Comprehensive Guide to CAN/CSA-ISO/IEC 15050‑04: Security Requirements for Cloud Infrastructure

Scope, Technical Controls, Implementation, and Compliance of the Canadian Adoption of ISO/IEC 15050‑04

Scope and Objectives

CAN/CSA-ISO/IEC 15050‑04 is the Canadian adoption of the international standard ISO/IEC 15050‑04: Information technology – Security techniques – Security requirements for cloud service provider infrastructure – Part 4: Technical controls. Developed by ISO/IEC JTC 1/SC 27, this multipart standard provides a framework for assessing and certifying the security of cloud infrastructures.

The fourth part focuses exclusively on technical controls that a cloud service provider (CSP) must implement and maintain across its infrastructure domains: network, compute, storage, and virtualization. It is intended to complement existing security standards such as ISO/IEC 27001 and ISO/IEC 27017 by offering detailed, testable requirements for the underlying hardware and hypervisor layer.

Tip: CAN/CSA-ISO/IEC 15050‑04 harmonises with the shared responsibility model by clearly delimiting the CSP’s technical obligations, leaving application‑level and data‑level controls to the customer’s scope.

Technical Requirements

The standard structures its requirements into four domains. Each domain contains a set of mandatory controls and, where appropriate, recommended practices. Below is a summary table of the key requirement areas.

Domain          Control ID   Requirement Description
Network         NET‑01       Implement boundary firewalls, VLAN segmentation, and ingress/egress filtering to isolate tenant traffic.
Network         NET‑05       Deploy intrusion detection and prevention systems (IDPS) at hypervisor and physical network interfaces.
Compute         COM‑02       Harden hypervisors by removing unnecessary services and applying vendor security patches within defined SLAs.
Compute         COM‑04       Enforce VM isolation via strict resource controls (CPU, memory, I/O) to prevent side‑channel attacks.
Storage         STO‑01       Encrypt data at rest using AES‑256 (or equivalent) with keys managed by a FIPS‑validated HSM.
Storage         STO‑03       Ensure secure deletion of tenant data upon instance termination, including persistent storage and caches.
Virtualization  VIR‑02       Use SR‑IOV virtual functions or para‑virtualisation to reduce the hypervisor attack surface.
Virtualization  VIR‑05       Implement runtime integrity monitoring for the hypervisor kernel and critical drivers.

Logging and Monitoring

In addition to the control domains, the standard mandates a minimum set of log sources and retention periods. All infrastructure events must be timestamped using a synchronised NTP source (Stratum 2 or better) and retained for at least 365 days. The required log categories include:

  • Authentication events (success/failure) at the hypervisor and management plane.
  • Configuration changes to security appliances (firewalls, IDPS).
  • Resource allocation and deallocation events for tenant VMs.
  • Access to cryptographic material (key usage, backup, destruction).

Warning: Logs must be protected against tampering, for example by cryptographically hash‑chaining log records or by forwarding them over a secure channel to a dedicated SIEM.
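The following is an added illustration of the log‑chaining approach the warning describes; it is not code from the standard or from any CSP's tooling. Each record is linked to its predecessor with an HMAC‑SHA256 over the previous link and the canonical record, so modifying or deleting an entry breaks every link after it. The key, the event records and the record schema are all constructed for the example; in practice the key would live with the SIEM rather than on the logging host, and the current head hash would be exported to the SIEM so that silent truncation of the tail is also detectable.

```python
import hashlib
import hmac
import json

# Constructed sample covering the four mandatory log categories listed above.
SAMPLE_EVENTS = [
    {"ts": "2026-01-15T10:00:00Z", "category": "auth", "source": "hypervisor-01",
     "msg": "admin login success"},
    {"ts": "2026-01-15T10:02:13Z", "category": "config", "source": "fw-edge-01",
     "msg": "ingress rule set modified"},
    {"ts": "2026-01-15T10:05:40Z", "category": "resource", "source": "hypervisor-01",
     "msg": "VM tenant-a-42 allocated 4 vCPU / 8 GiB"},
    {"ts": "2026-01-15T10:07:02Z", "category": "crypto", "source": "hsm-01",
     "msg": "key kid-7f3 used for volume encryption"},
]

# Constructed key; a real deployment keeps this with the SIEM, not on the host.
KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # link value preceding the first record


def canonical(event):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def link_hash(key, prev_hash, event):
    """HMAC over (previous link || canonical record)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_hash.encode())
    mac.update(canonical(event))
    return mac.hexdigest()


def build_chain(events, key):
    """Append events in order, each entry carrying its predecessor's hash."""
    chain, prev = [], GENESIS
    for ev in events:
        h = link_hash(key, prev, dict(ev))
        chain.append({"event": dict(ev), "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, key):
    """Return (True, None) if every link checks out, else (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != link_hash(key, prev, entry["event"]):
            return False, i
        prev = entry["hash"]
    return True, None


def head(chain):
    """Current head of the chain; export this to the SIEM after each append."""
    return chain[-1]["hash"] if chain else GENESIS


def truncated(chain, remote_head):
    """True if the local chain no longer ends at the head the SIEM recorded."""
    return head(chain) != remote_head


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, KEY)
    print("intact:", verify_chain(chain, KEY))
    chain[1]["event"]["msg"] = "ingress rule set unchanged"
    print("after edit:", verify_chain(chain, KEY))
```

Running the block shows the intact chain verifying and the edited record being reported at index 1; a deleted record is reported at the position where the successor's stored predecessor link no longer matches, and a trimmed tail is caught only by comparing the local head with the one held remotely.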

Implementation Highlights

Adopting CAN/CSA-ISO/IEC 15050‑04 requires careful mapping of existing infrastructure controls to the standard’s granular requirements. The following are critical implementation considerations.

Shared Responsibility Alignment

The standard assumes a clear demarcation between the CSP’s infrastructure and the customer’s virtualised assets. Organisations implementing the standard should first document their deployment model (IaaS, PaaS, or SaaS) and identify which controls fall under the CSP’s scope. Where third‑party components (e.g., container orchestration platforms) are used, the CSP must verify compliance of those components.

Automated Compliance Validation

The technical nature of the controls lends itself to automation. Infrastructure‑as‑code (IaC) templates can be written to enforce many of the requirements – for example, ensuring that firewall rules conform to NET‑01, or that storage volumes are encrypted at launch. Continuous compliance scanning tools can generate evidence for periodic audits.
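As an added example of the automated validation described above (not tooling from the standard or any provider), the block below evaluates a rendered IaC plan against NET‑01 and STO‑01. The plan structure, resource names and the checks' interpretation of the two controls are assumptions made for the example: NET‑01 is read as "each network has its own VLAN, no ingress rule admits any source on any port, and egress filtering exists", and STO‑01 as "every volume is encrypted with AES‑256 using an HSM‑managed key". The findings it returns are the kind of evidence a continuous compliance scanner would attach to an audit package.

```python
import ipaddress

# Constructed sample resembling a rendered IaC plan. The schema is hypothetical,
# not that of any real provider or tool; the defects are deliberate.
SAMPLE_PLAN = {
    "networks": [
        {"name": "tenant-a", "vlan": 101,
         "ingress": [{"cidr": "10.1.0.0/16", "ports": "443"}],
         "egress": [{"cidr": "10.1.0.0/16", "ports": "any"}]},
        {"name": "tenant-b", "vlan": 102,
         "ingress": [{"cidr": "0.0.0.0/0", "ports": "any"}],  # unrestricted ingress
         "egress": []},                                        # no egress filtering
        {"name": "mgmt", "vlan": 101,                          # VLAN shared with tenant-a
         "ingress": [{"cidr": "10.0.0.0/24", "ports": "22"}],
         "egress": [{"cidr": "10.0.0.0/24", "ports": "any"}]},
    ],
    "volumes": [
        {"name": "vol-a", "encrypted": True, "cipher": "AES-256-XTS", "key_store": "hsm"},
        {"name": "vol-b", "encrypted": False},
        {"name": "vol-c", "encrypted": True, "cipher": "AES-128-XTS", "key_store": "software"},
    ],
}

# Constructed plan with the defects above corrected.
COMPLIANT_PLAN = {
    "networks": [SAMPLE_PLAN["networks"][0]],
    "volumes": [SAMPLE_PLAN["volumes"][0]],
}


def _unrestricted(rule):
    """A rule that admits any address on any port provides no filtering at all."""
    net = ipaddress.ip_network(rule["cidr"], strict=False)
    return net.prefixlen == 0 and rule["ports"] == "any"


def check_net01(plan):
    """NET-01 as interpreted here: unique VLAN per network, filtered ingress, egress present."""
    findings, vlan_owner = [], {}
    for net in plan["networks"]:
        vlan = net["vlan"]
        if vlan in vlan_owner:
            findings.append((net["name"],
                             f"VLAN {vlan} already used by {vlan_owner[vlan]}; segmentation broken"))
        else:
            vlan_owner[vlan] = net["name"]
        if any(_unrestricted(r) for r in net["ingress"]):
            findings.append((net["name"], "ingress rule admits any source on any port"))
        if not net["egress"]:
            findings.append((net["name"], "no egress filtering rules defined"))
    return findings


def check_sto01(plan):
    """STO-01 as interpreted here: encrypted, AES-256, key held by an HSM."""
    findings = []
    for vol in plan["volumes"]:
        if not vol.get("encrypted"):
            findings.append((vol["name"], "volume not encrypted at rest"))
            continue  # remaining checks are moot for an unencrypted volume
        if not vol.get("cipher", "").startswith("AES-256"):
            findings.append((vol["name"], f"cipher {vol.get('cipher')} is weaker than AES-256"))
        if vol.get("key_store") != "hsm":
            findings.append((vol["name"], "encryption key not managed by a validated HSM"))
    return findings


CHECKS = {"NET-01": check_net01, "STO-01": check_sto01}


def evaluate(plan):
    """Map each control ID to the list of (resource, finding) pairs it produced."""
    return {control: check(plan) for control, check in CHECKS.items()}


def is_compliant(plan):
    return not any(evaluate(plan).values())


if __name__ == "__main__":
    for control, findings in evaluate(SAMPLE_PLAN).items():
        for resource, message in findings:
            print(f"{control} {resource}: {message}")
    print("compliant:", is_compliant(SAMPLE_PLAN))
```

Keeping each control as its own function makes the mapping from requirement to check explicit, which is what an assessor reviewing the scanner's evidence will want to see.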

Success: Leveraging automated policy enforcement and reporting drastically reduces the effort to maintain ongoing compliance and simplifies certification renewal.

Compliance Notes

Conformity with CAN/CSA-ISO/IEC 15050‑04 can be demonstrated through a third‑party certification scheme administered by accredited bodies (e.g., Standards Council of Canada accredited organisations). The assessment process includes:

  • Documentation review – security policies, architecture diagrams, and evidence of reviewed controls.
  • Technical testing – vulnerability scans of network boundaries, hypervisor hardening checks, and log integrity verification.
  • Ongoing surveillance – biennial audits to verify continuous compliance, with annual self‑assessments required in between.

Non‑conformities are classified as minor or major. A major non‑conformity (e.g., absence of encryption at rest) must be remediated within 60 days before certification can be granted. Minor non‑conformities are typically corrected before the next surveillance audit.

Danger: Failure to remediate major non‑conformities within the defined timeframe results in suspension or revocation of the certificate, which may impact customer contracts requiring compliance.

Frequently Asked Questions

Q: How does CAN/CSA-ISO/IEC 15050‑04 relate to ISO/IEC 27017?
A: ISO/IEC 27017 provides cloud‑specific controls at the service and application layers, while CAN/CSA-ISO/IEC 15050‑04 focuses exclusively on the infrastructure layer (network, compute, storage, virtualisation). The two standards are complementary; a CSP might implement both for a holistic security programme.

Q: Is certification under CAN/CSA-ISO/IEC 15050‑04 mandatory for CSPs in Canada?
A: No, it is voluntary unless contractually required by a customer or otherwise mandated by a sector‑specific regulation. However, many public‑sector cloud procurement frameworks now reference it as a preferred certification.

Q: Which cloud deployment models does the standard cover?
A: The standard addresses IaaS and PaaS infrastructures directly; for SaaS, the infrastructure controls still apply to the underlying platform. Private cloud, public cloud, and hybrid architectures are all in scope provided they use virtualised or containerised compute.

Q: Can small and medium‑sized CSPs afford compliance?
A: Yes, the standard allows for risk‑based tailoring of certain recommended (non‑mandatory) controls. A formal risk statement in the security documentation can justify alternative compensating measures, making compliance achievable for organisations of varying sizes.

© 2026 International Electrotechnical Commission (IEC) content for educational purposes.
