All the controls for development, maintenance, support
Afef,
This is primarily the question of setting the ISMS scope. If your scope covers only the systems you develop and maintain internally, then the controls from Annex A have to apply only to those systems; if you also include in your scope the products you deliver to your customers, then the controls must cover them as well.
If you include in the scope the products you deliver to your customers, then you have to assess all the risks related to information contained in those products, and then you have to apply applicable controls.
This article will explain to you the logic of risk assessment and applying controls: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Jan 12, 2016