
ISO 27001 readiness for SaaS.

Built for cloud-native teams that live on shared infrastructure, third-party APIs, and weekly release cycles. The overlay opens with sector-specific risks, high-scrutiny controls, and evidence scaffolding so your Statement of Applicability starts from real content, not a blank page.

Controls pre-decided for cloud-only SaaS
~74 of 93

The SoA opens with cloud-aware defaults on physical + data-center controls. Only ~19 need a genuine first-time decision.

Sector risks seeded in the register
12+ per workspace

Cloud misconfiguration, secret exfiltration, multi-tenant isolation, OSS supply-chain exposure - ranked by likelihood × impact, ready to accept or edit.

Sub-processors auto-tracked
Unlimited

Every OSS dependency, API vendor, and SaaS tool gets a row in the sub-processor register with DPA status - no more hunting the corporate card statement.

Focus areas pre-loaded for this profile

  • Cloud misconfiguration and secret leakage
  • Multi-tenant data isolation
  • OSS supply-chain visibility
  • Backup and restore discipline (real restores, not just backups)
  • Incident response playbooks and on-call

Why it’s hard

The friction SaaS teams hit before AFEND.

  1. Enterprise procurement gates that won't move without an ISO 27001 certificate, a SOC 2 report, or a credible roadmap to one of them.
  2. A shared-responsibility model where your cloud provider owns the data centre but you own the configuration - and auditors still ask for both.
  3. Ship velocity vs. change management: weekly production deploys don't look like a clause-8 change-control process without deliberate mapping.
  4. Supply chain: every OSS dependency, every API vendor, and every third-party SaaS the team subscribed to on expenses is in scope.
  5. Multi-tenant data isolation is the single question every enterprise security reviewer asks, in four different wordings.

What auditors ask

The questions an external auditor opens with.

Not the Annex A wording. The real questions your auditor puts in the Stage 1 interview - and that AFEND makes answerable by construction.

  • Q1: Show how a new engineer's access is provisioned, reviewed, and revoked on departure - end to end.
  • Q2: Evidence that production secrets are rotated, not just stored in a manager.
  • Q3: The last three production changes with the linked ticket, code review, and deploy audit log.
  • Q4: A sample restore from backup done recently (not just a 'backup succeeded' line).
  • Q5: Your sub-processor list and the DPAs, next to the in-app data-flow diagram.

Scrutinised controls

Annex A controls the auditor will press on for SaaS.

All 93 Annex A controls go through the Statement of Applicability. These six get disproportionate scrutiny in SaaS engagements - AFEND surfaces them on the SoA dashboard so you approve them first.

A.8.3 Information access restriction

Multi-tenant access separation is the first thing an enterprise buyer's security team tests. Expect proof that tenant A can't read tenant B's rows.

A.8.8 Management of technical vulnerabilities

Dependency-scanning output alone isn't enough - auditors want a backlog with triage SLAs and evidence of remediation.

A.8.9 Configuration management

Infrastructure-as-code, drift detection, and environment parity. 'It's all Terraform' doesn't count unless the drift story is documented.

A.8.13 Information backup

Running backups isn't the control - restoring them is. Expect a dated restore record.

A.8.23 Web filtering

More relevant than it sounds: production secrets exfiltrated through dev laptops are still the #1 SaaS incident pattern.

A.5.21 Managing information security in the ICT supply chain

Every vendor that touches production - observability, feature flags, CDN - gets asked about.

Evidence you need

Artefacts the readiness pack must contain.

Mapped to the Annex A controls above. AFEND’s evidence room accepts file uploads, external-system links, and review cycles; the auditor export bundles them in the expected structure.

  • Access review export per quarter (who had access, who reviewed it, timestamp)
  • Cloud configuration baseline scan (CIS benchmark or equivalent) with delta logs
  • Secrets-manager inventory with last-rotation date for each production secret
  • Tenant isolation test results (automated or pen-tested)
  • SBOM for the main application, refreshed per release
  • Restore-from-backup record dated recently
  • Incident post-mortems with root-cause, timeline, and corrective action

Common pitfalls

Mistakes we see every SaaS team repeat.

Anti-pattern

Treating 'AWS is SOC 2 certified' as enough for your own controls.

Fix

Scope it explicitly. Customer-managed controls (IAM, encryption keys, network ACLs) are yours. The auditor will draw the line for you if you don't.

Anti-pattern

Continuous delivery without a change-management artefact.

Fix

Your pull-request + deploy pipeline is already most of the evidence. Just map it: ticket → review → merge → deploy log → monitoring window. One diagram, one SOP, done.

Anti-pattern

Running backups but never testing restores.

Fix

Run a restore on a small service on a documented cadence. That single record closes more evidence requests than six policies.

Anti-pattern

Forgetting the shadow-IT tools that engineering expensed.

Fix

Pull the corporate card statement + the SSO app list. Every tool that touches customer data or source code goes in the sub-processor register.

FAQ

Questions SaaS buyers ask us.

Do we need ISO 27001 if we already have SOC 2 Type II?

Depends on the buyer. European enterprises, public-sector buyers, and anyone regulated under DORA or NIS2 increasingly prefer ISO 27001. AFEND helps you reuse 80%+ of your SOC 2 evidence toward a Stage 1 audit.

How do we handle controls that are our cloud provider's responsibility?

You mark them as 'controlled by supplier' in the SoA, attach the provider's compliance report (AWS, GCP, Azure all publish them), and then document the customer-managed configuration that sits on top. Auditors accept this model when it's explicit.

We ship 20 deploys a day. Does ISO 27001 mean we have to slow down?

No. Clause 8 asks for change control, not weekly release trains. Your CI pipeline, PR reviews, and rollback procedures already satisfy the intent - AFEND helps you name it that way in the SoA and keep the evidence.

What should we expect the readiness phase to involve?

Scope the ISMS, decide every Annex A control with a rationale, populate the risk register, build the policy pack, collect evidence and link it to controls, run an internal audit, and complete a management review. AFEND turns those steps into a guided workflow with clear hand-offs between phases.

Ready for SaaS

Open a workspace with the SaaS overlay already loaded.

14-day trial, no credit card. The SaaS risk library, the six core controls, and the evidence scaffolding above are pre-seeded the moment you choose this industry at setup.
