ISO/IEC 19086-1:2016

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 19086-1
ISO/IEC JTC 1/SC 38 Secretariat: ANSI
Voting begins on: Voting terminates on:
2016-01-04 2016-04-04
Information technology — Cloud computing — Service
level agreement (SLA) framework —
Part 1:
Overview and concepts
Titre manque
ICS: 35.020
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 19086-1:2015(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
©
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2015

---------------------- Page: 1 ----------------------
ISO/IEC DIS 19086-1:2015(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC DIS 19086-1
Contents Page
Foreword v

1
  Scope 1

2
  Normative references . 1

3
  Terms and definitions . 1

4
  Symbols and abbreviated terms . 4

5
  Overview of SLAs for cloud services . 5

6
  Relationship between the cloud service agreement and SLAs . 6

7
  Cloud SLA management best practices . 7

7.1
  General . 7

7.2
  Design . 7

7.3
  Evaluation and acceptance . 7

7.4
  Implementation and execution . 8

7.5
  Changes to the cloud SLA . 8

8
  The role of cloud service level objectives, cloud service qualitative objectives, metrics,
remedies, and exceptions in the SLA . 8

8.1
  General . 8

8.2
  Metrics . 8

8.3
  Service levels . 9

8.3.1
  Cloud service level objectives . 9

8.3.2
  Cloud service qualitative objectives . 9

8.4
  Remedies . 10

8.4.1
  Claims process . 10

8.5
  Exceptions . 10

9
  Cloud SLA components . 10

9.1
  General . 10

9.2
  Covered services component . 10

9.2.1
  Description . 10

9.2.2
  Relevance . 11

9.3
  Cloud SLA definitions component . 11

9.3.1
  Description . 11

9.3.2
  Relevance . 11

9.4
  Service monitoring component . 11

9.4.1
  Description . 11

9.4.2
  Relevance . 11

9.4.3
  Cloud service qualitative objectives . 11

9.5
  Roles and responsibilities component . 11

9.5.1
  Description . 11

9.5.2
  Relevance . 12

10
  Cloud SLA content areas . 12

10.1
  General . 12

10.2
  Accessibility content area . 12

10.2.1
  Accessibility component . 12

10.3
  Availability content area . 13

10.3.1
  Availability component . 13

10.4
  Cloud service performance content area . 13

10.4.1
  General . 13

10.4.2
  Cloud service response time component . 13

© ISO/IEC 2015 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC DIS 19086-1
10.4.3
  Cloud service capacity component . 14

10.4.4
  Elasticity component . 15

10.5
  Protection of personally identifiable information (PII) content area . 16

10.5.1
  Protection of PII component . 16

10.6
  Information Security content area . 17

10.6.1
  Information Security component . 17

10.7
  Termination of service content area . 18

10.7.1
  Termination of service component . 18

10.8
  Cloud service support content area . 20

10.8.1
  Cloud service support component . 20

10.9
  Governance content area . 22

10.9.1
  Governance component . 22

10.10
  Changes to the cloud service features and functionality content area . 23

10.10.1
 Changes to the cloud service features and functionality component . 23

10.11
  Service reliability content area . 24

10.11.1
 General . 24

10.11.2
 Service resilience/fault tolerance component . 24

10.11.3
 Customer data backup and restore component . 24

10.11.4
 Disaster recovery component . 26

10.12
  Data management content area . 27

10.12.1
 General . 27

10.12.2
 Intellectual property rights (IPR) component . 27

10.12.3
 Cloud service customer data component . 28

10.12.4
 Cloud service provider data componen . 28

10.12.5
 Account data component . 29

10.12.6
 Derived Data component . 29

10.12.7
 Data portability component . 30

10.12.8
 Data deletion component . 30

10.12.9
 Data location component . 31

10.12.10
  Data examination component . 31

10.12.11
  Law enforcement access component . 32

10.13
  Attestations, certifications and audits content area . 32

10.13.1
 Attestations, certifications and audits component . 32

Bibliography . 34


iv © ISO/IEC 2015 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC DIS 19086-1
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 19086-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud Computing and Distributed Platforms.
ISO/IEC 19086 consists of the following parts, under the general title Information technology — Cloud
computing ─ Service Level Agreement (SLA) framework:
⎯ Part 1: Overview and concepts
⎯ Part 2: Metrics
⎯ Part 3: Core requirements
⎯ Part 4: Security & Privacy

