ISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
additional implementation guidance for relevant controls specified in ISO/IEC 27002;
additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.
The guidelines in this document can also be relevant to organizations acting as PII controllers. However, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. This document is not intended to cover such additional obligations.
This document specifies security and protection of personally identifiable information components, SLOs and SQOs for cloud service level agreements (cloud SLA) including requirements and guidance.
This document is for the benefit and use of both CSPs and CSCs.
ISO/IEC 27036-4 provides cloud service customers and cloud service providers with guidance on
a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and
b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services.
ISO/IEC 27036-4 does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity.
ISO/IEC 27036-4 does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017.
The scope of ISO/IEC 27036-4 is to define guidelines supporting the implementation of information security management for the use of cloud services.
The Open Virtualization Format (OVF) standard provides the industry with a standard packaging format for software solutions based on virtual systems, solving critical business needs for software vendors and cloud computing service providers.
OVF has been developed by the DMTF (see also the DMTF OVF Standards Watch link).
ISO/IEC 17788 provides an overview of cloud computing along with a set of terms and definitions. It is a terminology foundation for cloud computing standards.
ISO/IEC 17788 is applicable to all types of organizations (e.g., commercial enterprises, government agencies, not-for-profit organizations).
ISO/IEC 17789 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.
ISO/IEC 17963 describes a Web services protocol based on SOAP for use in management‑specific domains. These domains include the management of entities such as PCs, servers, devices, Web services and other applications manageable entities. Services can expose only a WS-Management interface or compose the WS-Management service interface with some of the many other Web service specifications.
A crucial application for these services is in the area of systems management. To promote interoperability between management applications and managed resources, ISO/IEC PAS 17963 identifies a core set of Web service specifications and usage requirements that expose a common set of operations central to all systems management. This includes the ability to do the following:
a) get, put (update), create, and delete individual resource instances, such as settings and dynamic values;
b) enumerate the contents of containers and collections, such as large tables and logs;
c) subscribe to events emitted by managed resources;
d) execute specific management methods with strongly typed input and output parameters.
In each of these areas of scope, ISO/IEC 17963 defines minimal implementation requirements for conformant Web service implementations. An implementation is free to extend beyond this set of operations, and to choose not to support one or more of the preceding areas of functionality if that functionality is not appropriate to the target device or system.
ISO/IEC 17963 intends to meet the following requirements:
a) constrain Web services protocols and formats so that Web services can be implemented with a small footprint in both hardware and software management services;
b) define minimum requirements for compliance without constraining richer implementations;
c) ensure backward compatibility and interoperability with WS-Management version 1.0;
d) ensure composability with other Web services specifications.
This standard has been developed by the DMTF (see also the DMTF WS-Management Standards Watch link).
ISO/IEC 18384-1 establishes vocabulary, guidelines, and general technical principles underlying service oriented architecture (SOA), including principles relating to functional design, performance, development, deployment, and management.
ISO/IEC 18384-2 describes a Reference Architecture for SOA Solutions which applies to functional design, performance, development, deployment and management of SOA Solutions. It includes a domain-independent framework, addressing functional requirements and non-functional requirements, as well as capabilities and best practices to support those requirements.
ISO/IEC 18384-3 defines a formal ontology for service-oriented architecture (SOA), an architectural style that supports service orientation. The terms defined in this ontology are key terms from the vocabulary in ISO/IEC 18384-1.
This International Standard specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms.
Firstly, this International Standard specifies methods for testing whether a given number is prime. The testing methods included in this International Standard can be divided into two groups:
• Probabilistic primality tests, which have a small error probability. All probabilistic tests described here may declare a composite to be a prime. One test described here may declare a prime to be composite.
• Deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates.
