I have a question about ISO 27001. Our company is a software development company. In 14 it says IT services, but in 6.1.5 it says regardless of the project. My question is: in our projects (we develop the code) which have a login screen, with respect to ISO 27001 do we need to apply secure log-on, password management or event logging if, as a company, we had ISO 27001?
If your projects are included in the scope of the ISMS, sure, you need to implement both controls, because both are related to the protection of information (the most important thing in ISO 27001).
In Annex A, you can find this security control: A.9.4.3 Password management system. What could happen if your company does not have this control? Any unauthorized person could have access to restricted information.
Also you can find this control: A.12.4.1 Event logging. Here you can ask me: why is this control important? If there are many attempts at unauthorized access, it is likely that someone is trying to access restricted information, and you need a control to avoid this.
Therefore, if you implement an ISMS in your organization, and the risk assessment determines that the risk level is not acceptable, you must implement these 2 controls.
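Added example, not part of the question or the answer above: a minimal Python log-on handler showing what the two controls look like inside a developed application. Salted password hashing covers A.9.4.3 (Password management system); one structured event per attempt plus a check for repeated failures covers A.12.4.1 (Event logging). The sample user, source addresses and the "5 failures within 60 seconds" threshold are constructed assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

PBKDF2_ROUNDS = 200_000  # assumption: tune to the hardware the service runs on


def make_record(password: str) -> dict:
    """A.9.4.3: store a per-user salt and a PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash and compare in constant time so timing leaks nothing."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


# Hashed against for unknown users so response time does not reveal valid names.
DUMMY_RECORD = make_record(secrets.token_hex(16))


def login(users: dict, events: list, user: str, password: str, source: str, ts: int) -> bool:
    """Authenticate and append one A.12.4.1 event: who, when, from where, outcome.
    The event deliberately contains no password material."""
    record = users.get(user, DUMMY_RECORD)
    ok = verify_password(record, password) and user in users
    events.append({"ts": ts, "event": "logon", "user": user, "source": source,
                   "outcome": "success" if ok else "failure"})
    return ok


def repeated_failures(events: list, window_seconds: int, threshold: int) -> list:
    """Users with at least `threshold` failed log-ons inside any `window_seconds` span,
    i.e. the 'many attempts at unauthorized access' the answer says logging must surface."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "logon" and e["outcome"] == "failure":
            failures[e["user"]].append(e["ts"])
    flagged = []
    for user, stamps in failures.items():
        stamps.sort()
        # Any run of `threshold` consecutive failures that fits in the window trips the check.
        if any(stamps[i + threshold - 1] - stamps[i] <= window_seconds
               for i in range(len(stamps) - threshold + 1)):
            flagged.append(user)
    return sorted(flagged)
```

The returned list is what a reviewer or SIEM rule would act on; the events list is the audit trail an ISO 27001 auditor would expect to be retained and protected.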