Common use of Development of the Security Management Plan Clause in Contracts

Development of the Security Management Plan. Within [twenty (20)] Working Days after the Commencement Date (or such other period specified in the Implementation Plan or as otherwise agreed by the Parties in writing) and in accordance with paragraph 4.2 (Amendment and Revision), the Supplier will prepare and deliver to the Customer for approval a fully complete and up to date Security Management Plan which will be based on the draft Security Management Plan. If the Security Management Plan, or any subsequent revision to it in accordance with paragraph 4.2 (Amendment and Revision), is Approved it will be adopted immediately and will replace the previous version of the Security Management Plan. If the Security Management Plan is not Approved the Supplier shall amend it within ten (10) Working Days or such other period as the Parties may agree in writing of a notice of non-approval from the Customer and re-submit to the Customer for approval. The parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the parties may agree in writing) from the date of its first submission to the Customer. If the Customer does not approve the Security Management Plan following its resubmission, the matter will be resolved in accordance with the Dispute Resolution Procedure. No approval to be given by the Customer pursuant to this paragraph 3.2.2 may be unreasonably withheld or delayed. However where the Customer does not approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4 shall be deemed to be reasonable. 
Content of the Security Management Plan The Security Management Plan will set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Contract (including this Schedule, the principles set out in paragraph 2.2 and any other elements of this Contract relevant to security or any data protection guidance produced by the Customer); The Security Management Plan (including the draft version) should also set out the plans for transiting all security arrangements and responsibilities from those in place at the Commencement Date to those incorporated in the Supplier’s ISMS at the date set out in the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in this Contract and paragraph 2.7 of the Order Form. The Security Management Plan will be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules of this Contract which cover specific areas included within that standard. The Security Management Plan shall be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall only reference documents which are in the possession of the Customer or whose location is otherwise specified in this Schedule. 
Amendment and Revision of the ISMS and Security Management Plan The ISMS and Security Management Plan will be fully reviewed and updated by the Supplier annually, or from time to time to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any new perceived or changed security threats; any reasonable request by the Customer. The Supplier will provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amendment of the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review should include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that effect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls.

Appears in 2 contracts

Samples: Framework Agreement, Framework Agreement


Development of the Security Management Plan. Within [twenty (20)] Working Days after the Commencement Date (or such other period specified in the Implementation Plan or as otherwise agreed by the Parties in writing) and in accordance with paragraph 4.2 (Amendment and Revision), the Supplier will prepare and deliver to the Customer for approval a fully complete and up to date Security Management Plan which will be based on the draft Security Management Plan. If the Security Management Plan, or any subsequent revision to it in accordance with paragraph 4.2 (Amendment and Revision), is Approved it will be adopted immediately and will replace the previous version of the Security Management Plan. If the Security Management Plan is not Approved the Supplier shall amend it within ten (10) Working Days or such other period as the Parties may agree in writing of a notice of non-approval from the Customer and re-submit to the Customer for approval. The parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the parties may agree in writing) from the date of its first submission to the Customer. If the Customer does not approve the Security Management Plan following its resubmission, the matter will be resolved in accordance with the Dispute Resolution Procedure. No approval to be given by the Customer pursuant to this paragraph 3.2.2 may be unreasonably withheld or delayed. However where the Customer does not approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4 shall be deemed to be reasonable.
Content of the Security Management Plan The Security Management Plan will set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Contract (including this Schedule, the principles set out in paragraph 2.2 and any other elements of this Contract relevant to security or any data protection guidance produced by the Customer); The Security Management Plan (including the draft version) should also set out the plans for transiting all security arrangements and responsibilities from those in place at the Commencement Date to those incorporated in the Supplier’s ISMS at the date set out in the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in this Contract and paragraph 2.7 2.4 of the Order Form. The Security Management Plan will be structured in accordance with ISO/IEC27001 and ISO/IEC27002, crossISMS 27001,cross-referencing if necessary to other Schedules of this Contract which cover specific areas included within that standard. The Security Management Plan shall be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall only reference documents which are in the possession of the Customer or whose location is otherwise specified in this Schedule. 
Amendment and Revision of the ISMS and Security Management Plan The ISMS and Security Management Plan will be fully reviewed and updated by the Supplier annually, or from time to time to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any new perceived or changed security threats; any reasonable request by the Customer. The Supplier will provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amendment of the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review should include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that effect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls.

Appears in 1 contract

Samples: Call Off Contract

Development of the Security Management Plan. Within [twenty (20)] Working Days after the Commencement Date (or such other period specified in the Implementation Plan or as otherwise agreed by the Parties in writing) and in accordance with paragraph 4.2 (Amendment and Revision of the ISMS and Security Management Plan), the Supplier will prepare and deliver to the Customer for approval a fully complete and up to date Security Management Plan which will be based on the draft Security Management Plan. If the Security Management Plan, or any subsequent revision to it in accordance with paragraph 4.2 (Amendment and Revision of the ISMS and Security Management Plan), is Approved it will be adopted immediately and will replace the previous version of the Security Management Plan. If the Security Management Plan is not Approved the Supplier shall amend it within ten (10) Working Days or such other period as the Parties may agree in writing of a notice of non-approval from the Customer and re-submit to the Customer for approval. The parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the parties may agree in writing) from the date of its first submission to the Customer. If the Customer does not approve the Security Management Plan following its resubmission, the matter will be resolved in accordance with the Dispute Resolution Procedure. No approval to be given by the Customer pursuant to this paragraph 3.2.2 may be unreasonably withheld or delayed. However where a refusal by the Customer to Approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4 shall be deemed to be reasonable.
Content of the Security Management Plan The Security Management Plan will set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and Services and all processes associated with the delivery of the Goods and Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and Services comply with the provisions of this Contract (including this Schedule, the principles set out in paragraph 2.2 and any other elements of this Contract relevant to security or any data protection guidance produced by the Customer). The Security Management Plan (including the draft version) should also set out the plans for transiting all security arrangements and responsibilities from those in place at the Commencement Date to those incorporated in the Supplier's ISMS at the date set out in the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in this Contract and paragraph 2.7 2.8 of the Order Form. The Security Management Plan will be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules of this Contract which cover specific areas included within that standard. The Security Management Plan shall be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall only reference documents which are in the possession of the Customer or whose location is otherwise specified in this Schedule.
Amendment and Revision of the ISMS and Security Management Plan The ISMS and Security Management Plan will be fully reviewed and updated by the Supplier annually, or from time to time to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and Services and/or associated processes; any new perceived or changed security threats; any reasonable request by the Customer. The Supplier will provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amendment of the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review should include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that effect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls.

Appears in 1 contract

Samples: Cooperation Agreement


Development of the Security Management Plan. Within [twenty (20)] Working Days after the Commencement Date (or such other period specified in the Implementation Plan or as otherwise agreed by the Parties in writing) and in accordance with paragraph 4.2 (Amendment and Revision), the Supplier will prepare and deliver to the Customer for approval a fully complete and up to date Security Management Plan which will be based on the draft outline Security Management Plan. If the Security Management Plan, or any subsequent revision to it in accordance with paragraph 4.2 (Amendment and Revision), is Approved it will be adopted immediately and will replace the previous version of the Security Management Plan. If the Security Management Plan is not Approved the Supplier shall amend it within ten (10) Working Days or such other period as the Parties may agree in writing of a notice of non-approval from the Customer and re-submit to the Customer for approval. The parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the parties may agree in writing) from the date of its first submission to the Customer. If the Customer does not approve the Security Management Plan following its resubmission, the matter will be resolved in accordance with the Dispute Resolution Procedure. No approval to be given by the Customer pursuant to this paragraph 3.2.2 may be unreasonably withheld or delayed. However where a refusal by the Customer to Approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4 shall be deemed to be reasonable.
Content of the Security Management Plan The Security Management Plan will set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Contract (including this Schedule, the principles set out in paragraph 2.2 and any other elements of this Contract relevant to security or any data protection guidance produced by the Customer). The Security Management Plan (including the draft outline version) should also set out the plans for transiting all security arrangements and responsibilities from those in place at the Commencement Date to those incorporated in the Supplier's ISMS at the date set out in the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in this Contract and paragraph 2.7 2.4 of the Order Form. The Security Management Plan will be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules of this Contract which cover specific areas included within that standard. The Security Management Plan shall be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall only reference documents which are in the possession of the Customer or whose location is otherwise specified in this Schedule.
Amendment and Revision of the ISMS and Security Management Plan The ISMS and Security Management Plan will be fully reviewed and updated by the Supplier annually, or from time to time to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any new perceived or changed security threats; any reasonable request by the Customer. The Supplier will provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amendment of the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review should include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that effect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls.

Appears in 1 contract

Samples: Cooperation Agreement
