My doubt is related on controls to be implemented regarding software development, i.e, controls 8.25, 8.26, 8.27, 8.28 and 8.29.
I understand that if there is any type of internal software development the controls must be applied.
However, if a company has installed any software/platform that is open source, it means that its allowed or can be made changes. Even, and for instance, for solutions that IT systems administrators use to manage IT infrastructure.
In this case, any of the mentioned controls must be applied ? meaning that they cannot be excluded.