Do we have to use the control A.12.1.4 for all software development processes?

For ISO 27001, there are three possible justifications to not implement a control:

1) there is no relevant risk that justifies the control implementation;

2) the organization decides to accept the risks in all situations which would justify the control implementation; and

3) the organization decides to accept the risks in a case by case basis, i.e. implementing the control in some projects and not in others.

For options 2 and 3, the decision could be based on an evaluation of the impacts of implementing the control (e.g., loss of business opportunities, loss of productivity) versus the potential losses caused by an incident that happens because of the control's absence.

This article will provide you further explanation about risk treatment options:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

These materials will also help you regarding risk treatment options:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-2 7001-risk-management-in-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

Thank you for your time and informative reply. So, we should evaluate not to implement relevant contro by using the outcome of risk mangement. This makes quite sense. Thanks again