In my Company, we want to establish iso27001 on Whole Organization. We Develop, Establish, and support ERP Solutions. ERP use some web service (Micro Service or API) from some third parties which some of them have licenses and others is free. Is Web Service effect on ISMS Scope?
also, Should we consider the risks of using the API in the risk assessment Process (like Access Control, Malware Analysis, Monitoring, ...)?