Standards and Best Practices

CTP Technical Model and API

The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, …, and nothing else. This is a classic application of the definition of digital trust.



The European Commission has released a set of cloud service level agreement (SLA) standards designed to give EU businesses more certainty around what cloud service providers and consumers are responsible for when entering into contractual agreements. Cloud Select Industry Group CSIG – SLA standardisation guidelines involve model terms for cloud computing service level agreements for contracts between cloud providers and professional cloud users, taking into account the developing EU acquis in this field.



Nowadays, possibly the most well-known activity in the area of Cloud SLA standardization is being carried out by ISO/IEC JTC 1/SC38 on “19086 – Information Technology (Cloud Computing) Service Level Agreement (SLA) Framework and Terminology”. This prospective standard will be subdivided into four different parts:
  • The first part targets the definition of a standardized framework for Cloud SLAs (not only security-related), including both a vocabulary and a comprehensive catalogue of commonly used SLOs.
  • The second part plans for the definition of a conceptual model for Cloud SLA-related metrics.
  • The third part will discuss core requirements, related to the implementation of the proposed Cloud SLAs.
  • The fourth part (being developed jointly with SC27) is focused on security and privacy issues related to Cloud SLAs.


ISO/IEC 27004

ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.



ISO/IEC 27017

Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services




This document proposes a framework that identifies and characterizes the information and relationships needed to describe and observe properties of cloud services that are representative, accurate and reproducible. This information can be used in a variety of ways, including collection, comparison, gap analysis, and assessment or description of metrics at the technical or business levels. These metrics can connect information intended for decision-making, for the service agreements between provider and customer, for the runtime performance measurement and the underlying properties within the provider's system.





The Cloud Security Alliance published in February 2013 a first version of the Privacy Level Agreement (PLA), PLA4EU v1, as an output from its PLA Working Group (WG). The PLA is a standard that aims to provide a structured way for organisations to disclose information about privacy and data protection practices undertaken to comply with applicable data protection laws. PLA is intended to be used by cloud providers and (potential) cloud customers. Cloud providers would use PLA to disclose their offerings in terms of privacy and data protection measures; (potential) cloud customers would use PLA to assess the level of compliance of the cloud provider offerings with applicable data protection laws. Information to be disclosed in the PLA will differ depending on the data protection role played by the cloud providers. In 2015 the PLA v2 was released with the ultimate objective to create a certification/seal for the worldwide cloud services market. The next step towards this goal will be turning PLA4EU v2 into a privacy compliance tool for cloud service providers offering services in the EEA.



Started in February 2015, the ETSI CSC Phase II activity was designed to develop a follow-up set of reports to the ETSI Cloud Standards Coordination deliverable from 2013. In particular, ETSI CSC Phase II (finished in December 2015) produced four reports: Cloud Computing User Needs (WI1), Standards and Open Source (WI2), Interoperability and Security (WI3), and Standards Maturity Assessment (WI1). The topic of Cloud SLAs was mostly covered in the WI3 report.