prEN ISO 22123-2

SLOVENSKI STANDARD
01-februar-2026
Informacijska tehnologija - Računalništvo v oblaku - 2. del: Koncepti (ISO/IEC
22123-2:2023)
Information technology - Cloud computing - Part 2: Concepts (ISO/IEC 22123-2:2023)
Informationstechnologie - Cloud Computing - Teil 2: Konzepte (ISO/IEC 22123-2:2023)
Technologies de l'information - Informatique en nuage - Partie 2: Concepts (ISO/IEC
22123-2:2023)
Ta slovenski standard je istoveten z: prEN ISO 22123-2
ICS:
01.040.35 Informacijska tehnologija. Information technology
(Slovarji) (Vocabularies)
35.210 Računalništvo v oblaku Cloud computing
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

INTERNATIONAL ISO/IEC
STANDARD 22123-2
First edition
2023-09
Information technology — Cloud
computing —
Part 2:
Concepts
Technologies de l'information — Informatique en nuage —
Partie 2: Concepts
Reference number
ISO/IEC 22123-2:2023(E)
© ISO/IEC 2023
ISO/IEC 22123-2:2023(E)
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
Contents Page
Foreword .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms.2
5 Cloud computing foundational concepts . 3
5.1 General . 3
5.2 Key characteristics of cloud computing . 3
5.2.1 General . 3
5.2.2 Broad network access . 3
5.2.3 Measured service . 4
5.2.4 Multi-tenancy . 4
5.2.5 On-demand self-service . . 4
5.2.6 Rapid elasticity and scalability . 4
5.2.7 Resource pooling . 5
5.3 Cloud capabilities types . 5
5.4 Cloud service categories . 6
5.4.1 General . 6
5.4.2 Software as a service (SaaS) . 6
5.4.3 Platform as a service (PaaS) . 6
5.4.4 Infrastructure as a service (IaaS) . 7
5.4.5 Network as a service (NaaS) . 7
5.4.6 Communications as a service (CaaS) . 8
5.4.7 Compute as a service (CompaaS) . 9
5.4.8 Data storage as a service (DSaaS) . 9
5.5 Cloud deployment models . 9
5.5.1 General . 9
5.5.2 Private cloud deployment model . 10
5.5.3 Public cloud deployment model . 11
5.5.4 Community cloud deployment model .12
5.5.5 Hybrid cloud deployment model . 14
6 Cloud computing parties and roles .15
6.1 Cloud computing parties. 15
6.2 Cloud computing roles .15
6.2.1 General .15
6.2.2 Cloud service customer role . 16
6.2.3 Cloud service provider role . 16
6.2.4 Cloud service partner role . 16
7 Cloud computing cross-cutting aspects .16
7.1 General . 16
7.2 Auditability . 17
7.3 Availability . 17
7.4 Governance . 17
7.5 Interoperability. 18
7.6 Maintenance and versioning . 18
7.7 Performance . 19
7.8 Portability . 19
7.9 Protection of PII . 19
7.10 Regulatory . 20
7.11 Resiliency . 21
7.12 Reversibility . 21
7.13 Security . 22
iii
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
7.14 Service levels and service level agreement . 22
8 Data and cloud services .22
8.1 General .22
8.2 Data processing within cloud services . 23
8.3 Data flow .23
8.4 Processing of data from multiple sources . 23
8.5 Data sharing . 24
9 Virtualization concepts .24
9.1 General . 24
9.2 System hardware virtualization . 24
9.2.1 General . 24
9.2.2 Virtual machines . 24
9.2.3 Hypervisors . 25
9.3 Containers . 25
9.4 Serverless computing .25
9.5 Virtualized networking .25
9.6 Virtualized DSaaS . 25
10 Concepts of cloud computing involving multiple CSPs .26
10.1 General . 26
10.2 Types of cloud computing involving multiple CSPs . 26
10.2.1 General . 26
10.2.2 Multi-cloud computing .26
10.2.3 Inter-cloud computing . 26
10.2.4 Other types of cloud computing involving multiple CSPs .26
10.3 Considerations when using multiple CSPs . 27
10.3.1 Identity and access management . 27
10.3.2 Policy considerations . 27
10.3.3 Management . 27
10.3.4 Operations . 27
11 Organization of cloud computing .27
11.1 Logical organization of cloud computing . 27
11.1.1 Cloud service instance . 27
11.1.2 Multiple cloud services .28
11.2 Physical organization of cloud computing .29
11.2.1 General .29
11.2.2 Cloud service provider .30
11.2.3 Cloud service resources .30
11.2.4 Cloud region . 30
11.2.5 Availability domain or zone .30
11.2.6 Edge computing . 31
11.2.7 Affinity . 31
11.2.8 Geo-dispersion of cloud service instances . 31
Annex A (informative) Cloud service categories .32
Bibliography .34
iv
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud computing and distributed platforms.
