Hi everyone
When linking identified risks to ISO/IEC 27001 Annex A controls, how do you typically handle control applicability where systems are internally hosted vs externally hosted (e.g. SaaS / cloud)?
For example, physical security controls are clearly applicable for internally hosted systems. For externally hosted systems, do you usually:
- Treat physical security as the supplier’s responsibility and therefore out of scope for your own control set for that system, and
- Instead focus your risks on supplier dependency, with controls such as contracts, assurance, incident management, and business continuity?
This could be the same for organisational and people controls such as acceptable use policies and contracts of employment.
I’m particularly interested in how others model this in risk registers and Statements of Applicability.
Thanks all
Apr 29, 2026