Information technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and concepts

ISO/IEC 19086-1:2016 seeks to establish a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs). This document specifies a) an overview of cloud SLAs, b) identification of the relationship between the cloud service agreement and the cloud SLA, c) concepts that can be used to build cloud SLAs, and d) terms commonly used in cloud SLAs. ISO/IEC 19086-1:2016 is for the benefit and use of both cloud service providers and cloud service customers. The aim is to avoid confusion and facilitate a common understanding between cloud service providers and cloud service customers. Cloud service agreements and their associated cloud SLAs vary between cloud service providers, and in some cases different cloud service customers can negotiate different contract terms with the same cloud service provider for the same cloud service. This document aims to assist cloud service customers when they compare cloud services from different cloud service providers. ISO/IEC 19086-1:2016 does not provide a standard structure that can be used for a cloud SLA or a standard set of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that will apply to all cloud services or all cloud service providers. This approach provides flexibility for cloud service providers in tailoring their cloud SLAs to the particular characteristics of the offered cloud services. ISO/IEC 19086-1:2016 does not supersede any legal requirement.

Technologies de l'information — Informatique en nuage — Cadre de travail de l'accord du niveau de service — Partie 1: Aperçu général et concepts

General Information

Status
Published
Publication Date
20-Sep-2016
Current Stage
9093 - International Standard confirmed
Start Date
03-Dec-2021
Completion Date
03-Dec-2021
Ref Project

Buy Standard

Standard
ISO/IEC 19086-1:2016 - Information technology -- Cloud computing -- Service level agreement (SLA) framework
English language
34 pages
sale 15% off
Preview
sale 15% off
Preview
Standard
ISO/IEC 19086-1:2016 - Information technology -- Cloud computing -- Service level agreement (SLA) framework
English language
34 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 19086-1
First edition
2016-09-15
Information technology — Cloud
computing — Service level agreement
(SLA) framework —
Part 1:
Overview and concepts
Technologies de l’information — Informatique en nuage — Cadre de
travail de l’accord du niveau de service —
Partie 1: Aperçu général et concepts
Reference number
ISO/IEC 19086-1:2016(E)
ISO/IEC 2016
---------------------- Page: 1 ----------------------
ISO/IEC 19086-1:2016(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form

or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior

written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of

the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 19086-1:2016(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 4

5 Overview of SLAs for cloud services ................................................................................................................................................. 5

6 Relationship between the cloud service agreement and cloud SLAs .............................................................6

7 Cloud SLA management best practices .......................................................................................................................................... 7

7.1 General ........................................................................................................................................................................................................... 7

7.2 Design ............................................................................................................................................................................................................. 7

7.3 Evaluation and acceptance ........................................................................................................................................................... 7

7.4 Implementation and execution ................................................................................................................................................. 8

7.5 Changes to the cloud SLA ............................................................................................................................................................... 8

8 The role of cloud service level objectives, cloud service qualitative objectives,

metrics, remedies and exceptions in the cloud SLA ......................................................................................................... 8

8.1 General ........................................................................................................................................................................................................... 8

8.2 Metrics ............................................................................................................................................................................................................ 8

8.3 SLOs and SQOs ......................................................................................................................................................................................... 9

8.3.1 Service levels ....................................................................................................................................................................... 9

8.3.2 Cloud service level objectives ............................................................................................................................... 9

8.3.3 Cloud service qualitative objectives ................................................................................................................ 9

8.4 Remedies and claims ......................................................................................................................................................................10

8.4.1 Remedies .............................................................................................................................................................................10

8.4.2 Claims process ................................................................................................................................................................10

8.5 Exceptions ................................................................................................................................................................................................10

9 Cloud SLA components ................................................................................................................................................................................10

9.1 General ........................................................................................................................................................................................................10

9.2 Covered services component ...................................................................................................................................................10

9.2.1 Description .................. .................................................... ...................................................................................................10

9.2.2 Relevance ...................................................................... .......................................................................................................11

9.3 Cloud SLA definitions component .......................................................................................................................................11

9.3.1 Description .................. .................................................... ...................................................................................................11

9.3.2 Relevance ...................................................................... .......................................................................................................11

9.4 Service monitoring component .............................................................................................................................................11

