ISMS scope for cloud environment
Answer: When an organization provides SaaS, it is important to identify which elements it has direct control over, because these are the elements that will be part of the ISMS scope.
For example, if your organization owns the datacenter that hosts your SaaS, then the physical environment, hardware, and software (e.g., virtual servers, operating systems and applications) must be included in the ISMS scope. On the other hand, if your SaaS is hosted on an outsourced datacenter provider, the most probable situation is that you only have to include the application you provide to your customers in the ISMS scope (the other elements will be handled by means of controls related to supplier relationship management). If you use an outsourced datacenter provider, for a precise answer you must verify the service agreement established with the provider.
This article will provide you with further explanation about defining a scope considering cloud models:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
Regarding the software development process performed by your organization, and assuming it is unrelated to the SaaS provided, it may be included normally as part of the scope. An example of text would be:
"The ISMS scope is defined by the information related to the organization's software development processes and the information related to the service XXX, provided as SaaS by the organization to its clients."
May 10, 2018