ISMS. By the date specified in the Implementation Plan the Supplier shall develop and submit to the Customer for the Customer’s Approval an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and shall comply with the requirements of paragraphs 108.3 to 108.5 of this Call Off Schedule 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS, and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, the Supplier System and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001; and at all times provide a level of security which: is in accordance with Good Industry Practice, Law and this Call Off Contract; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4); meets any specific security threats to the ISMS; complies with ISO/IEC 27001 and ISO/IEC 27002 in accordance with paragraph 112 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 8; and complies with the Customer’s ICT policies.
Subject to Clause 34 of this Call Off Contract (Security and Protection of Information), the references to standards, guidance and policies set out in paragraph 108.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 108.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 108.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 108 of this Call Off Schedule may be unreasonably withheld or delayed.
However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 108.3 to 108.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 108.6 of this Call Off Schedule, or of any change or amendment to the ISMS, shall not relieve the Supplier of its obligations under this Schedule. Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 109 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 3.2 of this Call Off Schedule. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services, and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 2.3 of this Call Off Schedule); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS at the date set out in the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in Annex 1 (Security) to this Call Off Schedule 8; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services, and shall reference only documents which are in the possession of the Customer or whose location is otherwise specified in this Call Off Schedule 8. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 109.2 of this Call Off Schedule shall be deemed to be reasonable.
Approval by the Customer of the Security Management Plan pursuant to paragraph 109.3 of this Call Off Schedule, or of any change or amendment to the Security Management Plan, shall not relieve the Supplier of its obligations under this Call Off Schedule. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any new perceived or changed security threats; and any reasonable request by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security, to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 110.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 110.1 of this Call Off Schedule, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer.
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 4 contracts
Samples: Call Off Order Form and Call Off Terms, Call Off Order Form, Call Off Order Form and Call Off Terms
ISMS. By the date specified in the Implementation Plan the The Supplier shall develop and submit to the Customer for the Customer’s Approval Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 108.3 97.3 to 108.5 97.5 of this Call Off Schedule 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery provision of the Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001;and 27001 and ISO/IEC27002 in accordance with Paragraph 101;and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4)) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the 
Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the ISMS; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 112 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 8Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 36 of this call Call Off Contract (Security And and Protection of Information) the references to standardsStandards, guidance and policies contained or set out in paragraph 108.3 97.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. 
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 108.3 97.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 108.1 97.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 108 97 of this Call Off Schedule may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 108.3 97.3 to 108.5 97.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 108.6 97.6 of this Call Off Schedule or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Schedule. 
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 109 98 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 3.2 98.2 of this Call Off Schedule. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Services, processes associated with the delivery of the Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System Sites and any ICT, information Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off ContractContract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which are 
sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 2.3 97.3 of this Call Off Schedule); set out the plans for transiting transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS at within the date set out in timeframe agreed between the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in Schedule Annex 1 (Security) to this Schedule 8Parties . be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall reference only documents which are in the possession of the Customer Parties or whose location is otherwise specified in this Call Off Schedule 8. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. 
If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 109.2 98.2 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 109.3 98.3 of this Call Off Schedule or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable request change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that effect information security to respond to events that may impact on the ISMSISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. 
Subject to paragraph 110.4 99.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 110.1 99.1 of this Call Off Schedule, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 3 contracts
Samples: Call Off Contract, Call Off Contract, Call Off Contract
ISMS. By the date specified in the Implementation Plan the The Supplier shall develop and submit to the Customer for the Customer’s Approval Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 108.3 98.3 to 108.5 98.5 of this Call Off Schedule 8 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery provision of the Goods and/or Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001;and 27001 and ISO/IEC27002 in accordance with Paragraph 102;and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4)) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf 
; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the ISMS; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 112 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 8Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 of this call Call Off Contract (Security And and Protection of Information) the references to standardsStandards, guidance and policies contained or set out in paragraph 108.3 98.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. 
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 108.3 98.3 of this Call Off ScheduleSchedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 108.1 98.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off ScheduleSchedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 108 98 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 108.3 98.3 to 108.5 98.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 108.6 98.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this ScheduleCall Off Schedule 7. 
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 109 99 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 3.2 99.2 of this Call Off ScheduleSchedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System Sites and any ICT, information Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off ContractContract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of 
the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 98.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.
If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer.
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.
Subject to paragraph 100.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 3 contracts
Samples: Call Off Contract, Call Off Contract, Call Off Order Form and Call Off Terms for Goods and/or Services (Non Ict)
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 98.3 to 98.5 of this Call Off Schedule 7 (Security).
The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.
The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the provision of the Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 102; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.
If the ISMS submitted to the Customer pursuant to paragraph 98.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 to 98.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 99.2 of this Call Off Schedule 7.
The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Services, processes associated with the delivery of the Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 98.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.
If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 99.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 99.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.
