1、Information technology Cloud computing Service level agreement (SLA) framework Part 3: Core conformance requirements BS ISO/IEC 190863:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information technology Cloud computing Service level agreement (SLA) framework
2、 Part 3: Core conformance requirements Technologies de linformation Informatique en nuage Cadre de travail de laccord du niveau de service Partie 3: Exigences de conformit essentielles INTERNATIONAL STANDARD ISO/IEC 19086-3 Reference number ISO/IEC 19086-3:2017(E) First edition 2017-07 ISO/IEC 2017
3、National foreword This British Standard is the UK implementation of ISO/IEC 190863:2017. The UK participation in its preparation was entrusted to Technical Committee IST/38, Cloud Computing and Distributed Platforms. A list of organizations represented on this committee can be obtained on request to
4、 its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 978 0 580 93076 8 ICS 35.210; 35.020 Compliance with a Briti
5、sh Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 July 2017. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 190863:2017Information tech
6、nology Cloud computing Service level agreement (SLA) framework Part 3: Core conformance requirements Technologies de linformation Informatique en nuage Cadre de travail de laccord du niveau de service Partie 3: Exigences de conformit essentielles INTERNATIONAL STANDARD ISO/IEC 19086-3 Reference numb
7、er ISO/IEC 19086-3:2017(E) First edition 2017-07 ISO/IEC 2017 BS ISO/IEC 190863:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized othe
8、rwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office
9、 Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 19086-3:2017(E) BS ISO/IEC 190863:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights r
10、eserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either
11、 ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 19086-3:2017(E)ISO/IEC 19086-3:2017(E)Foreword v 1 Scope
12、 . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviated terms 1 5 Conformance . 2 6 Relationship between the cloud service agreement and cloud SLAs .2 7 Cloud SLA Management . 2 8 Role of cloud service level objectives, cloud service qualitative objectives, metrics, remedies, and ex
13、ceptions in the cloud SLA . 2 9 Cloud SLA components . 3 9.1 General . 3 9.2 Covered services component 3 9.3 Cloud SLA definitions component 3 9.4 Service monitoring component 3 9.4.1 General 3 9.4.2 Monitoring parameters 3 9.4.3 Monitoring mechanisms 3 9.5 Roles and responsibilities component . 3
14、10 Cloud SLA content areas and their components 4 10.1 General . 4 10.2 Accessibility content area 4 10.2.1 Accessibility component . 4 10.2.2 Accessibility standards . 4 10.2.3 Accessibility policies . 4 10.3 Availability content area . 4 10.3.1 Availability component 4 10.3.2 Availability. 4 10.4
15、Cloud service performance content area . 4 10.4.1 General 4 10.4.2 Cloud service response time component 4 10.4.3 Cloud service capacity component. 5 10.4.4 Elasticity component 5 10.5 Protection of personally identifiable information (PII) content area 6 10.6 Information security content area . 6 1
16、0.7 Termination of service content area 6 10.7.1 Termination of service component 6 10.7.2 Data retention period 6 10.7.3 Log retention period . 6 10.7.4 Notification of service termination 6 10.7.5 Return of assets 6 10.8 Cloud service support content area 7 10.8.1 Cloud service support component .
17、 7 10.8.2 Support hours . 7 10.8.3 Service incident support hours . 7 10.8.4 Service incident notification time . 7 10.8.5 Maximum first response time . 7 10.8.6 Maximum incident resolution time . 7 10.8.7 Support plans 7 10.8.8 Support methods . 7 10.8.9 Support contacts 7 ISO/IEC 2017 All rights r
18、eserved iii Contents Page BS ISO/IEC 190863:2017 ISO/IEC 19086-3:2017(E)10.8.10 Service incident reporting . 7 10.8.11 Service incident notification 8 10.9 Governance content area 8 10.9.1 Governance component . 8 10.9.2 Regulation adherence 8 10.9.3 Standards adherence 8 10.9.4 Policy adherence 8 1
19、0.9.5 Audit schedule . 8 10.10 Changes to the cloud service features and functionality content area . 8 10.10.1 Changes to the cloud service features and functionality component 8 10.10.2 Minimum service change notification period . 8 10.10.3 Minimum time before feature/function deprecation . 9 10.1
20、0.4 Service change notification method 9 10.11 Service reliability content area . 9 10.11.1 General 9 10.11.2 Service resilience/fault tolerance component . 9 10.11.3 Customer data backup and restore component .10 10.11.4 Disaster recovery component11 10.12 Data management content area 11 10.12.1 In
21、tellectual property rights (IPR) component 11 10.12.2 Cloud service customer data component 11 10.12.3 Cloud service provider data component 11 10.12.4 Account data component .12 10.12.5 Derived data component 12 10.12.6 Data portability component 12 10.12.7 Data deletion component 12 10.12.8 Data l
22、ocation component.13 10.12.9 Data examination component .13 10.12.10 Law enforcement access component 14 10.13 Attestations, certifications and audits content area 14 10.13.1 General.14 10.13.2 Cloud service attestations .14 10.13.3 Cloud service certifications .14 10.13.4 Cloud service audits .14 B
23、ibliography .15 iv ISO/IEC 2017 All rights reserved BS ISO/IEC 190863:2017 ISO/IEC 19086-3:2017(E)10.8.10 Service incident reporting . 7 10.8.11 Service incident notification 8 10.9 Governance content area 8 10.9.1 Governance component . 8 10.9.2 Regulation adherence 8 10.9.3 Standards adherence 8 1
24、0.9.4 Policy adherence 8 10.9.5 Audit schedule . 8 10.10 Changes to the cloud service features and functionality content area . 8 10.10.1 Changes to the cloud service features and functionality component 8 10.10.2 Minimum service change notification period . 8 10.10.3 Minimum time before feature/fun
