Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 Where any Security Test carried out pursuant to paragraphs 4.1 or 4.3 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph , the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in the Letter of Appointment), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer’s security requirements.
Appears in 16 contracts
Samples: Contract for the Provision of Financial and Commercial Support, Contract Services, Contract Services
Testing. 4.1 The CONTRACTOR shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the CUSTOMER.
4.2 The CUSTOMER shall be entitled to send a representative to witness the conduct of the Security Tests. The CONTRACTOR shall provide the CUSTOMER with the results of such tests (in a form approved by the CUSTOMER in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the CUSTOMER pursuant to this Contract, the CUSTOMER and/or its authorised representatives shall be entitled, at any time and without giving notice to the CONTRACTOR, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the CONTRACTOR's compliance with the ISMS and the Security Management Plan. The CUSTOMER may notify the CONTRACTOR of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Ordered IT Products. If such tests adversely affect the CONTRACTOR’s ability to deliver the Ordered IT Products to the agreed Service Levels, the CONTRACTOR shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 of this Schedule reveals any actual or potential Breach of Security, the CONTRACTOR shall promptly notify the CUSTOMER of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the CONTRACTOR proposes to make in order to correct such failure or weakness. Subject to the CUSTOMER's approval in accordance with paragraph 3.4.4 of this Schedule, the CONTRACTOR shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the CUSTOMER or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in Schedule 2-2), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the CUSTOMER.
Appears in 4 contracts
Samples: Maintenance and Support Agreement, Contract for the Provision of Commoditised It Hardware and Software, Software Subscription & Support Renewal Agreement
Testing. 4.1. The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2. The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3. Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
4.4. Where any Security Test carried out pursuant to paragraphs 1.9 or 1.10 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 1.7.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.7 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer’s security requirements.
Appears in 3 contracts
Samples: Order Form and Call Off Terms, Order Form and Call Off Terms, Order Form and Call Off Terms
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.1 or 4.2 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.3, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.5 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer’s security requirements.
Appears in 3 contracts
Samples: Works Order, Order Form, Framework Agreement
Testing. 2.4.1. The Contractor shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Employer.
2.4.2. The Employer shall be entitled to send a representative to witness the conduct of the Security Tests. The Contractor shall provide the Employer with the results of such tests (in a form approved by the Employer in advance) as soon as practicable after completion of each Security Test.
2.4.3. Without prejudice to any other right of audit or access granted to the Employer pursuant to this contract, the Employer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Contractor, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Contractor's compliance with the ISMS and the Security Management Plan. The Employer may notify the Contractor of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the service. If such tests adversely affect the Contractor’s ability to deliver the service to the agreed Service Levels, the Contractor shall be granted relief against any resultant under-performance for the period of the tests.
2.4.4. Where any Security Test carried out pursuant to paragraphs 2.4.2 or 2.4.3 above reveals any actual or potential Breach of Security, the Contractor shall promptly notify the Employer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Contractor proposes to make in order to correct such failure or weakness. Subject to the Employer's approval in accordance with paragraph 2.3.4.4, the Contractor shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Employer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Security Requirements, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Employer.
Appears in 3 contracts
Samples: Nec Term Service Contract, Nec Term Service Contract, Nec Term Service Contract
Testing. Variation Procedure and shall not be implemented until approved in writing by the Customer.
4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Placement Services. If such tests adversely affect the Supplier’s ability to deliver the Placement Services, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Security Requirements, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer’s security requirements.
Appears in 2 contracts
Samples: Framework Agreement, Framework Agreement
Testing. 4.1 The Contractor shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Authority.
4.2 The Authority shall be entitled to send a representative to witness the conduct of the Security Tests. The Contractor shall provide the Authority with the results of such tests (in a form approved by the Authority in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Authority pursuant to this Agreement, the Authority and/or its authorised representatives shall be entitled, at any time and without giving notice to the Contractor, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Contractor's compliance with the ISMS and the Security Management Plan. The Authority may notify the Contractor of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests impact adversely on its ability to deliver the Services to the agreed Service Levels, the Contractor shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.1 or 4.3 above reveals any actual or potential Breach of Security, the Contractor shall promptly notify the Authority of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Contractor proposes to make in order to correct such failure or weakness. Subject to the Authority's approval in accordance with paragraph , the Contractor shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Authority or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer’s security requirements, the change to the ISMS or Security Management Plan shall be at no cost to the Authority. [The Contractor shall obtain independent certification of the ISMS to ISO 27001 as soon as reasonably practicable and will maintain such certification for the duration of the Agreement.] [If certain parts of the ISMS do not conform to good industry practice, or controls as described in ISO 27002 are not consistent with the Security Policy, and, as a result, the Contractor reasonably believes that it is not compliant with ISO 27001, the Contractor shall promptly notify the Authority of this and the Authority in its absolute discretion may waive the requirement for certification in respect of the relevant parts.]
The Authority shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Authority's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Contractor, then the Authority shall notify the Contractor of the same and give the Contractor a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO 27001. If the Contractor does not become compliant within the required time then the Authority has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph the Contractor is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Contractor shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Authority in obtaining such audit.
Appears in 1 contract
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer’s security requirements, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. The Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within twelve [12] months of the Commencement Date or such other period as may be agreed with the Authority and shall maintain such certification for the duration of the Contract. (Not Used) The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001.
If, on the basis of evidence provided by such audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 5.4 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 5.1 and 5.2 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.2.2, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.7 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 5, weaknesses means a vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or security requirements. Where the Customer requests, the Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within twelve (12) Months of the Commencement Date or such reasonable time period as to be agreed with the Customer and shall maintain such certification for the duration of the Contract.
If certain parts of the ISMS do not conform to Good Industry Practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts. The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 6.3 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Order Form and Call Off Terms
Testing. 4.1 The Consultant shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Architect/Contract Administrator.
4.2 The Architect/Contract Administrator shall be entitled to send a representative to witness the conduct of the Security Tests. The Consultant shall provide the Architect/Contract Administrator with the results of such tests (in a form approved by the Client in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Client pursuant to this contract, the Architect/Contract Administrator and/or its authorised representatives shall be entitled, at any time and without giving notice to the Consultant, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Consultant's compliance with the ISMS and the Security Management Plan. The Architect/Contract Administrator may notify the Consultant of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on carrying out the Services. If such tests adversely affect the Consultant's ability to carry out the Services in accordance with the Client's Requirements, the Consultant shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 1.4.5.2 or 1.4.5.3 above reveals any actual or potential Breach of Security, the Consultant shall promptly notify the Architect/Contract Administrator of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Consultant proposes to make in order to correct such failure or weakness. Subject to the Architect/Contract Administrator's approval in accordance with paragraph (i), the Consultant shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Architect/Contract Administrator or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Security Requirements, the change to the ISMS or Security Management Plan shall be at no cost to the Client.
Compliance with ISO/IEC 27001
Unless otherwise agreed by the parties, the Consultant shall obtain independent certification of the ISMS to ISO/IEC 27001 within 12 months of the Contract Date and shall maintain such certification for the duration of the contract.
In the event that paragraph 1.5.1 above applies, if certain parts of the ISMS do not conform to Good Industry Practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Consultant reasonably believes that it is not compliant with ISO/IEC 27001, the Consultant shall promptly notify the Architect/Contract Administrator of this and the Client in its absolute discretion may waive the requirement for certification in respect of the relevant parts. The Architect/Contract Administrator shall be entitled to carry out such regular security audits as may be required and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Architect/Contract Administrator's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Consultant, then the Architect/Contract Administrator shall notify the Consultant of the same and give the Consultant a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Consultant does not become compliant within the required time then the Architect/Contract Administrator has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 1.5.4 the Consultant is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Consultant shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Client in obtaining such audit.
Breach of Security Management Plan
Either party shall give an early warning to the other in accordance with the agreed security incident management process as defined by the ISMS upon becoming aware of any Breach of Security or any potential or attempted Breach of Security. Without prejudice to the security incident management process, upon becoming aware of any of the circumstances referred to in paragraph 1.6.1, the Consultant shall: immediately take all reasonable steps necessary to remedy such breach or protect the integrity of the ISMS against any such potential or attempted breach or threat, and to prevent an equivalent breach in the future, such steps to include any action or changes reasonably required by the Architect/Contract Administrator; and as soon as reasonably practicable provide to the Architect/Contract Administrator full details (using such reporting mechanism as defined by the ISMS) of the Breach of Security or potential or attempted Breach of Security.
Appears in 1 contract
Samples: JCT Consultancy Agreement
Testing. 4.1 The Contractor shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Department.
4.2 The Department shall be entitled to send a representative to witness the conduct of the Security Tests. The Contractor shall provide the Department with the results of such tests (in a form approved by the Department in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Department pursuant to this Agreement, the Department and/or its authorised representatives shall be entitled, at any time and without giving notice to the Contractor, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Contractor's compliance with the ISMS and the Security Management Plan. The Department may notify the Contractor of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests adversely affect the Contractor's ability to deliver the Services to the agreed Service Levels, the Contractor shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to Paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Contractor shall promptly notify the Department of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Contractor proposes to make in order to correct such failure or weakness. Subject to the Department's approval in accordance with Paragraph 3.4.4, the Contractor shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Department or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in Appendix 1 of this Schedule), the change to the ISMS or Security Management Plan shall be at no cost to the Department.