Subject to paragraph 100.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 3 contracts
Samples: Call Off Contract, Call Off Terms for Services, Call Off Contract
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 101.3 to 101.5 of this Call Off Schedule 8 (Security).
The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.
The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 105; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 101.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 101.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.
If the ISMS submitted to the Customer pursuant to paragraph 101.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 101 of this Call Off Schedule may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 101.3 to 101.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 101.6 of this Call Off Schedule or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Schedule.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 102 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 102.2 of this Call Off Schedule.
The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 101.3 of this Call Off Schedule); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 8.
If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 102.2 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 102.3 of this Call Off Schedule or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule.
The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer.
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.
Subject to paragraph 103.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 103.1 of this Call Off Schedule, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 2 contracts
Samples: Call Off Contract, Call Off Contract
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 12.3 to 12.5 of this Call Off Schedule 7 (Security).
The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.
The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the provision of the Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 16; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 12.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 12.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.
If the ISMS submitted to the Customer pursuant to paragraph 12.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 12 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 12.3 to 12.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 12.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 13 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 13.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Services, processes associated with the delivery of the Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that Information, data and/or the Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures 
which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 12.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services, and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. 
If the Customer does not approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 13.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 13.3 of this Call Off Schedule 7, or of any change or amendment to the Security Management Plan, shall not relieve the Supplier of its obligations under this Call Off Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and shall amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security in order to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. 
Subject to paragraph 14.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 14.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than those set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 2 contracts
Samples: Call Off Terms for Services, Call Off Terms for Services
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) Working Days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 5.12 to 5.14 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS, and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Supplier System, the Customer Premises, the Sites and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 5.33; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with the HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, the Goods and/or Services and/or the Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy, including the processes for identification of system vulnerabilities and for assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 47 of this Call Off Contract (Security and Protection of Information), the references to Standards, guidance and policies contained or set out in paragraph 5.12 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. 
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 5.12 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 5.10 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 5.9 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 5.12 to 5.14 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 5.15 of this Call Off Schedule 7, or of any change or amendment to the ISMS, shall not relieve the Supplier of its obligations under this Call Off Schedule 7. 
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 5.17 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 5.19 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of 
the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 5.12 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services, and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. 
The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 5.19 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 5.20 of this Call Off Schedule 7, or of any change or amendment to the Security Management Plan, shall not relieve the Supplier of its obligations under this Call Off Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and shall amend the ISMS and Security Management Plan at no additional cost to the Customer. 
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security in order to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 5.26 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.23 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than those set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 1 contract
Samples: Call Off Contract
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) Working Days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 28.3 to 28.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Services, the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS, and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the provision of the Services, including the Supplier System, the Customer Premises, the Sites and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 32; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with the HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, the Services and/or the Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy, including the processes for identification of system vulnerabilities and for assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 39 of this Call Off Contract (Security and Protection of Information), the references to Standards, guidance and policies contained or set out in paragraph 28.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. 
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 28.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 28.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 28 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However, any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 28.3 to 28.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 28.6 of this Call Off Schedule 7, or of any change or amendment to the ISMS, shall not relieve the Supplier of its obligations under this Call Off Schedule 7. 
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 29 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 29.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Services, processes associated with the delivery of the Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that Information, data and/or the Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures 
which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 28.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services, and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. 
If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However, any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 29.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 29.3 of this Call Off Schedule 7, or of any change or amendment to the Security Management Plan, shall not relieve the Supplier of its obligations under this Call Off Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and shall amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security in order to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. 
Subject to paragraph 30.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 30.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than those set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
ISMS. By the date specified in the Implementation Plan the The Supplier shall develop and submit to the Customer for the Customer’s Approval Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 108.3 80.3 to 108.5 80.5 of this Call Off Schedule 8 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery provision of the Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001;and 27001 and ISO/IEC27002 in accordance with Paragraph 84;and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4)) xxxxx://xxx.xxx.xx/government/publications/security-policy-framework ; takes account of guidance issued by the Centre for Protection of National Infrastructure 
on Risk Management xxxxx://xxx.xxxx.xxx.xx/ complies with HMG Information Assurance Maturity Model and Assurance Framework xxxxx://xxx.xxxx.xxx.xx/articles/hmg-ia-maturity-model-iamm meets any specific security threats of immediate relevance to the ISMS; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 112 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 8Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). Subject to Clause 34 355 of this call Call Off Contract (Security And and Protection of Information) the references to standardsStandards, guidance and policies contained or set out in paragraph 108.3 80.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. 
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 108.3 80.3 of this Call Off ScheduleSchedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 108.1 80.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off ScheduleSchedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 108 80 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 108.3 80.3 to 108.5 80.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 108.6 80.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this ScheduleCall Off Schedule 7. 
