Hi, we are a company that develops software (for us and for clients).
1- Shall all the controls for development, maintenance and support be applied to our products and to the products we develop for us to support our business? Or only to the products we develop for us?
For example: secure development policy or technical vulnerability check: shall these controls be applied to the products or to the software we develop to support our business?
If we include our products (the ones we develop for clients) in the scope, what are the consequences for implementation?
This is primarily the question of setting the ISMS scope. If your scope covers only the systems you develop and maintain internally, then the controls from Annex A have to apply only to those systems; if you include in your scope also the products you deliver to your customers, then the controls must cover them as well.
If you include in the scope the products you deliver to your customers, then you have to assess all the risks related to information contained in those products, and then you have to apply applicable controls.