9.4.1 Description .................. .................................................... ...................................................................................................11

9.4.2 Relevance ...................................................................... .......................................................................................................11

9.4.3 Cloud service qualitative objectives .............................................................................................................11

9.5 Roles and responsibilities component ............................................................................................................................11

9.5.1 Description .................. .................................................... ...................................................................................................11

9.5.2 Relevance ...................................................................... .......................................................................................................12

10 Cloud SLA content areas and their components ...............................................................................................................12

10.1 General ........................................................................................................................................................................................................12

10.2 Accessibility content area ...........................................................................................................................................................12

10.2.1 Accessibility component ........................................................................................................................................12

10.3 Availability content area ..............................................................................................................................................................13

10.3.1 Availability component ...........................................................................................................................................13

10.4 Cloud service performance content area ......................................................................................................................13

10.4.1 General...................................................................................................................................................................................13

10.4.2 Cloud service response time component .................................................................................................13

© ISO/IEC 2016 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 19086-1:2016(E)

10.4.3 Cloud service capacity component................................................................................................................14

10.4.4 Elasticity component ........................................................................................................................................... ......15

10.5 Protection of personally identifiable information (PII) content area...................................................16

10.5.1 Protection of PII component ...............................................................................................................................16

10.6 Information Security content area ......................................................................................................................................17

10.6.1 Information Security component ...................................................................................................................17

10.7 Termination of service content area .................................................................................................................................18

10.7.1 Termination of service component ...............................................................................................................18

10.8 Cloud service support content area ...................................................................................................................................19

10.8.1 Cloud service support component ................................................................................................................19

10.9 Governance content area ......... ....................................................................................................................................................21

10.9.1 Governance component ..........................................................................................................................................21

10.10 Changes to the cloud service features and functionality content area ................................................22

10.10.1 Changes to the cloud service features and functionality component .............................22

10.11 Service reliability content area ..............................................................................................................................................23

10.11.1 General...................................................................................................................................................................................23

10.11.2 Service resilience/fault tolerance component ....................................................................................23

10.11.3 Customer data backup and restore component .................................................................................24

10.11.4 Disaster recovery component............................................................................................................................25

10.12 Data management content area ............................................................................................................................................26

10.12.1 General...................................................................................................................................................................................26

10.12.2 Intellectual property rights (IPR) component ....................................................................................27

10.12.3 Cloud service customer data component ................................................................................................27

10.12.4 Cloud service provider data component ..................................................................................................28

10.12.5 Account data component .......................................................................................................................................28

10.12.6 Derived Data component .......................................................................................................................................28

10.12.7 Data portability component ................................................................................................................................29

10.12.8 Data deletion component ......................................................................................................................................29

10.12.9 Data location component.......................................................................................................................................30

10.12.10 ........................................................................................................................................................

Data examination component ...........................................................................................................................31

10.12.11 ........................................................................................................................................................

Law enforcement access component ..........................................................................................................31

10.13 Attestations, certifications and audits content area ............................................................................................31

10.13.1 Attestations, certifications and audits component..........................................................................31

Bibliography .............................................................................................................................................................................................................................33

iv © ISO/IEC 2016 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 19086-1:2016(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work. In the field of information technology, ISO and IEC have established a joint technical committee,

ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity

assessment, as well as information about ISO’s adherence to the WTO principles in the Technical

Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee

SC 38, Cloud computing and distributed platforms.
A list of all parts in the ISO/IEC 19086 series can be found on the ISO website.
© ISO/IEC 2016 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 19086-1:2016(E)
Introduction

This document provides an overview, foundational concepts, and definitions for the cloud SLA

framework. ISO/IEC 19086 builds on the cloud computing concepts defined in ISO/IEC 17788 and

ISO/IEC 17789. This document establishes a common framework for helping organizations to

understand the purpose of all the parts of ISO/IEC 19086 and the relationships between those parts.

It also identifies other documents that have relationships with ISO/IEC 19086 and which are useful in

understanding cloud SLAs.

This document can be used by any organization or individual involved in the creation, modification

or understanding of a cloud service level agreement which conforms to ISO/IEC 19086. The cloud SLA

should account for the key characteristics of a cloud computing service and needs to facilitate a common

understanding between cloud service providers and cloud service customers.

