ISO/IEC 19086: A Cloud Due Diligence Checklist

The service level agreement (SLA), a pivotal piece of any cloud or managed services relationship, consists of many terms, responsibilities, and procedures between the vendor (or service provider) and the customer. While completely necessary, SLAs are often inconsistent and lacking in governance, which creates pain points during cloud procurement.

This is why, according to Forrester Research, ninety-four percent of respondents would have changed something about their most recent cloud agreement.

To address the challenges that many organizations face in cloud procurement, the International Organization for Standardization (ISO) is in the process of establishing a standard designed to simplify SLAs. Microsoft, in turn, announced a checklist for the proposed standard, and we look to break it down further below.

Background: ISO Announces ISO/IEC 19086-1 Standard

In September 2016, the International Organization for Standardization (ISO), an international standard-setting body that develops worldwide technological and manufacturing standards, announced a standard for cloud compliance agreements and SLA frameworks and technology. This standard, ISO/IEC 19086-1, offers much-needed structure and guidance for cloud contracts that will help inform cloud service providers (CSPs) and buyers alike.

ISO/IEC 19086 looks to build upon ISO/IEC 17788 and ISO 17789. The goal of the document is to establish common terminology and provide building blocks for cloud SLAs, covering the following:

  • An overview of cloud SLAs,
  • Identification of the relationship between the cloud service agreement and the cloud SLA,
  • Concepts that can be used to build cloud SLAs, and
  • Terms commonly used in cloud SLAs.

ISO/IEC 19086-1:2016 is for the benefit and use of both cloud service providers and cloud service customers. The aim is to avoid confusion and facilitate a common understanding between cloud service providers and cloud service customers.

Cloud service agreements and their associated cloud SLAs vary between cloud service providers, and in some cases different cloud service customers can negotiate different contract terms with the same cloud service provider for the same cloud service. This document aims to assist cloud service customers when they compare cloud services from different cloud service providers.

Additionally, parts 2, 3, and 4 cover, respectively, the metrics model, the requirements, and the security and privacy measures that need to be in place under the new standard.

[Figure: ISO 19086 Relationships with other Standards]

Microsoft Releases ISO/IEC 19086-1:2016 Checklist

To help organizations exercise due diligence as they consider a move to the cloud, Microsoft developed the Cloud Services Due Diligence Checklist. Microsoft’s checklist is tailored to a wide variety of organizations, including public sector, private sector, nonprofits, and more, and aims to provide guidance for these organizations as they identify their own performance, service, data management, and governance objectives and requirements.

[Figure: ISO 19086 Components and Content Areas]

Using the checklist, organizations will be able to define and communicate their goals and needs to providers, allowing both parties to form a better cloud service level agreement. The checklist highlights the following areas of consideration, most notably:

  • Performance: Includes accessibility standards to be met, availability guarantees, capacity, and elasticity specifications.
  • Service: Sets the basics for what service the provider will offer, most notably monitoring, response time, and resilience/fault tolerance. Takes a deeper look at disaster recovery, backup/recovery, and support plan pricing and specs.
  • Data Management: Provides the building blocks and basics of data ownership, intellectual property, data portability, location, and more.
  • Governance: Defines the roles and responsibilities of both parties, including information security, termination of service, changes, law enforcement access, and applicable certifications/audits/attestation.

Head to Microsoft’s Cloud Services Due Diligence Checklist page to learn more and to download the full checklist.


