1、BS ISO/IEC 19086-1:2016 Information technology Cloud computing Service level agreement (SLA) framework Part 1: Overview and concepts BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 19086-1:2016 BRITISH STANDARD National foreword This British Standard is t
2、he UK implementation of ISO/IEC 19086-1:2016. The UK participation in its preparation was entrusted to Technical Committee IST/38, Cloud Computing and Distributed Platforms. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not p
3、urport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 88681 2 ICS 35.020 Compliance with a British Standard cannot confer immunity from legal obli
4、gations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 September 2016. Amendments/corrigenda issued since publication Date Text affectedBS ISO/IEC 19086-1:2016 Information technology Cloud computing Service level agreement (SLA) framewor
5、k Part 1: Overview and concepts Technologies de linformation Informatique en nuage Cadre de travail de laccord du niveau de service Partie 1: Aperu gnral et concepts INTERNATIONAL STANDARD ISO/IEC 19086-1 Reference number ISO/IEC 19086-1:2016(E) First edition 2016-09-15 ISO/IEC 2016 BS ISO/IEC 19086
6、-1:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photoco
7、pying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 7
8、49 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 19086-1:2016(E)BS ISO/IEC 19086-1:2016ISO/IEC 19086-1:2016(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Symbols and abbreviated terms . 4 5 Overview of SLAs for cloud services . 5 6
9、 Relationship between the cloud service agreement and cloud SLAs .6 7 Cloud SLA management best practices 7 7.1 General . 7 7.2 Design . 7 7.3 Evaluation and acceptance . 7 7.4 Implementation and execution . 8 7.5 Changes to the cloud SLA . 8 8 The role of cloud service level objectives, cloud servi
10、ce qualitative objectives, metrics, remedies and exceptions in the cloud SLA . 8 8.1 General . 8 8.2 Metrics 8 8.3 SLOs and SQOs . 9 8.3.1 Service levels . 9 8.3.2 Cloud service level objectives . 9 8.3.3 Cloud service qualitative objectives 9 8.4 Remedies and claims 10 8.4.1 Remedies .10 8.4.2 Clai
11、ms process 10 8.5 Exceptions 10 9 Cloud SLA components 10 9.1 General 10 9.2 Covered services component .10 9.2.1 Description .10 9.2.2 Relevance .11 9.3 Cloud SLA definitions component .11 9.3.1 Description .11 9.3.2 Relevance .11 9.4 Service monitoring component .11 9.4.1 Description .11 9.4.2 Rel
12、evance .11 9.4.3 Cloud service qualitative objectives .11 9.5 Roles and responsibilities component 11 9.5.1 Description .11 9.5.2 Relevance .12 10 Cloud SLA content areas and their components .12 10.1 General 12 10.2 Accessibility content area .12 10.2.1 Accessibility component 12 10.3 Availability
13、content area 13 10.3.1 Availability component .13 10.4 Cloud service performance content area 13 10.4.1 General.13 10.4.2 Cloud service response time component .13 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 19086-1:2016ISO/IEC 19086-1:2016(E)10.4.3 Cloud service capacity component1
14、4 10.4.4 Elasticity component . 15 10.5 Protection of personally identifiable information (PII) content area.16 10.5.1 Protection of PII component .16 10.6 Information Security content area 17 10.6.1 Information Security component .17 10.7 Termination of service content area .18 10.7.1 Termination o
15、f service component .18 10.8 Cloud service support content area .19 10.8.1 Cloud service support component 19 10.9 Governance content area . 21 10.9.1 Governance component 21 10.10 Changes to the cloud service features and functionality content area 22 10.10.1 Changes to the cloud service features a
16、nd functionality component .22 10.11 Service reliability content area 23 10.11.1 General.23 10.11.2 Service resilience/fault tolerance component 23 10.11.3 Customer data backup and restore component .24 10.11.4 Disaster recovery component25 10.12 Data management content area 26 10.12.1 General.26 10
17、.12.2 Intellectual property rights (IPR) component 27 10.12.3 Cloud service customer data component 27 10.12.4 Cloud service provider data component 28 10.12.5 Account data component .28 10.12.6 Derived Data component .28 10.12.7 Data portability component 29 10.12.8 Data deletion component 29 10.12
18、.9 Data location component.30 10.12.10 Data examination component .31 10.12.11 Law enforcement access component 31 10.13 Attestations, certifications and audits content area 31 10.13.1 Attestations, certifications and audits component31 Bibliography .33 iv ISO/IEC 2016 All rights reservedBS ISO/IEC
19、19086-1:2016ISO/IEC 19086-1:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of In
20、ternational Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liai
21、son with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part
22、 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elemen
23、ts of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations r
24、eceived (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO
25、s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 38, Cloud computing and distributed platforms. A list of all pa
26、rts in the ISO/IEC 19086 series can be found on the ISO website. ISO/IEC 2016 All rights reserved vBS ISO/IEC 19086-1:2016ISO/IEC 19086-1:2016(E) Introduction This document provides an overview, foundational concepts, and definitions for the cloud SLA framework. ISO/IEC 19086 builds on the cloud com
27、puting concepts defined in ISO/IEC 17788 and ISO/IEC 17789. This document establishes a common framework for helping organizations to understand the purpose of all the parts of ISO/IEC 19086 and the relationships between those parts. It also identifies other documents that have relationships with IS
28、O/IEC 19086 and which are useful in understanding cloud SLAs. This document can be used by any organization or individual involved in the creation, modification or understanding of a cloud service level agreement which conforms to ISO/IEC 19086. The cloud SLA should account for the key characteristi
29、cs of a cloud computing service and needs to facilitate a common understanding between cloud service providers and cloud service customers. In particular, it defines the following fundamental concepts of the cloud SLA framework: Cloud Service Agreement (CSA) Cloud Service Level Agreement (SLA) Cloud
30、 Service Level Objectives (SLO) Cloud Service Qualitative Objectives (SQO) This document also describes the content areas and components that consist of a list of SLOs and SQOs. ISO/IEC 19086-2 provides the metrics model to be used for creating metrics used in SLOs and SQOs. ISO/IEC 19086-3 provides
31、 the core conformance requirements derived from the SLOs and SQOs defined in this document. ISO/IEC 19086-4 builds upon the foundational concepts and definitions described by this document by describing specific components and the conformance requirements for SLOs and SQOs in the area of Security an
32、d Privacy. More specifically, this document a) promotes cohesion between the parts of ISO/IEC 19086 by explaining the concepts and terminology used across all parts, b) contributes to the understanding of ISO/IEC 19086 by clarifying the relationships between all the parts, and c) provides an overvie
33、w of other International Standards which can be used in combination with ISO/IEC 19086. Figure 1 represents an overview of the content of ISO/IEC 19086 and the relationships between the parts of ISO/IEC 19086 and other key International Standards relating to cloud computing.vi ISO/IEC 2016 All right
34、s reservedBS ISO/IEC 19086-1:2016ISO/IEC 19086-1:2016(E) Figure 1 Relationship of parts of ISO/IEC 19086 and other cloud computing standards This document addresses the contents of a cloud SLA in two main groupings: SLA Components, addressed in Clause 9, and SLA Content Areas, addressed in Clause 10
35、, as shown in Figure 2. Figure 2 SLA components and SLA content areas ISO/IEC 2016 All rights reserved viiBS ISO/IEC 19086-1:2016BS ISO/IEC 19086-1:2016Information technology Cloud computing Service level agreement (SLA) framework Part 1: Overview and concepts 1 Scope This document seeks to establis
36、h a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs). This document specifies a) an overview of cloud SLAs, b) identification of the relationship between the cloud service agreement and the cloud SLA, c)
37、 concepts that can be used to build cloud SLAs, and d) terms commonly used in cloud SLAs. This document is for the benefit and use of both cloud service providers and cloud service customers. The aim is to avoid confusion and facilitate a common understanding between cloud service providers and clou
38、d service customers. Cloud service agreements and their associated cloud SLAs vary between cloud service providers, and in some cases different cloud service customers can negotiate different contract terms with the same cloud service provider for the same cloud service. This document aims to assist
39、 cloud service customers when they compare cloud services from different cloud service providers. This document does not provide a standard structure that can be used for a cloud SLA or a standard set of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that will
40、apply to all cloud services or all cloud service providers. This approach provides flexibility for cloud service providers in tailoring their cloud SLAs to the particular characteristics of the offered cloud services. This document does not supersede any legal requirement. 2 Normative references The
41、 following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
42、ISO/IEC 17788:2014, Information technology Cloud computing Overview and vocabulary ISO/IEC 17789,Information technology Cloud computing Reference architecture 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 17788 and the following apply. ISO a
43、nd IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ INTERNATIONAL ST ANDARD ISO/IEC 19086-1:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 19086-1:2016ISO/IEC 19086-1:2016(E) ISO Online bro
44、wsing platform: available at http:/ /www.iso.org/obp 3.1 accessibility usability of a product, service, environment or facility by people within the widest range of capabilities Note 1 to entry: The concept of accessibility addresses the full range of user capabilities and is not limited to users wh
45、o are formally recognized as having disability. Note 2 to entry: The usability-oriented concept of accessibility aims to achieve levels of effectiveness, efficiency and satisfaction that are as high as possible considering the specified context of use, while paying attention to the full range of cap
46、abilities within the user population. Note 3 to entry: It is important in the context of ISO/IEC 19086 to distinguish between the specialized meaning of “accessibility” as defined here and the term “accessible” which is used with its dictionary meaning of “able to be reached or entered.” SOURCE: ISO
47、 9241-171:2008, 3.2 3.2 business continuity capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident SOURCE: ISO/IEC 22301:2012, 3.3 3.3 cloud service agreement documented agreement between the cloud service provider an
48、d cloud service customer that governs the covered service(s) Note 1 to entry: A cloud service agreement can consist of one or more parts recorded in one or more documents. 3.4 cloud service level agreement cloud SLA part of the cloud service agreement (3.3) that includes cloud service level objectiv
49、es (3.5) and cloud service qualitative objectives (3.6) for the covered cloud service(s) 3.5 cloud service level objective SLO commitment a cloud service provider makes for a specific, quantitative characteristic of a cloud service, where the value follows the interval scale (3.9) or ratio scale (3.17) Note 1 to entry: An SLO commitment may be expressed as a range. 3.6 cloud service qualitative objective SQO commitment a cloud service provider makes for a spe