Expert Advice Community


ISO 27001 - Capacity SaaS

Guest user Created:   Aug 12, 2021 Last commented:   Aug 12, 2021


Hello - I have purchased the ISO 27001 Toolkit and the auditor asked about capacity planning reporting for SaaS like Microsoft 365 apps (DevOps/SharePoint). In short - how do you address capacity planning in SaaS which is out of your control? He points to CPU and utilisation, but even though I explained this, he says that I should still have oversight and be able to check the capacity of the services provided. I am not sure if I could or should or be allowed to exclude the hardware of the SaaS provider in my scope? I hope you can advise.

Expert
Rhand Leal Aug 12, 2021

Even when using SaaS you can define capacity planning, but the performance indicators need to be related to the service, not hardware elements, because, as you said, these are not under your control.

In this case, you should consider elements like the number of simultaneous users, or other elements you can measure from your side, like hours of use or requests per second. In all cases, you need to consider the impact of communication links on these measurements (a bad link can make it impossible for you to achieve all the performance made available by the SaaS provider).

But please note that capacity planning for ISO 27001 would be required only if relevant risks, or legal requirements, demand implementation of control A.12.1.3 Capacity management.

For further information, see:
