Data Center and Cloud Services Provider

20 ISO Standards

Core Standards

  • ISO/IEC 27001 - Information Technology

    Information security, cybersecurity and privacy protection — Information security management systems — Requirements

    This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

  • ISO 9001 - Services Management

    Quality management systems — Requirements

    ISO 9001:2015 specifies requirements for a quality management system when an organization:

    a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and

    b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

    All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.

  • ISO/IEC 27017 - Information Technology

    Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

    ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

    - additional implementation guidance for relevant controls specified in ISO/IEC 27002;

    - additional controls with implementation guidance that specifically relate to cloud services.

    This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

  • ISO/IEC 27018 - Information Technology

    Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors

    This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

    In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

    This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.

    The guidelines in this document can also be relevant to organizations acting as PII controllers.

  • ISO/IEC 27701 - Information Technology

    Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

    This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

    Guidance is also provided to assist in the implementation of the requirements in this document.

    This document is intended for personally identifiable information (PII) controllers and PII processors holding responsibility and accountability for PII processing.

    This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

  • ISO/IEC 20000-1 - Information Technology

    Information technology — Service management — Part 1: Service management system requirements

    This document specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS). The requirements specified in this document include the planning, design, transition, delivery and improvement of services to meet the service requirements and deliver value. This document can be used by:

    a) a customer seeking services and requiring assurance regarding the quality of those services;

    b) a customer requiring a consistent approach to the service lifecycle by all its service providers, including those in a supply chain;

    c) an organization to demonstrate its capability for the planning, design, transition, delivery and improvement of services;

    d) an organization to monitor, measure and review its SMS and the services;

    e) an organization to improve the planning, design, transition, delivery and improvement of services through effective implementation and operation of an SMS;

    f) an organization or other party performing conformity assessments against the requirements specified in this document;

    g) a provider of training or advice in service management.

    The term "service" as used in this document refers to the service or services in the scope of the SMS.

  • ISO 22301 - Services Management

    Security and resilience — Business continuity management systems — Requirements

    This document specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.

    The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.

    This document is applicable to all types and sizes of organizations that:

    a) implement, maintain and improve a BCMS;

    b) seek to ensure conformity with stated business continuity policy;

    c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;

    d) seek to enhance their resilience through the effective application of the BCMS.

    This document can be used to assess an organization's ability to meet its own business continuity needs and obligations.

  • ISO/IEC 19086-4 - Information Technology

    Cloud computing — Service level agreement (SLA) framework — Part 4: Components of security and of protection of PII

    This document specifies security and protection of personally identifiable information components, SLOs and SQOs for cloud service level agreements (cloud SLA) including requirements and guidance.

    This document is for the benefit and use of both CSPs and CSCs.

  • ISO 50001 - Services Management

    Energy management systems — Requirements with guidance for use

    This document specifies requirements for establishing, implementing, maintaining and improving an energy management system (EnMS). The intended outcome is to enable an organization to follow a systematic approach in achieving continual improvement of energy performance and the EnMS.

    This document:

    a) is applicable to any organization regardless of its type, size, complexity, geographical location, organizational culture or the products and services it provides;

    b) is applicable to activities affecting energy performance that are managed and controlled by the organization;

    c) is applicable irrespective of the quantity, use, or types of energy consumed;

    d) requires demonstration of continual energy performance improvement, but does not define levels of energy performance improvement to be achieved;

    e) can be used independently, or be aligned or integrated with other management systems.

    Annex A provides guidance for the use of this document. Annex B provides a comparison of this edition with the previous edition.

  • ISO 14001 - Environment Safety

    Environmental management systems — Requirements with guidance for use

    ISO 14001:2015 specifies the requirements for an environmental management system that an organization can use to enhance its environmental performance. ISO 14001:2015 is intended for use by an organization seeking to manage its environmental responsibilities in a systematic manner that contributes to the environmental pillar of sustainability.

    ISO 14001:2015 helps an organization achieve the intended outcomes of its environmental management system, which provide value for the environment, the organization itself and interested parties. Consistent with the organization's environmental policy, the intended outcomes of an environmental management system include:

    • enhancement of environmental performance;

    • fulfilment of compliance obligations;

    • achievement of environmental objectives.

    ISO 14001:2015 is applicable to any organization, regardless of size, type and nature, and applies to the environmental aspects of its activities, products and services that the organization determines it can either control or influence considering a life cycle perspective.

Supporting Standards

  • ISO/IEC 15408-2 - Information Technology

    Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components

    This document defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that meets the common security functionality requirements of many IT products.

  • ISO/IEC 27037 - Information Technology

    Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence

    ISO/IEC 27037:2012 provides guidelines for specific activities in the handling of digital evidence, which are identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value.

    It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.

    ISO/IEC 27037:2012 gives guidance for the following devices and circumstances:

    • Digital storage media used in standard computers like hard drives, floppy disks, optical and magneto optical disks, data devices with similar functions,
    • Mobile phones, Personal Digital Assistants (PDAs), Personal Electronic Devices (PEDs), memory cards,
    • Mobile navigation systems,
    • Digital still and video cameras (including CCTV),
    • Standard computer with network connections,
    • Networks based on TCP/IP and other digital protocols, and
    • Devices with similar functions as above.

    The above list of devices is an indicative list and not exhaustive.

  • ISO/IEC 27035-4 - Information Technology

    Information technology — Information security incident management — Part 4: Coordination

    This document provides guidelines for multiple organizations handling information security incidents in a coordinated manner. It also addresses the impacts of external cooperation on the internal incident management of an individual organization and provides guidelines for an individual organization to adapt to the coordination process. Furthermore, it provides guidelines for the coordination team, if it exists, to perform coordination activities supporting the cross-organization incident response.

    The principles given in this document are generic and are intended to be applicable to multiple organizations to work together to handle information security incidents, regardless of their types, sizes or nature.

  • ISO/IEC 21827 - Information Technology

    Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model® (SSE-CMM®)

    ISO/IEC 21827:2008 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The model is a standard metric for security engineering practices covering the following:

    • the entire life cycle, including development, operation, maintenance and decommissioning activities;
    • the whole organization, including management, organizational and engineering activities;
    • concurrent interactions with other disciplines, such as system, software, hardware, human factors and test engineering; system management, operation and maintenance;
    • interactions with other organizations, including acquisition, system management, certification, accreditation and evaluation.

    The objective is to facilitate an increase of maturity of the security engineering processes within the organization.

  • ISO/IEC 23643 - Information Technology

    Software and systems engineering — Capabilities of software safety and security verification tools

    This document specifies requirements for the vendors and gives guidelines for both the users and the developers of software safety and security verification tools. The users of such tools include, but are not limited to, bodies performing verification and software developers who need to be aware of and pay attention to the safety and/or security of software. This document guides verification tool vendors to provide products of the highest possible quality and helps users to understand the capabilities and characteristics of verification tools.

    This document introduces use cases for software safety and security verification tools and an entity relationship model related to them.

  • ISO 45001 - Environment Safety

    Occupational health and safety management systems — Requirements with guidance for use

    ISO 45001:2018 specifies requirements for an occupational health and safety (OH&S) management system, and gives guidance for its use, to enable organizations to provide safe and healthy workplaces by preventing work-related injury and ill health, as well as by proactively improving its OH&S performance.

    ISO 45001:2018 is applicable to any organization that wishes to establish, implement and maintain an OH&S management system to improve occupational health and safety, eliminate hazards and minimize OH&S risks (including system deficiencies), take advantage of OH&S opportunities, and address OH&S management system nonconformities associated with its activities.

    ISO 45001:2018 helps an organization to achieve the intended outcomes of its OH&S management system. Consistent with the organization's OH&S policy, the intended outcomes of an OH&S management system include:

    a) continual improvement of OH&S performance;

    b) fulfilment of legal requirements and other requirements;

    c) achievement of OH&S objectives.

    ISO 45001:2018 is applicable to any organization regardless of its size, type and activities. It is applicable to the OH&S risks under the organization's control, taking into account factors such as the context in which the organization operates and the needs and expectations of its workers and other interested parties.

    ISO 45001:2018 does not state specific criteria for OH&S performance, nor is it prescriptive about the design of an OH&S management system.

    ISO 45001:2018 enables an organization, through its OH&S management system, to integrate other aspects of health and safety, such as worker wellness/wellbeing.

    ISO 45001:2018 does not address issues such as product safety, property damage or environmental impacts, beyond the risks to workers and other relevant interested parties.

    ISO 45001:2018 can be used in whole or in part to systematically improve occupational health and safety management.

  • ISO/IEC 18033-2 - Information Technology

    Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric ciphers

    ISO/IEC 18033-2:2006 specifies encryption systems (ciphers) for the purpose of data confidentiality. The primary purpose of encryption (or encipherment) techniques is to protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption.

  • ISO/IEC 30118-12 - Information Technology

    Information technology — Open Connectivity Foundation (OCF) Specification — Part 12: Cloud security specification

    The OCF Cloud specifications are divided into a series of documents:

    • OCF Cloud security specification (this document): The cloud security specification document specifies the security requirements and definitions for OCF device and OCF cloud implementations.
    • OCF Device to Cloud Specification: The OCF Device to Cloud Specification document defines functional extensions and capabilities to meet the requirements of the OCF Cloud. This document specifies new Resource Types to enable the functionality and any extensions required to connect an OCF device to an OCF cloud.
    • OCF Cloud API for cloud services specification: The Cloud API for cloud services specification defines the OCF cloud API.

  • ISO/IEC 29192-8 - Information Technology

    Information security — Lightweight cryptography — Part 8: Authenticated encryption

    This document specifies one method for authenticated encryption suitable for applications requiring lightweight cryptographic mechanisms.

    This method processes a data string with the following security objectives:

    a) data confidentiality, i.e. protection against unauthorized disclosure of data,

    b) data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified.

    Optionally, this method can provide data origin authentication, i.e.

  • ISO/IEC 10118-2 - Information Technology

    Information technology — Security techniques — Hash-functions — Part 2: Hash-functions using an n-bit block cipher

    ISO/IEC 10118-2:2010 specifies hash-functions which make use of an n-bit block cipher algorithm. They are therefore suitable for an environment in which such an algorithm is already implemented. Block ciphers are specified in ISO/IEC 18033-3.

    Four hash-functions are specified.