Common use of ISMS Clause in Contracts

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Contract, which shall comply with the requirements of paragraphs 98.3 to 98.5 of this Contract Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall:
- unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract;
- meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 102; and
- at all times provide a level of security which:
  - is in accordance with the Law and this Contract;
  - as a minimum demonstrates Good Industry Practice;
  - complies with the Security Policy;
  - complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf;
  - takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf;
  - complies with HMG Information Assurance Maturity Model and Assurance DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf;
  - meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and
  - complies with the Customer’s ICT policies;
- document the security incident management processes and incident response plans;
- document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and
- be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 of this Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 of this Contract Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 of this Contract Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 98.1 of this Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 of this Contract Schedule 7 may be unreasonably withheld or delayed. However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 to 98.5 of this Contract Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 of this Contract Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Contract Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 of this Contract Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 of this Contract Schedule 7.

The Security Management Plan shall:
- be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan);
- comply with the Security Policy;
- identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Schedule 7 is complied with by the Supplier;
- detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services;
- unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services;
- set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Schedule 7 (including the requirements set out in paragraph 98.3 of this Contract Schedule 7);
- set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties;
- be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and
- be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 of this Contract Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 of this Contract Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect:
- emerging changes in Good Industry Practice;
- any change or proposed change to Goods and/or Services and/or associated processes;
- any changes to the Security Policy;
- any new perceived or changed security threats; and
- any reasonable change in requirement requested by the Customer.

The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation:
- suggested improvements to the effectiveness of the ISMS;
- updates to the risk assessments;
- proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and
- suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 100.4 of this Contract Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Contract Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk


ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 83.12 to 98.5 83.14 of this Contract Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall:
- unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract;
- meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 102 83.33; and
- at all times provide a level of security which:
  - is in accordance with the Law and this Call Off Contract;
  - as a minimum demonstrates Good Industry Practice;
  - complies with the Security Policy;
  - complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf;
  - takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf xxxxx://xxx.xxxx.xxx.xx/content/adopt-risk-management-approach;
  - complies with HMG Information Assurance Maturity Model and Assurance DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf Framework xxxxx://xxx.xxxx.xxx.xx/guidance/information-assurance-maturity-model-and-assessment-framework-gpg-40;
  - meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and
  - complies with the Customer’s ICT policies;
- document the security incident management processes and incident response plans;
- document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and
- be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 45 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 83.12 of this Contract Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 83.12 of this Contract Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 98.1 83.10 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 83.9 of this Contract Call Off Schedule 7 may be unreasonably withheld or delayed. However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 83.12 to 98.5 83.14 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 83.15 of this Contract Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Contract Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 83.17 of this Contract Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 83.19 of this Contract Call Off Schedule 7.

The Security Management Plan shall:
- be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan);
- comply with the Security Policy;
- identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Call Off Schedule 7 is complied with by the Supplier;
- detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services;
- unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services;
- set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Call Off Schedule 7 (including the requirements set out in paragraph 98.3 83.12 of this Contract Call Off Schedule 7);
- set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties;
- be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and
- be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 83.19 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 83.20 of this Contract Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect:
- emerging changes in Good Industry Practice;
- any change or proposed change to Goods and/or Services and/or associated processes;
- any changes to the Security Policy;
- any new perceived or changed security threats; and
- any reasonable change in requirement requested by the Customer.

The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation:
- suggested improvements to the effectiveness of the ISMS;
- updates to the risk assessments;
- proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and
- suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 100.4 83.26 of this Contract Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 83.23 of this Contract Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 101.3 to 98.5 101.5 of this Contract Call Off Schedule 7 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall:
- unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract;
- meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 102 105; and
- at all times provide a level of security which:
  - is in accordance with the Law and this Call Off Contract;
  - as a minimum demonstrates Good Industry Practice;
  - complies with the Security Policy;
  - complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf;
  - takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf;
  - complies with HMG Information Assurance Maturity Model and Assurance DPS Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf;
  - meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and
  - complies with the Customer’s ICT policies;
- document the security incident management processes and incident response plans;
- document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and
- be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 101.3 of this Contract Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 101.3 of this Contract Schedule 7 Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 98.1 101.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7 Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 101 of this Contract Call Off Schedule 7 may be unreasonably withheld or delayed. However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 101.3 to 98.5 101.5 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 101.6 of this Contract Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Schedule 7 Schedule.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Contract Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 102 of this Contract Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 102.2 of this Contract Schedule 7 Call Off Schedule.

