Common use of Audit and Testing Clause in Contracts

Audit and Testing. The Contractor shall conduct tests of the processes and countermeasures contained in the Security Plan ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Authority. The Authority shall be entitled to send a representative to witness the conduct of the Security Tests. The Contractor shall provide the Authority with the results of such tests (in a form approved by the Authority in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Authority pursuant to this Agreement, the Authority shall be entitled at any time and without giving notice to the Contractor to carry out such tests (including penetration tests) as it may deem necessary in relation to the Security Plan and the Contractor's compliance with and implementation of the Security Plan. The Authority may notify the Contractor of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery Services. If such tests impact adversely on its ability to deliver the Services to the agreed Service Levels, the Contractor shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 14.3 or 14.4 above reveals any actual or potential security failure or weaknesses, the Contractor shall promptly notify the Authority of any changes to the Security Plan (and the implementation thereof) which the Contractor proposes to make in order to correct such failure or weakness. Subject to the Authority's approval in accordance with paragraph 13.5.3, the Contractor shall implement such changes to the Security Plan in accordance with the timetable agreed with the Authority or, otherwise, as soon as reasonably possible.

For the avoidance of doubt, where the change to the Security Plan to address a non-compliance with the Security Policy or security requirements, the change to the Security Plan shall be at no additional cost to the Authority. For the purposes of this paragraph 14, a weakness means a vulnerability in security and a potential security failure means a possible breach of the Security Plan or security requirements.

COMPLIANCE WITH ISO/IEC 27001

[The Contractor shall obtain independent certification of the Security Plan to ISO 27001 as soon as reasonably practicable and will maintain such certification for the duration of the Agreement.] [If certain parts of the Security Policy do not conform to good industry practice as described in ISO 27002 and, as a result, the Contractor reasonably believes that its certification to ISO 27001 would fail in regard to these parts, the Contractor shall promptly notify the Authority of this and the Authority in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] The Contractor shall carry out such regular security audits as may be required by the British Standards Institute in order to maintain delivery of the Services in compliance with security aspects of ISO 27001 and shall promptly provide to the Authority any associated security audit reports and shall otherwise notify the Authority of the results of such security audits. If it is the Authority's reasonable opinion that compliance with the principles and practices of ISO 27001 is not being achieved by the Contractor, then the Authority shall notify the Contractor of the same and give the Contractor a reasonable time (having regard to the extent of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO 27001. If the Contractor does not become compliant within the required time then the Authority has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 15.5 the Contractor is found to be non-compliant with the principles and practices of ISO 27001 then the Contractor shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Authority in obtaining such audit.

BREACH OF SECURITY

Either party shall notify the other immediately upon becoming aware of any Breach of Security including, but not limited to an actual, potential or attempted breach, or threat to, the Security Plan. Upon becoming aware of any of the circumstances referred to in paragraph 16.2, the Contractor shall: immediately take all reasonable steps necessary to: remedy such breach or protect the Contractor System against any such potential or attempted breach or threat; and prevent an equivalent breach in the future. Such steps shall include any action or changes reasonably required by the Authority. In the event that such action is taken in response to a breach that is determined by the Authority acting reasonably not to be covered by the obligations of the Contractor under this Agreement, then the Contractor shall be entitled to refer the matter for agreement in accordance with any procedures for handling contract change set out in the General Conditions; and as soon as reasonably practicable provide to the Authority full details (using such reporting mechanism as may be specified by the Authority from time to time) of such actual, potential or attempted breach and of the steps taken in respect thereof.

APPENDIX 1 Outline Security Plan
APPENDIX 2 Security Policy

NHS SUPPLEMENTARY CONDITIONS OF CONTRACT RELATING TO INFORMATION SECURITY
SCHEDULE 2 BUSINESS CONTINUITY AND DISASTER RECOVERY PROVISIONS

PURPOSE OF THIS SCHEDULE

This schedule sets out the Authority's requirements for ensuring continuity of the business processes and operations supported by the Services in circumstances of Service disruption or failure and for restoring the Services through business continuity and as necessary disaster recovery procedures. It also includes the requirement on the Contractor to develop, review, test, change, and maintain a BCDR Plan in respect of the Services. The BCDR Plan shall be divided into three parts: Part A which shall set out general principles applicable to the BCDR Plan ("General Principles"); Part B which shall relate to business continuity ("Business Continuity Plan"); and Part C which shall relate to disaster recovery ("Disaster Recovery Plan"). The BCDR Plan shall detail the processes and arrangements which the Contractor shall follow to ensure continuity of the business processes and operations supported by the Services following any failure or disruption of any element of the Services and the recovery of the Services in the event of a Disaster.

