TECHNICAL ISO/IEC TR REPORT 22678 First edition 2019-01 Information technology Cloud computing Guidance for policy development Reference number IEC ISO/IEC TR 22678:2019(E) @IS0/IEC2019 IS0/IEC TR 22678:2019(E) COPYRIGHTPROTECTEDDOCUMENT @ IS0/IEC 2019 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either IsO at the address below or Iso's member body in the country of the requester. ISO copyright office CP 401 : Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +4122 749 0111 Fax: +41 22 749 09 47 Email: [email protected] Website: www.iso.org Published in Switzerland ii @ IS0/IEC 2019 - All rights reserved IS0/IEC TR 22678:2019(E) Contents Page Foreword ..V Introduction. ...vi 1 Scope 2 Normative references 3 Terms and definitions 4 Abbreviated terms ..2 5 Summary of this document ..3 5.1 Purpose of this document. .3 5.2 Intendedaudience ..3 5.3 How to use this document .4 6 Understanding cloud computing aspects for policy development .4 6.1 Introduction.. ..4 6.2 Cloud computing essential characteristics .4 6.2.1 Standard definition of cloud computing.. ..4 6.2.2 Essential characteristics of cloud computing (from IS0/IEC 17788) 4 6.3 Majorbenefitsofcloudcomputing. ..5 6.3.1 Benefits for cloud service customers (CSCs) .5 6.3.2 Benefits for society 6.4 Implications for policy makers .7 6.4.1 Shared responsibilities 7 6.4.2 Cloud services which are deployed and managed across multiple jurisdictions... 6.4.3 Economics of managing a global cloud service .8 6.4.4 What global, scalable public cloud computing makes possible 6.4.5 Implications of service scale and velocity .9 6.4.6 Implications of continuous development. 10 6.4.7 Implications of multi-tenant cloud services. .10 6.4.8 Implications of geographical restrictions ..10 6.4.9 The need for cloud service data categorisation and classification ..11 6.4.10 Interoperability and portability. ..12 6.4.11 Trust and transparency. .13 6.4.12 Exceptional circumstances .14 6.4.13 Compliance, certification, audit ..15 6.4.14 Challenges for small and medium sized enterprise (SME) adoption ..15 7 Using international standards to assist in developing policies that cover cloud .16 computing 7.1 International standards relevant to cloud computing policy development. .16 7.1.1 IS0/IEC 19086 series of standards as applicable to trust and transparency .19 7.1.2 ISo/IEC 19944 as applicable to clarify data concepts. 20 7.1.3 ISo/IEC 27552, Privacy information management systems. .21 7.2 Other significant standards, specifications, and documents. .22 8 Considerations when developing policy .22 8.1 Considerations for regulatory policy .22 8.1.1 General. 22 8.1.2 Multi-tenant issues .23 8.1.3 Avoiding unnecessary barriers to cloud adoption. 23 8.1.4 Trust and transparency. 24 8.1.5 Interoperability and portability 24 8.1.6 Security and privacy .25 8.2 Considerations for advisory policy 25 8.2.1 General. 25 8.2.2 Promotion of cloud technology adoption .26 @ IS0/IEC 2019 - All rights reserved iii