July 15, 2021

Restrictions on changes to software packages (ISO 27002 14.2.4)

>**ISO 27002 Control 14.2.4**: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.
>**Implementation Guidance**: As far as possible and practicable, vendor-supplied software packages should be used without modification.

What kind of modifications to to vendor-supplied software packages are we talking about here? Changes to the code? If so, then vendor-supplied software packages aren’t going to be COTS, because their code is proprietary. If it’s not COTS, it’s going to be treated like any other software development and there are already other controls for this in ISO27k.

Any thoughts would be appreciated. Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.