The Security Management Plan shall:
- be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan);
- comply with the Security Policy;
- identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Call Off Schedule 7 is complied with by the Supplier;
- detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services;
- unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services;
- set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Call Off Schedule 7 8 (including the requirements set out in paragraph 98.3 101.3 of this Contract Schedule 7 Call Off Schedule);
- set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties;
- be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and
- be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7 Call Off Schedule. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 102.2 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 102.3 of this Contract Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Schedule 7 Call Off Schedule.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect:
- emerging changes in Good Industry Practice;
- any change or proposed change to Goods and/or Services and/or associated processes;
- any changes to the Security Policy;
- any new perceived or changed security threats; and
- any reasonable change in requirement requested by the Customer.

The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation:
- suggested improvements to the effectiveness of the ISMS;
- updates to the risk assessments;
- proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and
- suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 100.4 103.4 of this Contract Schedule 7 Call Off Schedule, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 103.1 of this Contract Schedule 7 Call Off Schedule, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Contract, which shall comply with the requirements of paragraphs 98.3 to 98.5 of this Contract Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 102; and at all times provide a level of security which: is in accordance with the Law and this Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf ; complies with HMG Information Assurance Maturity Model and Assurance DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf ; meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 of this Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 of this Contract Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 of this Contract Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 98.1 of this Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 of this Contract Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 to 98.5 of this Contract Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 of this Contract Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Contract Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 of this Contract Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 of this Contract Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Schedule 7 (including the requirements set out in paragraph 98.3 of this Contract Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 of this Contract Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 of this Contract Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 100.4 of this Contract Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Contract Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall have been tested in accordance with Call Off Schedule 5 (Testing) and shall comply with the requirements of paragraphs 6.12 to 6.14 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with paragraph 6.33; and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; complies with the Baseline Security Requirements; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf ; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf ; meets any specific security threats of immediate relevance to the ISMS, the Goods and/or Services and/or Customer Data; addresses issues of incompatibility with the Supplier’s own organisational security policies; complies with ISO/IEC 27001 and ISO/IEC 27002 in accordance with paragraph 6.33; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 42 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 6.12 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 6.12 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 6.10 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 6.9 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 6.12 to 6.14 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 6.15 of this Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 6.17 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 6.19 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Baseline Security Requirements and Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 6.12 of this Call Off Schedule); demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Call Off Schedule 7 through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties; set out the scope of the Customer System that is under the control of the Supplier; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 6.19 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 6.20 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 6.26 of this Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 6.23 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 28.3 to 98.5 28.5 of this Contract Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102;and 32.;and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information 
Assurance Maturity Model and Assurance DPS Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Suppliers Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 39. of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 28.3 of this Contract Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 28.3 of this Contract Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. 
If the ISMS submitted to the Customer pursuant to paragraph 98.1 28.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 28. of this Contract Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 28.3 to 98.5 28.5 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 28.6 of this Contract Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7. SECURITY MANAGEMENT PLAN Within twenty (20) Working Days after the Contract Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 29. of this Contract Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 29.2 of this Contract Call Off Schedule 7. 
The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Call Off Schedule 7 (including the requirements set out in paragraph 98.3 28.3 of this Contract Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities 
from those in place at the Contract Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties. be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 29.2 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. 
Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 29.3 of this Contract Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7. AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 100.4 30.4 of this Contract Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 30.1 of this Contract Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. 
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 5.12 to 98.5 5.14 of this Contract Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102;and 5.33;and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information 
Assurance Maturity Model and Assurance DPS Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 47 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 5.12 of this Contract Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 5.12 of this Contract Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. 