This first edition of ISO/IEC 22123-2, together with ISO/IEC 22123-1 cancels and replaces
ISO/IEC 17788:2014, which has been technically revised.
The main changes are as follows:
— cloud computing terminology has been moved to ISO/IEC 22123-1;
— the descriptions of the key characteristics have been expanded;
— the number and descriptions of the cloud service categories have been expanded;
— the cloud deployment model descriptions have been expanded and corrected;
— added differentiation between cloud computing parties and role;
— the descriptions of the cross-cutting aspects have been expanded;
— a new Clause 8 was added to address data and cloud services concepts;
— a new Clause 9 was added to address virtualization concepts;
— a new Clause 10 was added to address considerations when using multiple CSPs;
— a new Clause 11 was added to address logical and physical organization of cloud computing;
— Annex A was expanded to identify additional cloud service categories, not described in this
document.
v
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
A list of all parts in the ISO/IEC 22123 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
vi
© ISO/IEC 2023 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 22123-2:2023(E)
Information technology — Cloud computing —
Part 2:
Concepts
1 Scope
This document specifies concepts used in the field of cloud computing. These concepts expand upon the
cloud computing vocabulary defined in ISO/IEC 22123-1 and provide a foundation for other documents
that are associated with cloud computing.
This document also provides detailed descriptions on the application of these concepts in cloud
computing.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 22123-1, Information technology — Cloud computing — Part 1: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 22123-1 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
PII principal
natural person to whom the personally identifiable information (PII) relates
Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the
synonym “data subject” can also be used instead of the term “PII principal.”
[SOURCE: ISO/IEC 29100:2011, 2.11]
3.2
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing
personally identifiable information (PII) other than natural persons who use data for personal purposes
Note 1 to entry: A PII controller sometimes instructs others [e.g. PII processors (3.3)] to process PII on its behalf
while the responsibility for the processing remains with the PII controller.
[SOURCE: ISO/IEC 29100:2011, 2.10]
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
3.3
PII processor
privacy stakeholder that processes personally identifiable information (PII) on behalf of and in
accordance with the instructions of a PII controller (3.2)
[SOURCE: ISO/IEC 29100:2011, 2.12]
4 Symbols and abbreviated terms
API application programming interface
CaaS communications as a service
CDN content distribution network
CompaaS compute as a service
CPU central processing unit
CSA cloud service agreement
CSC cloud service customer
CSN cloud service partner
CSP cloud service provider
CSU cloud service user
DSA data sharing agreement
DSaaS data storage as a service
FaaS function as a service
IaaS infrastructure as a service
ICT information and communication technology
NaaS network as a service
PaaS platform as a service
PII personally identifiable information
PIMS privacy information management system
PSTN public switched telephone network
RAM random access memory
SaaS software as a service
SLA service level agreement
SLO service level objective
SQO service qualitative objective
TCP/IP transmission control protocol/internet protocol
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
TDM time division multiplexing
VM virtual machine
VPN virtual private network
5 Cloud computing foundational concepts
5.1 General
ISO/IEC 22123-1 defines cloud computing and notes that examples of resources include servers,
operating systems, networks, software, applications, and storage equipment.
The concepts in this document expand upon the cloud computing vocabulary defined in ISO/IEC 22123-1
and provide a foundation for other documents that are associated with cloud computing.
In this document, a name such as cloud service customer (CSC) or cloud service provider (CSP)
represents a cloud computing party while CSC role or CSP role indicates a cloud computing role.
5.2 Key characteristics of cloud computing
5.2.1 General
Subclauses 5.2.2 to 5.2.7 identify and describe key characteristics of cloud computing.
The concept of key characteristics refers to the fundamental properties of cloud computing that
differentiate it from other Information Technology paradigms. Each key characteristic covers specific
properties that are needed by users of cloud computing.
The key characteristics of cloud computing provide a high-level statement of the distinguishing features
of cloud computing. The key characteristics are decomposed in order to understand the concepts of
cloud computing for typical delivery scenarios.
The analysis of a key characteristic is not always definitive because the requirements for delivering a
cloud service can vary depending on the CSC. All the involved parties in the use and provision of cloud
services benefit from a verifiable statement describing what the characteristic means.
5.2.2 Broad network access
Broad network access is a characteristic in which the CSP’s physical and virtual resources are available
over a network and accessed through standard mechanisms that promote use the CSC. The focus of this
key characteristic is that cloud computing offers an increased level of convenience in that users can
access resources from wherever they work, as long as it is network accessible, using a wide variety of
devices such as mobile phones, tablets, laptops, and workstations.
Cloud services are widely accessible using network services from a variety of network providers.
This can include the public internet, an exchange provider’s network or the CSP’s own network.
This characteristic can apply to all cloud deployment models. Access is provided to cloud computing
resources at all required times and locations from any CSC, within policy and security constraints.
Broad network access includes accessibility and interoperability for many forms of cloud service
network including:
— user (client) access to cloud services;
— application access to cloud services;
— peer cloud service interaction (intra- and inter-cloud); and
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
— cloud management and control interaction including the use of application programming interfaces
(APIs).
5.2.3 Measured service
Measured service is a characteristic in which the metered delivery of cloud services is such that usage
can be monitored, controlled, reported, and billed. This is an important feature needed to optimise and
validate the delivered cloud service. The focus of this key characteristic is that the customer only pays
for the resources that they use. From the customers’ perspective, cloud computing offers the users value
by enabling a switch from a low efficiency and asset utilization business model to a high efficiency one.
Measured service can refer to a wide variety of metering functions that can be required for service
operations, administration, maintenance, provisioning, and security. Consumption-based billing
requires that cloud service use be measured using an agreed upon measuring algorithm which can
be specified in a service level agreement (SLA) (see ISO/IEC 19086). Metered cloud services provide
sufficient detail to meet cloud SLA requirements. This can include measurements for the underlying
[15]
virtual and physical resources (see ISO/IEC TR 23613 ).
5.2.4 Multi-tenancy
Multi-tenancy is a characteristic in which physical or virtual resources are allocated in such a way that
multiple tenants and their computations and data are isolated from and inaccessible to one another.
Typically, and within the context of multi-tenancy, the group of cloud service users (CSUs) that form a
tenant all belong to the same CSC. Some cloud computing deployments, particularly public cloud and
community cloud, can have a group of CSUs that are from multiple different CSCs. However, a given
CSC can have many different tenancies with a single CSP representing different groups within the
organization such as by department, division, or subsidiary. In some cases, this is for internal security
and confidentiality. In other cases, it can be for regulatory compliance reasons. This can require identity
and access management.
5.2.5 On-demand self-service
On-demand self-service is a characteristic in which a CSC can provision cloud services, as needed,
automatically or with minimal interaction with the CSP. The focus of this key characteristic is that cloud
computing offers users a relative reduction in costs, time, and effort needed to take an action, since it
grants the user the ability to do what they need, when they need it, without requiring additional human
user interactions or overhead.
The cloud services can be provisioned and configured by the CSC without operator interaction with the
CSP. For example, changing the random access memory (RAM) available or disk space available can be
done without human intervention.
5.2.6 Rapid elasticity and scalability
Cloud services can be rapidly and elastically adjusted, in some cases automatically, to quickly increase
or decrease capacity. For the CSC, the resources of cloud services available for provisioning often appear
to be unlimited and can be purchased in any quantity at any time, subject to constraints of service
agreements. From the perspective of the CSC, there is no longer a concern about limited resources or
possibly capacity planning.