© ISO/IEC 2015 – All rights reserved v

---------------------- Page: 5 ----------------------
COMMITTEE DRAFT ISO/IEC DIS 19086-1

1 Information technology — Cloud computing ─ Service Level
2 Agreement (SLA) framework — Part 1: Overview and concepts
3 1 Scope
4 This International Standard specifies an overview of Service Level Agreements (SLA)s for cloud services,
5 identification of the relationship between the cloud service agreement and the SLA, concepts that can be
6 used to build cloud SLAs, and terms commonly used in SLAs for cloud services. This standard is for the
7 benefit and use of both cloud service provider and cloud service customer.
8 This International Standard does not provide a standard structure that can be used for a cloud SLA or a
9 standard set of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that
10 will apply to all cloud services or all cloud service providers. Contracts vary between cloud service providers,
11 and in some cases different cloud service customers can negotiate different contract terms with the same
12 cloud service provider for the same cloud service, so this standard seeks to establish a set of common
13 cloud SLA building blocks (concepts, terms, definitions, contexts) that can then be used to create cloud
14 SLAs that help avoid confusion and facilitates a common understanding between cloud service providers
15 and cloud service customers.
16 This International Standard does not supersede any legal requirement.
17 2 Normative references
18 The following referenced documents are indispensable for the application of this document. For dated
19 references, only the edition cited applies. For undated references, the latest edition of the referenced
20 document (including any amendments) applies.
21 Recommendation ITU-T Y.3500 | ISO/IEC 17788:2014, Information technology — Cloud computing —
22 Overview and vocabulary
23 Recommendation ITU-T Y.3502 | ISO/IEC 17789:2014, Information technology — Cloud computing —
24 Reference architecture
25 3 Terms and definitions
26 For the purposes of this document, the terms and definitions given in Rec. ITU-T Y.3500 | ISO/IEC 17788
27 and the following definitions apply.
28 3.1
29 accessibility
30 usability of a product, service, environment or facility by people within the widest range of capabilities
31 Note 1 to entry: The concept of accessibility addresses the full range of user capabilities and is not limited
32 to users who are formally recognized as having disability.
© ISO/IEC 2015 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC DIS 19086-1
33 Note 2 to entry: The usability-oriented concept of accessibility aims to achieve levels of effectiveness,
34 efficiency and satisfaction that are as high as possible considering the specified context of use, while
35 paying attention to the full range of capabilities within the user population.
36 Note 3 to entry: It is important in the context of ISO/IEC 19086 to distinguish between the specialized
37 meaning of “accessibility” as defined here and the term “accessible” which is used with its dictionary
38 meaning of “able to be reached or entered”.
39 [SOURCE: ISO 9241-171:2008, 3.2]
40 3.2
41 cloud service agreement
42 documented agreement between the cloud service provider and cloud service customer that governs the
43 covered service(s)
44
45 Note 1 to entry: A cloud service agreement can consist of one or more parts recorded in one or more
46 documents
47
48 3.3
49 failure notification policy
50 policy specifying the processes by which the cloud service customer and cloud service partner can notify
51 the cloud service provider of a service outage and by which the cloud service provider can notify the cloud
52 service customer and cloud service partner that a service outage has occurred.
53 Note 1 to entry: The policy may also include the process for providing updates on service outages, who
54 receives notifications and updates, the maximum time between the detection of a service outage and the
55 issuance of a notice of service outage, the maximum time interval between service outage updates and
56 how service outage updates are described
57 3.4
58 remedy
59 compensation available to the cloud service customer in the event the cloud service provider fails to meet a
60 specified cloud service level objective.
61 3.5
62 resilience
63 ability of a cloud service to recover operational condition quickly after a fault occurs
64 3.6
65 cloud service level objective
66 SLO
67 commitment a cloud service provider makes for a specific, quantitative characteristic of a cloud service,
68 where the value follows the interval or ratio scale
69
70 Note 1 to entry: an SLO commitment may be expressed as a range
71 3.7
72 cloud service qualitative objective
73 SQO
74 commitment a cloud service provider makes for a specific, qualitative characteristic of a cloud service,
75 where the value follows the nominal or ordinal scale
76 Note 1 to entry: a cloud service qualitative objective may be expressed as an enumerated list
77 Note 2 to entry: qualitative characteristics typically require human interpretation
78 Note 3 to entry: The ordinal scale allows for existence/nonexistence
2 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC DIS 19086-1
79 3.8
80 metric
81 a standard of measurement that defines the conditions and the rules for performing the measurement and
82 for understanding the results of a measurement.
83 Note 1 to entry: A metric implements a particular abstract metric concept.
84 Note 2 to entry: A metric is to be applied in practice within a given context that requires specific properties
85 to be measured, at a given time(s) for a specific goal.
86 3.9
87 disaster recovery
88 ability of the ICT elements of an organization to support its critical business functions to an acceptable level
89 within a predetermined period of time following a disaster
90 [SOURCE: ISO/IEC 27031:2011, 3.7]
91 3.10
92 personally identifiable information (PII)
93 any information that (a) can be used to identify the PII principal to whom such information relates, or
94 (b) is or might be directly or indirectly linked to a PII principal
95
96 Note to entry: To determine whether a PII principal is identifiable, account should be taken of all the means
97 which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify
98 that natural person.
99 [SOURCE: ISO/IEC 29100:2011, 2.9]
100
101 3.11
102 PII processor
103 privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance
104 with the instructions of a PII controller
105 [SOURCE: ISO/IEC 29100, 2.12]
106 3.12
107 service level agreement (SLA)
108 part of the cloud service agreement that includes cloud service level objectives and cloud service qualitative
109 objectives for the covered service(s)
110
111 3.13
112 business continuity
113 capability of the organization to continue delivery of products or services at acceptable predefined levels
114 following disruptive incident
115 [SOURCE: ISO/IEC 22301:2012(en), 3.3]
116 3.14
117 PII controller
118 privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing
119 personally identifiable information (PII) other than natural persons who use data for personal purposes
120 [SOURCE: ISO/IEC 29100:2011, 2.10]
121 3.15
122 PII principal
123 natural person to whom the personally identifiable information (PII) relates
124 [SOURCE: ISO/IEC 29100:2011, 2.11]
© ISO/IEC 2015 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC DIS 19086-1
125 3.16
126 nominal scale
127 scale with unordered labelled categories or ordered by convention
128
129 [SOURCE: ISO 3534-2:2006(en), 1.1.6]
130
131 3.17
132 ordinal scale
133 scale with ordered labelled categories
134 [SOURCE: ISO 3534-2:2006(en), 1.1.7]
135 3.18
136 interval scale
137 continuous scale or discrete scale with equal sized scale values and an arbitrary zero
138 [SOURCE: ISO 3534-2:2006(en), 1.1.8]
139 3.19
140 ratio scale
141 continuous scale with equal sized scale values and an absolute or natural zero point
142 [SOURCE: ISO 3534-2:2006(en), 1.1.9]
143 4 Symbols and abbreviated terms
144 For the purposes of this document, the following abbreviations apply:
145 AUP Acceptable Use Policy
146 BLOB Binary Large Object
147 CSA Cloud Service Agreement
148 CSC Cloud Service Customer
149 CSP Cloud Service Provider
150 DDoS Distributed Denial of Service
151 IaaS Infrastructure as a Service
152 ICT Information and Communications Technology
153 IPR Intellectual Property Rights
154 IT Information Technology
155 KPI Key Performance Indicator
156 MBRT Maximum Batch Response Time
157 MTTSR Maximum Time to Service Recovery
158 PaaS Platform as a Service
159 PII Personally Identifiable Information
4 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC DIS 19086-1
160 RPO Recovery Point Objective
161 RTO Recovery Time Objective
162 SaaS Software as a Service
163 SCRUD search, create, read, update and delete
164 SLA Service Level Agreement
165 SLO Cloud Service Level Objective
166 SQO Cloud Service Qualitative Objective
167 TTSR  Time to Service Recovery
168 VM  Virtual Machine
169 WCAG W3C Web Content Accessibility Guidelines
170 5 Overview of SLAs for cloud services
171 A service level agreement (SLA) is a part of the cloud service agreement that includes cloud service level
172 objectives and cloud service qualitative objectives for the covered service(s). The cloud SLA should
173 account for the key characteristics of cloud computing as described in Clause 6.2 of Rec. ITU-T Y.3500 |
174 ISO/IEC 17788 that include:
175 ⎯ Self-service – A CSC may gain access to cloud services without human interaction with the CSP. The
176 cloud service agreement (CSA) (see Clause 6) and the associated cloud SLA may be presented and
177 agreed through software tools and financial arrangements that are automated.
178 ⎯ Resource pooling – The public cloud deployment models allow sharing resources across many CSCs
179 that do not have a relationship. The private cloud models allow users to share resources within the
180 same organization. The hybrid cloud models allow users to share some resources within the same
181 organization and some resources across many CSCs that do not necessarily have a relationship. The
182 community cloud deployment models allow sharing resources across CSCs that have some
183 relationship.
184 ⎯ Multi-tenancy – Cloud environments are enabled through the use of large-scale virtualization of
185 servers, storage and networks. Overall system usage is typically spread over many CSCs.  Cloud
186 environments typically have no persistent relationship between particular physical resources and their
187 use by CSCs. The CSCs are assigned virtual resources, and logging of usage is done at this level of
188 abstraction.
189 ⎯ Rapid elasticity and scaling – A characteristic of cloud computing where physical or virtual resources
190 can be rapidly and elastically adjusted, in some cases automatically, to quickly increase or decrease
191 resources.
192 ⎯ Tradeoff between cost and control – Large-scale, standardized cloud services may be provided on a
193 low unit cost, utility basis, in conjunction with standardized contracts and cloud SLAs. If a CSC requires
194 more control and customization of cloud services than is available from a standard utility service model,
195 then this may be provided at additional cost and with a specific cloud SLA.
196 ⎯ Measured service - A feature where the metered delivery of cloud services is such that usage can be
197 monitored, controlled, reported, and billed. This is an important feature needed to optimize and validate
198 the delivered cloud service. The focus of this key characteristic is that the CSC may only pay for the
199 resources that they use.
© ISO/IEC 2015 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC DIS 19086-1
200 ⎯ Broad network access – The capabilities of cloud services are made available over the network and
201 are typically accessed through standard mechanisms that promote use by heterogeneous client
202 platforms (for example, access through mobile phones, laptops and workstations).
203 Details of cloud SLAs, SLOs and SQOs can vary for different cloud service categories, cloud capabilities
204 types and different cloud deployment models (see Rec ITU-T Y.3500 | ISO/IEC 17788). Cloud SLAs in this
205 standard are intended to be useful for CSCs and CSPs across the variety of cloud service categories and
206 cloud deployment models. As the definition of cloud SLOs and SQOs is intended to be technology and
207 business model neutral, so not all of these SLOs or SQOs will apply to every cloud service, and those that
208 do apply may be structured and applied in different ways to specific cloud services. For example, service
209 availability can be measured in different ways, some of which depend on the specific cloud service; a
210 computational cloud service is different than an email cloud service and service availability for each will be
211 computed differently.
212 6 Relationship between the cloud service agreement and SLAs
213 Cloud s
...