
ISMS scope on cloud environments

Guest user. Created: Dec 06, 2017. Last commented: Dec 08, 2017.

I am working in a company which delivers an iPaaS located on Azure (Azure is already ISO 27001 certified). What is the difference between the ISMS scope for an iPaaS and a SaaS?

Expert: Rhand Leal, Dec 06, 2017

Answer: On SaaS, customers use the provider's applications running on a cloud infrastructure. On iPaaS, customers can build and deploy connected applications residing on different environments (e.g., between different clouds or between cloud and on-premises environments), which differs from PaaS only in the fact that in PaaS all applications are built and deployed in a single cloud environment.

So, the difference between the ISMS scope for an iPaaS and a SaaS is the same as the difference between the ISMS scope for a PaaS and a SaaS: in the iPaaS scope you should include the data and all application software (excluding hardware and system software), and in the SaaS scope you should include only the data.

Expert: Rhand Leal, Dec 08, 2017

We received this question:

>I have tried to understand why in a SaaS ISMS scope only data shall be included (reference to answer below - https://community.advisera.com/topic/isms-scope-on-cloud-environments/) when SaaS as provider has control over Application, Platform, Virtual infrastructure, Physical infrastructure (https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/)
>
>To me it seems logical that the provider has control over the assets he provides.
>
>Where do I think wrong?

Answer: The SaaS ISMS scope that includes only the data refers to the customer's point of view (generally described in the customer's ISMS scope like "data associated with application XYZ provided as SaaS by provider ABC").

When you are the SaaS provider the scope is indeed as you thought, including Application, Platform, Virtual infrastructure, and Physical infrastructure, and the provider's ISMS scope statement would be something like "Platform, Virtual infrastructure, and Physical infrastructure related to the XYZ Application, provided as SaaS to our customers."
