System Acquisition Development and Maintenance
Regarding 27001 Toolkit\08_Annex_A_Security_Controls\A.14_System_Acquisition_Development_and_Maintenance:
We do not do any software development. Is it safe to say that we do not need to complete this Policy and Appendix on Specification of Requirements? If so, do we note this elsewhere in the documentation?
Your assumption is correct. Since you do not do any software development, you do not need to complete the Secure Development Policy.
Since this document will not be used by your organization, you must update the Statement of Applicability to reflect this situation.
These articles will provide you with further explanation:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
This material will also help you:
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jan 29, 2021