DEVELOPMENT OF BCDR PLAN

The BCDR Plan shall unless otherwise required by the Authority in writing, be based upon and be consistent with the provisions of paragraphs 19, 4 and 21 of this schedule 2 (Business Continuity and Disaster Recovery Provisions). The Contractor shall ensure that its Sub-contractors' disaster recovery and business continuity plans are integrated with the BCDR Plan.

Appears in 6 contracts

Samples: Requirements and Plan, Blood and Transplant, Requirements and Plan


Audit and Testing. The Contractor Service Provider shall conduct tests of the processes and countermeasures contained in the Security Plan ("Security Tests") on an [annual] annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the AuthorityCustomer. The Authority Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Contractor Service Provider shall provide the Authority Customer with the results of such tests (in a form approved by the Authority Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Authority Customer pursuant to this AgreementContract, the Authority Customer shall be entitled at any time and without giving notice to the Contractor Service Provider to carry out such tests (including penetration tests) as it may deem necessary in relation to the Security Plan and the ContractorService Provider's compliance with and implementation of the Security Plan. The Authority Customer may notify the Contractor Service Provider of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests impact adversely on its ability to deliver the Services to the agreed Service Levels, the Contractor Service Provider shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 14.3 or 14.4 4.2 and 4.3 above reveals any actual or potential security failure or weaknesses, the Contractor Service Provider shall promptly notify the Authority Customer of any changes to the Security Plan (and the implementation thereof) which the Contractor Service Provider proposes to make in order to correct such failure or weakness. 
Subject to the AuthorityCustomer's approval Approval in accordance with paragraph 13.5.3, 3.4.3 the Contractor Service Provider shall implement such changes to the Security Plan in accordance with the timetable agreed with the Authority Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the Security Plan to address a non-compliance with the Security Policy or security requirementsSecurity Requirements, the change to the Security Plan shall be at no additional cost to the AuthorityCustomer. For the purposes of this paragraph 144.4, a weakness means a vulnerability in security and a potential security failure means a possible breach of the Security Plan or security requirements. COMPLIANCE WITH ISO/IEC 27001 [The Contractor shall obtain independent certification of the Security Plan to ISO 27001 as soon as reasonably practicable and will maintain such certification for the duration of the AgreementRequirements.] [If certain parts of the Security Policy do not conform to good industry practice as described in ISO 27002 and, as a result, the Contractor reasonably believes that its certification to ISO 27001 would fail in regard to these parts, the Contractor shall promptly notify the Authority of this and the Authority in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] The Contractor shall carry out such regular security audits as may be required by the British Standards Institute in order to maintain delivery of the Services in compliance with security aspects of ISO 27001 and shall promptly provide to the Authority any associated security audit reports and shall otherwise notify the Authority of the results of such security audits. 
If it is the Authority's reasonable opinion that compliance with the principles and practices of ISO 27001 is not being achieved by the Contractor, then the Authority shall notify the Contractor of the same and give the Contractor a reasonable time (having regard to the extent of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO 27001. If the Contractor does not become compliant within the required time then the Authority has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 15.5 the Contractor is found to be non-compliant with the principles and practices of ISO 27001 then the Contractor shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Authority in obtaining such audit. BREACH OF SECURITY Either party shall notify the other immediately upon becoming aware of any Breach of Security including, but not limited to an actual, potential or attempted breach, or threat to, the Security Plan. Upon becoming aware of any of the circumstances referred to in paragraph 16.2, the Contractor shall: immediately take all reasonable steps necessary to: remedy such breach or protect the Contractor System against any such potential or attempted breach or threat; and prevent an equivalent breach in the future. Such steps shall include any action or changes reasonably required by the Authority. 
In the event that such action is taken in response to a breach that is determined by the Authority acting reasonably not to be covered by the obligations of the Contractor under this Agreement, then the Contractor shall be entitled to refer the matter for agreement in accordance with any procedures for handling contract change set out in the General Conditions; and as soon as reasonably practicable provide to the Authority full details (using such reporting mechanism as may be specified by the Authority from time to time) of such actual, potential or attempted breach and of the steps taken in respect thereof. APPENDIX 1 Outline Security Plan APPENDIX 2 Security Policy NHS SUPPLEMENTARY CONDITIONS OF CONTRACT RELATING TO INFORMATION SECURITY SCHEDULE 2 BUSINESS CONTINUITY AND DISASTER RECOVERY PROVISIONS PURPOSE OF THIS SCHEDULE This schedule sets out the Authority's requirements for ensuring continuity of the business processes and operations supported by the Services in circumstances of Service disruption or failure and for restoring the Services through business continuity and as necessary disaster recovery procedures. It also includes the requirement on the Contractor to develop, review, test, change, and maintain a BCDR Plan in respect of the Services. The BCDR Plan shall be divided into three parts: Part A which shall set out general principles applicable to the BCDR Plan ("General Principles"). Part B which shall relate to business continuity ("Business Continuity Plan"); and Part C which shall relate to disaster recovery ("Disaster Recovery Plan"); and The BCDR Plan shall detail the processes and arrangements which the Contractor shall follow to ensure continuity of the business processes and operations supported by the Services following any failure or disruption of any element of the Services and the recovery of the Services in the event of a Disaster. 
DEVELOPMENT OF BCDR PLAN The BCDR Plan shall unless otherwise required by the Authority in writing, be based upon and be consistent with the provisions of paragraphs 19, 4and 21 of this schedule 2 (Business Continuity and Disaster Recovery Provisions). The Contractor shall ensure that its Sub-contractors' disaster recovery and business continuity plans are integrated with the BCDR Plan.

