Another question. I think we know the answer, but just want to double-check.
Q2 – We produce hardware and software that we sell to our customers. The software is licence-based.
2.1 - Do the ISO controls apply in any way to these products? I think not: once they are acquired by the customer, the responsibility in terms of ISO 27001 falls on them. Am I right?
2.2 - Does the ISO standard specify controls for the SDLC (Secure Development Life Cycle)? And for hardware?
2.3 - If we provide some sort of support service (maintenance, improvements, patching, etc.), how does this affect us in terms of the ISO standard? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, records, etc.) and store it in our systems, then this data becomes our responsibility and is thus affected by the ISO standard. Is this assumption right? Which controls would affect these logs/records/information?