

ISO/IEC 27070:2021 — Information technology — Security techniques — Requirements for establishing virtualized roots of trust (first edition)



“This document specifies requirements for establishing virtualized roots of trust.”
[Source: ISO/IEC 27070:2021]


The integrity and hence value of some security functions and subsystems (particularly those relating to cryptography) relies on their being based on trustworthy foundations known as the Root of Trust (RoT). Special RoT security arrangements are necessary to negate threats involving low-level exploitation of data-processing chips, devices or systems, in turn compromising the higher-level firmware, device drivers, operating system and application software that build upon the RoT.

Whereas trusted computing generally involves some form of Hardware Security Module (e.g. an ISO/IEC 11889 Trusted Platform Module) providing various cryptographic functions and key storage in a physically secure tamper-resistant enclosure, that architecture is not well suited to cloud computing. In the cloud, systems are virtualised, hence they cannot readily access and rely directly upon hardware-based RoT in the conventional manner.


Scope and purpose

The standard specifies functional requirements and information security controls supporting the provision of trustworthy foundations for cloud computing environments, where Virtual Machines are dynamically created to provide cloud services.



The standard has two main sections:

  1. The ‘functional view’ describes the architecture in functional/modular terms.
  2. The ‘activity view’ describes how the functional modules deliver the desired level of trusted computing.



The standard was first published in 2021.


Personal comments

The trust, risk and security implications of this are, frankly, above my pay grade. As my little brain understands it, the standard aims to establish a rock-solid foundation on which to build the house of cards delivering cloud computing services. Regardless of all the information risks and security controls at higher levels (of which there are many), providing a sound, trustworthy platform makes RoT a fundamental security requirement. Otherwise, we’re erecting skyscrapers in the marsh.


Copyright © 2024 IsecT Ltd