In particular, it defines the following fundamental concepts of the cloud SLA framework:

— Cloud Service Agreement (CSA)
— Cloud Service Level Agreement (SLA)
— Cloud Service Level Objectives (SLO)
— Cloud Service Qualitative Objectives (SQO)

This document also describes the content areas and components that consist of a list of SLOs and SQOs.

— ISO/IEC 19086-2 provides the metrics model to be used for creating metrics used in SLOs and SQOs.

— ISO/IEC 19086-3 provides the core conformance requirements derived from the SLOs and SQOs

defined in this document.

— ISO/IEC 19086-4 builds upon the foundational concepts and definitions described by this document

by describing specific components and the conformance requirements for SLOs and SQOs in the

area of Security and Privacy.
More specifically, this document

a) promotes cohesion between the parts of ISO/IEC 19086 by explaining the concepts and terminology

used across all parts,

b) contributes to the understanding of ISO/IEC 19086 by clarifying the relationships between all the

parts, and

c) provides an overview of other International Standards which can be used in combination with

ISO/IEC 19086.

Figure 1 represents an overview of the content of ISO/IEC 19086 and the relationships between the

parts of ISO/IEC 19086 and other key International Standards relating to cloud computing.

vi © ISO/IEC 2016 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC 19086-1:2016(E)

Figure 1 — Relationship of parts of ISO/IEC 19086 and other cloud computing standards

This document addresses the contents of a cloud SLA in two main groupings: SLA Components,

addressed in Clause 9, and SLA Content Areas, addressed in Clause 10, as shown in Figure 2.

Figure 2 — SLA components and SLA content areas
© ISO/IEC 2016 – All rights reserved vii
---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO/IEC 19086-1:2016(E)
Information technology — Cloud computing — Service
level agreement (SLA) framework —
Part 1:
Overview and concepts
1 Scope

This document seeks to establish a set of common cloud SLA building blocks (concepts, terms,

definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs).

This document specifies
a) an overview of cloud SLAs,

b) identification of the relationship between the cloud service agreement and the cloud SLA,

c) concepts that can be used to build cloud SLAs, and
d) terms commonly used in cloud SLAs.

This document is for the benefit and use of both cloud service providers and cloud service customers.

The aim is to avoid confusion and facilitate a common understanding between cloud service providers

and cloud service customers. Cloud service agreements and their associated cloud SLAs vary between

cloud service providers, and in some cases different cloud service customers can negotiate different

contract terms with the same cloud service provider for the same cloud service. This document aims

to assist cloud service customers when they compare cloud services from different cloud service

providers.

This document does not provide a standard structure that can be used for a cloud SLA or a standard set

of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that will apply

to all cloud services or all cloud service providers. This approach provides flexibility for cloud service

providers in tailoring their cloud SLAs to the particular characteristics of the offered cloud services.

This document does not supersede any legal requirement.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17788:2014, Information technology — Cloud computing — Overview and vocabulary

ISO/IEC 17789,Information technology — Cloud computing — Reference architecture
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17788 and the

following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/
© ISO/IEC 2016 – All rights reserved 1
---------------------- Page: 8 ----------------------
ISO/IEC 19086-1:2016(E)
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
accessibility

usability of a product, service, environment or facility by people within the widest range of capabilities

Note 1 to entry: The concept of accessibility addresses the full range of user capabilities and is not limited to

users who are formally recognized as having disability.

Note 2 to entry: The usability-oriented concept of accessibility aims to achieve levels of effectiveness, efficiency

and satisfaction that are as high as possible considering the specified context of use, while paying attention to

the full range of capabilities within the user population.

Note 3 to entry: It is important in the context of ISO/IEC 19086 to distinguish between the specialized meaning

of “accessibility” as defined here and the term “accessible” which is used with its dictionary meaning of “able to

be reached or entered.”
[SOURCE: ISO 9241-171:2008, 3.2]
3.2
business continuity

capability of the organization to continue delivery of products or services at acceptable predefined

levels following disruptive incident
[SOURCE: ISO/IEC 22301:2012, 3.3]
3.3
cloud service agreement

documented agreement between the cloud service provider and cloud service customer that governs

the covered service(s)

Note 1 to entry: A cloud service agreement can consist of one or more parts recorded in one or more documents.

