Common use of ISMS Clause in Contracts

ISMS. By the date specified in the Implementation Plan the Supplier shall develop and submit to the Customer for the Customer’s Approval an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and shall comply with the requirements of paragraphs 108.3 to 108.5 of this Call Off Schedule 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, the Supplier System and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001; and at all times provide a level of security which: is in accordance with Good Industry Practice, Law and this Call Off Contract; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4); meets any specific security threats to the ISMS; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 112 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 8; and complies with the Customer’s ICT policies.

Subject to Clause 34 of this Call Off Contract (Security And Protection of Information) the references to standards, guidance and policies set out in paragraph 108.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 108.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 108.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 108 of this Call Off Schedule may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 108.3 to 108.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 108.6 of this Call Off Schedule or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Schedule.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 109 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 3.2 of this Call Off Schedule.

The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 2.3 of this Call Off Schedule); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS at the date set out in the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in Annex 1 (Security) to this Schedule 8; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall reference only documents which are in the possession of the Customer or whose location is otherwise specified in this Call Off Schedule 8.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 109.2 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 109.3 of this Call Off Schedule or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any new perceived or changed security threats; and any reasonable request by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 110.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 110.1 of this Call Off Schedule, a Customer request, change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 4 contracts

Samples: Agreement, Local Authority Software Applications Call Off Terms, assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 to 98.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the provision of the Services, including Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102; and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 98.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 to 98.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 of this Call Off Schedule 7.

The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Services, processes associated with the delivery of the Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 98.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 100.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 3 contracts

Samples: www.whatdotheyknow.com, assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 to 98.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102; and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 98.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 to 98.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 of this Call Off Schedule 7.

The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 98.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 100.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 3 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 97.3 to 97.5 of this Call Off Schedule 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Services, the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS, and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the provision of the Services, including the Supplier System, the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 101; at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with the HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, the Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy, including processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 36 of this Call Off Contract (Security and Protection of Information), the references to Standards, guidance and policies contained or set out in paragraph 97.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 97.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 97.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 97 of this Call Off Schedule may be unreasonably withheld or delayed. However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 97.3 to 97.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 97.6 of this Call Off Schedule, or of any change or amendment to the ISMS, shall not relieve the Supplier of its obligations under this Schedule.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 98 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 98.2 of this Call Off Schedule. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Services, processes associated with the delivery of the Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that Information, data and/or the Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 97.3 of this Call Off Schedule); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services, and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 8.

If the Security Management Plan submitted to the Customer pursuant to paragraph 98.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 98.2 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 98.3 of this Call Off Schedule, or of any change or amendment to the Security Management Plan, shall not relieve the Supplier of its obligations under this Call Off Schedule.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 99.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 99.1 of this Call Off Schedule, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 3 contracts

Samples: assets.crowncommercial.gov.uk, www.contractsfinder.service.gov.uk, data.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 101.3 to 101.5 of this Call Off Schedule 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS, and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Supplier System, the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 105; at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with the HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, the Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy, including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 of this Call Off Contract (Security and Protection of Information), the references to Standards, guidance and policies contained or set out in paragraph 101.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 101.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 101.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 101 of this Call Off Schedule may be unreasonably withheld or delayed. However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 101.3 to 101.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 101.6 of this Call Off Schedule, or of any change or amendment to the ISMS, shall not relieve the Supplier of its obligations under this Schedule.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 102 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 102.2 of this Call Off Schedule. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 101.3 of this Call Off Schedule); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services, and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 8.

If the Security Management Plan submitted to the Customer pursuant to paragraph 102.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 102.2 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 102.3 of this Call Off Schedule, or of any change or amendment to the Security Management Plan, shall not relieve the Supplier of its obligations under this Call Off Schedule.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 103.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 103.1 of this Call Off Schedule, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 2 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 12.3 to 12.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Services, the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS, and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the provision of the Services, including the Supplier System, the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 16; at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with the HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, the Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy, including processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 of this Call Off Contract (Security and Protection of Information), the references to Standards, guidance and policies contained or set out in paragraph 12.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 12.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 12.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 12 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 12.3 to 12.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 12.6 of this Call Off Schedule 7, or of any change or amendment to the ISMS, shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 13 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 13.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Services, processes associated with the delivery of the Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that Information, data and/or the Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security
measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 8 7 (including the requirements set out in paragraph 2.3 12.3 of this Call Off ScheduleSchedule 7); set out the plans for transiting transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS at within the date set out in timeframe agreed between the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in Schedule Annex 1 (Security) to this Schedule 8Parties . be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall reference only documents which are in the possession of the Customer Parties or whose location is otherwise specified in this Call Off Schedule 87 . If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off ScheduleSchedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. 
If the Customer does not Approve approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 109.2 13.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 109.3 13.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off ScheduleSchedule 7. AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable request change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. 
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that effect information security to respond to events that may impact on the ISMSISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 110.4 14.4 of this Call Off ScheduleSchedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 110.1 14.1 of this Call Off ScheduleSchedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 2 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

ISMS. By the date specified in the Implementation Plan the Supplier shall develop and submit to the Customer for the Customer’s Approval an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and shall comply with the requirements of paragraphs 20.3 to 20.5 of this Call Off Schedule 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, the Supplier System and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001; and at all times provide a level of security which: is in accordance with Good Industry Practice, Law and this Call Off Contract; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4); meets any specific security threats to the ISMS; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 24 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 8; and complies with the Customer’s ICT policies. Subject to Clause 34 of this Call Off Contract (Security And Protection of Information) the references to standards, guidance and policies set out in paragraph 20.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 20.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 20.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 20 of this Call Off Schedule may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 20.3 to 20.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 20.6 of this Call Off Schedule or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Schedule. 
SECURITY MANAGEMENT PLAN Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 21 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 3.2 of this Call Off Schedule. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 2.3 of this Call Off Schedule); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS at the date set out in the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in Annex 1 (Security) to this Schedule 8; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall reference only documents which are in the possession of the Customer or whose location is otherwise specified in this Call Off Schedule 8. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 21.2 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 21.3 of this Call Off Schedule or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule. 
AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any new perceived or changed security threats; and any reasonable request by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 22.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 22.1 of this Call Off Schedule, a Customer request, change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: Local Authority Software Applications Call Off Terms

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 100.3 to 100.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 104; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 36 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 100.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. 
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 100.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 100.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 100 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 100.3 to 100.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 100.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7. 
SECURITY MANAGEMENT PLAN Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 101 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 101.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 100.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. 
The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 101.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 101.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7. 
AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 102.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 102.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk