ISMS and Security Management Plan.

Introduction

Throughout the Term the Service Provider shall develop, implement, comply with (and ensure that all Service Provider personnel and Sub-Contractors implement and comply with), maintain and continuously improve an ISMS which shall, without prejudice to Paragraphs 2.2 above and 4.1 below, be: approved by the Authority; tested in accordance with Paragraph 4; and periodically updated and audited in accordance with ISO/IEC 27001.

The Service Provider shall develop and maintain a Security Management Plan in accordance with this Schedule to apply during the Term (and after the end of the Term as applicable) in both this Framework Agreement and all Call-Off Agreements. The Service Provider shall comply with its obligations set out in the Security Management Plan and the other elements of this Framework Agreement relevant to security (including the Security Requirements).

Both the ISMS and the Security Management Plan shall, unless otherwise specified in writing by the Authority, aim to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Sites, the Service Provider System and any ICT, information and data (including the Contracting Body Confidential Information) to the extent used by the Authority, the Contracting Body or the Service Provider in connection with this Framework Agreement.

The Service Provider is responsible for monitoring and ensuring that it is aware of changes to the Security Policy Framework. The Service Provider shall keep the Security Management Plan up-to-date with the Security Policy Framework as amended from time to time.
Development

Within thirty (30) Working Days after the Commencement Date (or such other period specified in the Implementation Plan or as otherwise agreed by the Parties in writing) and in accordance with Paragraphs 3.3 and 3.4 below, the Service Provider shall prepare and deliver to the Authority and (if required by the Authority) the Pan-Government Accreditor for approval a fully complete and up-to-date Security Management Plan, relating specifically to the Services provided under this Framework Agreement. In this instance the “Pan-Government Accreditor” refers to the service provided by CESG, the National Technical Authority for Information Assurance, concerned with effective management of information risk associated with adoption of pan-government shared services.

If the Security Management Plan, or any subsequent revision to it in accordance with Paragraph 3.4 below, is approved by the Authority and (if required by the Authority) approved by the Pan-Government Accreditor, it shall be adopted immediately. If the Security Management Plan is not approved in accordance with the foregoing, the Service Provider shall amend it within eight (8) Working Days (or such other period as the Parties agree in writing) of a notice of non-approval (and the reason(s) for non-approval) and re-submit it to the Authority and (if required by the Authority) the Pan-Government Accreditor for approval.

The Parties shall use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties agree in writing) from the date of its first submission in accordance with Paragraph 3.2.1 above. If the Service Provider does not achieve approval of the Security Management Plan following its resubmission, the matter shall be resolved in accordance with Clause 46, the Dispute Resolution Procedure.