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 109 81 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 3.2 81.2 of this Call Off ScheduleSchedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Services, processes associated with the delivery of theServices, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System Sites and any ICT, information Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off ContractContract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which 
are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 8 7 (including the requirements set out in paragraph 2.3 80.3 of this Call Off ScheduleSchedule 7); set out the plans for transiting transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS at within the date set out in timeframe agreed between the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in Schedule Annex 1 (Security) to this Schedule 8Parties . be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall reference only documents which are in the possession of the Customer Parties or whose location is otherwise specified in this Call Off Schedule 87 . If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off ScheduleSchedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. 
If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 109.2 81.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 109.3 81.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off ScheduleSchedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable request change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that effect information security to respond to events that may impact on the ISMSISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. 
Subject to paragraph 110.4 82.4 of this Call Off ScheduleSchedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 110.1 82.1 of this Call Off ScheduleSchedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
ISMS. By the date specified in the Implementation Plan the The Supplier shall develop and submit to the Customer for the Customer’s Approval Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, which shall have been tested in accordance with Call Off Schedule 5 (Testing); ) and shall comply with the requirements of paragraphs 108.3 6.12 to 108.5 6.14 of this Call Off Schedule 8 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001;and 27001 and ISO/IEC27002 in accordance with Paragraph 6.33;and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; complies with the Baseline Security Requirements; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy 
Framework (Tiers 1-4)) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the ISMS, theGoods and/or Services and/or Customer Data; addresses issues of incompatibility with the Supplier’s own organisational security policies; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 112 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 86.33; and complies with the Customer’s ICT policies. document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). 
Subject to Clause 34 42 of this call Call Off Contract (Security And and Protection of Information) the references to standardsStandards, guidance and policies contained or set out in paragraph 108.3 6.12 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 108.3 6.12 of this Call Off ScheduleSchedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 108.1 6.10 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off ScheduleSchedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 108 6.9 of this Call Off Schedule 7 may be unreasonably withheld or delayed. 
However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 108.3 6.12 to 108.5 6.14 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 108.6 6.15 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this ScheduleCall Off Schedule 7. Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 109 6.17 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 3.2 6.19 of this Call Off ScheduleSchedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Baseline Security Requirements and Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, 
the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off ContractContract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 8 7 (including the requirements set out in paragraph 2.3 6.12 of this Call Off Schedule); demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Call Off Schedule through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue); set out the plans for transiting transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS at within the date timeframe agreed between the Parties . set out in the Implementation Plan for the Supplier to meet the full obligations scope of the security requirements set out in Schedule Annex 1 (Security) to this Schedule 8. 
Customer System that is under the control of the Supplier; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Customer Parties or whose location is otherwise specified in this Call Off Schedule 87 . If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off ScheduleSchedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 109.2 6.19 of this Call Off Schedule 7 shall be deemed to be reasonable. 
Approval by the Customer of the Security Management Plan pursuant to paragraph 109.3 6.20 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off ScheduleSchedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any new perceived or changed security threats; and any changes to the Security Policy; any new perceived or changed security threats; and any reasonable request change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that effect affect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 110.4 6.26 of this Call Off ScheduleSchedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 110.1 6.23 of this Call Off ScheduleSchedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. 
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
ISMS. By the date specified in the Implementation Plan the The Supplier shall develop and submit to the Customer for the Customer’s Approval Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 108.3 83.12 to 108.5 83.14 of this Call Off Schedule 8 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery provision of the Goods and/or Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001;and 27001 and ISO/IEC27002 in accordance with Paragraph 83.33;and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4)) 
xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxxx://xxx.xxxx.xxx.xx/content/adopt-risk-management-approach complies with HMG Information Assurance Maturity Model and Assurance Framework xxxxx://xxx.xxxx.xxx.xx/guidance/information-assurance-maturity-model-and-assessment-framework-gpg-40 meets any specific security threats of immediate relevance to the ISMS; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 112 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 8Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies: document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). 
Subject to Clause 45 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 83.12 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 83.12 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 83.10 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 83.9 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 83.12 to 83.14 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 83.15 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 83.17 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 83.19 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 83.12 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7.
If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 83.19 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 83.20 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 83.26 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 83.23 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 3.3 to 3.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Products and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Products and/or Services and all processes associated with the provision of the Products and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 7; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Products and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Products and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 37 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 3.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 3.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 3 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 3.3 to 3.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 3.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 4 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 4.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Products and/or Services, processes associated with the delivery of the Products and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Products and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Products and/or Services and all processes associated with the delivery of the Products and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Products and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Products and/or Services and all processes associated with the delivery of the Products and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Products and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 3.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Products and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.
The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 4.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Products and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer.
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 5.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and which shall comply with the requirements of paragraphs 103.3 to 103.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Products and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Products and/or Services and all processes associated with the provision of the Products and/or Services, including the Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 107; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Products and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Products and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 37 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 103.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 103.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 103.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 103 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 103.3 to 103.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 103.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 104 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 104.2 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Products and/or Services, processes associated with the delivery of the Products and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Products and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Products and/or Services and all processes associated with the delivery of the Products and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Products and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Products and/or Services and all processes associated with the delivery of the Products and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Products and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 103.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Products and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.
The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 104.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 104.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Products and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer.
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 105.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 105.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
ISMS. By the date specified in the Implementation Plan the Supplier shall develop and submit to the Customer for the Customer’s Approval an information security management system for the purposes of this Call Off Contract, which: if required by the Implementation Plan, shall have been tested in accordance with Call Off Schedule 5 (Testing); and shall comply with the requirements of paragraphs 20.3 to 20.5 of this Call Off Schedule 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, the Supplier System and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001; and at all times provide a level of security which: is in accordance with Good Industry Practice, Law and this Call Off Contract; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4); meets any specific security threats to the ISMS; complies with ISO/IEC 27001 and ISO/IEC 27002 in accordance with paragraph 24 (Compliance of the ISMS With ISO/IEC 27001); complies with the security requirements as set out in Annex 1 (Security) to this Call Off Schedule 8; and complies with the Customer’s ICT policies.
Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to standards, guidance and policies set out in paragraph 20.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 20.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 20.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 20 of this Call Off Schedule may be unreasonably withheld or delayed.
However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 20.3 to 20.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 20.6 of this Call Off Schedule or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Schedule. Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 21 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 3.2 of this Call Off Schedule. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Customer Premises, the Sites, the Supplier System and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 2.3 of this Call Off Schedule); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS at the date set out in the Implementation Plan for the Supplier to meet the full obligations of the security requirements set out in Annex 1 (Security) to this Schedule 8; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Services and shall reference only documents which are in the possession of the Customer or whose location is otherwise specified in this Call Off Schedule 8.
If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 21.2 of this Call Off Schedule shall be deemed to be reasonable.
Approval by the Customer of the Security Management Plan pursuant to paragraph 21.3 of this Call Off Schedule or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Services and/or associated processes; any new perceived or changed security threats; and any reasonable request by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 22.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 22.1 of this Call Off Schedule, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer.
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) Working Days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 101.3 to 101.5 of this Call Off Schedule 8 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 105; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 101.3 of this Call Off Schedule shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 101.3 of this Call Off Schedule, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 101.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 101 of this Call Off Schedule may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 101.3 to 101.5 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 101.6 of this Call Off Schedule or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Schedule.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 102 of this Call Off Schedule a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 102.2 of this Call Off Schedule. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 8 (including the requirements set out in paragraph 101.3 of this Call Off Schedule); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 8.
If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.
The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 102.2 of this Call Off Schedule shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 102.3 of this Call Off Schedule or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer.
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 103.4 of this Call Off Schedule, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 103.1 of this Call Off Schedule, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Samples: Call Off Agreement
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) Working Days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 5.12 to 5.14 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 5.33; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 44 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 5.12 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 5.12 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 5.10 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 5.9 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 5.12 to 5.14 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 5.15 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 5.17 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 5.19 of this Call Off Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 5.12 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.
If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.
The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 5.19 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 5.20 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer.
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 5.26 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.23 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 1 contract
Samples: Call Off Contract
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 100.3 to 100.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 104; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with the HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Goods and/or Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 36 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 100.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 100.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 100.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 100 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 100.3 to 100.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 100.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 101 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 101.2 of this Call Off Schedule 7.

The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 100.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.
The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 101.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 101.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer.
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 102.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 102.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 1 contract
Samples: Call Off Contract
ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Contract, which shall comply with the requirements of paragraphs 98.3 to 98.5 of this Call Off Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and Services and all processes associated with the provision of the Goods and Services, including the Supplier System and Customer Premises, the Sites, any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 102; and at all times provide a level of security which: is in accordance with Good Industry Practice, the Law and this Call Off Contract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with the HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, Goods and Services and/or Customer Data; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 34 of this Call Off Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 98.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.
In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 98.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 98.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 98 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 98.3 to 98.5 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 98.6 of this Call Off Schedule 7 or of any change or amendment to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.
Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 99 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 4.2 of this Call Off Schedule 7.

The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and Services and all processes associated with the delivery of the Goods and Services, including the Customer Premises, the Sites, the Supplier System and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and Services and all processes associated with the delivery of the Goods and Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 98.3 of this Call Off Schedule 7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the Supplier’s ISMS within the timeframe agreed between the Parties; be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval.
The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4.2 of this Call Off Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 4.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier from time to time and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and Services and/or associated processes; any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer.
The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 100.4 of this Call Off Schedule 7, any change or amendment which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 100.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security Policy) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Contract.
Appears in 1 contract
Samples: Call Off Contract