Appears in 2 contracts

Samples: data.gov.uk, data.gov.uk

Audit and Testing. The Contractor Consultant shall conduct tests of the processes and countermeasures contained in the Security Plan ("Security Tests") on an [annual] annual basis or as otherwise agreed by the partiesParties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the AuthorityAgency. The Authority Agency shall be entitled to send a representative to witness the conduct of the Security Tests. The Contractor Consultant shall provide the Authority Agency with the results of such tests (in a form approved by the Authority Agency in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Authority Agency pursuant to this Agreement, the Authority Agency shall be entitled at any time and without giving notice to the Contractor Consultant to carry out such tests (including penetration tests) as it may deem necessary in relation to the Security Plan and the ContractorConsultant's compliance with and implementation of the Security Plan. The Authority Agency may notify the Contractor Consultant of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery Consultancy Services. If such tests impact adversely on its ability to deliver the Services to the agreed Service LevelsConsultancy Services, the Contractor Consultant shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 14.3 or 14.4 above this Paragraph 3 reveals any actual or potential security failure or weaknesses, the Contractor Consultant shall promptly notify the Authority Agency of any changes to the Security Plan (and the implementation thereof) which the Contractor Consultant proposes to make in order to correct such failure or weakness. 
Subject to the Authority's approval in accordance with paragraph 13.5.3, the Contractor The Consultant shall implement such changes to the Security Plan in accordance with the timetable agreed with the Authority Agency or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the Security Plan is implemented to address a non-compliance with the Security Policy or security requirements, the change to the Security Plan shall be at no additional cost to the AuthorityAgency. For the purposes of this paragraph 14Paragraph 3, a weakness means a vulnerability in security and a potential security failure means a possible breach of the Security Plan or security requirements. COMPLIANCE WITH ISO/IEC 27001 [The Contractor shall obtain independent certification of the Security Plan to ISO 27001 as soon as reasonably practicable and will maintain such certification for the duration of the Agreement.] [If certain parts of the Security Policy do not conform to good industry practice as described in ISO 27002 and, as a result, the Contractor reasonably believes that its certification to ISO 27001 would fail in regard to these parts, the Contractor shall promptly notify the Authority of this and the Authority in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] The Contractor shall carry out such regular security audits as may be required by the British Standards Institute in order to maintain delivery of the Services in compliance with security aspects of ISO 27001 and shall promptly provide to the Authority any associated security audit reports and shall otherwise notify the Authority of the results of such security audits. 
If it is the Authority's reasonable opinion that compliance with the principles and practices of ISO 27001 is not being achieved by the Contractor, then the Authority shall notify the Contractor of the same and give the Contractor a reasonable time (having regard to the extent of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO 27001. If the Contractor does not become compliant within the required time then the Authority has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 15.5 the Contractor is found to be non-compliant with the principles and practices of ISO 27001 then the Contractor shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Authority in obtaining such audit. BREACH OF SECURITY Either party shall notify the other immediately upon becoming aware of any Breach of Security including, but not limited to an actual, potential or attempted breach, or threat to, the Security Plan. Upon becoming aware of any of the circumstances referred to in paragraph 16.2, the Contractor shall: immediately take all reasonable steps necessary to: remedy such breach or protect the Contractor System against any such potential or attempted breach or threat; and prevent an equivalent breach in the future. Such steps shall include any action or changes reasonably required by the Authority. 
In the event that such action is taken in response to a breach that is determined by the Authority acting reasonably not to be covered by the obligations of the Contractor under this Agreement, then the Contractor shall be entitled to refer the matter for agreement in accordance with any procedures for handling contract change set out in the General Conditions; and as soon as reasonably practicable provide to the Authority full details (using such reporting mechanism as may be specified by the Authority from time to time) of such actual, potential or attempted breach and of the steps taken in respect thereof. APPENDIX 1 Outline Security Plan APPENDIX 2 Security Policy NHS SUPPLEMENTARY CONDITIONS OF CONTRACT RELATING TO INFORMATION SECURITY SCHEDULE 2 BUSINESS CONTINUITY AND DISASTER RECOVERY PROVISIONS PURPOSE OF THIS SCHEDULE This schedule sets out the Authority's requirements for ensuring continuity of the business processes and operations supported by the Services in circumstances of Service disruption or failure and for restoring the Services through business continuity and as necessary disaster recovery procedures. It also includes the requirement on the Contractor to develop, review, test, change, and maintain a BCDR Plan in respect of the Services. The BCDR Plan shall be divided into three parts: Part A which shall set out general principles applicable to the BCDR Plan ("General Principles"). Part B which shall relate to business continuity ("Business Continuity Plan"); and Part C which shall relate to disaster recovery ("Disaster Recovery Plan"); and The BCDR Plan shall detail the processes and arrangements which the Contractor shall follow to ensure continuity of the business processes and operations supported by the Services following any failure or disruption of any element of the Services and the recovery of the Services in the event of a Disaster. 
DEVELOPMENT OF BCDR PLAN The BCDR Plan shall unless otherwise required by the Authority in writing, be based upon and be consistent with the provisions of paragraphs 19, 4and 21 of this schedule 2 (Business Continuity and Disaster Recovery Provisions). The Contractor shall ensure that its Sub-contractors' disaster recovery and business continuity plans are integrated with the BCDR Plan.

