I have a question that I cannot get a clear answer to. I hope that you can help.
My customer develops a software product for its customers. They do not, however, carry out any software development for themselves. All of the systems that they use in-house are commercial-off-the-shelf packages like Office365, Slack, PeopleHR, and Xero (all of which are SaaS applications). They do not customise the code at all.
We are trying to establish whether or not they need to apply the Annex A.14.2 controls as these are aimed at "developments within the organisation".
Do you have any thoughts on this?