Shared roles and responsibilities within a cloud computing environment

Organisation must define

• stakeholders relevant to the information security management system
• information security requirements set by these stakeholders

Customer groups or individual significant customers that are important to the organization's operations are usually one of the most important stakeholders, also from the point of view of information security. Other stakeholders are treated through other tasks.

When utilizing or offering cloud services, both service provider and customer can have security responsibilities. Service provider may be responsible for technical cyber security but e.g. customer for access management and providing user guidelines for secure usage.

Responsibilities for shared information security roles towards offered cloud services and utilizing cloud-based data systems must be clearly defined and documented by both the cloud service customer and provider.

The organization must maintain a list of digital services provided and the owners designated for them. The owner is responsible for completing the information in the service and for any other security measures that are closely related to the service.

The documentation related to the digital service includes e.g. the following information:

• The type of digital service offered, the service category and the purpose of use
• Data controller and related processing agreements
• Key partners in the service supply chain and the distribution of security responsibilities (discussed in more detail in a separate task)