Appears in 1 contract

Samples: System Services Agreement

Audit and Testing. The Contractor shall shall, at the written request of the Authority, conduct tests of the processes and countermeasures contained Security Policy in the Security Plan ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance accordance with the Authority. The Authority shall be entitled to send a representative to witness the conduct provisions of the Security Policy relating to security testing and with any other testing procedures agreed between the parties (“Security Tests”). The Contractor shall provide the Authority with the results of such tests (in a form approved by the Authority in advance) as soon as practicable after completion of each Security Test. Without Test Subject to paragraphs 5.4 and 5.5, without prejudice to any other right of audit or access granted to the Authority pursuant to this Agreement, the Authority shall be entitled at any time, from time to time and without giving notice to the Contractor to carry out such tests Security Tests (including penetration tests) as it may reasonably deem are necessary in relation order to the Security Plan and test the Contractor's compliance with with, and implementation of of, the Security PlanPolicy. The Authority may will, as soon as practicable, notify the Contractor of the results of security failure or weaknesses identified by such tests Security Tests after completion of each such testSecurity Test. Where the Authority reasonably considers that the Security Tests shall be designed and implemented so as to minimise the will detrimentally impact on the delivery Services. If such tests impact adversely on its ability to deliver , then the Services to the agreed Service Levels, Authority shall provide the Contractor shall be granted relief against any resultant under-performance for the period with reasonable advance notice of the testsSecurity Tests. 
Where any Security Test carried out pursuant to paragraphs 14.3 or 14.4 above reveals any actual or potential security failure or weaknesses, the The Contractor shall promptly notify the Authority of any changes to the Security Plan (and the implementation thereof) which the Contractor proposes to make in order to correct such failure or weakness. Subject to the Authority's approval in accordance with paragraph 13.5.3, the Contractor shall implement such changes to the Security Plan in accordance with the timetable agreed with the Authority or, otherwiseshall, as soon as reasonably possible. For the avoidance possible after receipt of doubtsuch notice, where the change to the Security Plan to address a non-compliance with the Security Policy or security requirements, the change to the Security Plan shall be at no additional cost to advise the Authority: (i) whether such Security Tests will, in its reasonable opinion, detrimentally affect the Services; and (ii) any possible activities that the Contractor may reasonably be able to undertake to mitigate any such effect on the Services. For the purposes of this paragraph 14, a weakness means a vulnerability in security and a potential security failure means a possible breach of the Security Plan or security requirements. COMPLIANCE WITH ISO/IEC 27001 [The Contractor shall obtain independent certification of the Security Plan to ISO 27001 parties will as soon as reasonably practicable possible meet and will maintain such certification for discuss the duration of the Agreement.] [If certain parts of the Security Policy do not conform to good industry practice as described in ISO 27002 and, as a result, the Contractor reasonably believes that its certification to ISO 27001 would fail in regard to these parts, the Contractor shall promptly notify the Authority of this and the Authority in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] 
