Expert Advice Community

Annex A

Guest user Created: Apr 15, 2020 Last commented: Apr 15, 2020

1. ISO 27001 Annex - I have a question regarding A.14 System acquisition, development, and maintenance. We are a software development company. Does this part apply to the software we develop (as a business) or only to internal software we could develop, I mean for internal use?

2. ISO 27001 A.15 - May I apply this measure to critical IT suppliers only? Or should I apply it to all suppliers?

3. In Annex A, can we justify that we do not choose a measure by saying "company capacity is too light" or things like that?

Expert
Rhand Leal Apr 15, 2020

1. ISO 27001 Annex - I have a question regarding A.14 System acquisition, development, and maintenance. We are a software development company. Does this part apply to the software we develop (as a business) or only to internal software we could develop, I mean for internal use?

The application of this control for customers or internal purposes will depend on the scope of your ISMS. If the ISMS scope covers software development for clients, then you need to include these activities with applicable controls.


2. ISO 27001 A.15 - May I apply this measure to critical IT suppliers only? Or should I apply it to all suppliers?

You do not need to apply controls from section A.15 to all your suppliers. You can limit the application only to those for which you have identified unacceptable risks, or to those for which you have a legal requirement (e.g., law, regulation or contract) demanding the application of the control.


3. In Annex A, can we justify that we do not choose a measure by saying "company capacity is too light" or things like that?

Your suggested justification most probably won't be accepted by a certification auditor. A good justification for not choosing a control would be "We do not have unacceptable risks or legal requirements demanding the implementation of this control", because it covers the two most common reasons to implement a control.