3.4
cloud service level agreement
cloud SLA

part of the cloud service agreement (3.3) that includes cloud service level objectives (3.5) and cloud

service qualitative objectives (3.6) for the covered cloud service(s)
3.5
cloud service level objective
SLO

commitment a cloud service provider makes for a specific, quantitative characteristic of a cloud service,

where the value follows the interval scale (3.9) or ratio scale (3.17)
Note 1 to entry: An SLO commitment may be expressed as a range.
3.6
cloud service qualitative objective
SQO

commitment a cloud service provider makes for a specific, qualitative characteristic of a cloud service,

where the value follows the nominal scale (3.11) or ordinal scale (3.12)

Note 1 to entry: A cloud service qualitative objective may be expressed as an enumerated list.

Note 2 to entry: Qualitative characteristics typically require human interpretation.

Note 3 to entry: The ordinal scale allows for existence/non-existence.
2 © ISO/IEC 2016 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 19086-1:2016(E)
3.7
disaster recovery

ability of the ICT elements of an organization to support its critical business functions to an acceptable

level within a predetermined period of time following a disaster
[SOURCE: ISO/IEC 27031:2011, 3.7]
3.8
failure notification policy

policy specifying the processes by which the cloud service customer and cloud service partner can

notify the cloud service provider of a service outage and by which the cloud service provider can notify

the cloud service customer and cloud service partner that a service outage has occurred.

Note 1 to entry: The policy may also include the process for providing updates on service outages, who receives

notifications and updates, the maximum time between the detection of a service outage and the issuance of a

notice of service outage, the maximum time interval between service outage updates and how service outage

updates are described.
3.9
interval scale

continuous scale or discrete scale with equal sized scale values and an arbitrary zero

[SOURCE: ISO 3534-2:2006, 1.1.8]
3.10
metric

standard of measurement that defines the conditions and the rules for performing the measurement

and for understanding the results of a measurement
Note 1 to entry: A metric implements a particular abstract metric concept.

Note 2 to entry: A metric is to be applied in practice within a given context that requires specific properties to be

measured, at a given time(s) for a specific goal.
3.11
nominal scale
scale with unordered labelled categories or ordered by convention
[SOURCE: ISO 3534-2:2006, 1.1.6]
3.12
ordinal scale
scale with ordered labelled categories
[SOURCE: ISO 3534-2:2006, 1.1.7]
3.13
personally identifiable information
PII

any information that (a) can be used to identify the PII principal to whom such information relates, or

(b) is or might be directly or indirectly linked to a PII principal

Note 1 to entry: To determine whether a PII principal is identifiable, account should be taken of all the means

which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that

natural person.
[SOURCE: ISO/IEC 29100:2011, 2.9]
© ISO/IEC 2016 – All rights reserved 3
---------------------- Page: 10 ----------------------
ISO/IEC 19086-1:2016(E)
3.14
PII controller

privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing

personally identifiable information (PII) other than natural persons who use data for personal purposes

[SOURCE: ISO/IEC 29100:2011, 2.10]
3.15
PII principal
natural person to whom the personally identifiable information (PII) relates
[SOURCE: ISO/IEC 29100:2011, 2.11]
3.16
PII processor

privacy stakeholder that processes personally identifiable information (PII) on behalf of and in

accordance with the instructions of a PII controller
[SOURCE: ISO/IEC 29100:2011, 2.12]
3.17
ratio scale

continuous scale with equal sized scale values and an absolute or natural zero point

[SOURCE: ISO 3534-2:2006, 1.1.9]
3.18
remedy
compensation available to the cloud service customer in the event the cloud serv
...

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 19086-1
ISO/IEC JTC 1/SC 38 Secretariat: ANSI
Voting begins on: Voting terminates on:
2016-01-04 2016-04-04
Information technology — Cloud computing — Service
level agreement (SLA) framework —
Part 1:
Overview and concepts
Titre manque
ICS: 35.020
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 19086-1:2015(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2015
---------------------- Page: 1 ----------------------
ISO/IEC DIS 19086-1:2015(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form

or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior

written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of

the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 19086-1
Contents Page
Foreword v
  Scope 1

  Normative references .................................................................................................................................. 1

  Terms and definitions ................................................................................................................................. 1

