Our company sells software we develop ourselves.
Development is done within a separate system and is managed by its own policies, procedures, and has its own set of (security) requirements.
Do we need to include these policies, procedures and requirements into the ISMS?
I prefer to exclude this from the ISMS scope, because we dont use this software in our oown production environment and the requirements are customer specific.
Thanks.
Documents and procedures separately
Confidentiality level for the Business Continuity Policy
Justification in SoA
Procedure to become Lead Auditor
Clause 8.1 ISO 27001:2013
Recovery Point Objective
Sample risks related to staff resignation and pension