I was wondering if you had previous comments on scoping ISO 27001 for SaaS products.
Say a company is in the business of providing SaaS cloud-based solutions, with developers in house utilizing cloud infrastructure, what would ISO 27001 certification look like? The processes/datacenter used for the development of the SaaS application is ISO 27001 certified? The product might have multiple releases, so stay away from calling out product as scope? And focus on people, process, site and dev, test, prod environments as scope?
And if the products are from multiple locations?
Basically, you need to include in the ISMS scope the cloud elements you can control - this article will provide you with details: Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
Jan 29, 2020