IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) describe three abstraction levels of cloud services. With IaaS you rent virtual machines and networks — you are responsible for the operating system and application. PaaS additionally provides the runtime environment so you can focus on application code. With SaaS you use a ready-made application through the browser. For your ISMS, the key question is which security responsibilities rest with you and which with the provider (Shared Responsibility Model). The higher the abstraction, the fewer technical controls you implement yourself — but supplier governance becomes more important. Document the service model of each cloud service in your asset inventory.