Indonesian Cloud Market Context
Indonesia's cloud adoption is accelerating. Hyperscalers including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform maintain significant presence in Southeast Asia. Concurrently, local and regional cloud providers — including Indonesian companies — are expanding cloud service offerings. Enterprise clients spanning financial services, manufacturing, e-commerce, and government are increasingly adopting cloud infrastructure for workload migration, application development, and data analytics.
This creates a differentiated opportunity for locally certified cloud providers. Indonesian enterprises and government agencies increasingly prefer cloud providers with local presence, local data residency capability, and independently verified security and service management posture. OJK's cloud guidance for financial institutions creates a regulatory preference for providers with formal IT service management and security certification. Local providers with ISO 20000 and ISO 27001 certification gain competitive advantage over uncertified competitors.
The Badan Siber dan Sandi Negara (BSSN) has raised the profile of cloud security and service management standards for government workloads. Government cloud procurement increasingly includes ISO 20000 and ISO 27001 certification among its qualification criteria.
How ISO 20000 Applies to Cloud Service Providers
A fundamental principle: ISO 20000 applies to any organization providing services. Cloud services — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) — are services in the ISO 20000 sense. The SMS governs how cloud services are managed, not how the underlying technology works.
A cloud provider's SMS does not need to address hypervisor technology, container orchestration, or virtualization architecture in detail. Rather, the SMS addresses how customer incidents are detected and resolved, how customer changes are managed, how service availability is monitored and reported, and how service continuity is planned. The SMS is about service governance, not technology management.
Service Portfolio for Cloud Services
Defining cloud services in the service portfolio requires clarity about service boundaries. A cloud provider typically offers multiple service types: IaaS compute (virtual machines), IaaS storage (object storage, block storage), IaaS networking (virtual networks, load balancers), PaaS database services (managed relational and NoSQL databases), PaaS application services (container platforms, message queues), and SaaS applications (email, productivity suites).
Each service type should be described in the service portfolio with clarity about what the service includes and what is the customer's responsibility. For example, an IaaS compute service description might read: "Managed virtual machine instances with customer choice of operating system, CPU/memory sizing, and region placement. Includes hypervisor availability, automatic failover within region, and 99.9% monthly uptime SLA. Customer responsible for guest OS patching, application patching, and configuration hardening."
Service tiers (standard, premium, dedicated) should be described separately in the service portfolio, with different SLA targets and pricing for each tier. The relationship between the cloud service catalogue and the ISO 20000 service portfolio is direct — the service portfolio documents what is formally managed through the SMS.
SLA Design for Cloud Services
Cloud service SLAs typically express availability as a monthly uptime percentage: 99.9% uptime allows roughly 43 minutes of downtime in a 30-day month (about 44.6 minutes in a 31-day month), and 99.99% allows only about 4.3 minutes. Support SLAs specify incident response and resolution times by severity level. Announced maintenance windows are typically excluded from the uptime calculation; the SLA should state exactly how they are excluded (removed from both the downtime and the measured period, or only from the downtime), because the two conventions produce different figures.
SLA design for cloud providers must be competitive with hyperscaler SLAs while reflecting local provider capabilities. Hyperscaler SLAs for core compute and storage services commonly commit to 99.95% or 99.99% monthly uptime; a local provider offering 99.5% availability will struggle to compete for availability-sensitive workloads. However, a local provider can differentiate on support responsiveness, local presence, and regulatory alignment rather than trying to match global hyperscaler availability targets.
SLA credit regimes are important. If a cloud provider commits to 99.9% uptime, what happens if actual uptime is 99.8%? The SLA should define a credit formula — for example, "If monthly uptime is below 99.9% but at least 99.0%, customer receives 10% service credit; if below 99.0%, customer receives 30% service credit." This aligns provider incentives with customer expectations.
Availability Management for Cloud
Cloud services operate on a multi-tier availability model. Physical infrastructure (power, cooling, networking) must be available. Virtualization and orchestration systems (hypervisors, container platforms) must be available. Customer workloads must be deployed with appropriate redundancy. Each tier has failure modes that may impact customer service availability.
Availability management must monitor all tiers. If a physical network switch fails, that is an infrastructure incident that may be invisible to customers if redundancy is correctly configured. If a hypervisor fails, automatic workload failover may keep services running from a customer perspective. If a customer's workload crashes, that is a customer responsibility unless the customer has purchased high-availability services.
The incident management process must identify the failure layer to enable root cause analysis and repeat prevention. The availability reporting process must distinguish infrastructure availability (the percentage of time that the infrastructure layers are providing service) from service availability (the percentage of time that customer workloads are running). This distinction is critical for setting realistic SLA targets and for managing customer expectations.
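The SLA arithmetic from the previous section and the infrastructure-versus-service availability distinction above, as an added worked example (not code from this page, from Bitlion, or from any provider): it merges overlapping outages so downtime is not double-counted, excludes an announced maintenance window from both the downtime and the measured period, reports infrastructure availability separately from each tenant's service availability, charges only customer-visible infrastructure faults to the provider's SLA, and applies the credit tiers quoted in the SLA design section. The tenants, outages, maintenance window and reporting month are constructed.

```python
"""Monthly SLA accounting for a multi-tenant cloud service.

Illustrative example written for this article; not Bitlion code and not any
provider's production tooling. The outages, tenants, maintenance window and
reporting period below are constructed; the credit tiers are the ones quoted
in the SLA design section (10% below 99.9%, 30% below 99.0%).
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed reporting period: March 2024 (31 days).
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    layer: str                        # "infrastructure" or "customer"
    customer_visible: bool            # False when redundancy absorbed the fault
    tenants: frozenset = frozenset()  # empty means every tenant was affected
    description: str = ""


def _merge(intervals):
    """Union of (start, end) pairs so overlapping outages are counted once."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def _overlap(a, b):
    """Seconds shared by two intervals (0 if disjoint)."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return max(0.0, (hi - lo).total_seconds())


def chargeable_seconds(intervals, maintenance):
    """Merged downtime inside the period, minus time inside maintenance windows."""
    maint = _merge(maintenance)
    total = 0.0
    for s, e in _merge(intervals):
        s, e = max(s, PERIOD_START), min(e, PERIOD_END)  # clip to the period
        if s >= e:
            continue
        total += (e - s).total_seconds() - sum(_overlap((s, e), m) for m in maint)
    return total


def sla_denominator_seconds(maintenance):
    """Measured period with announced maintenance windows removed."""
    return (PERIOD_END - PERIOD_START).total_seconds() - chargeable_seconds(maintenance, [])


def uptime_percent(downtime_s, maintenance):
    denom = sla_denominator_seconds(maintenance)
    return 100.0 * (denom - downtime_s) / denom


def infrastructure_downtime(outages, maintenance):
    """Every infrastructure-layer fault, whether or not customers noticed."""
    return chargeable_seconds([(o.start, o.end) for o in outages
                               if o.layer == "infrastructure"], maintenance)


def tenant_downtime(tenant, outages, maintenance):
    """Provider-attributable, customer-visible downtime for one tenant.

    Customer-layer faults (the customer's own workload crashing) are recorded in
    the incident log but are the customer's responsibility, so they are not
    charged against the provider's SLA.
    """
    return chargeable_seconds([(o.start, o.end) for o in outages
                               if o.layer == "infrastructure" and o.customer_visible
                               and (not o.tenants or tenant in o.tenants)], maintenance)


def service_credit_percent(uptime):
    """Credit tiers from the SLA text: 10% below 99.9%, 30% below 99.0%."""
    if uptime >= 99.9:
        return 0
    if uptime >= 99.0:
        return 10
    return 30


def monthly_report(tenants, outages, maintenance):
    report = {"infrastructure_uptime":
              uptime_percent(infrastructure_downtime(outages, maintenance), maintenance)}
    for t in tenants:
        down = tenant_downtime(t, outages, maintenance)
        up = uptime_percent(down, maintenance)
        report[t] = {"downtime_s": down, "uptime": up, "credit": service_credit_percent(up)}
    return report


# Constructed incident log and announced maintenance window for the month.
MAINTENANCE = [(datetime(2024, 3, 10, 2), datetime(2024, 3, 10, 4))]
OUTAGES = [
    Outage(datetime(2024, 3, 5, 10), datetime(2024, 3, 5, 10, 30), "infrastructure", False,
           description="core switch failed; redundant path carried all traffic"),
    Outage(datetime(2024, 3, 10, 3), datetime(2024, 3, 10, 4, 30), "infrastructure", True,
           description="storage array degraded; overran the maintenance window by 30 min"),
    Outage(datetime(2024, 3, 12, 8), datetime(2024, 3, 12, 9), "infrastructure", True,
           frozenset({"acme", "beta"}), "hypervisor crash; only VMs on that host"),
    Outage(datetime(2024, 3, 12, 8, 30), datetime(2024, 3, 12, 9, 30), "infrastructure", True,
           frozenset({"acme"}), "zone network fault overlapping the hypervisor crash"),
    Outage(datetime(2024, 3, 20, 12), datetime(2024, 3, 20, 14), "customer", True,
           frozenset({"acme"}), "acme application crash (customer responsibility)"),
    Outage(datetime(2024, 3, 25, 0), datetime(2024, 3, 25, 8), "infrastructure", True,
           frozenset({"delta"}), "dedicated host power failure"),
]
TENANTS = ["acme", "beta", "gamma", "delta"]

if __name__ == "__main__":
    for k, v in monthly_report(TENANTS, OUTAGES, MAINTENANCE).items():
        print(k, v)
```

Note the gap the report exposes: infrastructure availability for the month is about 98.58% (the silent switch failure and every host fault count), while tenant gamma's service availability is 99.93% and earns no credit. Publishing only the infrastructure figure would understate the service actually delivered; publishing only tenant figures would hide repeat infrastructure faults from the availability review.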
Capacity Management for Cloud
Capacity management for cloud has unique challenges. Cloud services are elastic — customers provision and deprovision capacity on demand. The cloud provider must manage the underlying physical infrastructure capacity (data center space, power, cooling) to support aggregate customer demand without over-provisioning idle infrastructure.
Capacity planning for a cloud provider includes forecasting aggregate customer demand, planning infrastructure procurement lead times, and managing oversubscription ratios. Most cloud providers oversubscribe: if a data center has 1000 physical CPU cores, the provider may sell 2000 vCPUs, on the assumption that not all customers will fully utilize their allocation simultaneously. The ratio is only safe while the observed concurrent peak (the sum of all tenants' actual usage at the busiest moment, not the sum of each tenant's individual peak) stays below physical capacity with margin for failover, so capacity management must measure that concurrent peak rather than relying on the sold-to-physical ratio alone.
When customer demand approaches capacity limits, the provider must make decisions about rate-limiting new customer sign-ups, restricting existing customer growth, or deploying additional infrastructure. These decisions must be made transparently and must be documented in the SMS.
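The oversubscription and capacity decision logic described above, as an added example (not code from this page or from Bitlion): it computes the sold-to-physical ratio, contrasts the sum of per-tenant peaks with the observed concurrent peak that oversubscription actually has to cover, forecasts when demand growth will consume the safety margin, and returns the actions the text lists when that horizon falls inside the procurement lead time. The pool size, policy limits, growth rate and hourly utilization samples are constructed assumptions.

```python
"""Capacity headroom check for an oversubscribed compute pool.

Added example for this article; not Bitlion code and not any provider's tooling.
All figures are constructed: a 1000-core pool, 2000 vCPU sold to four tenants,
six hourly utilisation samples per tenant (percent of sold vCPU busy), a 10%
safety margin, a three-month procurement lead time and 5%/month demand growth.
"""

PHYSICAL_CORES = 1000
MAX_OVERSUBSCRIPTION = 2.0   # policy: sell at most 2 vCPU per physical core
SAFETY_MARGIN = 0.10         # keep 10% of physical cores free for failover/bursts
PROCUREMENT_LEAD_MONTHS = 3  # time to order, rack and commission new hosts
MONTHLY_GROWTH = 0.05        # forecast growth of the concurrent peak per month

# Constructed: (vCPU sold, hourly utilisation in percent) per tenant.
TENANTS = {
    "acme":  (500, [80, 70, 30, 20, 30, 40]),
    "beta":  (500, [20, 30, 80, 50, 30, 20]),
    "gamma": (500, [30, 30, 40, 80, 60, 30]),
    "delta": (500, [40, 20, 20, 20, 50, 80]),
}


def sold_vcpu(tenants):
    return sum(vcpu for vcpu, _ in tenants.values())


def oversubscription_ratio(tenants, physical=PHYSICAL_CORES):
    """Sold virtual capacity divided by physical capacity (2.0 = 2:1)."""
    return sold_vcpu(tenants) / physical


def sum_of_peaks(tenants):
    """Worst case if every tenant hit its own peak at the same moment."""
    return sum(vcpu * max(util) / 100 for vcpu, util in tenants.values())


def peak_of_sum(tenants):
    """Observed concurrent peak: the load oversubscription really has to cover."""
    hours = len(next(iter(tenants.values()))[1])
    return max(sum(vcpu * util[h] / 100 for vcpu, util in tenants.values())
               for h in range(hours))


def months_until_exhaustion(demand, growth=MONTHLY_GROWTH, physical=PHYSICAL_CORES,
                            margin=SAFETY_MARGIN, horizon=120):
    """Months until compound growth pushes demand past usable capacity.

    Returns 0 if the margin is already consumed and None if it is not reached
    within the horizon (e.g. zero growth).
    """
    usable = physical * (1 - margin)
    for m in range(horizon + 1):
        if demand * (1 + growth) ** m >= usable:
            return m
    return None


def capacity_actions(tenants):
    """The decisions the SMS must document when demand approaches capacity."""
    actions = []
    if oversubscription_ratio(tenants) >= MAX_OVERSUBSCRIPTION:
        actions.append("rate_limit_signups")        # stop selling beyond policy ratio
    months = months_until_exhaustion(peak_of_sum(tenants))
    if months is not None and months <= PROCUREMENT_LEAD_MONTHS:
        actions.append("procure_infrastructure")    # order now or run out first
    return actions


if __name__ == "__main__":
    print("sold vCPU:", sold_vcpu(TENANTS), "ratio:", oversubscription_ratio(TENANTS))
    print("sum of tenant peaks:", sum_of_peaks(TENANTS),
          "concurrent peak:", peak_of_sum(TENANTS))
    print("months until margin exhausted:", months_until_exhaustion(peak_of_sum(TENANTS)))
    print("actions:", capacity_actions(TENANTS))
```

With the constructed data the sum of individual peaks (1600 cores) would exceed the pool, yet the concurrent peak is only 850 cores, which is why the 2:1 ratio has worked so far; at 5% monthly growth that peak crosses the 900-core usable limit in two months, inside the three-month lead time, so the check recommends ordering hardware now as well as pausing new sign-ups at the policy ratio.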
Service Continuity for Cloud
Service continuity for cloud services includes two distinct concepts. First, the cloud provider's own service continuity planning and testing (how the provider maintains service if a data center fails). Second, disaster recovery services that the provider offers to customers (customers can replicate their workloads to multiple regions for geographic redundancy).
The provider's SMS must address both. The provider must document its own business continuity plan, recovery time objective (RTO), and recovery point objective (RPO) in case of disaster. Customers will ask how long the provider will take to recover service if the primary data center fails.
The provider must also document the DR services available to customers — geographic replication, backup and restore, active-active configuration across regions. These services should be described in the service portfolio with clear SLA definitions for replication lag (RPO) and recovery time (RTO) if a region fails.
OJK Cloud Requirements Alignment
OJK has published guidance on cloud adoption by financial institutions. The guidance addresses cloud service provider selection, contract requirements, data sovereignty and residency, audit rights, incident reporting obligations, and service continuity expectations.
A financial institution evaluating a cloud provider must satisfy OJK that the provider meets baseline IT service management and security requirements. For IT service management, ISO 20000 certification provides the most credible evidence. For information security, ISO 27001 certification is the baseline. The combination of ISO 20000 and ISO 27001 certification is the strongest compliance foundation for cloud providers targeting financial sector clients.
OJK also requires that financial institutions retain audit rights: the ability to audit the cloud provider's compliance with agreed terms. Cloud provider contracts must explicitly allow audit by the client and by OJK examiners. ISO 20000 certification does not replace that contractual right, but it can reduce the frequency and burden of client audits because an accredited external auditor has already verified the SMS.
Multi-Tenant Service Management
Cloud services are typically multi-tenant — multiple customers' workloads co-reside on shared physical infrastructure. This creates operational and management challenges distinct from dedicated hosting environments.
Incident management in a multi-tenant environment must identify which tenant is affected. A hypervisor failure affects all customers' virtual machines on that hypervisor. A single customer's application crash affects only that customer. The incident record must clearly identify the scope of impact.
Impact assessment during a shared infrastructure incident requires care. If a storage array fails and multiple customers' data is affected, each customer must be notified of the incident impact on their workload specifically. Customer communication must be clear, timely, and must respect multi-tenant confidentiality — Customer A should not receive information about Customer B's data or infrastructure.
| KEY CONCEPT | Cloud providers must distinguish between infrastructure-level incidents (hypervisor failure, network outage) and customer-impacting incidents (a specific customer's workload is affected). ISO 20000 incident management must operate at the customer service level, not just the infrastructure level. |
| IMPORTANT | For cloud providers targeting OJK-regulated clients, audit rights provisions in contracts are a regulatory requirement: contracts must allow OJK or the regulated client's auditors to audit the cloud provider's SMS. ISO 20000 certification can reduce the frequency and burden of such audits but does not remove the contractual obligation. |
| BITLION INSIGHT | Bitlion GRC cloud service management templates and OJK cloud compliance mapping for Indonesian cloud providers. |
Cloud Service Portfolio Design
| Service Type | Service Description Template | Key SLOs | OJK Compliance Consideration |
|---|---|---|---|
| IaaS Compute | Virtual machine instances; customer selects OS; auto-failover within region; customer responsible for guest OS and application patching | 99.9% uptime SLA; <5min failover; 99.99% data durability | Document data residency (must be in Indonesia); clarify backup retention policy; define audit access rights |
| IaaS Storage (Object) | Highly available object storage; multiple geographic replication options; RESTful API access | 99.9% availability SLA; <100ms replication lag with active-active; versioning and point-in-time recovery | Ensure data encryption at rest and in transit; define data deletion confirmation process; audit trail logging |
| PaaS Database | Managed relational or NoSQL database; automated backup; point-in-time recovery; multi-AZ replication option | 99.95% uptime SLA; RPO <1 hour; RTO <15 min; automated patching without downtime | Support BSSN database security hardening; define data export capability for customer portability; backup encryption required |
| SaaS Application | Managed application service; customer data isolation; single-tenant database per customer or multi-tenant with encryption | 99.9% uptime SLA; <4 hour incident response; <24 hour resolution target | Document data location and residency; define incident notification process; maintain audit logs; support customer incident investigation |