Expert Advice Community

Security controls and SaaS

Guest user Created: May 12, 2017 Last commented: May 12, 2017

How many controls are not applicable for an organisation that has a SaaS application? I heard that 30 to 40% of cloud service provider controls are not applicable to the cloud service customer; I am curious to know what those are.

Expert
Rhand Leal May 12, 2017

Answer: The quantity of controls that would become not directly applicable would depend on the results of your risk assessment, so there is no way I can give you a precise number of controls, but most of the controls in sections A.10 to A.13 would not be directly applicable. I used the expression "directly applicable" because in a situation like this, when an organization adopts a SaaS provider, what happens is a risk transfer (your organization transfers the risks related to the operation and maintenance of an IT infrastructure to a third party).

In this case, the organization has to establish clear security clauses in the service agreement, including the monitoring of the provider's services, or it may find itself with an environment that is riskier than one run by the organization itself.

For this situation, ISO 27001 has Annex A.15 (supplier relationships), which covers controls regarding what clauses to include in agreements and how to monitor suppliers. Basically, the security clauses would define that the provider should ensure at least the same security levels the organization would deem necessary if it were running the environment itself.

So, in the end, what happens is that you replace the direct application of many IT-related controls with the application of a few administrative ones, related to contracts and monitoring.

These articles will provide you with further explanation about security in cloud computing:

- Cloud computing and ISO 27001 / BS 25999 https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
