We are in the process of implementing ISO 27001. The company doesn’t have external development, so the A.14.2.7 control for outsourced development is not applicable. Shall we consider all A.14 controls not applicable, or only A.14.2.7?
Your advice is highly appreciated.
Controls A.14.1.2 (Securing application services on public networks) and A.14.1.3 (Protecting application services transactions) are applicable to all kinds of applications, not only payment applications.
For example, any application that is remotely (i.e., from outside the organization's network) accessed can make use of control A.14.1.2. And for control A.14.1.3, by "transactions" it means any operation performed between systems, not financial ones.
Please, I have another question. We don’t have any outsourced development or online transactions, so A.14.1.2, A.14.1.3 and A.14.2.7 are not applicable. Internally, we are using SharePoint for storing documents only, and sometimes we do some customization without using any code. Does this lead us to use the following controls: A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.14.2.6, A.14.2.8, A.14.2.9 and A.14.3.1? Appreciate your advice.
I'm assuming that by "customization without using any code" you mean parameterization of available options or setting up workflows.
Considering that, please note that controls from section A.14 cover not only system development, but also acquisition and maintenance, and "customization without using any code" can be understood as security in the support process, so the controls you mentioned may be applicable if you have relevant risks that can be treated by them, or legal requirements (e.g., laws, regulations or contracts) demanding the implementation of such controls.
For example, requests for configuration of a new parameter may need to be formally defined, and after that its implementation must be planned and tested to be sure it won't have a negative impact on the current implementation.
This article will provide you with a further explanation about selecting controls: