Common use of Documentation Clause in Contracts

Documentation. OVHcloud must deploy a formal documented management system to:
• provide a comprehensive framework for policy rules, guidelines, operational documentation, records and indicators
• ensure formalism and follow-up of activities implemented to reduce risks
• demonstrate compliance with applicable legal, regulatory or contractual requirements
• demonstrate compliance with the rules set out in the detailed security policies

OVHcloud must deploy a formal approach for managing assets carrying security risks or in support for security management to ensure appropriate security controls over them:
• Maintain accurate inventories of those assets
• Define and maintain ownership for those assets
• Classification of those assets based on appropriate criteria to support security decision
• Definition of security rules adapted to their criticality

OVHcloud must deploy a risk management approach to structure operational decisions affecting security. This risk management approach is based on the principles of ISO/IEC 31000 and ISO/IEC 27005 standards. It is based on:
• In-depth knowledge of systems through asset cartography, asset classifications and valuations from a security perspective
• Ongoing analysis of feared events, vulnerabilities, and the threat environment
• uniform formalization of security risks to make them explicit to technical experts and decision-makers for reasonable and informed decision-making
• follow-up of decisions and action plans following the identification of a risk

The establishment of formal risk management enables the operational specificity of a project or product to be taken into account and the achievement of specific security objectives. Failure to comply with an ISSP rule results in an analysis of the risks resulting from the introduction of compensatory security measures to achieve at least an equivalent level of safety or acceptance of risk.

Appears in 3 contracts

Sources: Auftragsverarbeitungsvertrag, Auftragsverarbeitungsvertrag, Auftragsverarbeitungsvertrag