Risk assessment on IaaS
Answer: The general approach will be the same, the main difference being that during risk analysis you will have to consider situations that are specifically related to an IaaS environment (e.g., geographic location of the provider, performance monitoring, tenant segregation, etc.). To support your risk treatment, I suggest you take a look at ISO 27017, which offers recommendations and guidelines for the implementation of controls of ISO 27001 considering cloud environments.
These articles will provide you with further explanation about ISO 27017 and cloud aspects to be considered:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- How to use ISO 27017 to manage legal risks related to geographical location https://advisera.com/27001academy/blog/2016/09/19/how-to-use-iso27017-to-manage-legal-risks-related-to-geographical-location/
- Resolving cloud security concerns by defining clear responsibilities according to ISO 27017 https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/
- Network segregation in cloud environments according to ISO 27017 https://advisera.com/27001academy/blog/2016/09/26/network-segregation-in-cloud-environments-according-to-iso-27017/
Nov 28, 2017