  Symbols and abbreviated terms ................................................................................................................ 4

  Overview of SLAs for cloud services ........................................................................................................ 5

  Relationship between the cloud service agreement and SLAs .............................................................. 6

  Cloud SLA management best practices .................................................................................................... 7

7.1

  General ...................................................................................................................................................... 7

7.2

  Design ....................................................................................................................................................... 7

7.3

  Evaluation and acceptance ..................................................................................................................... 7

7.4

  Implementation and execution ................................................................................................................ 8

7.5

  Changes to the cloud SLA ....................................................................................................................... 8

  The role of cloud service level objectives, cloud service qualitative objectives, metrics,

remedies, and exceptions in the SLA ................................................................................................. 8

8.1

  General ...................................................................................................................................................... 8

8.2

  Metrics ....................................................................................................................................................... 8

8.3

  Service levels ............................................................................................................................................ 9

8.3.1

  Cloud service level objectives ............................................................................................................. 9

8.3.2

  Cloud service qualitative objectives ................................................................................................... 9

8.4

  Remedies ................................................................................................................................................ 10

8.4.1

  Claims process .................................................................................................................................... 10

8.5

  Exceptions .............................................................................................................................................. 10

  Cloud SLA components ............................................................................................................................ 10

9.1

  General .................................................................................................................................................... 10

9.2

  Covered services component ............................................................................................................... 10

9.2.1

  Description ........................................................................................................................................... 10

9.2.2

  Relevance ............................................................................................................................................. 11

9.3

  Cloud SLA definitions component ....................................................................................................... 11

9.3.1

  Description ........................................................................................................................................... 11

9.3.2

  Relevance ............................................................................................................................................. 11

9.4

  Service monitoring component ............................................................................................................ 11

9.4.1

  Description ........................................................................................................................................... 11

9.4.2

  Relevance ............................................................................................................................................. 11

9.4.3

  Cloud service qualitative objectives ................................................................................................. 11

9.5

  Roles and responsibilities component ................................................................................................ 11

9.5.1

  Description ........................................................................................................................................... 11

9.5.2

  Relevance ............................................................................................................................................. 12

  Cloud SLA content areas ........................................................................................................................ 12

10.1

  General .................................................................................................................................................. 12

10.2

  Accessibility content area ................................................................................................................... 12

10.2.1

  Accessibility component ................................................................................................................... 12

10.3

  Availability content area ...................................................................................................................... 13

10.3.1

  Availability component ...................................................................................................................... 13

10.4

  Cloud service performance content area ........................................................................................... 13

10.4.1

  General ................................................................................................................................................ 13

10.4.2

  Cloud service response time component ........................................................................................ 13

© ISO/IEC 2015 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 19086-1
10.4.3

  Cloud service capacity component ................................................................................................... 14

10.4.4

  Elasticity component .......................................................................................................................... 15

10.5

  Protection of personally identifiable information (PII) content area ............................................... 16

10.5.1

  Protection of PII component .............................................................................................................. 16

10.6

  Information Security content area ...................................................................................................... 17

10.6.1

  Information Security component ....................................................................................................... 17

10.7

  Termination of service content area ................................................................................................... 18

10.7.1

  Termination of service component ................................................................................................... 18

10.8

  Cloud service support content area ................................................................................................... 20

10.8.1

  Cloud service support component .................................................................................................... 20

10.9

  Governance content area .................................................................................................................... 22

10.9.1

  Governance component ..................................................................................................................... 22

10.10

  Changes to the cloud service features and functionality content area ......................................... 23

10.10.1

 Changes to the cloud service features and functionality component ........................................... 23

10.11

  Service reliability content area .......................................................................................................... 24

10.11.1

 General ................................................................................................................................................ 24

10.11.2

 Service resilience/fault tolerance component .................................................................................. 24

10.11.3

 Customer data backup and restore component .............................................................................. 24

10.11.4

 Disaster recovery component ........................................................................................................... 26

10.12

  Data management content area ......................................................................................................... 27

10.12.1

 General ................................................................................................................................................ 27

10.12.2

 Intellectual property rights (IPR) component ................................................................................... 27

10.12.3

 Cloud service customer data component ........................................................................................ 28

10.12.4

 Cloud service provider data componen ........................................................................................... 28

