+SSO-06 Contract Termination Strategy for Service Organisations
---+SSO-06.01B
---+SSO-06.02B

1. Übersicht

SSO-06 Contract Termination Strategy for Service Organisations

-
SSO-06.01B The cloud service provider has defined and documented contract termination or exit strategies for the purchase of services where the risk assessment of the service organisations regarding the scope, complexity and uniqueness of the service provided resulted in a very high dependency (cf. Supplementary Information).

A very high dependency can be assumed in particular if the purchased service is indispensable for the provision of the cloud service. This situation is the case if the cloud service provider:

1. Provides the cloud service from data centres operated by service organisations; or
2. Provides a SaaS service and uses the IaaS or PaaS of another cloud service provider.

A very high dependency can also be assumed if the service cannot be obtained within one month from an alternative service organisation, as:

1. It is unique on the market and no other service organisation can deliver it;
2. It is strongly individualised by the service organisation and/or the cloud service provider;
3. It cannot be supplied by any other service organisation in the required quality of service; or
4. It requires specific knowledge that is only/mainly available to the current service organisation and not to the cloud service provider.

Exit strategies may vary in complexity based on the nature and degree of dependency of the cloud service on third party services and service organisations. Using a cloud service broker is an example of a complex scenario. Aspects listed in SSO-06.02B should be considered based on the results of the cloud service provider's risk assessment. Where a lower degree of dependency has been identified, exit strategies or individual aspects thereof are not mandatory in the sense of this criterion.
SSO-06.02B Exit strategies are aligned with operational continuity plans and include the following aspects:

1. Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service organisation;
2. Definition and allocation of roles, responsibilities and sufficient resources to perform the activities for a transition;
3. Definition of success criteria for the transition; and
4. Definition of indicators for monitoring the performance of services, which should initiate the withdrawal from the service if the results are unacceptable.


A very high dependency can be assumed in particular if the purchased service is indispensable for the provision of the cloud service. This situation is the case if the cloud service provider:

1. Provides the cloud service from data centres operated by service organisations; or
2. Provides a SaaS service and uses the IaaS or PaaS of another cloud service provider.

A very high dependency can also be assumed if the service cannot be obtained within one month from an alternative service organisation, as:

1. It is unique on the market and no other service organisation can deliver it;
2. It is strongly individualised by the service organisation and/or the cloud service provider;
3. It cannot be supplied by any other service organisation in the required quality of service; or
4. It requires specific knowledge that is only/mainly available to the current service organisation and not to the cloud service provider.

Exit strategies may vary in complexity based on the nature and degree of dependency of the cloud service on third party services and service organisations. Using a cloud service broker is an example of a complex scenario. Aspects listed in SSO-06.02B should be considered based on the results of the cloud service provider's risk assessment. Where a lower degree of dependency has been identified, exit strategies or individual aspects thereof are not mandatory in the sense of this criterion.

1.1 Referenzen

1.2 Identifizierte Anforderungen

1.2 Related Regulation

2. Identifizierte Anforderungen

Anforderungen

3. Related Regulations

Regulations
Impressum