25、ction deprecation . 9 10.10.4 Service change notification method 9 10.11 Service reliability content area . 9 10.11.1 General 9 10.11.2 Service resilience/fault tolerance component . 9 10.11.3 Customer data backup and restore component .10 10.11.4 Disaster recovery component11 10.12 Data management
26、content area 11 10.12.1 Intellectual property rights (IPR) component 11 10.12.2 Cloud service customer data component 11 10.12.3 Cloud service provider data component 11 10.12.4 Account data component .12 10.12.5 Derived data component 12 10.12.6 Data portability component 12 10.12.7 Data deletion c
27、omponent 12 10.12.8 Data location component.13 10.12.9 Data examination component .13 10.12.10 Law enforcement access component 14 10.13 Attestations, certifications and audits content area 14 10.13.1 General.14 10.13.2 Cloud service attestations .14 10.13.3 Cloud service certifications .14 10.13.4
28、Cloud service audits .14 Bibliography .15 iv ISO/IEC 2017 All rights reserved ISO/IEC 19086-3:2017(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies t
29、hat are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other inter
30、national organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its
31、 further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ direc
32、tives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will b
33、e in the Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the voluntary nature of standards, the meani
34、ng of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/ iso/ foreword .html. This document was prepared by Te
35、chnical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 38, Cloud computing and distributed platforms. A list of all the parts in the ISO 19086 series can be found on the ISO website. ISO/IEC 2017 All rights reserved v BS ISO/IEC 190863:2017BS ISO/IEC 190863:2017 Information technol
36、ogy Cloud computing Service level agreement (SLA) framework Part 3: Core conformance requirements 1 Scope This document specifies the core conformance requirements for service level agreements (SLAs) for cloud services based on ISO/IEC 19086-1 and guidance on the core conformance requirements. This
37、document is for the benefit of and use by both cloud service providers and cloud service customers. This document does not provide a standard structure that would be used for cloud SLAs. 2 Normative references The following documents are referred to in the text in such a way that some or all of thei
38、r content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 17788, Information technology Cloud computing Overview and vocabulary ISO/IEC 1
39、9086-1, Information technology Cloud computing Service level agreement (SLA) framework Part 1: Overview and concepts 3 T erms an d definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 17788 and ISO/IEC 19806- 1 apply. ISO and IEC maintain terminological database
40、s for use in standardization at the following addresses: IEC Electropedia: available at h t t p :/ www .electropedia .org/ ISO Online browsing platform: available at h t t p :/ www .iso .org/ obp 4 Abbreviated terms CSC cloud service customer CSP cloud service provider CSA cloud service agreement IC
41、T information and communications technology IPR intellectual property rights PII personally identifiable information RTO recovery time objective INTERNATIONAL ST ANDARD ISO/IEC 19086-3:2017(E) ISO/IEC 2017 All rights reserved 1 BS ISO/IEC 190863:2017 ISO/IEC 19086-3:2017(E) RPO recovery point object
42、ive SLA service level agreement SLO cloud service level objective SQO cloud service qualitative objective 5 Conformance A cloud SLA that conforms to this document shall implement at least the following components, as described in ISO/IEC 19086-1: covered services; cloud SLA definitions. ISO/IEC 1908
43、6-1 includes one or more cloud service level objectives (SLOs) or cloud service qualitative objectives (SQOs) for each cloud SLA component (Clause 9) or content area (Clause 10). When using a component from Clause 9 or a content area from Clause 10, a conforming cloud SLA is not required to use the
44、SLOs or SQOs described in those components or content areas. A conforming cloud SLA is recommended to use SLOs and SQOs from ISO/IEC 19086-1, when appropriate. Regardless of whether an SLO or SQO is used, a CSP shall not redefine any term in such a way that it contradicts the terms and definitions i
45、n ISO/IEC 19086-1 or this document. ISO/IEC 19086-2 defines a model for specifying metrics for cloud service level agreements (SLAs). Conforming cloud SLAs are encouraged to use the model in ISO/IEC 19086-2 when specifying metrics for SLOs and SQOs. A conforming cloud SLA may use a subset of the com
46、ponents (Clause 9) or content areas (Clause 10) described in this document or it may include components or content areas outside the scope of this document. However, a conforming cloud SLA shall adhere to the definition of the terms, components or content areas, as stated in ISO/IEC 19086-1 and the
47、requirements as stated in this document. Conformance for a specific component or content area means that the SLA shall adhere to all the requirements for that component or content area. Conformance to this document does not require implementation of any specific technology. 6 Relationship between th
48、e cloud service agreement and cloud SLAs The relationship between the cloud service agreement and cloud SLAs is covered in ISO/IEC 19086-1. There are no conformance requirements for the relationship between the CSA and cloud SLAs. 7 Cloud SLA Management Cloud SLA management is covered in ISO/IEC 190
49、86-1. There are no conformance requirements for cloud SLA management. 8 Role of cloud service level objectives, cloud service qualitative objectives, metrics, remedies, and exceptions in the cloud SLA The role of cloud service level objectives, cloud service qualitative objectives, metrics, remedies, and exceptions in the cloud SLA is covered in ISO/IEC 19086-1. There are no conformance requirements for role of cloud service level objectives, cloud service qualitative objectives,
