Software as a Service (SaaS), or cloud services, is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. But what are the information security implications of this new approach?
In recent years there has been an explosion of SaaS vendors looking to capitalise on the opportunity to service customers who are now embracing the benefits that this software delivery model provides. The Australian market is not immune to this phenomenon, with many examples of local vendors setting up SaaS business models to service the growing market opportunity. IDC predicts that the SaaS market will be worth $10.7 Billion by 2009.
Any company considering setting up a SaaS offering will need to address information security concerns during the initial planning, implementation and ongoing operational stages. Adoption of, and certification against, a recognised international information security standard should be considered a mandatory requirement. In the absence of any SaaS-specific information security standard, ISO 27001 remains one of the most relevant internationally recognised security benchmarks available. The ISO 27001 standard is managed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Achieving ISO 27001 certification should not be seen as the end goal. SaaS customers will expect and rightfully demand that their vendors maintain rigorous information security standards on an ongoing basis.
Sense of Security’s Governance, Risk and Compliance Practice employs experienced ISO 27001 Lead Auditors who can assist in developing and implementing an effective security strategy that aligns to ISO/IEC 27001:2013 or supports a full certification objective.