The Contractor shall carry out such regular security audits as may be required by the British Standards Institute in order to maintain delivery of the Services in compliance with security aspects of ISO 27001 and shall promptly provide to the Authority any associated security audit reports and shall otherwise notify the Authority of the results of such security audits. If it is the Authority's reasonable opinion that compliance with the principles and practices of ISO 27001 is not being achieved by the Contractor, then the Authority shall notify the Contractor of the same and give the Contractor a reasonable time (having regard to the extent of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO 27001same. If the Contractor does not become compliant parties fail to agree how the Security Tests should be held within 7 days of receipt of such notice from the required time then Authority, either party may refer the Dispute to the Dispute Resolution Procedure. Where the Authority has provides no notice to the right to obtain an independent audit against these standards Contractor in whole or in part. Ifaccordance with paragraph 5.4 that it will be carrying out Security Tests, and the Services are detrimentally affected as a result of the carrying out of such tests, then, to the extent that any such independent audit failure to perform or Service failure has arisen as described in paragraph 15.5 a result of the Contractor is found to be non-compliant with the principles and practices carrying out of ISO 27001 then the Contractor shallsuch Security Tests, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Authority in obtaining such audit. 
BREACH OF SECURITY Either party shall notify the other immediately upon becoming aware of any Breach of Security including, but not limited to an actual, potential or attempted breach, or threat to, the Security Plan. Upon becoming aware of any of the circumstances referred to in paragraph 16.2, the Contractor shall: immediately take all reasonable steps necessary to: remedy such breach or protect the Contractor System against any such potential or attempted breach or threat; and prevent an equivalent breach in the future. Such steps shall include any action or changes reasonably required by the Authority. In the event that such action is taken in response to a breach that is determined by the Authority acting reasonably not to be covered by the obligations of the Contractor under this Agreement, then the Contractor shall be entitled to refer the matter for agreement in accordance with any procedures for handling contract change set out in the General Conditions; and as soon as reasonably practicable provide to the Authority full details (using such reporting mechanism as may be specified by the Authority from time to time) of such actual, potential or attempted breach and of the steps taken in respect thereof. APPENDIX 1 Outline Security Plan APPENDIX 2 Security Policy NHS SUPPLEMENTARY CONDITIONS OF CONTRACT RELATING TO INFORMATION SECURITY SCHEDULE 2 BUSINESS CONTINUITY AND DISASTER RECOVERY PROVISIONS PURPOSE OF THIS SCHEDULE This schedule sets out the Authority's requirements for ensuring continuity of the business processes and operations supported by the Services in circumstances of Service disruption or failure and for restoring the Services through business continuity and as necessary disaster recovery procedures. It also includes the requirement on the Contractor to develop, review, test, change, and maintain a BCDR Plan Credits in respect of the Services. 
The BCDR Plan shall be divided into three parts: Part A which shall set out general principles applicable to the BCDR Plan ("General Principles"any relevant Service failure(s). Part B which shall relate to business continuity ("Business Continuity Plan"); and Part C which shall relate to disaster recovery ("Disaster Recovery Plan"); and The BCDR Plan shall detail the processes and arrangements which the Contractor shall follow to ensure continuity of the business processes and operations supported by the Services following any failure or disruption of any element of the Services and the recovery of the Services in the event of a Disaster. DEVELOPMENT OF BCDR PLAN The BCDR Plan shall unless otherwise required by the Authority in writing, be based upon and be consistent with the provisions of paragraphs 19, 4and 21 of this schedule 2 (Business Continuity and Disaster Recovery Provisions). The Contractor shall ensure that its Sub-contractors' disaster recovery and business continuity plans are integrated with the BCDR Plan.

