1. A.14.2.1 Secure development policy =does this control still applicable for organization that fully outsource their development process?
2. A.14.2.2 =does this control only for during development process (i.e. coding, bug fixing), or does it includes changes when system is put into operations (i.e. new requirements, enhancement)? How does it differ from A.12.1.2? Does operating system patching/updating part of A.14.2.2 or A.12.1.2?
3. A.14.2.5 =is this only applicable for inhouse development? Is this applicable when analyzing system requirements and system design?
Yes, you can apply this control, but in this case you need to request a secure development policy to the external company
You can consider this control for development process and also for changes in systems when you put them into operations. The control A.12.1.2 is more general (for all changes related to information security: organization, business processes, information processing facilities, etc.), and the control A.14.2.2 is specifically related to changes to systems within the development lifecycle. I think that operating system patching/updating is more related to the control A.14.2.2
Yes, but here you can also demand a secure system engineering principles to an external company, and yes, you can apply this control when analyzing system requirements and system design.