ISO 27001 - Cloud Services
I have a question about cloud services:
I've read that we should include in Scope only data for SaaS, or data and application software for IaaS, etc.
Does it mean that we have to write that in our ISMS Scope document, or is it self-explanatory and we just consider that later during Risk Assessment?
The ISMS scope states the information you want your ISMS to protect, so what you want to protect (in your example, data and application software) needs to be stated in the ISMS. The detail that it is located in a cloud solution can be kept to be stated during the Risk Assessment.
This article will provide you with a further explanation about the scope definition in the cloud:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
Sep 04, 2020