If the ISMS submitted to the Customer pursuant to paragraph 98.1 5.10 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 5.9 of this Contract Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 5.12 to 98.5 5.14 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 5.15 of this Contract Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7. SECURITY MANAGEMENT PLAN Within twenty (20) Working Days after the Contract Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 5.17 of this Contract Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 5.19 of this Contract Call Off Schedule 7. 
The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Call Off Schedule 7 (including the requirements set out in paragraph 98.3 5.12 of this Contract Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities 
from those in place at the Contract Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties. be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 5.19 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. 
Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 5.20 of this Contract Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7. AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 100.4 5.26 of this Contract Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 5.23 of this Contract Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. 
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Contract, which shall comply with the requirements of paragraphs 98.3 78.12 to 98.5 78.14 of this Contract Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102;and 78.33;and at all times provide a level of security which: is in accordance with the Law and this Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management 
xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information Assurance Maturity Model and Assurance DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 43 of this Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 78.12 of this Contract Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 78.12 of this Contract Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. 
If the ISMS submitted to the Customer pursuant to paragraph 98.1 78.10 of this Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 78.9 of this Contract Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 78.12 to 98.5 78.14 of this Contract Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 78.15 of this Contract Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Schedule 7. SECURITY MANAGEMENT PLAN Within twenty (20) Working Days after the Contract Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 78.17 of this Contract Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 78.19 of this Contract Schedule 7. 
The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Schedule 7 (including the requirements set out in paragraph 98.3 78.12 of this Contract Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract 
Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties. be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 78.19 of this Contract Schedule 7 shall be deemed to be reasonable. 
Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 78.20 of this Contract Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Schedule 7. AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 100.4 78.26 of this Contract Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 78.23 of this Contract Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. 
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Lease Agreement Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Contract Lease Agreement, which shall have been tested in accordance with Lease Agreement Schedule 5 (Testing) and shall comply with the requirements of paragraphs 98.3 5.12 to 98.5 5.14 of this Contract Lease Agreement Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract Lease Agreement; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102;and 5.33;and at all times provide a level of security which: is in accordance with the Law and this Contract Lease Agreement; complies with the Baseline Security Requirements; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS Framework (Tiers 1-4) 
xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information Assurance Maturity Model and Assurance DPS Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the Goods ISMS, theGoods and/or Services and/or Customer Data; addresses issues of incompatibility with the Supplier’s own organisational security policies; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 5.33; and complies with the Customer’s ICT policies: . document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and be certified by (or by a person with the direct delegated authority of) a Suppliers Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). 
Subject to Clause 34 42 of this Contract Lease Agreement (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 5.12 of this Contract Lease Agreement Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 5.12 of this Contract Lease Agreement Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 98.1 5.10 of this Contract Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Lease Agreement Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 5.9 of this Contract Lease Agreement Schedule 7 may be unreasonably withheld or delayed. 
However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 5.12 to 98.5 5.14 of this Contract Lease Agreement Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 5.15 of this Contract Lease Agreement Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Lease Agreement Schedule 7. SECURITY MANAGEMENT PLAN Within twenty (20) Working Days after the Contract Lease Agreement Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 5.17 of this Contract Lease Agreement Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 5.19 of this Contract Lease Agreement Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Baseline Security Requirements and Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Lease Agreement Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or 
Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract Lease Agreement or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Lease Agreement Schedule 7 (including the requirements set out in paragraph 98.3 5.12 of this Contract Lease Agreement Schedule); demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Lease Agreement Schedule 7through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract Lease Agreement Commencement Date to those incorporated in the ISMS within the timeframe agreed between the PartiesParties . 
set out the scope of the Customer System that is under the control of the Supplier; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Lease Agreement Schedule 7 . If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Lease Agreement Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 5.19 of this Contract Lease Agreement Schedule 7 shall be deemed to be reasonable. 
Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 5.20 of this Contract Lease Agreement Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Lease Agreement Schedule 7. AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any new perceived or changed security threats; and any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information securityISMS; and suggested improvements in measuring the effectiveness of controls. 
Subject to paragraph 100.4 5.26 of this Contract Lease Agreement Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 5.23 of this Contract Lease Agreement Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this ContractLease Agreement.

