Checklist of ISO/IEC 27001-A.14.2.4 Restrictions on changes to software packages


Information technology (IT) systems are the backbone of modern organizations, and changes to these systems are inevitable: vendor updates, patches, hardware replacements, integrations with other systems, and so on.

However, any change to an IT system can introduce vulnerabilities that an attacker may exploit. Modifying a vendor-supplied software package is especially risky, because it can disable or bypass the security controls the vendor built in, break the vendor's update path, and void the vendor's support.

Therefore, it is essential that changes to IT systems are made in a controlled and secure manner. In this article, we discuss control A.14.2.4 from Annex A of ISO/IEC 27001:2013, "Restrictions on changes to software packages", which sits under the control objective A.14.2, "Security in development and support processes". The control requires that modifications to software packages be discouraged, limited to necessary changes, and strictly controlled.

Sample Checklist:

  • Check that a policy or procedure is in place that governs changes to vendor-supplied software packages, and that it discourages such changes and limits them to what is strictly necessary.
  • Review a sample of software packages and check whether any of them have been modified, for example by comparing the installed files against the vendor's release (package integrity verification, checksums, or signatures).
  • If changes have been made, confirm that the original built-in controls and integrity processes have not been compromised, and that the change was authorized and documented.
  • Check that the vendor's consent and involvement were obtained before the changes were made.
  • Verify whether the vendor still supports the software package now that it has been changed, and whether the organization has accepted responsibility for maintaining the modified version.
  • Determine whether the possibility of obtaining the required change as a standard program update from the vendor was explored before modifying the package locally.
  • Check that compatibility with other software in use was tested before the changes were applied.
  • Check that the original software was retained and that the changes were applied to a clearly identified copy, so that the change can be reversed and re-applied to future vendor releases.
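The second and third checklist items ask the auditor to find out whether a vendor package has actually been modified on the installed system. The following is an added example, not part of the original article or of any vendor's tooling, showing one way to perform that check: record a SHA-256 manifest of the package's files at installation time, then compare the installed files against it later and report modified, missing and unexpected files. The manifest format, the directory layout and the sample files are constructed for the example; in practice you would use the manifest or package database the vendor or distribution ships (for example `rpm -V` or `dpkg --verify` on Linux packages) and keep the reference manifest signed or stored off the host so that an attacker who modifies the package cannot also rewrite the manifest.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Assumed manifest format for this example: {"etc/app.conf": "<hex digest>", ...}.
    """
    return {
        entry.relative_to(root).as_posix(): sha256_of(entry)
        for entry in sorted(root.rglob("*"))
        if entry.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root against a reference manifest.

    Returns three sorted lists:
      modified   - present in both, but the content hash differs
      missing    - listed in the manifest but no longer on disk
      unexpected - on disk but not listed in the manifest (e.g. a dropped-in library)
    """
    current = build_manifest(root)
    modified = sorted(p for p, h in manifest.items() if p in current and current[p] != h)
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: a two-file 'vendor package' is recorded, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho vendor build 1.2.3\n")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("auth_required = true\n")

        # Reference manifest taken at installation time, before any local change.
        manifest = build_manifest(root)

        # Three kinds of unauthorized change an auditor wants to see reported:
        (root / "etc" / "app.conf").write_text("auth_required = false\n")  # built-in control weakened
        (root / "bin" / "app").unlink()                                    # vendor binary removed
        (root / "bin" / "patched.so").write_bytes(b"\x7fELF local patch")  # untracked file added

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A clean package yields three empty lists; anything else is evidence for the checklist that the package was changed and should be traced back to an authorized, vendor-approved change record.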


Control A.14.2.4 is an essential aspect of securing IT systems.

It helps organizations ensure that changes to vendor-supplied software packages are rare, justified, authorized, and made in a controlled and secure manner, without silently disabling the protections the vendor built in.

By working through the sample checklist above, and keeping the evidence it produces (change records, vendor approvals, compatibility test results, and integrity checks of the installed packages), organizations can demonstrate compliance with control A.14.2.4 and minimize the risk of introducing vulnerabilities into their IT systems.

See also  Checklist of ISO/IEC 27001-A.12.4.1 Event logging
