Identropy has identified four major categories for SaaS risk: Usage Risk, Application Risk, Data Security Risk and Operational Risk. The list is by no means definitive, but we have built it into our consulting model, and are sharing it in hopes it can help anyone tasked with SaaS security to start putting together a framework. The bad news is that there is a wealth of reference out there that can help with risk assessments with security assessments. The FedRAMP program provides a standardized approach to security assessment for cloud products and services that will work for your organizations needs.”]
Source: https://informationsecuritybuzz.com/news/determining-saas-risk-a-consultants-cheat-sheet/