Appears in 1 contract

Samples: Lease Agreement

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 to 98.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and Services and all processes associated with the provision of the Goods and Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 102; and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the Goods and Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 98.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 to 98.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 of this Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 4.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and Services and all processes associated with the delivery of the Goods and Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and Services and all processes associated with the delivery of the Goods and Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 98.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 4.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods and Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 100.4 of this Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security Policy) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk


ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 80.3 to 80.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 84; and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/publications/security-policy-framework; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxxx://xxx.xxxx.xxx.xx/; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxxx://xxx.xxxx.xxx.xx/articles/hmg-ia-maturity-model-iamm; meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 355 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 80.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 80.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 80.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 80 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 80.3 to 80.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 80.6 of this Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 81 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 81.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 80.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 81.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 81.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 82.4 of this Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 82.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 3.3 to 3.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Products and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Products and/or Services and all processes associated with the provision of the Products and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 7; and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the Products and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Products and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 37 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 3.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 3.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 3 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 3.3 to 3.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 3.6 of this Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 4 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 4.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Products and/or Services, processes associated with the delivery of the Products and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Products and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Products and/or Services and all processes associated with the delivery of the Products and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Products and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Products and/or Services and all processes associated with the delivery of the Products and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Products and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 3.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Products and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 4.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Products and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 5.4 of this Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.webuat.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Contract, which shall comply with the requirements of paragraphs 98.3 to 98.5 of this Contract Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 102; and at all times provide a level of security which: is in accordance with the Law and this Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 of this Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 of this Contract Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 of this Contract Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 98.1 of this Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 of this Contract Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 to 98.5 of this Contract Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 of this Contract Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Contract Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 of this Contract Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 of this Contract Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Schedule 7 (including the requirements set out in paragraph 98.3 of this Contract Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 of this Contract Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 of this Contract Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 100.4 of this Contract Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Contract Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 5.12 to 98.5 5.14 of this Contract Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102;and 5.33;and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information 
Assurance Maturity Model and Assurance DPS Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Suppliers Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 44 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 5.12 of this Contract Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 5.12 of this Contract Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. 
If the ISMS submitted to the Customer pursuant to paragraph 98.1 5.10 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 5.9 of this Contract Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 5.12 to 98.5 5.14 of this Contract Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 5.15 of this Contract Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7. SECURITY MANAGEMENT PLAN Within twenty (20) Working Days after the Contract Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 5.17 of this Contract Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 5.19 of this Contract Call Off Schedule 7. 
The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Contract Call Off Schedule 7 (including the requirements set out in paragraph 98.3 5.12 of this Contract Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.

The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure.

No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 5.19 of this Contract Call Off Schedule 7 shall be deemed to be reasonable.
Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 5.20 of this Contract Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer.

The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 100.4 5.26 of this Contract Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 5.23 of this Contract Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer.
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Contract Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 103.3 to 98.5 103.5 of this Contract Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods Products and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods Products and/or Services and all processes associated with the provision of the Goods Products and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102 107; and at all times provide a level of security which: is in accordance with the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy DPS Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance DPS Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the Goods Products and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods Products and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 37 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 103.3 of this Contract Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.

In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 103.3 of this Contract Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.
If the ISMS submitted to the Customer pursuant to paragraph 98.1 103.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.

The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure.

No Approval to be given by the Customer pursuant to this paragraph 98 103 of this Contract Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 103.3 to 98.5 103.5 of this Contract Call Off Schedule 7 shall be deemed to be reasonable.

Approval by the Customer of the ISMS pursuant to paragraph 98.6 103.6 of this Contract Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7.

SECURITY MANAGEMENT PLAN

Within twenty (20) Working Days after the Contract Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 104 of this Contract Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 104.2 of this Contract Call Off Schedule 7.
The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Contract Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods Products and/or Services, processes associated with the delivery of the Goods Products and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods Products and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods Products and/or Services and all processes associated with the delivery of the Goods Products and/or Services, including the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods Products and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods Products and/or Services and all processes associated with the delivery of the Goods Products and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods Products and/or Services comply with the provisions of this Contract Call Off Schedule 7 (including the requirements set out in paragraph 98.3 103.3 of this Contract Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Contract Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods Products and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Contract Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Contract Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Contract Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.

The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure.

No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed.
However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 104.2 of this Contract Call Off Schedule 7 shall be deemed to be reasonable.

Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 104.3 of this Contract Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Contract Call Off Schedule 7.

AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to Goods Products and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer.

The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.
Subject to paragraph 100.4 105.4 of this Contract Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 105.1 of this Contract Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer.

The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk
