Risk assessment of outsourced hosting service
Assign topic to the user
Answer:
This is basically the question of the ISMS scope - you should include in your scope (and therefore in your risk assessment) only the assets you can control. So you should include in your scope/risk assessment the applications and your data on those virtual servers you control, however you should exclude the physical servers because you do not control them.
However, control A.15.1.1 requires you also to perform risk assessment of your suppliers, so this means that you should assess how this hosting service can affect confidentiality, integrity and availability of your data - for that purpose you can use the same Risk Assessment Table, and write as an asset "hosting service". So you won't be assessing the physical servers, but figure out what incidents can happen in general - e.g. unauthorized access to your data, loss of data, unavailability of the service, etc.
These articles can also help you:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Comment as guest or Sign in
Jun 13, 2016