There are two possible directions for scalability with respect to cloud computing. Horizontal scaling is
the term used for scalability where more instances of a given resource are allocated [e.g. running more
virtual machines (VMs) or containers in parallel, each running an instance of the same application].
Vertical scaling is when an increase is made in the size of a resource allocated to a cloud service, for
example when the amount of RAM or the number of central processing units (CPUs) allocated to a single
virtual machine is increased, or the storage capacity of a single storage resource is increased. This can
sometimes necessitate some delay while new capacity is added to an existing resource, in contrast to
horizontal scaling which often has less latency. For a full description of elasticity and scalability, see
[11]
ISO/IEC TS 23167 .
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
The CSP describes the cloud services scalability features including any associated latency and any
limitations. The CSC determines that the cloud service’s scalability features, associated latency and
limitations meet its requirements based on the CSP’s description.
To the CSC, the resources available to a cloud service can be increased or decreased by any amount at
any time, subject to any limitations imposed by the CSP or according to the pre-arranged policies in a
[3]
cloud SLA. For the detailed information, refer to ISO/IEC 19086-1 .
5.2.7 Resource pooling
Resource pooling is a characteristic in which a CSP’s physical or virtual resources can be aggregated to
serve one or more CSCs. CSPs are able to support multi-tenancy while also using abstraction to mask
the complexity of the process from the CSC.
From the CSC’s perspective, all they know is that the service works; they generally have no control or
knowledge over how the resources are being provided or where the resources are located. This offloads
some of the CSC’s original workload, such as maintenance requirements, to the CSP.
Specifying a location at a higher level of abstraction is also possible in some environments.
Resources of a similar type (e.g. compute or storage) can be pooled in support of cloud service provision,
but resources of different types cannot be pooled. The CSC can stipulate that the cloud resources are
not shared by multiple CSCs or by multiple tenants.
Resource pooling includes but is not limited to:
— Two or more share cloud resources from a common resource pool.
— Two or more tenants share cloud resources from a common pool, using a multi-tenant model,
regardless of how many CSCs are served.
The cloud service can appear to the CSC to be location independent because the CSC generally has no
control or knowledge of the precise geographical location where the cloud service is being run. However,
CSCs can generally specify a location for their instances of the cloud service at an abstract level.
5.3 Cloud capabilities types
A cloud capabilities type is a classification of the functionality provided by a cloud service to the CSC,
based on the resources used. Cloud capabilities types follow the principle of separation of concerns, i.e.
they have minimal functionality overlap between each other.
The cloud capabilities types are:
— application capabilities type: A cloud capabilities type in which the CSC can use the CSP’s applications;
— infrastructure capabilities type: A cloud capabilities type in which the CSC can provision and use
processing, storage or networking resources;
— platform capabilities type: A cloud capabilities type in which the CSC can deploy, manage and run
customer-created or customer-acquired applications using one or more programming languages
and one or more execution environments supported by the CSP.
NOTE - In this context “applications” includes scripts, containers, complete programs, partial programs, code
and function libraries, microservices, AI training data, and other forms of compliable or executable software.
There are only three cloud capabilities types defined in this document. These cloud capabilities types should not
be confused with other categorizations of cloud services.
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
5.4 Cloud service categories
5.4.1 General
A cloud service category is a group of cloud services that possess some common set of qualities. A cloud
service category can include capabilities from one or more cloud capabilities types.
The primary determining factors for categorizing a cloud service are:
— the cloud computing capabilities types that are provisioned (application, platform or infrastructure);
— its intended use.
Cloud service categories are typically referred to using something “as a service.”
The three best known cloud service categories are:
— software as a service (SaaS), which offers application capabilities types (5.4.2);
— platform as a service (PaaS), which offers platform capabilities types (5.4.3);
— infrastructure as a service (IaaS), which offers infrastructure capabilities types (5.4.4).
However, there are many other examples of cloud service categories. One example often used in the
telecom industry is network as a service (NaaS) (5.4.5) which offers networking-related application,
platform or infrastructure capabilities types.
