>**ISO 27002 Control 14.2.4**: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.
>**Implementation Guidance**: As far as possible and practicable, vendor-supplied software packages should be used without modification.

What kind of modifications to vendor-supplied software packages are we talking about here? Changes to the code? If so, then vendor-supplied software packages aren’t going to be COTS, because their code is proprietary. If it’s not COTS, it’s going to be treated like any other software development and there are already other controls for this in ISO27k.
Any thoughts would be appreciated. Thanks!