Secure Development Life Cycle
Another question. I think we know the answer, but just want to double-check.
Q2 – We produce hardware and software that we sell to our customers. The software is based on licences.
2.1 - Do the ISO controls apply in any way to these products? I think not, and that once they are acquired by the customer the responsibility in terms of ISO 27001 falls on them. Am I right?
You are partially correct. While ISO 27001 does not apply to products or services, it can be applied to a product lifecycle process, which may cover support for sold products and the release of updates to fix identified security breaches. Regular security updates for smartphones, released by their manufacturers, are an example.
2.2 - Does the ISO indicate controls for SDLC (Secure Development Life Cycle)? And for hardware?
ISO 27001 does not explicitly specify controls for SDLC, but by the nature of the controls from section A.14 (System acquisition, development, and maintenance), these can be applied to SDLC.
As for hardware, please note that the SDLC concept applies to both hardware and software, and the controls from section A.14 of ISO 27001 Annex A refer to systems, which are composed of hardware and/or software elements.
For further information, see:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc.), how does this affect us in terms of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, records, etc.) and store it in our systems, then this data becomes our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect these logs/records/info?
In case your support service process is included in your ISMS scope, then you need to go through all ISO 27001 requirements. Whether or not you collect data will only make a difference regarding which risks your process will be exposed to and the applicable controls (i.e., by intervening and collecting data you will be in a more complex and riskier situation).
About which controls to consider regarding logs/records/info, this will depend on the results of risk assessment and applicable legal requirements.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
Jun 09, 2021