ISO/IEC 22123-2

ISO/IEC 22123-2 is an international standard that specifies the core "concepts" in the field of cloud computing. It expands on the "vocabulary" defined in its first part, ISO/IEC 22123-1, providing a stable conceptual foundation for cloud service architecture, deployment models (e.g., public, private), roles, and cross-cutting aspects like security and PII protection. Its goal is to establish a common language and framework for communication, procurement, and regulatory compliance of cloud services globally.

As supply chains increasingly rely on cloud services, a lack of common definitions can create ambiguities in Service Level Agreements (SLAs) with cloud providers, leading to unclear liabilities during service disruptions or data breaches. For high-tech and financial industries, complying with Taiwan's Personal Data Protection Act and FSC regulations on cloud outsourcing is critical. Adopting international standards helps reduce communication costs, clarifies supervisory responsibilities for outsourcing, and ensures customer data is properly protected, thereby mitigating legal risks.

This conceptual standard is foundational for implementing other cloud security standards. It is directly related to: 1. **ISO/IEC 27017**: A code of practice for information security controls for cloud services, providing specific cloud security guidance and clarifying the shared responsibilities between customer and provider. 2. **ISO/IEC 27018**: A code of practice for the protection of Personally Identifiable Information (PII) in public clouds, crucial for handling personal data. 3. **ISO/IEC 27001**: The overall framework for Information Security Management Systems, which many cloud-related standards extend. 4. **Taiwan's Personal Data Protection Act** and specific industry regulations for cloud outsourcing in sectors like finance and insurance.

Winners Consulting is Taiwan's first management consulting firm to integrate ERM, technology law, and IT. Our interdisciplinary team, including ISO Lead Auditors and tech lawyers, helps clarify legal responsibilities with cloud providers and seamlessly integrates standards like ISO 27017 into your existing corporate governance and internal controls. Drawing on our experience with industry leaders like TSMC and MediaTek, we apply our founder's preventive law philosophy to cloud risk assessment, building a robust system that ensures both regulatory compliance and operational resilience, avoiding redundant frameworks.