Common use of ISMS Clause in Contracts

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Lease Agreement Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Lease Agreement, which shall have been tested in accordance with Lease Agreement Schedule 5 (Testing) and shall comply with the requirements of paragraphs 5.12 to 5.14 of this Lease Agreement Schedule 7 (Security).

The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

The ISMS shall:
  unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease Agreement;
  meet the relevant standards in ISO/IEC 27001 and ISO/IEC 27002 in accordance with Paragraph 5.33; and
  at all times provide a level of security which:
    is in accordance with the Law and this Lease Agreement;
    complies with the Baseline Security Requirements;
    as a minimum demonstrates Good Industry Practice;
    complies with the Security Policy;
    complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf;
    takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf;
    complies with HMG Information Assurance Maturity Model and Assurance Framework xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf;
    meets any specific security threats of immediate relevance to the ISMS, the Goods and/or Services and/or Customer Data;
    addresses issues of incompatibility with the Supplier’s own organisational security policies;
    complies with ISO/IEC 27001 and ISO/IEC 27002 in accordance with paragraph 5.33; and
    complies with the Customer’s ICT policies;
  document the security incident management processes and incident response plans;
  document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and
  be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

Subject to Clause 42 of this Lease Agreement (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 5.12 of this Lease Agreement Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 5.12 of this Lease Agreement Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

If the ISMS submitted to the Customer pursuant to paragraph 5.10 of this Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 5.9 of this Lease Agreement Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 5.12 to 5.14 of this Lease Agreement Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 5.15 of this Lease Agreement Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Lease Agreement Schedule 7.

Within twenty (20) Working Days after the Lease Agreement Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 5.17 of this Lease Agreement Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 5.19 of this Lease Agreement Schedule 7.

The Security Management Plan shall:
  be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan);
  comply with the Baseline Security Requirements and Security Policy;
  identify the necessary delegated organisational roles defined for those responsible for ensuring this Lease Agreement Schedule 7 is complied with by the Supplier;
  detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services;
  unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease Agreement or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services;
  set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Lease Agreement Schedule 7 (including the requirements set out in paragraph 5.12 of this Lease Agreement Schedule);
  demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Lease Agreement Schedule through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue);
  set out the plans for transitioning all security arrangements and responsibilities from those in place at the Lease Agreement Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties;
  set out the scope of the Customer System that is under the control of the Supplier;
  be structured in accordance with ISO/IEC 27001 and ISO/IEC 27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and
  be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Lease Agreement Schedule 7.

If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 5.19 of this Lease Agreement Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the Security Management Plan pursuant to paragraph 5.20 of this Lease Agreement Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Lease Agreement Schedule 7.

The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect:
  emerging changes in Good Industry Practice;
  any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes;
  any new perceived or changed security threats; and
  any changes to the Security Policy;
  any new perceived or changed security threats; and
  any reasonable change in requirement requested by the Customer.

The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation:
  suggested improvements to the effectiveness of the ISMS;
  updates to the risk assessments;
  proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS; and
  suggested improvements in measuring the effectiveness of controls.

Subject to paragraph 5.26 of this Lease Agreement Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.23 of this Lease Agreement Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Lease Agreement.

Appears in 1 contract

Samples: Lease Agreement


ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Lease Agreement Contract Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Lease AgreementContract, which shall have been tested in accordance with Lease Agreement Schedule 5 (Testing) and shall comply with the requirements of paragraphs 5.12 98.3 to 5.14 98.5 of this Lease Agreement Contract Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease AgreementContract; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 5.33;and 102;and at all times provide a level of security which: is in accordance with the Law and this Lease Agreement; complies with the Baseline Security RequirementsContract; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework DPS (Tiers 1-4) 
xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information Assurance Maturity Model and Assurance Framework DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the ISMS, theGoods Goods and/or Services and/or Customer Data; addresses issues of incompatibility with the Supplier’s own organisational security policies; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 5.33; and complies with the Customer’s ICT policies. : document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and be certified by (or by a person with the direct delegated authority of) a Supplier’s Suppliers main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). 
Subject to Clause 42 34 of this Lease Agreement Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 5.12 98.3 of this Lease Agreement Contract Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 5.12 98.3 of this Lease Agreement Contract Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 5.10 98.1 of this Lease Agreement Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Contract Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 5.9 98 of this Lease Agreement Contract Schedule 7 may be unreasonably withheld or delayed. 
However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 5.12 98.3 to 5.14 98.5 of this Lease Agreement Contract Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 5.15 98.6 of this Lease Agreement Contract Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Lease Agreement Contract Schedule 7. Within twenty (20) Working Days after the Lease Agreement Contract Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 5.17 99 of this Lease Agreement Contract Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 5.19 99.2 of this Lease Agreement Contract Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Baseline Security Requirements and Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Lease Agreement Contract Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes 
associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease Agreement Contract or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Lease Agreement Contract Schedule 7 (including the requirements set out in paragraph 5.12 98.3 of this Lease Agreement Schedule); demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Lease Agreement Contract Schedule through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue7); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Lease Agreement Contract Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties Parties. 
set out the scope of the Customer System that is under the control of the Supplier; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Lease Agreement Contract Schedule 7 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Lease Agreement Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Contract Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 5.19 99.2 of this Lease Agreement Contract Schedule 7 shall be deemed to be reasonable. 
Approval by the Customer of the Security Management Plan pursuant to paragraph 5.20 99.3 of this Lease Agreement Contract Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Lease Agreement Contract Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any new perceived or changed security threats; and any changes to the Security Policy; any new perceived or changed security threats; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMSISMS including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 5.26 100.4 of this Lease Agreement Contract Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.23 100.1 of this Lease Agreement Contract Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer. 
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Lease AgreementContract.

Appears in 1 contract

Samples: Contract Order Form and Contract Terms

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Lease Agreement Contract Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Lease AgreementContract , which shall have been tested in accordance with Lease Agreement Schedule 5 (Testing) and shall comply with the requirements of paragraphs 5.12 98.3 to 5.14 98.5 of this Lease Agreement Contract Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease AgreementContract ; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 5.33;and 102;and at all times provide a level of security which: is in accordance with the Law and this Lease Agreement; complies with the Baseline Security RequirementsContract ; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework DPS (Tiers 1-4) 
xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf ; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf complies with HMG Information Assurance Maturity Model and Assurance Framework DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf meets any specific security threats of immediate relevance to the ISMS, theGoods Goods and/or Services and/or Customer Data; addresses issues of incompatibility with the Supplier’s own organisational security policies; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 5.33; and complies with the Customer’s ICT policies. : document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and be certified by (or by a person with the direct delegated authority of) a Supplier’s Suppliers main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan). 
Subject to Clause 42 34 of this Lease Agreement Contract (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 5.12 98.3 of this Lease Agreement Contract Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 5.12 98.3 of this Lease Agreement Contract Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 5.10 98.1 of this Lease Agreement Contract Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Contract Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 5.9 98 of this Lease Agreement Contract Schedule 7 may be unreasonably withheld or delayed. 
However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 5.12 to 5.14 of this Lease Agreement Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 5.15 of this Lease Agreement Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Lease Agreement Schedule 7. Within twenty (20) Working Days after the Lease Agreement Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 5.17 of this Lease Agreement Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 5.19 of this Lease Agreement Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Baseline Security Requirements and Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Lease Agreement Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease Agreement or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Lease Agreement Schedule 7 (including the requirements set out in paragraph 5.12 of this Lease Agreement Schedule); demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Lease Agreement Schedule through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Lease Agreement Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties;
set out the scope of the Customer System that is under the control of the Supplier; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Lease Agreement Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 5.19 of this Lease Agreement Schedule 7 shall be deemed to be reasonable.
Approval by the Customer of the Security Management Plan pursuant to paragraph 5.20 of this Lease Agreement Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Lease Agreement Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any new perceived or changed security threats; any changes to the Security Policy; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 5.26 of this Lease Agreement Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.23 of this Lease Agreement Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer.
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Lease Agreement.

Appears in 1 contract

Samples: Contract Order Form and Contract Terms for Goods and/or Services (Non Ict)

ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Lease Agreement Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Lease Agreement, which shall have been tested in accordance with Lease Agreement Schedule 5 (Testing) and shall comply with the requirements of paragraphs 5.12 to 5.14 of this Lease Agreement Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease Agreement; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 5.33; and at all times provide a level of security which: is in accordance with the Law and this Lease Agreement; complies with the Baseline Security Requirements; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework DPS (Tiers 1-4)
xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, the Goods and/or Services and/or Customer Data; addresses issues of incompatibility with the Supplier’s own organisational security policies; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 5.33; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 42 of this Lease Agreement (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 5.12 of this Lease Agreement Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 5.12 of this Lease Agreement Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 5.10 of this Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 5.9 of this Lease Agreement Schedule 7 may be unreasonably withheld or delayed.
However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 5.12 to 5.14 of this Lease Agreement Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 5.15 of this Lease Agreement Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Lease Agreement Schedule 7. Within twenty (20) Working Days after the Lease Agreement Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 5.17 of this Lease Agreement Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 5.19 of this Lease Agreement Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Baseline Security Requirements and Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Lease Agreement Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease Agreement or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Lease Agreement Schedule 7 (including the requirements set out in paragraph 5.12 of this Lease Agreement Schedule); demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Lease Agreement Schedule through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Lease Agreement Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties;
set out the scope of the Customer System that is under the control of the Supplier; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Lease Agreement Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 5.19 of this Lease Agreement Schedule 7 shall be deemed to be reasonable.
Approval by the Customer of the Security Management Plan pursuant to paragraph 5.20 of this Lease Agreement Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Lease Agreement Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any new perceived or changed security threats; any changes to the Security Policy; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 5.26 of this Lease Agreement Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.23 of this Lease Agreement Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer.
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Lease Agreement.

Appears in 1 contract

Samples: Contract Order Form


ISMS. The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Lease Agreement Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Lease Agreement, which shall have been tested in accordance with Lease Agreement Schedule 5 (Testing) and shall comply with the requirements of paragraphs 5.12 to 5.14 of this Lease Agreement Schedule 7 (Security). The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS. The ISMS shall: unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease Agreement; meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 5.33; and at all times provide a level of security which: is in accordance with the Law and this Lease Agreement; complies with the Baseline Security Requirements; as a minimum demonstrates Good Industry Practice; complies with the Security Policy; complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework DPS (Tiers 1-4)
xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf; takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management xxxx://xxx.xxxx.xxx.xx/Documents/Publications/2005/2005003-Risk_management.pdf; complies with HMG Information Assurance Maturity Model and Assurance Framework DPS xxxx://xxx.xxxx.xxx.xx/publications/Documents/iamm-assessment-framework.pdf; meets any specific security threats of immediate relevance to the ISMS, the Goods and/or Services and/or Customer Data; addresses issues of incompatibility with the Supplier’s own organisational security policies; complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 5.33; and complies with the Customer’s ICT policies; document the security incident management processes and incident response plans; document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).
Subject to Clause 42 of this Lease Agreement (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 5.12 of this Lease Agreement Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time. In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 5.12 of this Lease Agreement Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with. If the ISMS submitted to the Customer pursuant to paragraph 5.10 of this Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 5.9 of this Lease Agreement Schedule 7 may be unreasonably withheld or delayed.
However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 5.12 to 5.14 of this Lease Agreement Schedule 7 shall be deemed to be reasonable. Approval by the Customer of the ISMS pursuant to paragraph 5.15 of this Lease Agreement Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Lease Agreement Schedule 7. Within twenty (20) Working Days after the Lease Agreement Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 5.17 of this Lease Agreement Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 5.19 of this Lease Agreement Schedule 7. The Security Management Plan shall: be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan); comply with the Baseline Security Requirements and Security Policy; identify the necessary delegated organisational roles defined for those responsible for ensuring this Lease Agreement Schedule 7 is complied with by the Supplier; detail the process for managing any security risks from Sub‑Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services; unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Lease Agreement or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services; set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Lease Agreement Schedule 7 (including the requirements set out in paragraph 5.12 of this Lease Agreement Schedule); demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Lease Agreement Schedule through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue); set out the plans for transitioning all security arrangements and responsibilities from those in place at the Lease Agreement Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties;
set out the scope of the Customer System that is under the control of the Supplier; be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Lease Agreement Schedule 7. If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Lease Agreement Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Lease Agreement Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 5.19 of this Lease Agreement Schedule 7 shall be deemed to be reasonable.
Approval by the Customer of the Security Management Plan pursuant to paragraph 5.20 of this Lease Agreement Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Lease Agreement Schedule 7. The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect: emerging changes in Good Industry Practice; any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes; any new perceived or changed security threats; any changes to the Security Policy; and any reasonable change in requirement requested by the Customer. The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation: suggested improvements to the effectiveness of the ISMS; updates to the risk assessments; proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS, including the security incident management process, incident response plans and general procedures and controls that affect information security; and suggested improvements in measuring the effectiveness of controls. Subject to paragraph 5.26 of this Lease Agreement Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.23 of this Lease Agreement Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer.
The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than those set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Lease Agreement.