ISMS and SaaS solutions
1. How shall I deal with SaaS solutions such as Office365 and Gitlab.com when it comes to controls related to backups and business continuity? I don't think it is feasible to build an on-premise DR site for such a solution.
2. Also, do we have to keep a backup of our emails or does it depend on the risk assessment and whether we accept such risk?
1. How shall I deal with SaaS solutions such as Office365 and Gitlab.com when it comes to controls related to backups and business continuity? I don't think it is feasible to build an on-premise DR site for such a solution.
ISO 27001 controls identified as applicable to a SaaS provider must be handled by means of contractual clauses in your service agreement with the provider, where you establish that such controls must be implemented by the provider. If you are a small user of such a SaaS service, then instead of a service agreement you will agree to their terms and conditions, which should state which kind of backup they are using.
Normally SaaS providers have multiple sites and they implement backups and business continuity by mirroring data and operation on these sites (of course, you have to verify which solutions your provider can offer).
A simple way of backing up smaller amounts of data is to save them on local computers - this is feasible for e.g. MS Office documents produced on individual PCs.
For more information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
2. Also, do we have to keep a backup of our emails or does it depend on the risk assessment and whether we accept such risk?
If you have accepted the risks for which backup of your e-mails would be the treatment, then you do not need to implement the backup.
Please note that backup is a control, and considering ISO 27001, you first need to perform a risk assessment, which helps you identify which risks need treatment, before deciding whether you are going to implement a control or not.
For more information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Feb 26, 2020