Question - ISO 27001

1. How do you put in place HR systems when there are no employees ? Would this be more about Supplier management ? and supplier worker management ?

Since your customer uses contractors, his relationship with them and their employees will be through supplier management, so regarding ISO 27001 implementation, this will mostly cover controls from ISO 27001 Annex A section 15 Supplier relationships.

For further information, see:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001

2.  With Software Development - Would they either:  (a) require suppliers to follow his requirements or ISO Compliant software development manuals. OR.  (b)  require the subsidiary to produce there software development manual (which meets the requirements of ISO 27001) – which he approves?

In this situation first, you need to ensure, by means of security clauses in contracts or service agreements, that risks you consider relevant, and legal requirements applicable to his organization, related to software development are properly treated by the supplier.

Considering that, alternative (a) is more adequate because in alternative (b) you only consider the standard's requirements, not those of your customer.

These articles will provide you with further explanation about security clauses and software development:

• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/