Information Security Management System. 2.1 The Supplier shall, within 30 Working Days of the Commencement Date, submit to the Authority a proposed ISMS which:
2.1.1 has been tested; and
2.1.2 complies with the requirements of paragraphs 2.2 and 2.3.
2.2 The Supplier shall at all times ensure that the level of security, including cyber security, provided by the ISMS is sufficient to protect the confidentiality, integrity and availability of Information Assets and Authority Data used in the provision of the Services and to provide robust risk management.
2.3 The Supplier shall implement, operate and maintain an ISMS which shall:
2.3.1 protect all aspects of and processes of Information Assets and Authority Data, including where these are held on the ICT Environment (to the extent that this is under the control of the Supplier);
2.3.2 be aligned to and compliant with the relevant standards in ISO/IEC 27001:2013 or equivalent and the Certification Requirements in accordance with paragraph 5 unless otherwise Approved;
2.3.3 provide a level of security which ensures that the ISMS and the Supplier System:
2.3.3.1 meet the requirements in the Contract;
2.3.3.2 are in accordance with applicable Law;
2.3.3.3 demonstrate Good Industry Practice, including the Government’s 10 Steps to Cyber Security, currently available at: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/10-steps-cyber-security;
2.3.3.4 comply with the Security Policy Framework and any other relevant Government security standards;
2.3.3.5 comply with the Baseline Security Requirements; and
2.3.3.6 comply with the Authority’s policies, including, where applicable, the Information Security Policy Framework or its replacements;
2.3.4 address any issues of incompatibility with the Supplier’s organisational security policies;
2.3.5 address any specific security threats of immediate relevance to Information Assets and/or Authority Data;
2.3.6 document:
2.3.6.1 the security incident management processes, including reporting, recording and management of information risk incidents, including those relating to the ICT Environment (to the extent that this is within the control of the Supplier) and the loss of protected Personal Data, and the procedures for reducing and raising awareness of information risk;
2.3.6.2 incident response plans, including security incident response companies; and
2.3.6.3 the vulnerability management policy, including processes for identification of system vulnerabilities and assessment of the potential effect on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing and application of
Appears in 2 contracts
Sources: Contract for the Supply of Dog Food, Contract for the Supply of Dog Food
Information Security Management System. 2.1 The Supplier shall, within 30 Working Days of the Commencement Date, submit to the Authority a proposed ISMS which:
2.1.1 has been tested; and
2.1.2 complies with the requirements of paragraphs 2.2 and 2.3.
2.2 The Supplier shall at all times ensure that the level of security, including cyber security, provided by the ISMS is sufficient to protect the confidentiality, integrity and availability of Information Assets and Authority Data used in the provision of the Services and to provide robust risk management.
2.3 The Supplier shall implement, operate and maintain an ISMS which shall:
2.3.1 protect all aspects of and processes of Information Assets and Authority Data, including where these are held on the ICT Environment (to the extent that this is under the control of the Supplier);
2.3.2 be aligned to and compliant with the relevant standards in ISO/IEC 27001:2013 or equivalent and the Certification Requirements in accordance with paragraph 5 unless otherwise Approved;
2.3.3 provide a level of security which ensures that the ISMS and the Supplier System:
2.3.3.1 meet the requirements in the Framework Agreement;
2.3.3.2 are in accordance with applicable Law;
2.3.3.3 demonstrate Good Industry Practice, including the Government’s 10 Steps to Cyber Security, currently available at: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/10-steps-cyber-security;
2.3.3.4 comply with the Security Policy Framework and any other relevant Government security standards;
2.3.3.5 comply with the Baseline Security Requirements; and
2.3.3.6 comply with the Authority’s policies, including, where applicable, the Authority’s Information Security Assurance Policy in PSI 24/2014;
2.3.4 address any issues of incompatibility with the Supplier’s organisational security policies;
2.3.5 address any specific security threats of immediate relevance to Information Assets and/or Authority Data;
2.3.6 document:
2.3.6.1 the security incident management processes, including reporting, recording and management of information risk incidents, including those relating to the ICT Environment (to the extent that this is within the control of the Supplier) and the loss of protected Personal Data, and the procedures for reducing and raising awareness of information risk;
2.3.6.2 incident response plans, including the role of nominated security incident response companies; and
2.3.6.3 the vulnerability management policy, including processes for identification of system vulnerabilities and assessment of the potential effect on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing and application of security patches and the reporting and audit mechanism detailing the efficacy of the patching policy;
2.3.7 include procedures for the secure destruction of Information Assets and Authority Data and any hardware or devices on which such information or data is stored; and
2.3.8 be certified by (or by a person with the direct delegated authority of) the Supplier’s representative appointed and/or identified in accordance with paragraph 1.3.
2.4 If the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies notified to the Supplier from time to time, the Supplier shall immediately notify the Authority of such inconsistency and the Authority shall, as soon as practicable, notify the Supplier of the provision that takes precedence.
2.5 The Supplier shall, upon request from the Authority or any accreditor appointed by the Authority, provide sufficient design documentation detailing the security architecture of its ISMS to support the Authority’s and/or accreditor’s assurance that it is appropriate, secure and complies with the Authority’s requirements.
2.6 The Authority shall review the proposed ISMS submitted pursuant to paragraph 2.1 and shall, within 10 Business Days of its receipt, notify the Supplier as to whether it has been approved.
2.7 If the ISMS is Approved, it shall be adopted by the Supplier immediately and thereafter operated and maintained throughout the Term in accordance with this Schedule 6.
2.8 If the ISMS is not Approved, the Supplier shall amend it within 10 Business Days of a notice of non-approval from the Authority and re-submit it to the Authority for approval. The Authority shall, within a further 10 Working Days, notify the Supplier whether the amended ISMS has been approved. The Parties shall use reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than 30 Working Days from the date of its first submission to the Authority. If the Authority does not approve the ISMS following its resubmission, the matter shall be resolved in accordance with clause I1 (Dispute Resolution).
2.9 Approval of the ISMS or any change to it shall not relieve the Supplier of its obligations under this Schedule 6.
2.10 The Supplier shall provide to the Authority, upon request, any or all ISMS documents.
Appears in 1 contract
Sources: Framework Agreement for Services