Information Security Management System (ISMS Clause Samples

Information Security Management System (ISMS. 3.1 The Supplier shall develop and submit to the Buyer, within twenty (20) Working Days after the Start Date, an information security management system for the purposes of this Contract and shall comply with the requirements of Paragraphs 3.4 to 3.6. 3.2 The Supplier acknowledges that the Buyer places great emphasis on the reliability of the performance of the Deliverables, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. 3.3 The Buyer acknowledges that; 3.3.1 If the Buyer has not stipulated during a Further Competition that it requires a bespoke ISMS, the ISMS provided by the Supplier may be an extant ISMS covering the Services and their implementation across the Supplier’s estate; and 3.3.2 Where the Buyer has stipulated that it requires a bespoke ISMS then the Supplier shall be required to present the ISMS for the Buyer’s Approval. 3.4 The ISMS shall: 3.4.1 if the Buyer has stipulated that it requires a bespoke ISMS, be developed to protect all aspects of the Deliverables and all processes associated with the provision of the Deliverables, including the Buyer Premises, the Sites, the Supplier System, the Buyer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Buyer’s Confidential Information and the Government Data) to the extent used by the Buyer or the Supplier in connection with this Contract; 3.4.2 meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 7; 3.4.3 at all times provide a level of security which: a) is in accordance with the Law and this Contract; b) complies with the Baseline Security Requirements; c) as a minimum demonstrates Good Industry Practice; d) where specified by a Buyer that has undertaken a Further Competition - complies with the Security Policy and the ICT Policy; e) complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) (▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security- policy-framework/hmg-security-policy-framework) f) takes account of guidance issued by the Centre for Protection of National Infrastructure (▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇) g) complies with HMG Information Assurance Maturity Model and Assurance Framework (▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/articles/hmg-ia-maturity-model- iamm)

Information Security Management System (ISMS. The Contractor shall develop and maintain an Information Security Management System compliant with ISO/IEC 27001 (latest revision) Information technology –Security techniques – Information security management systems – Requirements. The ISMS shall be certified by an accredited organization indicating conformance to this standard. The Contractor shall maintain full and continuous ISMS certification for the entire time charter period of performance of this contract. The Contractor shall notify the Contracting Officer within twenty-four (24) hours if for any reason the ISMS certification is revoked. At a minimum, ISMS certification (interim or otherwise) shall be in place no later than sixty (60) days after delivery of the vessel. Costs associated with certification of the ISMS shall be included in the fixed-price charter hire rate.

Information Security Management System (ISMS. The Supplier shall develop and submit to the Buyer, within twenty (20) Working Days after the Start Date, an information security management system for the purposes of this Contract and shall comply with the requirements of Paragraphs 3.4 to 3.