overview
Cloud computing embraces different cloud service categories, cloud deployment models, cloud
capabilities types, and cloud computing cross cutting aspects. To this end, roles and activities are
critical contributors, and it is often necessary to differentiate requirements and issues for certain
parties (see ISO/IEC 17021-1).
The cloud computing roles and their associated activities and components are defined in ISO/IEC 17788
and ISO/IEC 17789 (CCRA). One of the goals of ISO/IEC 17789, as specified in Clause 6, is “to specify
basic cloud computing activities and functional components, and describe their relationships to each other
and to the environment.” For example, a cloud service broker is a sub-role of a cloud service partner
(CSN) as defined in ISO/IEC 17788 and ISO/IEC 17789. These standards make it clear that a CSN does
not provide cloud services. On the other hand, an inter-cloud provider is a sub-role of a CSP that can and
does provide cloud services.
Note that ISO/IEC 17788 and ISO/IEC 17789 do not claim to describe all possible sub-roles of a CSN;
they initially identified the three sub-roles of cloud service broker, cloud service developer and cloud
auditor. This document extends the ISO/IEC 17789 description of CSNs based on a survey of recent
developments in cloud computing.
The CSP’s role and all its sub-roles, when providing cloud services to a CSC, not only deliver
cloud services but also carry out all activities necessary to safeguard the delivery and
maintenance of those cloud services. ISO/IEC 27017 provides guidelines for the provision and use of
cloud services specifically for CSPs and CSCs. ISO/IEC 27036-4 addresses relationships of CSPs and
CSCs with suppliers of cloud service products 1).
In a cloud computing environment, CSC data is stored, transmitted and processed by one or more cloud
services. A CSC's business processes depend upon the information security of those cloud services.
Without sufficient control over the cloud services, the CSC might need to take extra precautions with its
information security practices.
It is necessary for a CSC or any potential user to be concerned about protecting their data and to have an
appreciation of both the benefits and risks of cloud computing. It would be prudent to have requirements
for higher assurance for data security and privacy regardless of whether they are accessing cloud
services from a CSP or are working with a CSN. The roles and related activities in handling CSC’s data
when delivering cloud services should be understood by all parties to ensure appropriate precautions
and safeguards are in place. When using the service of a CSN, it is pertinent to have some form of
agreement or understanding, to clarify data ownership, who has access to the data, and how data is
being accessed and handled.
1) ISO/IEC 17789:2014, 3.2.2 cloud service product: A cloud service, allied to the set of business terms under
which the cloud service is offered. NOTE – Business terms can include pricing, rating and service levels.
The role and responsibilities of PII processors for protection of personally identifiable information (PII)
in public clouds are specified in ISO/IEC 27018. ISO/IEC 27018 also emphasizes the responsibilities of
the CSP, especially for a public CSP who is processing PII for a CSC, and the contractual relationship
between CSC and CSP. To articulate consistently how data is to be collected and used, the taxonomy and
structured data use statements defined in ISO/IEC 19944 are recommended.
When a potential user or CSC uses direct or indirect contact to search for cloud service products to
meet its mission, the CSC will find offerings from businesses of various sizes with different cloud
deployment models, cloud services, and different cloud capabilities types, such as IaaS, PaaS and SaaS.
The quandary is in determining the providers of the services and their roles in delivering the services,
and the roles and activities of those involved in delivering and using the cloud services.
Following this thought, interactions between CSNs, specifically cloud service brokers, cloud service
developers and cloud auditors, are the focus of the discussion in this document. Interactions in the
delivery and use of cloud services are related activities initiated by one party that influence responsive
activities from another party or parties. The fluidity of the cloud marketplace embraces the flexibility
of all parties and different sub-roles to play multiple and interchanging roles in delivering and using
cloud services.
6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789)
The focus of this document is on roles and related activities, and specifically interactions between cloud
service partners (CSNs) such as cloud service brokers, cloud service developers and cloud auditors,
with other cloud service roles and their related activities. ISO/IEC 17789 (cloud computing reference
architecture, CCRA) covers roles and activities through the lens of the reference architecture user
and functional views. The functional view includes a layering framework that makes up the user layer,
access layer, service layer and resource layer as described in ISO/IEC 17789:2014, 9.1.1. The CCRA also
includes cross cutting aspects, layering framework and operational support systems components and
components relating to the user and functional views. The approach of this document is not to redefine
roles, sub-roles and activities as laid out in ISO/IEC 17789, but it is important to emphasize that roles
can change through interaction of stakeholders during the use of cloud services, and that it may be
possible to expand on these roles and sub-roles in the future. While this document aligns closely
with the roles and activities described in ISO/IEC 17789, it is not necessary to include all components from
ISO/IEC 17789 to support the scope of this document.
7 Overview of roles, sub-roles, and responsibilities of cloud service partners
(CSNs)
7.1 Relationship between roles, activities and responsibilities
As the use of cloud computing increases, the cloud service products evolve and adapt to meet the
demand. Technological development is evolving, and cloud computing is becoming part of the solutions
for the Internet of Things (IoT), edge computing, and artificial intelligence (see ISO/IEC 23167 and
ISO/IEC 23188). To meet the changing environment and increasing demands, the roles, responsibilities
and activities in providing cloud services need to be re-examined in relation to the technological
development and growing adoption of cloud computing.
The diversity of different cloud service offerings is accelerating the need for additional standards. Some
roles and the associated responsibilities described in existing standards need to be further expanded
for the spectrum of offerings as discussed in Clause 12. A party is not defined by a set of activities,
and at any time, can assume more than one rol
...