Appears in 1 contract

Samples: Technology Research Services Agreement


Audit and Testing. The Contractor shall conduct tests of the processes and countermeasures contained in the Security Plan ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Authority. The Authority shall be entitled to send a representative to witness the conduct of the Security Tests. The Contractor shall provide the Authority with the results of such tests (in a form approved by the Authority in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Authority pursuant to the Contract, the Authority shall be entitled at any time and without giving notice to the Contractor to carry out such tests (including penetration tests) as it may deem necessary in relation to the Security Plan and the Contractor's compliance with and implementation of the Security Plan. The Authority may notify the Contractor of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests impact adversely on its ability to deliver the Services to the agreed Service Levels, the Contractor shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential security failure or weaknesses, the Contractor shall promptly notify the Authority of any changes to the Security Plan (and the implementation thereof) which the Contractor proposes to make in order to correct such failure or weakness.
Subject to the Authority's Approval in accordance with paragraph 3.4.3, the Contractor shall implement such changes to the Security Plan in accordance with the timetable agreed with the Authority or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the Security Plan is to address a non-compliance with the Security Policy or security requirements, the change to the Security Plan shall be at no additional cost to the Authority. For the purposes of this paragraph 4, a weakness means a vulnerability in security and a potential security failure means a possible breach of the Security Plan or security requirements.

COMPLIANCE WITH ISO/IEC 27001
The Contractor shall obtain independent certification of the Security Plan to ISO 27001 as soon as reasonably practicable and will maintain such certification for the duration of the Contract. If certain parts of the Security Policy do not conform to good industry practice as described in ISO 27002 and, as a result, the Contractor reasonably believes that its certification to ISO 27001 would fail in regard to these parts, the Contractor shall promptly notify the Authority of this and the Authority in its absolute discretion may waive the requirement for certification in respect of the relevant parts. The Contractor shall carry out such regular security audits as may be required by the British Standards Institute in order to maintain delivery of the Services in compliance with security aspects of ISO 27001 and shall promptly provide to the Authority any associated security audit reports and shall otherwise notify the Authority of the results of such security audits.
If it is the Authority's reasonable opinion that compliance with the principles and practices of ISO 27001 is not being achieved by the Contractor, then the Authority shall notify the Contractor of the same and give the Contractor a reasonable time (having regard to the extent of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO 27001. If the Contractor does not become compliant within the required time then the Authority has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 5.4, the Contractor is found to be non-compliant with the principles and practices of ISO 27001 then the Contractor shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Authority in obtaining such audit.

BREACH OF SECURITY
Either party shall notify the other immediately upon becoming aware of any Breach of Security including, but not limited to, an actual, potential or attempted breach of, or threat to, the Security Plan. Upon becoming aware of any of the circumstances referred to in paragraph 6.1, the Contractor shall: immediately take all reasonable steps necessary to remedy such breach or protect the Contractor System against any such potential or attempted breach or threat, and to prevent an equivalent breach in the future (such steps shall include any action or changes reasonably required by the Authority; in the event that such action is taken in response to a breach that is determined by the Authority, acting reasonably, not to be covered by the obligations of the Contractor under the Contract, then the Contractor shall be entitled to refer the matter for agreement to the change control procedures in accordance with Condition 44 (Variation)); and as soon as reasonably practicable provide to the Authority full details (using such reporting mechanism as may be specified by the Authority from time to time) of such actual, potential or attempted breach and of the steps taken in respect thereof.

APPENDIX 1 TO SCHEDULE 1
Outline Security Plan
Redacted re: Freedom of Information Act, Section 43 Commercial Interests.

APPENDIX 2 TO SCHEDULE 1
Security Policy
For Suppliers of services to the Department for Work and Pensions
The Department for Work and Pensions treats its information as a valuable asset and considers that it is essential that information must be protected, together with the systems, equipment and processes which support its use. These information assets may include data, text, drawings, diagrams, images or sounds in electronic, magnetic, optical or tangible media, together with any Personal Data for which the Department for Work and Pensions is the Data Controller. In order to protect Departmental information appropriately, our suppliers must provide the security measures and safeguards appropriate to the nature and use of the information. All suppliers of services to the Department for Work and Pensions must comply, and be able to demonstrate compliance, with the Department's relevant policies and standards.
The Chief Executive or other suitable senior official of each supplier must agree in writing to comply with these policies and standards. Each supplier must also appoint a named officer who will act as a first point of contact with the Department for security issues. In addition, all staff working for the supplier and, where relevant, sub-contractors with access to Departmental IT Systems, Services or Departmental information must be made aware of these requirements and must comply with them. All suppliers must comply with the relevant Standards from the DWP Information Systems Security Standards. The Standards are based on and follow the same format as International Standard 27001, but with specific reference to the Department's use. The following are key requirements and all suppliers must comply with relevant DWP policies concerning: Personnel Security: staff recruitment in accordance with government requirements for pre-employment checks; staff training and awareness of Departmental security and specific contract requirements.

NHS SUPPLEMENTARY CONDITIONS OF CONTRACT RELATING TO INFORMATION SECURITY
SCHEDULE 2 BUSINESS CONTINUITY AND DISASTER RECOVERY PROVISIONS
PURPOSE OF THIS SCHEDULE
This schedule sets out the Authority's requirements for ensuring continuity of the business processes and operations supported by the Services in circumstances of Service disruption or failure and for restoring the Services through business continuity and, as necessary, disaster recovery procedures. It also includes the requirement on the Contractor to develop, review, test, change, and maintain a BCDR Plan in respect of the Services. The BCDR Plan shall be divided into three parts: Part A which shall set out general principles applicable to the BCDR Plan ("General Principles"); Part B which shall relate to business continuity ("Business Continuity Plan"); and Part C which shall relate to disaster recovery ("Disaster Recovery Plan"). The BCDR Plan shall detail the processes and arrangements which the Contractor shall follow to ensure continuity of the business processes and operations supported by the Services following any failure or disruption of any element of the Services and the recovery of the Services in the event of a Disaster.

DEVELOPMENT OF BCDR PLAN
The BCDR Plan shall, unless otherwise required by the Authority in writing, be based upon and be consistent with the provisions of paragraphs 19, 4and 21 of this schedule 2 (Business Continuity and Disaster Recovery Provisions). The Contractor shall ensure that its Sub-contractors' disaster recovery and business continuity plans are integrated with the BCDR Plan.

Appears in 1 contract

Samples: Framework Agreement
