Expert Advice Community

Assets of IaaS

Guest
Guest user Created: Apr 17, 2019 Last commented: Apr 18, 2019

I have a question regarding assets of IaaS: Our virtual infrastructure is hosted on MS Azure. MS Data Centers are ISO 27001 compliant. Do we have to assess the risks of the IaaS part, keeping in mind that the DCs are compliant? Is it possible to not include the physical infrastructure (which belongs to Microsoft) in the asset list in order to reduce the number of risks (it's obvious that they will have an acceptable level)? And if it's necessary to assess the risks of those assets, what could be the applied controls – an IaaS agreement with Microsoft, or anything else?

Expert
Rhand Leal Apr 17, 2019

Answer:

You still have to assess the risks, even for physical assets, as if the IaaS was being managed by your organization, because you need to identify and understand which risks are relevant to you, so you can ensure that those risks are being treated properly by your IaaS provider. The fact that your provider is ISO 27001 certified greatly improves the chances that they will be treating the risks relevant to you, but only by means of a risk assessment will you be sure of this situation (for a certification auditor it will not be obvious that your risks will be at acceptable levels only because of the provider's certification).

Once you have identified unacceptable risks your provider has to treat, you can apply controls from section A.15 (relationship with suppliers), so that proper clauses will be included in service agreements.

These articles will provide you further explanation about ensuring security with providers:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

Guest
mariusc Apr 18, 2019

And what about the situation when there is only an online agreement, which is the default for all customers, and you "sign" it only by ticking the check-box under the Terms and Conditions? It is not possible to request that any clauses be included in the agreement with the 3rd-party service provider, as they don't agree to do unique agreements for different customers. For example, it could be an online payments platform which is PCI-DSS compliant, and you integrate that solution on your website.

Expert
Rhand Leal Apr 20, 2019

Answer:

In situations where you cannot change the service conditions presented by the provider, you should evaluate whether your organization can accept the risks not properly covered by the provided service agreement, and whether there are alternative providers you can consider.
