ISO

Information technology -- Cloud computing -- Reference architecture

ISO/IEC 17789 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.

ISO/IEC 17789:2014

Information technology -- Cloud computing -- Overview and vocabulary

ISO/IEC 17788 provides an overview of cloud computing along with a set of terms and definitions. It is a terminology foundation for cloud computing standards.
ISO/IEC 17788 is applicable to all types of organizations (e.g., commercial enterprises, government agencies, not-for-profit organizations).

ISO/IEC 17788:2014

Information technology -- Open Virtualization Format (OVF) specification

The Open Virtualization Format (OVF) standard provides the industry with a standard packaging format for software solutions based on virtual systems, solving critical business needs for software vendors and cloud computing service providers. 
OVF has been developed by the DMTF (see also the DMTF OVF Standards Watch link).
 
The standard can be bought here: https://www.iso.org/standard/72081.html
The informative sections of this standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:17203:ed-2:v1:en

ISO/IEC 17203:2017

Information technology -- Security techniques -- Information security for supplier relationships -- Part 4: Guidelines for security of cloud services

ISO/IEC 27036-4 provides cloud service customers and cloud service providers with guidance on
a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and
b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services.
ISO/IEC 27036-4 does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity.
ISO/IEC 27036-4 does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017.
The scope of ISO/IEC 27036-4 is to define guidelines supporting the implementation of information security management for the use of cloud services.

ISO/IEC 27036-4:2016

Cloud computing -- Service level agreement (SLA) framework -- Part 4: Components of security and of protection of PII

This document specifies security and protection of personally identifiable information components, SLOs and SQOs for cloud service level agreements (cloud SLA) including requirements and guidance.
This document is for the benefit and use of both CSPs and CSCs.
 
The standard can be bought here: https://www.iso.org/standard/68242.html
The informative sections of this standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:19086:-4:ed-1:v1:en

ISO/IEC 19086-4:2019

Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.
The guidelines in this document can also be relevant to organizations acting as PII controllers. However, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. This document is not intended to cover such additional obligations.
 
The standard can be bought here: https://www.iso.org/standard/76559.html
The informative sections of this standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:27018:ed-2:v1:en

ISO/IEC 27018:2019

Information technology -- Reference Architecture for Service Oriented Architecture (SOA RA) -- Part 3: Service Oriented Architecture ontology

ISO/IEC 18384-3 defines a formal ontology for service-oriented architecture (SOA), an architectural style that supports service orientation. The terms defined in this ontology are key terms from the vocabulary in ISO/IEC 18384-1.

ISO/IEC 18384-3:2016

Information technology -- Cloud computing -- Service level agreement (SLA) framework -- Part 1: Overview and concept

ISO/IEC 19086-1 seeks to establish a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs).
This document specifies
a) an overview of cloud SLAs,
b) identification of the relationship between the cloud service agreement and the cloud SLA,
c) concepts that can be used to build cloud SLAs, and
d) terms commonly used in cloud SLAs.
ISO/IEC 19086-1 is for the benefit and use of both cloud service providers and cloud service customers. The aim is to avoid confusion and facilitate a common understanding between cloud service providers and cloud service customers. Cloud service agreements and their associated cloud SLAs vary between cloud service providers, and in some cases different cloud service customers can negotiate different contract terms with the same cloud service provider for the same cloud service. This document aims to assist cloud service customers when they compare cloud services from different cloud service providers.
ISO/IEC 19086-1 does not provide a standard structure that can be used for a cloud SLA or a standard set of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that will apply to all cloud services or all cloud service providers. This approach provides flexibility for cloud service providers in tailoring their cloud SLAs to the particular characteristics of the offered cloud services.
ISO/IEC 19086-1 does not supersede any legal requirement.

ISO/IEC 19086-1:2016

Information technology -- Cloud Computing -- Taxonomy based data handling for cloud services

This document:
- describes a framework for the structured expression of data-related policies and practices in the cloud computing environment, based on the data taxonomy in ISO/IEC 19944:2017;
- provides guidelines on application of the taxonomy for handling of data based on data subcategory and classification;
- covers expression of data-related policies and practices including, but not limited to data geolocation, cross border flow of data, data access and data portability, data use, data management, and data governance;
- describes how the framework can be used in codes of conduct for practices regarding data at rest and in transit, including cross border transfer of data, as well as remote access to data;
- provides use cases for data handling challenges, i.e. control, access and location of data according to ISO/IEC 19944:2017 data categories.
This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of taxonomy based data management in cloud services.
 
Under development

ISO/IEC DIS 22624 

Information technology -- Cloud computing -- Concepts and terminology

This document provides a consolidated set of concepts, terms, terminology and definitions extracted from the ISO/IEC cloud computing standards, including, but not limited to, ISO/IEC 17788, ISO/IEC 17789, ISO/IEC 19086, ISO/IEC 19941 and ISO/IEC 19944. In addition, relevant and stable terminology from non-cloud computing ISO sources (e.g., Information technology -- Security techniques) and external organizations is also included.
This document also contains terms and definitions that are not necessarily contained in other works.
This document also addresses discrepancies and inconsistencies that have been identified in the consolidated terms and definitions to further enhance the usability of the ISO cloud computing terminology.
This document includes additional descriptions and clarifications of cloud computing vocabulary terms, concepts, and their inter-relationships.
 
Under development

ISO/IEC CD 22123 

Preliminary Draft Amendment of ISO/IEC 19944:2017

This document
- extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services,
- describes the various types of data flowing within the devices and cloud computing ecosystem,
- describes the impact of connected devices on the data that flow within the cloud computing ecosystem,
- describes flows of data between cloud services, cloud service customers and cloud service users,
- provides foundational concepts, including a data taxonomy, and
- identifies the categories of data that flow across the cloud service customer devices and cloud services.
This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of data flows between devices and cloud services.
 
Under development

ISO/IEC 19944:2017/PDAM 1 

Information technology -- Distributed Application Platforms and Services (DAPS) -- General technical principles of Service Oriented Architecture

ISO/IEC TR 30102 describes the general technical principles underlying Service Oriented Architecture (SOA), including principles relating to functional design, performance, development, deployment and management. It provides a vocabulary containing definitions of terms relevant to SOA.
It includes a domain-independent technical framework, addressing functional requirements and non-functional requirements.
 
The standard can be bought here: https://www.iso.org/standard/53222.html
The informative sections of this standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:tr:30102:ed-1:v1:en

ISO/IEC TR 30102:2012