Information Security Management Systems Clause Samples
Information Security Management Systems.

● Supplier must operate an information security management system (ISMS) that is based on recognized, marketable standards (e.g., ISO 27001, BSI Grundschutz).

● Supplier must prepare at least one comprehensive information security risk report per year and make it available to Controller.

● This must contain at least the following information on security-relevant topics with regard to the provision of services:
  ○ The basic compliance with the contractually agreed security measures.
  ○ Identified information security risks (to be replaced, if necessary, by separate risk reporting).
  ○ Status and development of information security incidents.
  ○ General overview of vulnerability scans carried out and their results.
  ○ General overview of penetration tests carried out and their results.
  ○ Results of security audits performed by the ISMS organization.
  ○ Security awareness measures carried out.
  ○ Relevant results of the internal audit and third-party auditors (e.g., auditors) with reference to the Supplier ISMS, as well as security-relevant findings in connection with the performance of services under the contract.

● Supplier grants Controller the right to verify compliance with the contractually agreed information security specifications.
