When offering cloud services, the organisation must clearly and actively inform the customer of the organisation’s geographic location and the countries where the customer's data is stored.
This information can help the customer e.g. in determining the relevant supervisory authorities and jurisdictions when utilizing the cloud service.
When utilizing or offering cloud services, both service provider and customer can have security responsibilities. Service provider may be responsible for technical cyber security but e.g. customer for access management and providing user guidelines for secure usage.
Responsibilities for shared information security roles towards offered cloud services and utilizing cloud-based data systems must be clearly defined and documented by both the cloud service customer and provider.
The organization must maintain a list of digital services provided and the owners designated for them. The owner is responsible for completing the information in the service and for any other security measures that are closely related to the service.
The documentation related to the digital service includes e.g. the following information: