ISO/IEC 19086-1:2016
(Main)Information technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and concepts
Information technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and concepts
ISO/IEC 19086-1:2016 seeks to establish a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs). This document specifies a) an overview of cloud SLAs, b) identification of the relationship between the cloud service agreement and the cloud SLA, c) concepts that can be used to build cloud SLAs, and d) terms commonly used in cloud SLAs. ISO/IEC 19086-1:2016 is for the benefit and use of both cloud service providers and cloud service customers. The aim is to avoid confusion and facilitate a common understanding between cloud service providers and cloud service customers. Cloud service agreements and their associated cloud SLAs vary between cloud service providers, and in some cases different cloud service customers can negotiate different contract terms with the same cloud service provider for the same cloud service. This document aims to assist cloud service customers when they compare cloud services from different cloud service providers. ISO/IEC 19086-1:2016 does not provide a standard structure that can be used for a cloud SLA or a standard set of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that will apply to all cloud services or all cloud service providers. This approach provides flexibility for cloud service providers in tailoring their cloud SLAs to the particular characteristics of the offered cloud services. ISO/IEC 19086-1:2016 does not supersede any legal requirement.
Technologies de l'information — Informatique en nuage — Cadre de travail de l'accord du niveau de service — Partie 1: Aperçu général et concepts
General Information
Buy Standard
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 19086-1
First edition
2016-09-15
Information technology — Cloud
computing — Service level agreement
(SLA) framework —
Part 1:
Overview and concepts
Technologies de l’information — Informatique en nuage — Cadre de
travail de l’accord du niveau de service —
Partie 1: Aperçu général et concepts
Reference number
ISO/IEC 19086-1:2016(E)
©
ISO/IEC 2016
---------------------- Page: 1 ----------------------
ISO/IEC 19086-1:2016(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 19086-1:2016(E)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 4
5 Overview of SLAs for cloud services . 5
6 Relationship between the cloud service agreement and cloud SLAs .6
7 Cloud SLA management best practices . 7
7.1 General . 7
7.2 Design . 7
7.3 Evaluation and acceptance . 7
7.4 Implementation and execution . 8
7.5 Changes to the cloud SLA . 8
8 The role of cloud service level objectives, cloud service qualitative objectives,
metrics, remedies and exceptions in the cloud SLA . 8
8.1 General . 8
8.2 Metrics . 8
8.3 SLOs and SQOs . 9
8.3.1 Service levels . 9
8.3.2 Cloud service level objectives . 9
8.3.3 Cloud service qualitative objectives . 9
8.4 Remedies and claims .10
8.4.1 Remedies .10
8.4.2 Claims process .10
8.5 Exceptions .10
9 Cloud SLA components .10
9.1 General .10
9.2 Covered services component .10
9.2.1 Description . . .10
9.2.2 Relevance . .11
9.3 Cloud SLA definitions component .11
9.3.1 Description . . .11
9.3.2 Relevance . .11
9.4 Service monitoring component .11
9.4.1 Description . . .11
9.4.2 Relevance . .11
9.4.3 Cloud service qualitative objectives .11
9.5 Roles and responsibilities component .11
9.5.1 Description . . .11
9.5.2 Relevance . .12
10 Cloud SLA content areas and their components .12
10.1 General .12
10.2 Accessibility content area .12
10.2.1 Accessibility component .12
10.3 Availability content area .13
10.3.1 Availability component .13
10.4 Cloud service performance content area .13
10.4.1 General.13
10.4.2 Cloud service response time component .13
© ISO/IEC 2016 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 19086-1:2016(E)
10.4.3 Cloud service capacity component.14
10.4.4 Elasticity component . .15
10.5 Protection of personally identifiable information (PII) content area.16
10.5.1 Protection of PII component .16
10.6 Information Security content area .17
10.6.1 Information Security component .17
10.7 Termination of service content area .18
10.7.1 Termination of service component .18
10.8 Cloud service support content area .19
10.8.1 Cloud service support component .19
10.9 Governance content area . .21
10.9.1 Governance component .21
10.10 Changes to the cloud service features and functionality content area .22
10.10.1 Changes to the cloud service features and functionality component .22
10.11 Service reliability content area .23
10.11.1 General.23
10.11.2 Service resilience/fault tolerance component .23
10.11.3 Customer data backup and restore component .24
10.11.4 Disaster recovery component.25
10.12 Data management content area .26
10.12.1 General.26
10.12.2 Intellectual property rights (IPR) component .27
10.12.3 Cloud service customer data component .27
10.12.4 Cloud service provider data component .28
10.12.5 Account data component .28
10.12.6 Derived Data component .28
10.12.7 Data portability component .29
10.12.8 Data deletion component .29
10.12.9 Data location component.30
10.12.10 .
Data examination component .31
10.12.11 .
Law enforcement access component .31
10.13 Attestations, certifications and audits content area .31
10.13.1 Attestations, certifications and audits component.31
Bibliography .33
iv © ISO/IEC 2016 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 19086-1:2016(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 38, Cloud computing and distributed platforms.
A list of all parts in the ISO/IEC 19086 series can be found on the ISO website.
© ISO/IEC 2016 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 19086-1:2016(E)
Introduction
This document provides an overview, foundational concepts, and definitions for the cloud SLA
framework. ISO/IEC 19086 builds on the cloud computing concepts defined in ISO/IEC 17788 and
ISO/IEC 17789. This document establishes a common framework for helping organizations to
understand the purpose of all the parts of ISO/IEC 19086 and the relationships between those parts.
It also identifies other documents that have relationships with ISO/IEC 19086 and which are useful in
understanding cloud SLAs.
This document can be used by any organization or individual involved in the creation, modification
or understanding of a cloud service level agreement which conforms to ISO/IEC 19086. The cloud SLA
should account for the key characteristics of a cloud computing service and needs to facilitate a common
understanding between cloud service providers and cloud service customers.
In particular, it defines the following fundamental concepts of the cloud SLA framework:
— Cloud Service Agreement (CSA)
— Cloud Service Level Agreement (SLA)
— Cloud Service Level Objectives (SLO)
— Cloud Service Qualitative Objectives (SQO)
This document also describes the content areas and components that consist of a list of SLOs and SQOs.
— ISO/IEC 19086-2 provides the metrics model to be used for creating metrics used in SLOs and SQOs.
— ISO/IEC 19086-3 provides the core conformance requirements derived from the SLOs and SQOs
defined in this document.
— ISO/IEC 19086-4 builds upon the foundational concepts and definitions described by this document
by describing specific components and the conformance requirements for SLOs and SQOs in the
area of Security and Privacy.
More specifically, this document
a) promotes cohesion between the parts of ISO/IEC 19086 by explaining the concepts and terminology
used across all parts,
b) contributes to the understanding of ISO/IEC 19086 by clarifying the relationships between all the
parts, and
c) provides an overview of other International Standards which can be used in combination with
ISO/IEC 19086.
Figure 1 represents an overview of the content of ISO/IEC 19086 and the relationships between the
parts of ISO/IEC 19086 and other key International Standards relating to cloud computing.
vi © ISO/IEC 2016 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC 19086-1:2016(E)
Figure 1 — Relationship of parts of ISO/IEC 19086 and other cloud computing standards
This document addresses the contents of a cloud SLA in two main groupings: SLA Components,
addressed in Clause 9, and SLA Content Areas, addressed in Clause 10, as shown in Figure 2.
Figure 2 — SLA components and SLA content areas
© ISO/IEC 2016 – All rights reserved vii
---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO/IEC 19086-1:2016(E)
Information technology — Cloud computing — Service
level agreement (SLA) framework —
Part 1:
Overview and concepts
1 Scope
This document seeks to establish a set of common cloud SLA building blocks (concepts, terms,
definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs).
This document specifies
a) an overview of cloud SLAs,
b) identification of the relationship between the cloud service agreement and the cloud SLA,
c) concepts that can be used to build cloud SLAs, and
d) terms commonly used in cloud SLAs.
This document is for the benefit and use of both cloud service providers and cloud service customers.
The aim is to avoid confusion and facilitate a common understanding between cloud service providers
and cloud service customers. Cloud service agreements and their associated cloud SLAs vary between
cloud service providers, and in some cases different cloud service customers can negotiate different
contract terms with the same cloud service provider for the same cloud service. This document aims
to assist cloud service customers when they compare cloud services from different cloud service
providers.
This document does not provide a standard structure that can be used for a cloud SLA or a standard set
of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that will apply
to all cloud services or all cloud service providers. This approach provides flexibility for cloud service
providers in tailoring their cloud SLAs to the particular characteristics of the offered cloud services.
This document does not supersede any legal requirement.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17788:2014, Information technology — Cloud computing — Overview and vocabulary
ISO/IEC 17789,Information technology — Cloud computing — Reference architecture
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17788 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
© ISO/IEC 2016 – All rights reserved 1
---------------------- Page: 8 ----------------------
ISO/IEC 19086-1:2016(E)
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
accessibility
usability of a product, service, environment or facility by people within the widest range of capabilities
Note 1 to entry: The concept of accessibility addresses the full range of user capabilities and is not limited to
users who are formally recognized as having disability.
Note 2 to entry: The usability-oriented concept of accessibility aims to achieve levels of effectiveness, efficiency
and satisfaction that are as high as possible considering the specified context of use, while paying attention to
the full range of capabilities within the user population.
Note 3 to entry: It is important in the context of ISO/IEC 19086 to distinguish between the specialized meaning
of “accessibility” as defined here and the term “accessible” which is used with its dictionary meaning of “able to
be reached or entered.”
[SOURCE: ISO 9241-171:2008, 3.2]
3.2
business continuity
capability of the organization to continue delivery of products or services at acceptable predefined
levels following disruptive incident
[SOURCE: ISO/IEC 22301:2012, 3.3]
3.3
cloud service agreement
documented agreement between the cloud service provider and cloud service customer that governs
the covered service(s)
Note 1 to entry: A cloud service agreement can consist of one or more parts recorded in one or more documents.
3.4
cloud service level agreement
cloud SLA
part of the cloud service agreement (3.3) that includes cloud service level objectives (3.5) and cloud
service qualitative objectives (3.6) for the covered cloud service(s)
3.5
cloud service level objective
SLO
commitment a cloud service provider makes for a specific, quantitative characteristic of a cloud service,
where the value follows the interval scale (3.9) or ratio scale (3.17)
Note 1 to entry: An SLO commitment may be expressed as a range.
3.6
cloud service qualitative objective
SQO
commitment a cloud service provider makes for a specific, qualitative characteristic of a cloud service,
where the value follows the nominal scale (3.11) or ordinal scale (3.12)
Note 1 to entry: A cloud service qualitative objective may be expressed as an enumerated list.
Note 2 to entry: Qualitative characteristics typically require human interpretation.
Note 3 to entry: The ordinal scale allows for existence/non-existence.
2 © ISO/IEC 2016 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 19086-1:2016(E)
3.7
disaster recovery
ability of the ICT elements of an organization to support its critical business functions to an acceptable
level within a predetermined period of time following a disaster
[SOURCE: ISO/IEC 27031:2011, 3.7]
3.8
failure notification policy
policy specifying the processes by which the cloud service customer and cloud service partner can
notify the cloud service provider of a service outage and by which the cloud service provider can notify
the cloud service customer and cloud service partner that a service outage has occurred.
Note 1 to entry: The policy may also include the process for providing updates on service outages, who receives
notifications and updates, the maximum time between the detection of a service outage and the issuance of a
notice of service outage, the maximum time interval between service outage updates and how service outage
updates are described.
3.9
interval scale
continuous scale or discrete scale with equal sized scale values and an arbitrary zero
[SOURCE: ISO 3534-2:2006, 1.1.8]
3.10
metric
standard of measurement that defines the conditions and the rules for performing the measurement
and for understanding the results of a measurement
Note 1 to entry: A metric implements a particular abstract metric concept.
Note 2 to entry: A metric is to be applied in practice within a given context that requires specific properties to be
measured, at a given time(s) for a specific goal.
3.11
nominal scale
scale with unordered labelled categories or ordered by convention
[SOURCE: ISO 3534-2:2006, 1.1.6]
3.12
ordinal scale
scale with ordered labelled categories
[SOURCE: ISO 3534-2:2006, 1.1.7]
3.13
personally identifiable information
PII
any information that (a) can be used to identify the PII principal to whom such information relates, or
(b) is or might be directly or indirectly linked to a PII principal
Note 1 to entry: To determine whether a PII principal is identifiable, account should be taken of all the means
which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that
natural person.
[SOURCE: ISO/IEC 29100:2011, 2.9]
© ISO/IEC 2016 – All rights reserved 3
---------------------- Page: 10 ----------------------
ISO/IEC 19086-1:2016(E)
3.14
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing
personally identifiable information (PII) other than natural persons who use data for personal purposes
[SOURCE: ISO/IEC 29100:2011, 2.10]
3.15
PII principal
natural person to whom the personally identifiable information (PII) relates
[SOURCE: ISO/IEC 29100:2011, 2.11]
3.16
PII processor
privacy stakeholder that processes personally identifiable information (PII) on behalf of and in
accordance with the instructions of a PII controller
[SOURCE: ISO/IEC 29100:2011, 2.12]
3.17
ratio scale
continuous scale with equal sized scale values and an absolute or natural zero point
[SOURCE: ISO 3534-2:2006, 1.1.9]
3.18
remedy
compensation available to the cloud service customer in the event the cloud serv
...
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 19086-1
ISO/IEC JTC 1/SC 38 Secretariat: ANSI
Voting begins on: Voting terminates on:
2016-01-04 2016-04-04
Information technology — Cloud computing — Service
level agreement (SLA) framework —
Part 1:
Overview and concepts
Titre manque
ICS: 35.020
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 19086-1:2015(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
©
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2015
---------------------- Page: 1 ----------------------
ISO/IEC DIS 19086-1:2015(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 19086-1
Contents Page
Foreword v
1
Scope 1
2
Normative references . 1
3
Terms and definitions . 1
4
Symbols and abbreviated terms . 4
5
Overview of SLAs for cloud services . 5
6
Relationship between the cloud service agreement and SLAs . 6
7
Cloud SLA management best practices . 7
7.1
General . 7
7.2
Design . 7
7.3
Evaluation and acceptance . 7
7.4
Implementation and execution . 8
7.5
Changes to the cloud SLA . 8
8
The role of cloud service level objectives, cloud service qualitative objectives, metrics,
remedies, and exceptions in the SLA . 8
8.1
General . 8
8.2
Metrics . 8
8.3
Service levels . 9
8.3.1
Cloud service level objectives . 9
8.3.2
Cloud service qualitative objectives . 9
8.4
Remedies . 10
8.4.1
Claims process . 10
8.5
Exceptions . 10
9
Cloud SLA components . 10
9.1
General . 10
9.2
Covered services component . 10
9.2.1
Description . 10
9.2.2
Relevance . 11
9.3
Cloud SLA definitions component . 11
9.3.1
Description . 11
9.3.2
Relevance . 11
9.4
Service monitoring component . 11
9.4.1
Description . 11
9.4.2
Relevance . 11
9.4.3
Cloud service qualitative objectives . 11
9.5
Roles and responsibilities component . 11
9.5.1
Description . 11
9.5.2
Relevance . 12
10
Cloud SLA content areas . 12
10.1
General . 12
10.2
Accessibility content area . 12
10.2.1
Accessibility component . 12
10.3
Availability content area . 13
10.3.1
Availability component . 13
10.4
Cloud service performance content area . 13
10.4.1
General . 13
10.4.2
Cloud service response time component . 13
© ISO/IEC 2015 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 19086-1
10.4.3
Cloud service capacity component . 14
10.4.4
Elasticity component . 15
10.5
Protection of personally identifiable information (PII) content area . 16
10.5.1
Protection of PII component . 16
10.6
Information Security content area . 17
10.6.1
Information Security component . 17
10.7
Termination of service content area . 18
10.7.1
Termination of service component . 18
10.8
Cloud service support content area . 20
10.8.1
Cloud service support component . 20
10.9
Governance content area . 22
10.9.1
Governance component . 22
10.10
Changes to the cloud service features and functionality content area . 23
10.10.1
Changes to the cloud service features and functionality component . 23
10.11
Service reliability content area . 24
10.11.1
General . 24
10.11.2
Service resilience/fault tolerance component . 24
10.11.3
Customer data backup and restore component . 24
10.11.4
Disaster recovery component . 26
10.12
Data management content area . 27
10.12.1
General . 27
10.12.2
Intellectual property rights (IPR) component . 27
10.12.3
Cloud service customer data component . 28
10.12.4
Cloud service provider data componen . 28
10.12.5
Account data component . 29
10.12.6
Derived Data component . 29
10.12.7
Data portability component . 30
10.12.8
Data deletion component . 30
10.12.9
Data location component . 31
10.12.10
Data examination component . 31
10.12.11
Law enforcement access component . 32
10.13
Attestations, certifications and audits content area . 32
10.13.1
Attestations, certifications and audits component . 32
Bibliography . 34
iv © ISO/IEC 2015 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 19086-1
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 19086-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud Computing and Distributed Platforms.
ISO/IEC 19086 consists of the following parts, under the general title Information technology — Cloud
computing ─ Service Level Agreement (SLA) framework:
⎯ Part 1: Overview and concepts
⎯ Part 2: Metrics
⎯ Part 3: Core requirements
⎯ Part 4: Security & Privacy
© ISO/IEC 2015 – All rights reserved v
---------------------- Page: 5 ----------------------
COMMITTEE DRAFT ISO/IEC DIS 19086-1
1 Information technology — Cloud computing ─ Service Level
2 Agreement (SLA) framework — Part 1: Overview and concepts
3 1 Scope
4 This International Standard specifies an overview of Service Level Agreements (SLA)s for cloud services,
5 identification of the relationship between the cloud service agreement and the SLA, concepts that can be
6 used to build cloud SLAs, and terms commonly used in SLAs for cloud services. This standard is for the
7 benefit and use of both cloud service provider and cloud service customer.
8 This International Standard does not provide a standard structure that can be used for a cloud SLA or a
9 standard set of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that
10 will apply to all cloud services or all cloud service providers. Contracts vary between cloud service providers,
11 and in some cases different cloud service customers can negotiate different contract terms with the same
12 cloud service provider for the same cloud service, so this standard seeks to establish a set of common
13 cloud SLA building blocks (concepts, terms, definitions, contexts) that can then be used to create cloud
14 SLAs that help avoid confusion and facilitates a common understanding between cloud service providers
15 and cloud service customers.
16 This International Standard does not supersede any legal requirement.
17 2 Normative references
18 The following referenced documents are indispensable for the application of this document. For dated
19 references, only the edition cited applies. For undated references, the latest edition of the referenced
20 document (including any amendments) applies.
21 Recommendation ITU-T Y.3500 | ISO/IEC 17788:2014, Information technology — Cloud computing —
22 Overview and vocabulary
23 Recommendation ITU-T Y.3502 | ISO/IEC 17789:2014, Information technology — Cloud computing —
24 Reference architecture
25 3 Terms and definitions
26 For the purposes of this document, the terms and definitions given in Rec. ITU-T Y.3500 | ISO/IEC 17788
27 and the following definitions apply.
28 3.1
29 accessibility
30 usability of a product, service, environment or facility by people within the widest range of capabilities
31 Note 1 to entry: The concept of accessibility addresses the full range of user capabilities and is not limited
32 to users who are formally recognized as having disability.
© ISO/IEC 2015 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC DIS 19086-1
33 Note 2 to entry: The usability-oriented concept of accessibility aims to achieve levels of effectiveness,
34 efficiency and satisfaction that are as high as possible considering the specified context of use, while
35 paying attention to the full range of capabilities within the user population.
36 Note 3 to entry: It is important in the context of ISO/IEC 19086 to distinguish between the specialized
37 meaning of “accessibility” as defined here and the term “accessible” which is used with its dictionary
38 meaning of “able to be reached or entered”.
39 [SOURCE: ISO 9241-171:2008, 3.2]
40 3.2
41 cloud service agreement
42 documented agreement between the cloud service provider and cloud service customer that governs the
43 covered service(s)
44
45 Note 1 to entry: A cloud service agreement can consist of one or more parts recorded in one or more
46 documents
47
48 3.3
49 failure notification policy
50 policy specifying the processes by which the cloud service customer and cloud service partner can notify
51 the cloud service provider of a service outage and by which the cloud service provider can notify the cloud
52 service customer and cloud service partner that a service outage has occurred.
53 Note 1 to entry: The policy may also include the process for providing updates on service outages, who
54 receives notifications and updates, the maximum time between the detection of a service outage and the
55 issuance of a notice of service outage, the maximum time interval between service outage updates and
56 how service outage updates are described
57 3.4
58 remedy
59 compensation available to the cloud service customer in the event the cloud service provider fails to meet a
60 specified cloud service level objective.
61 3.5
62 resilience
63 ability of a cloud service to recover operational condition quickly after a fault occurs
64 3.6
65 cloud service level objective
66 SLO
67 commitment a cloud service provider makes for a specific, quantitative characteristic of a cloud service,
68 where the value follows the interval or ratio scale
69
70 Note 1 to entry: an SLO commitment may be expressed as a range
71 3.7
72 cloud service qualitative objective
73 SQO
74 commitment a cloud service provider makes for a specific, qualitative characteristic of a cloud service,
75 where the value follows the nominal or ordinal scale
76 Note 1 to entry: a cloud service qualitative objective may be expressed as an enumerated list
77 Note 2 to entry: qualitative characteristics typically require human interpretation
78 Note 3 to entry: The ordinal scale allows for existence/nonexistence
2 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC DIS 19086-1
79 3.8
80 metric
81 a standard of measurement that defines the conditions and the rules for performing the measurement and
82 for understanding the results of a measurement.
83 Note 1 to entry: A metric implements a particular abstract metric concept.
84 Note 2 to entry: A metric is to be applied in practice within a given context that requires specific properties
85 to be measured, at a given time(s) for a specific goal.
86 3.9
87 disaster recovery
88 ability of the ICT elements of an organization to support its critical business functions to an acceptable level
89 within a predetermined period of time following a disaster
90 [SOURCE: ISO/IEC 27031:2011, 3.7]
91 3.10
92 personally identifiable information (PII)
93 any information that (a) can be used to identify the PII principal to whom such information relates, or
94 (b) is or might be directly or indirectly linked to a PII principal
95
96 Note to entry: To determine whether a PII principal is identifiable, account should be taken of all the means
97 which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify
98 that natural person.
99 [SOURCE: ISO/IEC 29100:2011, 2.9]
100
101 3.11
102 PII processor
103 privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance
104 with the instructions of a PII controller
105 [SOURCE: ISO/IEC 29100, 2.12]
106 3.12
107 service level agreement (SLA)
108 part of the cloud service agreement that includes cloud service level objectives and cloud service qualitative
109 objectives for the covered service(s)
110
111 3.13
112 business continuity
113 capability of the organization to continue delivery of products or services at acceptable predefined levels
114 following disruptive incident
115 [SOURCE: ISO/IEC 22301:2012(en), 3.3]
116 3.14
117 PII controller
118 privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing
119 personally identifiable information (PII) other than natural persons who use data for personal purposes
120 [SOURCE: ISO/IEC 29100:2011, 2.10]
121 3.15
122 PII principal
123 natural person to whom the personally identifiable information (PII) relates
124 [SOURCE: ISO/IEC 29100:2011, 2.11]
© ISO/IEC 2015 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC DIS 19086-1
125 3.16
126 nominal scale
127 scale with unordered labelled categories or ordered by convention
128
129 [SOURCE: ISO 3534-2:2006(en), 1.1.6]
130
131 3.17
132 ordinal scale
133 scale with ordered labelled categories
134 [SOURCE: ISO 3534-2:2006(en), 1.1.7]
135 3.18
136 interval scale
137 continuous scale or discrete scale with equal sized scale values and an arbitrary zero
138 [SOURCE: ISO 3534-2:2006(en), 1.1.8]
139 3.19
140 ratio scale
141 continuous scale with equal sized scale values and an absolute or natural zero point
142 [SOURCE: ISO 3534-2:2006(en), 1.1.9]
143 4 Symbols and abbreviated terms
144 For the purposes of this document, the following abbreviations apply:
145 AUP Acceptable Use Policy
146 BLOB Binary Large Object
147 CSA Cloud Service Agreement
148 CSC Cloud Service Customer
149 CSP Cloud Service Provider
150 DDoS Distributed Denial of Service
151 IaaS Infrastructure as a Service
152 ICT Information and Communications Technology
153 IPR Intellectual Property Rights