Some cloud service categories can offer two or all three of the cloud capabilities types. For example,
communications as a service (CaaS) (5.4.6) can offer both platform and application capabilities types
(see Annex A for more examples).
5.4.2 Software as a service (SaaS)
SaaS is a cloud service category in which the cloud capabilities type (5.3) provided to the CSC is an
application capabilities type.
The cloud service provisioned for the CSC uses the CSP’s software application running on CSP resources.
The use and provision of the cloud service category are in accordance with the cloud service agreement
and its associated cloud SLAs. The applications are accessible from various CSC devices through either
a thin client interface, such as a web browser (e.g. web-based email), or an Application Programming
Interface (API). The customer does not manage or control the underlying resources including network,
servers, operating systems, storage, or even individual application capabilities, with the possible
exception of limited user-specific application configuration settings.
The CSP providing the SaaS product is typically responsible for making all aspects of the software
service available including deploying, configuring, maintaining and updating the operation of the
software applications on the CSP resources. It is worth noting that the entity responsible for making
the service available can be different from the SaaS application developer.
Note that some SaaS services are extensible in that they include limited customer scripting or other
code execution within their own functionality, however the execution of such code is not central to the
service being offered.
5.4.3 Platform as a service (PaaS)
PaaS is a cloud service category in which the cloud capabilities type (5.3) provided to the CSC is a
platform capabilities type.
The capability provided to the CSC is to develop or deploy onto the CSP resources customer-created or
acquired applications created using programming languages, libraries, services, and tools supported
© ISO/IEC 2023 – All rights reserved

ISO/IEC 22123-2:2023(E)
by the CSP. This capability does not necessarily preclude the use of compatible programming languages,
libraries, services, and tools from other sources.
The term “platform” in the PaaS context refers to a development or deployment platform for cloud-
enabled applications. The term “platform” is broadly used in the computing industry. It therefore helps
to understand the context of the term regarding PaaS. PaaS is distinguished from an extensible SaaS or
web application by its primary customers: developers and operations staff versus end users.
The CSC does not manage or control the underlying resources including network, servers, operating
systems, or storage, but has control over the deployed applications and possibly configuration settings
for the application-hosting environment. The CSC can verify the service meets the requirements in
accordance with the cloud service agreement and its associated SLAs. The CSUs of the CSC primarily
design, implement, and deploy applications into the cloud computing environment.
5.4.4 Infrastructure as a service (IaaS)
IaaS is a cloud service category in which the cloud capabilities type (5.3) provided to the CSC is an
infrastructure capabilities type.
The capability provided to the CSC is to provision physical or virtual processing, storage, networks,
and other fundamental computing resources where the customer is able to deploy and run arbitrary
software, which can include operating systems and applications. The CSC does not manage or control
the underlying resources but has control over operating systems, storage, and deployed applications.
They possibly have limited control of select networking components (e.g. host firewalls).
An IaaS service provides, for example, hosting of CSC-defined virtual machine images on a CSP-provided
and operated hypervisor (see Clause 9). Because, in this example, each VM runs directly on virtualised
hardware, there are fewer limits on the software choices available to the CSC, however this flexibility
comes at the cost of requiring management and maintenance of all the software components they select
and deploy.
The CSCs can create, install, monitor, and manage applications deployed in an IaaS cloud service. The
CSC can verify the service meets their requirements in accordance with the cloud service agreement
and its associated SLAs.
The terms “software” and “application” in the IaaS context refers to software and applications sourced
and deployed by the CSC and which remain under the control of the CSC. It is typical that the CSP is
unaware of what this software is and has no control over it. The term “arbitrary software” in this
context means that the CSC can deploy and run any type of software, subject only to any limitations
imposed by the nature of the environment made available by the cloud service.
5.4.5 Network as a service (NaaS)
NaaS is a cloud service category in which the capability provided to the CSC is transport connectivity
and related network capabilities. NaaS can provide the application, platform and infrastructure cloud
capabilities types.
The capability provided to the CSC is to provision and manage physical or virtual network connections.
The CSC does not manage or control the underlying physical network infrastr
...