10.12.5

 Account data component ................................................................................................................... 29

10.12.6

 Derived Data component ................................................................................................................... 29

10.12.7

 Data portability component ............................................................................................................... 30

10.12.8

 Data deletion component ................................................................................................................... 30

10.12.9

 Data location component ................................................................................................................... 31

10.12.10

  Data examination component ...................................................................................................... 31

10.12.11

  Law enforcement access component .......................................................................................... 32

10.13

  Attestations, certifications and audits content area ....................................................................... 32

10.13.1

 Attestations, certifications and audits component ......................................................................... 32

Bibliography ..................................................................................................................................................... 34

iv © ISO/IEC 2015 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 19086-1
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are members of

ISO or IEC participate in the development of International Standards through technical committees

established by the respective organization to deal with particular fields of technical activity. ISO and IEC

technical committees collaborate in fields of mutual interest. Other international organizations, governmental

and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information

technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International

Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as

an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent

rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 19086-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 38, Cloud Computing and Distributed Platforms.

ISO/IEC 19086 consists of the following parts, under the general title Information technology — Cloud

computing ─ Service Level Agreement (SLA) framework:
⎯ Part 1: Overview and concepts
⎯ Part 2: Metrics
⎯ Part 3: Core requirements
⎯ Part 4: Security & Privacy
© ISO/IEC 2015 – All rights reserved v
---------------------- Page: 5 ----------------------
COMMITTEE DRAFT ISO/IEC DIS 19086-1
1 Information technology — Cloud computing ─ Service Level
2 Agreement (SLA) framework — Part 1: Overview and concepts
3 1 Scope

4 This International Standard specifies an overview of Service Level Agreements (SLA)s for cloud services,

5 identification of the relationship between the cloud service agreement and the SLA, concepts that can be

6 used to build cloud SLAs, and terms commonly used in SLAs for cloud services. This standard is for the

7 benefit and use of both cloud service provider and cloud service customer.

8 This International Standard does not provide a standard structure that can be used for a cloud SLA or a

9 standard set of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that

10 will apply to all cloud services or all cloud service providers. Contracts vary between cloud service providers,

11 and in some cases different cloud service customers can negotiate different contract terms with the same

12 cloud service provider for the same cloud service, so this standard seeks to establish a set of common

13 cloud SLA building blocks (concepts, terms, definitions, contexts) that can then be used to create cloud

14 SLAs that help avoid confusion and facilitates a common understanding between cloud service providers

15 and cloud service customers.
16 This International Standard does not supersede any legal requirement.
17 2 Normative references

18 The following referenced documents are indispensable for the application of this document. For dated

19 references, only the edition cited applies. For undated references, the latest edition of the referenced

20 document (including any amendments) applies.

21 Recommendation ITU-T Y.3500 | ISO/IEC 17788:2014, Information technology — Cloud computing —

22 Overview and vocabulary

23 Recommendation ITU-T Y.3502 | ISO/IEC 17789:2014, Information technology — Cloud computing —

24 Reference architecture
25 3 Terms and definitions

26 For the purposes of this document, the terms and definitions given in Rec. ITU-T Y.3500 | ISO/IEC 17788

27 and the following definitions apply.
28 3.1
29 accessibility

30 usability of a product, service, environment or facility by people within the widest range of capabilities

31 Note 1 to entry: The concept of accessibility addresses the full range of user capabilities and is not limited

32 to users who are formally recognized as having disability.
© ISO/IEC 2015 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC DIS 19086-1

33 Note 2 to entry: The usability-oriented concept of accessibility aims to achieve levels of effectiveness,

34 efficiency and satisfaction that are as high as possible considering the specified context of use, while

35 paying attention to the full range of capabilities within the user population.

36 Note 3 to entry: It is important in the context of ISO/IEC 19086 to distinguish between the specialized

37 meaning of “accessibility” as defined here and the term “accessible” which is used with its dictionary

38 meaning of “able to be reached or entered”.
39 [SOURCE: ISO 9241-171:2008, 3.2]
40 3.2
41 cloud service agreement

42 documented agreement between the cloud service provider and cloud service customer that governs the

43 covered service(s)

45 Note 1 to entry: A cloud service agreement can consist of one or more parts recorded in one or more

46 documents
48 3.3
49 failure notification policy

50 policy specifying the processes by which the cloud service customer and cloud service partner can notify

51 the cloud service provider of a service outage and by which the cloud service provider can notify the cloud

52 service customer and cloud service partner that a service outage has occurred.

