ISO 27001: do we need audit access to the code of the core application

Çağlar Arlı

We want to be 27001 certified and our company is based on one core application that is hosted in our cloud infrastructure but provided by a vendor.

Is there a situation where an auditor needs access to the source code to be able to justify if certain levels of security are "built" into the application and that the application has no backdoor which does "something unexpected with the data" (let's phrase it like this), or is this not necessary?

The background of the question is: the core application vendor would give access to the source code (contractually agreed) if, but ONLY if, this is a clear need from an ISO 27001 audit perspective.