LIVE VIRTUAL TRAININGS
Learn in small groups from top experts and real-life examples

Expert Advice Community

Guest

ISO 27001 - Capacity SaaS

  Quote
Guest
Guest user Created:   Aug 12, 2021 Last commented:   Aug 12, 2021

ISO 27001 - Capacity SaaS

Hello - I have purchased the ISO27001 Toolkit and the auditor asked about capacity planning reporting for SaaS like Microsoft 365 apps (Devops/Sharepoint). In Short - how do you address capacity planning in SaaS which is out of your control ? He points to cpu and utilisation, but even though i explained this, his says that i should still have oversight and be able to check the capacity of the services provided. I am not sure if i could or should or be allowed to exclude the hardware of the SaaS provider in my scope ? I hope you can advise.....
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Aug 12, 2021

Even when using SaaS you can define capacity planning, but the performance indicators need to be related to the service, not hardware elements, because, as you said, these are not under your control.

In this case, you should consider elements like the number of simultaneous users, or other elements you can measure from your side, like hours of use, requests per second. In all cases, you need to consider the impact of communication links in these measurements (a bad link can make it impossible for you to achieve all performance made available by the SaaS provider).

But please note that capacity planning for ISO 27001 would be required only if relevant risks, or legal requirements, demand implementation of control A.12.1.3 Capacity management.

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 12, 2021

Aug 12, 2021

Suggested Topics