Cloud contracts, SLAs, shared responsibility, and continuous cloud monitoring.

This chapter focuses on the governance side of cloud adoption rather than cloud terminology alone. ISC emphasizes responsibility allocation, contractual risk, and the controls needed when systems are managed across external providers and mixed environments.

Cloud governance questions usually ask who is responsible for a control, what the provider has promised, and how the organization verifies performance. The shared-responsibility model does not eliminate management accountability; it reallocates specific control activities across the customer and provider.

| Governance issue | What to verify | Common ISC trap |
|---|---|---|
| Shared responsibility | Which controls belong to the provider, customer, or both. | Assuming outsourced infrastructure means outsourced accountability. |
| Contract and SLA terms | Availability, security, incident, data, audit, and termination obligations. | Relying on generic vendor assurances instead of enforceable terms. |
| Multi-cloud or hybrid design | Whether inconsistent tools, identities, logging, or policies create gaps. | Evaluating each environment in isolation while missing cross-platform risk. |
| Continuous monitoring | Whether telemetry, alerts, and review procedures detect changing conditions. | Treating a point-in-time review as enough for a dynamic cloud environment. |

| Step | What to establish | Governance implication |
|---|---|---|
| Map the service and deployment model | IaaS, PaaS, SaaS, private, public, hybrid, or multi-cloud. | Service model determines shared responsibility. |
| Review contract commitments | SLA, security, privacy, incident, audit, data ownership, and termination terms. | Governance depends on enforceable obligations. |
| Assign control ownership | Customer controls, provider controls, and shared controls. | Outsourcing does not remove management accountability. |
| Monitor operating evidence | Logs, dashboards, exceptions, SOC reports, incidents, and remediation. | Dynamic environments need ongoing oversight. |
| Plan exit and resilience | Portability, backup, continuity, vendor change, and concentration risk. | Cloud governance includes recovery and exit planning. |

| Checkpoint | Customer focus | Provider focus |
|---|---|---|
| Identity and access | User provisioning, privileged access, MFA, and access reviews. | Platform identity features, logging capabilities, and administrative boundaries. |
| Data protection | Classification, encryption choices, retention, backups, and permitted use. | Storage durability, platform encryption support, availability, and contractual safeguards. |
| Change and configuration | Customer-managed configuration, deployment pipelines, and approved changes. | Platform patching, service changes, and infrastructure maintenance. |
| Monitoring and incidents | Alert review, escalation, remediation, and evidence retention. | Service telemetry, incident notification, and SLA reporting. |
| Exit and resilience | Portability, concentration risk, backup ownership, and continuity planning. | Termination assistance, data return, deletion, and service recovery commitments. |