
Expert Advice Community

Control A.14.2.7

Guest
Guest user Created: May 05, 2020 Last commented: May 13, 2020

We are in the process of implementing ISO 27001. The company doesn't have external development, so the A.14.2.7 control for outsourced development is not applicable. Shall we consider all A.14 controls not applicable, or only A.14.2.7? Your advice is highly appreciated.

Expert
Rhand Leal May 05, 2020

All controls from section A.14 System acquisition, development, and maintenance would be "not applicable" only if you also do not have an internal development process.

In case your organization has internal development, you have to perform a risk assessment and evaluate legal requirements to verify if other controls from section A.14 are applicable or not.

Up to this point, since you don’t have external development, only control A.14.2.7 Outsourced development is not applicable to your organization.

This article will provide you with a further explanation about software development:

Guest
Guest user May 07, 2020

Are A.14.1.2 and A.14.1.3 related only to payment applications?

Expert
Rhand Leal May 08, 2020

Controls A.14.1.2 (Securing application services on public networks) and A.14.1.3 (Protecting application services transactions) are applicable to all kinds of applications, not only payment applications.

For example, any application that is accessed remotely (i.e., from outside the organization's network) can make use of control A.14.1.2. And for control A.14.1.3, by "transactions" it means any operation performed between systems, not only financial ones.

Guest
Nirseen May 10, 2020

Please, I have another question. We don't have any outsourced development or online transactions, so A.14.1.2, A.14.1.3 and A.14.2.7 are not applicable.
Internally, we are using SharePoint for storing documents only; sometimes we do some customization without using any code. Does this lead us to use the following controls: A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.14.2.6, A.14.2.8, A.14.2.9 and A.14.3.1?
Appreciate your advice.

Expert
Rhand Leal May 13, 2020

I'm assuming that by "customization without using any code" you mean parameterization of available options or setting up workflows.

Considering that, please note that controls from section A.14 cover not only system development, but also acquisition and maintenance, and "customization without using any code" can be understood as security in the support process, so the controls you mentioned may be applicable if you have relevant risks that can be treated by them, or legal requirements (e.g., laws, regulations or contracts), demanding the implementation of such controls.

For example, requests for configuration of a new parameter may need to be formally defined, and after that its implementation must be planned and tested to be sure it won't have a negative impact on the current implementation.

This article will provide you with a further explanation about selecting controls:

These materials will also help you regarding selecting controls:
