Common use of Security Testing Clause in Contracts

Security Testing. The Service Provider shall: (a) conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (a) and (b), not less frequently than annually). Security Tests shall be designed and implemented by the Service Provider so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Purchaser. Subject to compliance by the Service Provider with the foregoing requirements, if any Security Tests adversely affect the Service Provider’s ability to deliver the Services so as to meet the Service Levels, the Service Provider shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider shall provide the Purchaser with the results of such tests (in a form approved by the Purchaser in advance) as soon as practicable after completion of each Security Test. Where any Security Test carried out reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider shall promptly notify the Purchaser of any changes to the Security Plan (and the implementation thereof) which the Service Provider proposes to make in order to correct such failure or weakness. Subject to the Purchaser's prior written approval, the Service Provider shall implement such changes to the Security Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser or, otherwise, as soon as reasonably possible. 
For the avoidance of doubt, where the change to the Security Plan is to address a non-compliance with the security requirements (as set out in Schedule 2 (Specification [and Service Levels] and/or elsewhere in the Contract)) or the requirements of this Schedule, the change to the Security Plan shall be at no cost to the Purchaser. If any repeat Security Test carried out pursuant to paragraph 5.3 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan).

Appears in 3 contracts

Samples: Services Contract, Services Contract, Services Contract

Security Testing. The Service Provider shall: (a) Supplier shall conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (aat least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (b), not less frequently than annually)including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Service Provider Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the PurchaserCustomer. Subject to compliance by the Service Provider Supplier with the foregoing requirements, if any Security Tests adversely affect the Service ProviderSupplier’s ability to deliver the Services so as to meet the Service LevelsLevel Performance Measures, the Service Provider Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Purchaser Customer with the results of such tests Security Tests (in a form approved by the Purchaser Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. 
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 100.2 or 100.3 of this Call Off Schedule reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider Supplier shall promptly notify the Purchaser Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Service Provider Supplier proposes to make in order to correct such failure or weakness. Subject to the PurchaserCustomer's prior written approvalApproval, the Service Provider Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Schedule 2 Annex 1 (Specification [and Service Levels] and/or elsewhere in the Contract)Security) to this Call Off Schedule) or the requirements of this Call Off Schedule, the change to the ISMS or Security Management Plan shall be at no cost to the PurchaserCustomer. If any repeat Security Test carried out pursuant to paragraph 5.3 100.4 of this Call Off Schedule reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. 
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 3 contracts

Samples: assets.crowncommercial.gov.uk, www.contractsfinder.service.gov.uk, data.gov.uk

Security Testing. The Service Provider shall: (a) Supplier shall conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (aat least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (b), not less frequently than annually)including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Service Provider Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the PurchaserCustomer. Subject to compliance by the Service Provider Supplier with the foregoing requirements, if any Security Tests adversely affect the Service ProviderSupplier’s ability to deliver the Goods and/or Services so as to meet the Service LevelsLevel Performance Measures, the Service Provider Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Purchaser Customer with the results of such tests Security Tests (in a form approved by the Purchaser Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. 
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 101.2 or 101.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider Supplier shall promptly notify the Purchaser Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Service Provider Supplier proposes to make in order to correct such failure or weakness. Subject to the PurchaserCustomer's prior written approvalApproval, the Service Provider Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 2 (Specification [and Service Levels] and/or elsewhere in the Contract)7) or the requirements of this ScheduleCall Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the PurchaserCustomer. If any repeat Security Test carried out pursuant to paragraph 5.3 101.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. 
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 3 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

Security Testing. The Service Provider shall: (a) Supplier shall conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (aat least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (b), not less frequently than annually)including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Service Provider Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the PurchaserCustomer. Subject to compliance by the Service Provider Supplier with the foregoing requirements, if any Security Tests adversely affect the Service Provider’s Suppliers ability to deliver the Goods and/or Services so as to meet the Service LevelsLevel Performance Measures, the Service Provider Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Purchaser Customer with the results of such tests Security Tests (in a form approved by the Purchaser Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Suppliers compliance with the ISMS and the Security Management Plan. 
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Suppliers ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 101.2 or 101.3 of this Contract Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider Supplier shall promptly notify the Purchaser Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Service Provider Supplier proposes to make in order to correct such failure or weakness. Subject to the PurchaserCustomer's prior written approvalApproval, the Service Provider Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Contract Schedule 2 (Specification [and Service Levels] and/or elsewhere in the Contract)7) or the requirements of this ScheduleContract Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the PurchaserCustomer. If any repeat Security Test carried out pursuant to paragraph 5.3 101.4 of this Contract Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. 
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Contract.

Appears in 3 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

Security Testing. The Service Provider shall: (a) Supplier shall conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (aat least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (b), not less frequently than annually)including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Service Provider Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the PurchaserCustomer. Subject to compliance by the Service Provider Supplier with the foregoing requirements, if any Security Tests adversely affect the Service ProviderSupplier’s ability to deliver the Goods and/or Services so as to meet the Service LevelsLevel Performance Measures, the Service Provider Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Purchaser Customer with the results of such tests Security Tests (in a form approved by the Purchaser Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. 
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 104.2 or 104.3 of this Call Off Schedule reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider Supplier shall promptly notify the Purchaser Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Service Provider Supplier proposes to make in order to correct such failure or weakness. Subject to the PurchaserCustomer's prior written approvalApproval, the Service Provider Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Schedule 2 Annex 1 (Specification [and Service Levels] and/or elsewhere in the Contract)Security) to this Call Off Schedule) or the requirements of this Call Off Schedule, the change to the ISMS or Security Management Plan shall be at no cost to the PurchaserCustomer. If any repeat Security Test carried out pursuant to paragraph 5.3 104.4 of this Call Off Schedule reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. 
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 3 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

Security Testing. The Service Provider shall: (a) Supplier shall conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (aat least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (b), not less frequently than annually)including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Service Provider Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the PurchaserCustomer. Subject to compliance by the Service Provider Supplier with the foregoing requirements, if any Security Tests adversely affect the Service ProviderSupplier’s ability to deliver the Services so as to meet the Service LevelsLevel Performance Measures, the Service Provider Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Purchaser Customer with the results of such tests Security Tests (in a form approved by the Purchaser Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. 
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 101.2 or 101.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider Supplier shall promptly notify the Purchaser Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Service Provider Supplier proposes to make in order to correct such failure or weakness. Subject to the PurchaserCustomer's prior written approvalApproval, the Service Provider Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 2 (Specification [and Service Levels] and/or elsewhere in the Contract)7) or the requirements of this ScheduleCall Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the PurchaserCustomer. If any repeat Security Test carried out pursuant to paragraph 5.3 101.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. 
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 3 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk, www.whatdotheyknow.com

Security Testing. The Service Provider shall: (a) Supplier shall conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (aat least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (b), not less frequently than annually)including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Service Provider Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the PurchaserCustomer. Subject to compliance by the Service Provider Supplier with the foregoing requirements, if any Security Tests adversely affect the Service ProviderSupplier’s ability to deliver the Goods and/or Services so as to meet the Service LevelsLevel Performance Measures, the Service Provider Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Purchaser Customer with the results of such tests Security Tests (in a form approved by the Purchaser Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. 
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 5.29 or 5.30 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider Supplier shall promptly notify the Purchaser Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Service Provider Supplier proposes to make in order to correct such failure or weakness. Subject to the PurchaserCustomer's prior written approvalApproval, the Service Provider Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 2 (Specification [and Service Levels] and/or elsewhere in the Contract)7) or the requirements of this ScheduleCall Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the PurchaserCustomer. If any repeat Security Test carried out pursuant to paragraph 5.3 5.31 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. 
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 2 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

Security Testing. The Service Provider shall: (a) Supplier shall conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (aat least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (b), not less frequently than annually)including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Service Provider Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the PurchaserContracting Authority. Subject to compliance by the Service Provider Supplier with the foregoing requirements, if any Security Tests adversely affect the Service ProviderSupplier’s ability to deliver the Services so as to meet the Service LevelsLevel Performance Measures, the Service Provider Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider Contracting Authority shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Purchaser Contracting Authority with the results of such tests Security Tests (in a form approved by the Purchaser Contracting Authority in advance) as soon as practicable after completion of each Security Test. 
Without prejudice to any other right of audit or access granted to the Contracting Authority pursuant to this Call Off Contract, the Contracting Authority and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier’s compliance with the ISMS and the Security Management Plan. The Contracting Authority may notify the Supplier of the results of such tests after completion of each such test. If any such Contracting Authority’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Contracting Authority’s test. Where any Security Test carried out pursuant to paragraphs 6.2 or 6.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider Supplier shall promptly notify the Purchaser Contracting Authority of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Service Provider Supplier proposes to make in order to correct such failure or weakness. Subject to the PurchaserContracting Authority's prior written approvalApproval, the Service Provider Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser Contracting Authority or, otherwise, as soon as reasonably possible. 
For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 2 (Specification [and Service Levels] and/or elsewhere in the Contract)7) or the requirements of this ScheduleCall Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the PurchaserContracting Authority. If any repeat Security Test carried out pursuant to paragraph 5.3 6.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 2 contracts

Samples: Framework Agreement, www.hcpc-uk.org

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 15.2 or 15.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 15.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy.
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 2 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Goods and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 83.29 or 83.30 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 83.31 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy.
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Products and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Products and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Products and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 106.2 or 106.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 106.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy.
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Suppliers ability to deliver the Goods and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Suppliers compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Suppliers ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 6.2 or 6.3 of this Contract Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Contract Schedule 7) or the requirements of this Contract Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 6.4 of this Contract Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy.
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Contract.

Appears in 1 contract

Samples: www.contractsfinder.service.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Suppliers ability to deliver the Goods and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Suppliers compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Suppliers ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 78.29 or 78.30 of this Contract Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Contract Schedule 7) or the requirements of this Contract Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 78.31 of this Contract Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy.
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Goods and Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Goods and Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Goods and Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 6.2 or 6.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security Policy) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 6.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy.
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Goods and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 6.29 or 6.30 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 6.31 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy.
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan)this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Service Provider shall: (a) conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (a) and (b), not less frequently than annually). Security Tests shall be designed and implemented by the Service Provider so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Purchaser. Subject to compliance by the Service Provider with the foregoing requirements, if any Security Tests adversely affect the Service Provider’s ability to deliver the Services so as to meet the Service Levels, if applicable, the Service Provider shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider shall provide the Purchaser with the results of such tests (in a form approved by the Purchaser in advance) as soon as practicable after completion of each Security Test. Where any Security Test carried out reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider shall promptly notify the Purchaser of any changes to the Security Plan (and the implementation thereof) which the Service Provider proposes to make in order to correct such failure or weakness. Subject to the Purchaser's prior written approval, the Service Provider shall implement such changes to the Security Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser or, otherwise, as soon as reasonably possible. 
For the avoidance of doubt, where the change to the Security Plan is to address a non-compliance with the security requirements (as set out in Schedule 2 (Statement of Requirements) and/or elsewhere in the Contract)) or the requirements of this Schedule, the change to the Security Plan shall be at no cost to the Purchaser. If any repeat Security Test carried out pursuant to paragraph 5.3 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan).

Appears in 1 contract

Samples: Services Contract

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Products and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Products and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Products and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 6.2 or 6.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 6.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default of this Call Off Contract.
ISMS COMPLIANCE. The Customer shall be entitled to carry out such security audits as it may reasonably deem necessary in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001 and/or the Security Policy. If, on the basis of evidence provided by such security audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 and/or the Security Policy are not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to implement and remedy. If the Supplier does not become compliant within the required time then the Customer shall have the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 7.2 of this Call Off Schedule 7 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 and/or the Security Policy then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.

Appears in 1 contract

Samples: assets.webuat.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 31.2 or 31.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 31.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Contracting Authority. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Contracting Authority shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Contracting Authority with the results of such Security Tests (in a form approved by the Contracting Authority in advance) as soon as practicable after completion of each Security Test.
Without prejudice to any other right of audit or access granted to the Contracting Authority pursuant to this Call Off Contract, the Contracting Authority and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier’s compliance with the ISMS and the Security Management Plan. The Contracting Authority may notify the Supplier of the results of such tests after completion of each such test. If any such Contracting Authority’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Contracting Authority’s test. Where any Security Test carried out pursuant to paragraphs 91.2 or 91.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Contracting Authority of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Contracting Authority's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Contracting Authority or, otherwise, as soon as reasonably possible.
For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Contracting Authority. If any repeat Security Test carried out pursuant to paragraph 91.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default of this Call Off Contract.

Appears in 1 contract

Samples: Framework Agreement

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Goods and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 103.2 or 103.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 103.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Services so as to meet the Services, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 83.2 or 83.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 83.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default of this Call Off Contract.
ISMS COMPLIANCE. The Customer shall be entitled to carry out such security audits as it may reasonably deem necessary in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001 and/or the Security Policy. If, on the basis of evidence provided by such security audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 and/or the Security Policy are not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to implement and remedy. If the Supplier does not become compliant within the required time then the Customer shall have the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 84.2 of this Call Off Schedule 7 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 and/or the Security Policy then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Service Provider shall: (a) conduct relevant Security Tests from time to time and (b) specifically conduct Security Tests required by the Cyber Security Requirements at such times as set out in the Cyber Security Requirements (and in both cases (a) and (b), not less frequently than annually). Security Tests shall be designed and implemented by the Service Provider so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Purchaser. Subject to compliance by the Service Provider with the foregoing requirements, if any Security Tests adversely affect the Service Provider’s ability to deliver the Services so as to meet the Service Levels, if applicable, the Service Provider shall be granted relief against any resultant under-performance for the period of the Security Tests. The Service Provider shall provide the Purchaser with the results of such tests (in a form approved by the Purchaser in advance) as soon as practicable after completion of each Security Test. Where any Security Test carried out reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Service Provider shall promptly notify the Purchaser of any changes to the Security Plan (and the implementation thereof) which the Service Provider proposes to make in order to correct such failure or weakness. Subject to the Purchaser's prior written approval, the Service Provider shall implement such changes to the Security Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser or, otherwise, as soon as reasonably possible. 
For the avoidance of doubt, where the change to the Security Plan is to address a non-compliance with the security requirements (as set out in Schedule 2 (Specification) and/or elsewhere in the Contract) or the requirements of this Schedule, the change to the Security Plan shall be at no cost to the Purchaser. If any repeat Security Test carried out pursuant to paragraph 5.3 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy. It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of clause 24.3 (Rectification Plan).

Appears in 1 contract

Samples: Services Contract

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Contract, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 94.2 or 94.3 of this Call Off Schedule reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule) or the requirements of this Call Off Schedule, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 94.4 of this Call Off Schedule reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default of this Call Off Contract.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Security Testing. The Supplier shall conduct relevant Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Goods and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Lease Agreement, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan.
The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test. Where any Security Test carried out pursuant to paragraphs 5.29 or 5.30 of this Lease Agreement Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Lease Agreement Schedule 7) or the requirements of this Lease Agreement Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. If any repeat Security Test carried out pursuant to paragraph 5.31 of this Lease Agreement Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material Default that is capable of remedy.
It shall also be deemed to be a Delay for the purposes of clause 24.3 (Rectification Plan) and be dealt with accordingly in terms of this Lease Agreement.

Appears in 1 contract

Samples: Lease Agreement
