GOST R ISO/IEC 19086-4-2020 PDF
Name in English:
GOST R ISO/IEC 19086-4-2020
Name in Russian:
ГОСТ Р ИСО/МЭК 19086-4-2020
Information technology. Cloud computing. Service level agreement framework (SLA). Part 4. Components of information security and of protection of PII
Full title and description
GOST R ISO/IEC 19086-4-2020 — National standard of the Russian Federation titled "Information technology. Cloud computing. Service level agreement framework (SLA). Part 4. Components of information security and of protection of PII". It is an identical adoption (IDT) of ISO/IEC 19086-4:2019 and defines security and privacy protection components for cloud SLAs, including SLOs and SQOs, requirements and implementation guidance.
Abstract
This standard describes components for information security and protection of personally identifiable information (PII) that are to be used when specifying cloud service level agreements (cloud SLAs). It lists security component areas (policy, access management, cryptography, incident management, continuity, etc.) and PII protection components (consent, lawfulness, minimization, transparency, accountability, individual access, legal compliance), together with recommended SLOs/SQOs and guidance for their inclusion in contractual SLA language.
General information
- Status: National standard (active), identical adoption (IDT) of ISO/IEC 19086-4:2019.
- Publication date: Approved by Rosstandart order of 10 November 2020; brought into effect 1 June 2021; published by Standartinform in 2020.
- Publisher: Published in Russia by Standartinform; approved by the Federal Agency on Technical Regulating and Metrology (Rosstandart).
- ICS / categories: 35.210 — Cloud computing.
- Edition / version: GOST R ISO/IEC 19086-4-2020 (IDT of ISO/IEC 19086-4:2019).
- Number of pages: 24 pages (Russian edition / published text).
Scope
The standard applies to any organization or individual involved in creating, modifying or interpreting cloud SLAs. It describes components of information security and of protection of PII that may be included in cloud SLA clauses, specifies related SLOs and SQOs, and gives requirements and guidance for their use to support mutual understanding between cloud service providers (CSPs) and cloud service customers (CSCs). The document is intended to be used alongside other parts of ISO/IEC 19086 and related security/privacy standards.
Key topics and requirements
- Definition of security component areas for cloud SLAs: security policy, organization of security, asset management, access management, cryptography, physical/environmental security, operations security, communications security, systems acquisition/development/maintenance, supplier relationships, incident management, business continuity, regulatory compliance.
- Privacy/PII protection components: consent and choice, lawfulness and purpose specification, data minimization, limitations on use/storage/disclosure, accuracy and quality, openness/transparency/observability, individual participation and access, accountability, and legal/compliance components.
- Specification of Service Level Objectives (SLOs) and Service Qualitative Objectives (SQOs) for the security and privacy components, to be embedded in cloud SLAs; measurement of SLOs follows the metric model cross-referenced to ISO/IEC 19086-2.
- Guidance on mapping components to contractual language in SLAs, and alignment with related security and privacy standards (for example ISO/IEC 27017, 27018, 29100).
- Recommendations for use by both CSPs and CSCs when negotiating or auditing SLA commitments that affect confidentiality, integrity, availability, and privacy of PII.
Typical use and users
Primary users are cloud service providers, cloud service customers, legal and procurement teams, information security and privacy officers, auditors, and standards implementers working on SLA drafting, assessment, procurement and compliance. The standard supports contractual design, technical-to-contract translation of security/privacy guarantees, and third-party assurance activities.
Related standards
This part is one of the ISO/IEC 19086 series and is intended to be used with ISO/IEC 19086-1 (overview and concepts), ISO/IEC 19086-2 (metric model), and other parts of the series. It also cross-references cloud/security/privacy standards such as ISO/IEC 17788 (cloud vocabulary), ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 29100.
Keywords
cloud computing; SLA; service level agreement; SLO; SQO; information security; PII; privacy; data protection; CSP; CSC; metrics; contractual requirements; ISO/IEC 19086.
FAQ
Q: What is this standard?
A: It is the Russian national adoption (GOST R ISO/IEC 19086-4-2020) of ISO/IEC 19086-4:2019 that specifies components of information security and protection of PII for inclusion in cloud SLAs.
Q: What does it cover?
A: It covers component definitions and recommended SLOs/SQOs for security and privacy topics (policy, access control, cryptography, incident management, data minimization, consent, transparency, accountability, etc.), and provides guidance for embedding these components into cloud SLA language.
Q: Who typically uses it?
A: Cloud service providers and customers, procurement and legal teams, security/privacy officers, auditors and consultants involved in drafting, negotiating or evaluating cloud SLAs.
Q: Is it current or superseded?
A: As of the published adoption, GOST R ISO/IEC 19086-4-2020 is an active national standard (in effect since 1 June 2021) and is identical to ISO/IEC 19086-4:2019. Users should check Rosstandart and ISO publishing notices for any future revisions or amendments.
Q: Is it part of a series?
A: Yes — it is Part 4 of the ISO/IEC 19086 series (SLA framework). Other parts include Part 1 (overview/concepts), Part 2 (metric model) and additional parts that address other aspects of SLA specification.
Q: What are the key keywords?
A: Cloud SLA, security components, privacy/PII protection, SLO, SQO, CSP, CSC, information security, data minimization, transparency, accountability.