
Defining the ISMS scope if the servers are in the cloud

In the article How to define the ISMS scope we show that defining the scope of an Information Security Management System (ISMS) requires a clear understanding of what must be protected in order to minimize the risk of information compromise. Servers implemented in cloud environments add an extra challenge to this critical step of the ISMS implementation.

While the flexibility of cloud solutions gives an organization many options for fulfilling its needs, those options can also produce different risk scenarios that strongly influence not only the applicable security controls, but also the scope definition itself.

This article presents a brief description of the common cloud solutions you will encounter, and explains how to take them into account so that an ISMS scope based on ISO 27001 is aligned with business needs and with the adopted cloud solution, covering all the information to be protected.

Most common cloud solutions

Common cloud service models adopted in the market, in order of increasing complexity, are:

Infrastructure as a Service (IaaS): offers only basic computing infrastructure (e.g., physical and virtual machines, location, network, backup, etc.)

Platform as a Service (PaaS): offers, beyond computing infrastructure, a development environment for application developers (e.g., operating systems, programming-language execution environment, databases, etc.)

Software as a Service (SaaS): offers to final users access to application software and databases (e.g., email, file sharing, social networks, ERPs, etc.)

Figure 1 – Asset control by cloud service models

Note that, as complexity increases from IaaS to SaaS, assets that were under the control of the customer pass progressively under the control of the provider, and this is what drives the changes in the ISMS scope, as presented next.

Cloud solutions and their impact on scope definition

First of all, you should note that cloud solutions can be implemented either as private clouds (when the provider is not a third party, but the organization’s own IT department or similar business unit) or as public clouds (when assets are outsourced to a third party, to a degree that depends on the cloud model).

That said, considering sites, processes, and assets, these are the relationships between cloud solutions and their impact on scope definition:

1) Cloud solution: The organization deploys its physical servers to host its virtual servers in its own datacenter.
Comment: This is the private cloud concept, more often seen in medium and large organizations that can afford the infrastructure costs. In this case, the cloud model (IaaS, PaaS, or SaaS) has no influence on the scope, as all assets belong to the organization.
Impact on ISMS scope definition: The datacenter facilities’ physical location, hardware, software, and data should all be included in the ISMS scope.

2) Cloud solution: The organization deploys its physical servers to host its virtual servers on a third-party infrastructure (space and facilities only).
Comment: The third party offers a colocation service (a widely used outsourcing concept before the age of cloud services) and the organization operates the physical and virtual servers. This can be seen as a transition between the private and public cloud types.
Impact on ISMS scope definition: Hardware, software, and data should be included in the ISMS scope, while the physical location is out of scope.

3) Cloud solution: The organization deploys its virtual servers on a third-party basic computing infrastructure (public IaaS).
Comment: The organization takes advantage of all physical infrastructure and virtual machines provided by the third party.
Impact on ISMS scope definition: Software and data should be in the ISMS scope, while physical location and hardware are completely out.

4) Cloud solution: The organization uses a third-party platform (public PaaS).
Comment: Virtual servers, and to some degree applications, are provided by the third party.
Impact on ISMS scope definition: The data and all application software should be included in the ISMS scope, while everything else is out, including all system software.

5) Cloud solution: The organization uses third-party Software-as-a-Service (public SaaS).
Comment: Virtual servers and all applications are provided by the third party.
Impact on ISMS scope definition: Only the data should be in the ISMS scope.

How do you handle what is out of the scope?

As you saw, the adopted cloud solution can greatly change an ISMS scope, from having everything under your control to keeping only the data with you. But what does this reduction in scope mean in terms of risk? Does it mean you will have fewer information security concerns? The short answer is no.

Just because another entity is now responsible for elements you used to control does not mean the risks have disappeared. Designating another party to handle your risks is called risk transfer, and it can be adopted when the results of the risk assessment show that a third party can provide a better solution than handling the assets yourself. For more information, see: 4 mitigation options in risk treatment according to ISO 27001.

But the benefits may be lost if the third party’s practices do not provide a level of security appropriate to the organization’s scope. To handle this situation, an organization should consider the ISO 27001 controls related to supplier relationships (Annex A section 15), for example by establishing security clauses in contracts and service agreements. For more information, see: 6-step process for handling supplier security according to ISO 27001.

For more information about the size of the scope, see Problems with defining the scope in ISO 27001.

Improve information protection and security investment by aligning ISMS and adopted cloud solution

Remember, cloud solutions offer many possibilities for running your business in a more cost-effective way, but those benefits can be lost (or even turn into further damage) if your cloud scenario is not reflected in the way you protect the information under your responsibility.

By following the requirements and controls of ISO 27001, you can form a solid basis for defining your organization’s ISMS scope and the sharing of responsibilities between you and your suppliers. This will help you plan the controls and clauses you will enforce in your service agreements, allowing you to reap the benefits of the chosen cloud solution while keeping information and assets under your responsibility properly protected.


Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.