53 Note 1 to entry: The policy may also include the process for providing updates on service outages, who

54 receives notifications and updates, the maximum time between the detection of a service outage and the

55 issuance of a notice of service outage, the maximum time interval between service outage updates and

56 how service outage updates are described
57 3.4
58 remedy

59 compensation available to the cloud service customer in the event the cloud service provider fails to meet a

60 specified cloud service level objective.
61 3.5
62 resilience

63 ability of a cloud service to recover operational condition quickly after a fault occurs

64 3.6
65 cloud service level objective
66 SLO

67 commitment a cloud service provider makes for a specific, quantitative characteristic of a cloud service,

68 where the value follows the interval or ratio scale
70 Note 1 to entry: an SLO commitment may be expressed as a range
71 3.7
72 cloud service qualitative objective
73 SQO

74 commitment a cloud service provider makes for a specific, qualitative characteristic of a cloud service,

75 where the value follows the nominal or ordinal scale

76 Note 1 to entry: a cloud service qualitative objective may be expressed as an enumerated list

77 Note 2 to entry: qualitative characteristics typically require human interpretation

78 Note 3 to entry: The ordinal scale allows for existence/nonexistence
2 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC DIS 19086-1
79 3.8
80 metric

81 a standard of measurement that defines the conditions and the rules for performing the measurement and

82 for understanding the results of a measurement.
83 Note 1 to entry: A metric implements a particular abstract metric concept.

84 Note 2 to entry: A metric is to be applied in practice within a given context that requires specific properties

85 to be measured, at a given time(s) for a specific goal.
86 3.9
87 disaster recovery

88 ability of the ICT elements of an organization to support its critical business functions to an acceptable level

89 within a predetermined period of time following a disaster
90 [SOURCE: ISO/IEC 27031:2011, 3.7]
91 3.10
92 personally identifiable information (PII)

93 any information that (a) can be used to identify the PII principal to whom such information relates, or

94 (b) is or might be directly or indirectly linked to a PII principal

96 Note to entry: To determine whether a PII principal is identifiable, account should be taken of all the means

97 which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify

98 that natural person.
99 [SOURCE: ISO/IEC 29100:2011, 2.9]
100
101 3.11
102 PII processor

103 privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance

104 with the instructions of a PII controller
105 [SOURCE: ISO/IEC 29100, 2.12]
106 3.12
107 service level agreement (SLA)

108 part of the cloud service agreement that includes cloud service level objectives and cloud service qualitative

109 objectives for the covered service(s)
110
111 3.13
112 business continuity

113 capability of the organization to continue delivery of products or services at acceptable predefined levels

114 following disruptive incident
115 [SOURCE: ISO/IEC 22301:2012(en), 3.3]
116 3.14
117 PII controller

118 privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing

119 personally identifiable information (PII) other than natural persons who use data for personal purposes

120 [SOURCE: ISO/IEC 29100:2011, 2.10]
121 3.15
122 PII principal
123 natural person to whom the personally identifiable information (PII) relates
124 [SOURCE: ISO/IEC 29100:2011, 2.11]
© ISO/IEC 2015 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC DIS 19086-1
125 3.16
126 nominal scale
127 scale with unordered labelled categories or ordered by convention
128
129 [SOURCE: ISO 3534-2:2006(en), 1.1.6]
130
131 3.17
132 ordinal scale
133 scale with ordered labelled categories
134 [SOURCE: ISO 3534-2:2006(en), 1.1.7]
135 3.18
136 interval scale

137 continuous scale or discrete scale with equal sized scale values and an arbitrary zero

138 [SOURCE: ISO 3534-2:2006(en), 1.1.8]
139 3.19
140 ratio scale

141 continuous scale with equal sized scale values and an absolute or natural zero point

