Hello - I have purchased the ISO 27001 Toolkit and the auditor asked about capacity planning reporting for SaaS like Microsoft 365 apps (DevOps/SharePoint).
In short: how do you address capacity planning in SaaS, which is out of your control?
He points to CPU and utilisation, but even though I explained this, he says that I should still have oversight and be able to check the capacity of the services provided. I am not sure if I could, should, or would be allowed to exclude the hardware of the SaaS provider from my scope?
I hope you can advise.....
Even when using SaaS you can define capacity planning, but the performance indicators need to be related to the service, not to hardware elements, because, as you said, these are not under your control.
In this case, you should consider elements like the number of simultaneous users, or other elements you can measure from your side, like hours of use or requests per second. In all cases, you need to consider the impact of communication links in these measurements (a bad link can make it impossible for you to achieve all the performance made available by the SaaS provider).
But please note that capacity planning for ISO 27001 would be required only if relevant risks, or legal requirements, demand implementation of control A.12.1.3 Capacity management.
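As an added illustration of the consumer-side indicators mentioned in the answer above (this is example code, not part of the original reply or of any toolkit): the script below derives peak simultaneous users, peak requests per second, an error rate and a latency split from request logs the organisation itself records, for instance at an egress proxy. The log lines, the log format (timestamp, user, service, connect time, total time, HTTP status) and the two thresholds are constructed assumptions for the example. Connect time (TCP/TLS setup) is used as a proxy for link quality, so a slow minute with high connect times is attributed to the communication link rather than to the SaaS provider, which is the caveat the answer raises.

```python
"""Consumer-side capacity indicators for a SaaS service (added example).

The organisation cannot see the provider's CPU, but it can measure the
service from its own side. Assumed, constructed log format per request:
    <ISO-8601 timestamp> <user> <service> <connect_ms> <total_ms> <status>
connect_ms is TCP/TLS setup time (dominated by the link); total_ms is the
full round trip.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: minute 09:00 has a healthy link, minute 09:01 a degraded one.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z alice sharepoint 30 410 200
2024-03-04T09:00:01Z bob sharepoint 32 390 200
2024-03-04T09:00:02Z carol devops 28 650 200
2024-03-04T09:00:02Z alice sharepoint 31 405 200
2024-03-04T09:00:30Z dave devops 29 700 200
2024-03-04T09:00:31Z erin devops 27 1300 200
2024-03-04T09:01:05Z alice sharepoint 310 980 200
2024-03-04T09:01:05Z bob sharepoint 305 960 200
2024-03-04T09:01:06Z erin sharepoint 298 955 200
2024-03-04T09:01:06Z carol devops 300 1200 503
2024-03-04T09:01:07Z dave devops 295 1150 200
"""

# Assumed thresholds; a real programme would agree these per service.
LINK_CONNECT_MS = 100      # median connect time above this => link degraded
SERVICE_LATENCY_MS = 900   # total_ms above this counts as a slow request


def parse_log(text):
    """Parse the constructed log format into dicts; skips blank/malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, service, connect, total, status = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "service": service,
            "connect_ms": int(connect),
            "total_ms": int(total),
            "status": int(status),
        })
    return records


def peak_concurrent_users(records, service=None):
    """Max distinct users active in any one minute, optionally for one service."""
    by_minute = defaultdict(set)
    for r in records:
        if service is None or r["service"] == service:
            by_minute[r["ts"].replace(second=0)].add(r["user"])
    return max((len(u) for u in by_minute.values()), default=0)


def peak_requests_per_second(records, service=None):
    """Max requests observed in any one second, optionally for one service."""
    by_second = defaultdict(int)
    for r in records:
        if service is None or r["service"] == service:
            by_second[r["ts"]] += 1
    return max(by_second.values(), default=0)


def slow_requests_by_cause(records):
    """Count slow requests per service, split into 'link' and 'service' causes.

    A slow request in a minute whose median connect time exceeds
    LINK_CONNECT_MS is attributed to the communication link, otherwise to
    the SaaS service itself, so a bad WAN link is not misreported as a
    provider capacity problem.
    """
    connect_by_minute = defaultdict(list)
    for r in records:
        connect_by_minute[r["ts"].replace(second=0)].append(r["connect_ms"])
    degraded = {m for m, c in connect_by_minute.items() if median(c) > LINK_CONNECT_MS}
    counts = defaultdict(lambda: {"link": 0, "service": 0})
    for r in records:
        if r["total_ms"] > SERVICE_LATENCY_MS:
            cause = "link" if r["ts"].replace(second=0) in degraded else "service"
            counts[r["service"]][cause] += 1
    return dict(counts)


def capacity_report(records):
    """Indicators that can be shown to an auditor, all measured from the consumer side."""
    services = sorted({r["service"] for r in records})
    return {
        "peak_users_all": peak_concurrent_users(records),
        "peak_users": {s: peak_concurrent_users(records, s) for s in services},
        "peak_rps": {s: peak_requests_per_second(records, s) for s in services},
        "slow_requests": slow_requests_by_cause(records),
        "error_rate": sum(r["status"] >= 500 for r in records) / len(records),
    }


if __name__ == "__main__":
    for key, value in capacity_report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows five simultaneous users at peak, and all five slow requests in the 09:01 minute attributed to the link (median connect time 300 ms), while the one slow request in 09:00 is attributed to the service. Trended over weeks, per-service values like these are the kind of evidence the answer describes: service-level indicators under the organisation's own control, with link effects separated out.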