Expert Advice Community


Approval of documents and risks

Guest user Created:   Mar 16, 2016 Last commented:   Mar 29, 2016

What is the process for documenting management's approval of documents and risks? Do meeting minutes suffice? What is best practice?
Antonio Jose Segovia Mar 16, 2016

Also, our company does not perform any software development, instead relying on a variety of SaaS offerings. Is there any reason we would need any of the controls found in ISO 27002 14.2 Security in development and support processes?

Answer:
Regarding your first question, from my point of view meeting minutes are enough for the standard, but in the case of risks, they need to be approved by their owners before the risk treatment plan is implemented. This article about the steps of the risk assessment & treatment may be interesting for you, "ISO 27001 risk assessment & treatment – 6 basic steps": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ And also this article about the risk owners, "Risk owners vs. asset owners in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

Regarding your second question, if there are no risks related to the development of software because there is no development in your company, you can exclude the security controls related to development, although there are some controls that are not only related to development that you should consider applying: A.14.2.5 Secure system engineering principles. For more information about this control, please read "What are secure engineering principles in ISO 27001:2013 control A.14.2.5?": https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

And in your specific case, during the risk assessment & treatment, you could identify whether there are risks related to the connection with the SaaS provider, and if so, controls that you can use to reduce these risks are A.14.1.2 Securing application services on public networks, and A.14.1.3 Protecting application services transactions.

Finally, our online course may be interesting for you because you can find more information about security controls there, "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/

kmcneil Mar 29, 2016

Hi, and thank you for your response! Quick question: with respect to the approval of the risk treatment plan, can the risk owners attend the review meeting, with the risk treatment plan discussed, and meeting minutes be maintained for the meeting to show approval?
Thanks!

Antonio Jose Segovia Mar 30, 2016

If you mean approving the risks in a review meeting, for me it is OK, provided it is performed before the implementation of the risk treatment plan and, obviously, the risk owners are present; you can maintain the minutes as evidence to show approval.

For more information about the risk assessment and treatment, this free webinar may be interesting for you, "The basics of risk assessment and treatment according to ISO 27001": https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