142 [SOURCE: ISO 3534-2:2006(en), 1.1.9]
143 4 Symbols and abbreviated terms
144 For the purposes of this document, the following abbreviations apply:
145 AUP Acceptable Use Policy
146 BLOB Binary Large Object
147 CSA Cloud Service Agreement
148 CSC Cloud Service Customer
149 CSP Cloud Service Provider
150 DDoS Distributed Denial of Service
151 IaaS Infrastructure as a Service
152 ICT Information and Communications Technology
153 IPR Intellectual Property Rights
154 IT Information Technology
155 KPI Key Performance Indicator
156 MBRT Maximum Batch Response Time
157 MTTSR Maximum Time to Service Recovery
158 PaaS Platform as a Service
159 PII Personally Identifiable Information
4 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC DIS 19086-1
160 RPO Recovery Point Objective
161 RTO Recovery Time Objective
162 SaaS Software as a Service
163 SCRUD search, create, read, update and delete
164 SLA Service Level Agreement
165 SLO Cloud Service Level Objective
166 SQO Cloud Service Qualitative Objective
167 TTSR Time to Service Recovery
168 VM Virtual Machine
169 WCAG W3C Web Content Accessibility Guidelines
170 5 Overview of SLAs for cloud services

171 A service level agreement (SLA) is a part of the cloud service agreement that includes cloud service level

172 objectives and cloud service qualitative objectives for the covered service(s). The cloud SLA should

173 account for the key characteristics of cloud computing as described in Clause 6.2 of Rec. ITU-T Y.3500 |

174 ISO/IEC 17788 that include:

175 ⎯ Self-service – A CSC may gain access to cloud services without human interaction with the CSP. The

176 cloud service agreement (CSA) (see Clause 6) and the associated cloud SLA may be presented and

177 agreed through software tools and financial arrangements that are automated.

178 ⎯ Resource pooling – The public cloud deployment models allow sharing resources across many CSCs

179 that do not have a relationship. The private cloud models allow users to share resources within the

180 same organization. The hybrid cloud models allow users to share some resources within the same

181 organization and some resources across many CSCs that do not necessarily have a relationship. The

182 community cloud deployment models allow sharing resources across CSCs that have some

183 relationship.

184 ⎯ Multi-tenancy – Cloud environments are enabled through the use of large-scale virtualization of

185 servers, storage and networks. Overall system usage is typically spread over many CSCs. Cloud

186 environments typically have no persistent relationship between particular physical resources and their

187 use by CSCs. The CSCs are assigned virtual resources, and logging of usage is done at this level of

188 abstraction.

189 ⎯ Rapid elasticity and scaling – A characteristic of cloud computing where physical or virtual resources

190 can be rapidly and elastically adjusted, in some cases automatically, to quickly increase or decrease

191 resources.

192 ⎯ Tradeoff between cost and control – Large-scale, standardized cloud services may be provided on a

193 low unit cost, utility basis, in conjunction with standardized contracts and cloud SLAs. If a CSC requires

194 more control and customization of cloud services than is available from a standard utility service model,

195 then this may be provided at additional cost and with a specific cloud SLA.

196 ⎯ Measured service - A feature where the metered delivery of cloud services is such that usage can be

197 monitored, controlled, reported, and billed. This is an important feature needed to optimize and validate

198 the delivered cloud service. The focus of this key characteristic is that the CSC may only pay for the

199 resources that they use.
© ISO/IEC 2015 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC DIS 19086-1

200 ⎯ Broad network access – The capabilities of cloud services are made available over the network and

201 are typically accessed through standard mechanisms that promote use by heterogeneous client

202 platforms (for example, access through mobile phones, laptops and workstations).

203 Details of cloud SLAs, SLOs and SQOs can vary for different cloud service categories, cloud capabilities

204 types and different cloud deployment models (see Rec ITU-T Y.3500 | ISO/IEC 17788). Cloud SLAs in this

205 standard are intended to be useful for CSCs and CSPs across the variety of cloud service categories and

206 cloud deployment models. As the definition of cloud SLOs and SQOs is intended to be technology and

207 business model neutral, so not all of these SLOs or SQOs will apply to every cloud service, and those that

208 do apply may be structured and applied in different ways to specific cloud services. For example, service

209 availability can be measured in different ways, some of which depend on the specific cloud service; a

210 computational cloud service is different than an email cloud service and service availability for each will be

211 computed differently.
212 6 Relationship between the cloud service agreement and SLAs
213 Cloud s
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.