154 IT Information Technology
155 KPI Key Performance Indicator
156 MBRT Maximum Batch Response Time
157 MTTSR Maximum Time to Service Recovery
158 PaaS Platform as a Service
159 PII Personally Identifiable Information
4 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC DIS 19086-1
160 RPO Recovery Point Objective
161 RTO Recovery Time Objective
162 SaaS Software as a Service
163 SCRUD search, create, read, update and delete
164 SLA Service Level Agreement
165 SLO Cloud Service Level Objective
166 SQO Cloud Service Qualitative Objective
167 TTSR Time to Service Recovery
168 VM Virtual Machine
169 WCAG W3C Web Content Accessibility Guidelines
170 5 Overview of SLAs for cloud services
171 A service level agreement (SLA) is a part of the cloud service agreement that includes cloud service level
172 objectives and cloud service qualitative objectives for the covered service(s). The cloud SLA should
173 account for the key characteristics of cloud computing as described in Clause 6.2 of Rec. ITU-T Y.3500 |
174 ISO/IEC 17788 that include:
175 ⎯ Self-service – A CSC may gain access to cloud services without human interaction with the CSP. The
176 cloud service agreement (CSA) (see Clause 6) and the associated cloud SLA may be presented and
177 agreed through software tools and financial arrangements that are automated.
178 ⎯ Resource pooling – The public cloud deployment models allow sharing resources across many CSCs
179 that do not have a relationship. The private cloud models allow users to share resources within the
180 same organization. The hybrid cloud models allow users to share some resources within the same
181 organization and some resources across many CSCs that do not necessarily have a relationship. The
182 community cloud deployment models allow sharing resources across CSCs that have some
183 relationship.
184 ⎯ Multi-tenancy – Cloud environments are enabled through the use of large-scale virtualization of
185 servers, storage and networks. Overall system usage is typically spread over many CSCs. Cloud
186 environments typically have no persistent relationship between particular physical resources and their
187 use by CSCs. The CSCs are assigned virtual resources, and logging of usage is done at this level of
188 abstraction.
189 ⎯ Rapid elasticity and scaling – A characteristic of cloud computing where physical or virtual resources
190 can be rapidly and elastically adjusted, in some cases automatically, to quickly increase or decrease
191 resources.
192 ⎯ Tradeoff between cost and control – Large-scale, standardized cloud services may be provided on a
193 low unit cost, utility basis, in conjunction with standardized contracts and cloud SLAs. If a CSC requires
194 more control and customization of cloud services than is available from a standard utility service model,
195 then this may be provided at additional cost and with a specific cloud SLA.
196 ⎯ Measured service - A feature where the metered delivery of cloud services is such that usage can be
197 monitored, controlled, reported, and billed. This is an important feature needed to optimize and validate
198 the delivered cloud service. The focus of this key characteristic is that the CSC may only pay for the
199 resources that they use.
© ISO/IEC 2015 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC DIS 19086-1
200 ⎯ Broad network access – The capabilities of cloud services are made available over the network and
201 are typically accessed through standard mechanisms that promote use by heterogeneous client
202 platforms (for example, access through mobile phones, laptops and workstations).
203 Details of cloud SLAs, SLOs and SQOs can vary for different cloud service categories, cloud capabilities
204 types and different cloud deployment models (see Rec ITU-T Y.3500 | ISO/IEC 17788). Cloud SLAs in this
205 standard are intended to be useful for CSCs and CSPs across the variety of cloud service categories and
206 cloud deployment models. As the definition of cloud SLOs and SQOs is intended to be technology and
207 business model neutral, so not all of these SLOs or SQOs will apply to every cloud service, and those that
208 do apply may be structured and applied in different ways to specific cloud services. For example, service
209 availability can be measured in different ways, some of which depend on the specific cloud service; a
210 computational cloud service is different than an email cloud service and service availability for each will be
211 computed differently.
212 6 Relationship between the cloud service agreement and SLAs
213 Cloud s
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.