Appears in 1 contract
Testing. 4.1 The CONTRACTOR shall conduct tests of the Servicenow Security Updates Document ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the CUSTOMER.
4.2 The CUSTOMER shall be entitled to send a representative to witness the conduct of the Security Tests. The CONTRACTOR shall provide the CUSTOMER with the results of such tests (in a form approved by the CUSTOMER in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the CUSTOMER pursuant to this Contract, the CUSTOMER and/or its authorised representatives shall be entitled, at any time and without giving notice to the CONTRACTOR, to carry out such tests (including penetration tests) as it may deem necessary in relation to the Servicenow Security Updates Document and the CONTRACTOR's compliance with the ISMS and the Security Management Plan. The CUSTOMER may notify the CONTRACTOR of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Ordered IT Products. If such tests adversely affect the CONTRACTOR's ability to deliver the Ordered IT Products to the agreed Service Levels, the CONTRACTOR shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 of this Schedule reveals any actual or potential Breach of Security, the CONTRACTOR shall promptly notify the CUSTOMER of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the CONTRACTOR proposes to make in order to correct such failure or weakness. Subject to the CUSTOMER's approval in accordance with paragraph 3.4.4 of this Schedule, the CONTRACTOR shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the CUSTOMER or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in Schedule 2-2), the change to the ISMS or Security Management Plan shall be at no cost to the CUSTOMER.
Appears in 1 contract
Samples: Commoditised It Hardware and Software Framework Agreement
Testing. 5.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
5.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
5.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Goods and Services. If such tests adversely affect the Supplier's ability to deliver the Goods and Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
5.4 Where any Security Test carried out pursuant to paragraphs 5.1 and 5.2 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.2.2, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is required to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.8 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 5, weaknesses means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer's security requirements.
Appears in 1 contract
Samples: Order Form and Call Off Terms
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 5.1 and 5.2 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.2.2, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is required to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.4 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 5, weaknesses means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or security requirements. [Where the Customer requests, the Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within [twelve (12)] Months of the Commencement Date or such reasonable time period as to be agreed with the Customer and shall maintain such certification for the duration of the Contract.]
[If certain parts of the ISMS do not conform to Good Industry Practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 6.3 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Order Form and Call Off Terms
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.1 or 4.2 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.3, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.5 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer's security requirements.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.5 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer.
BREACH OF SECURITY
Either party shall notify the other in accordance with the agreed security incident management process as defined by the ISMS upon becoming aware of any Breach of Security or any potential or attempted Breach of Security. Without prejudice to the security incident management process, upon becoming aware of any of the circumstances referred to in paragraph 5.1, the Supplier shall: immediately take all reasonable steps necessary to: remedy such breach or protect the integrity of the ISMS against any such potential or attempted breach or threat; and prevent an equivalent breach in the future.
Such steps shall include any action or changes reasonably required by the Customer. In the event that such action is taken in response to a breach that is determined by the Customer acting reasonably not to be covered by the obligations of the Supplier under this Contract, then the Supplier shall be entitled to refer the matter to the Variation Procedure; and as soon as reasonably practicable provide to the Customer full details (using such reporting mechanism as defined by the ISMS) of the Breach of Security or potential or attempted Breach of Security.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 5.1 and 5.2 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.2.2, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.7 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 5, weaknesses means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or security requirements. [Where the Customer requests, the Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within [twelve (12)] Months of the Commencement Date or such reasonable time period as to be agreed with the Customer and shall maintain such certification for the duration of the Contract.]
[If certain parts of the ISMS do not conform to Good Industry Practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 6.3 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 5.1 and 5.2 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.2.2, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.7 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 5, weaknesses means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or security requirements. [If certain parts of the ISMS do not conform to Good Industry Practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts.]
The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 6.3 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 1.9 or 1.10 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 1.7.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.7 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer.
COMPLIANCE WITH ISO/IEC 27001 [The Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within [12] months of the Commencement Date and shall maintain such certification for the duration of the Contract.]
[If certain parts of the ISMS do not conform to good industry practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer’s reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 1.15 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Call Off Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 11 or 12 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 10.3, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.5 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. Unless otherwise agreed with the Customer, the Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within 12 months of the Commencement Date and shall maintain such certification for the duration of the Contract.
If certain parts of the ISMS do not conform to good industry practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts. The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer’s reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 18 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Placement Services. If such tests adversely affect the Supplier’s ability to deliver the Placement Services, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan to address a non-compliance with the Security Policy or the Customer’s Security Requirements, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer’s security requirements.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.5 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer’s security requirements.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
4.4 Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.5 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer’s security requirements.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Contracting Body shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Contracting Body with the results of such tests (in a form approved by the Contracting Body in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Contracting Body pursuant to this Contract, the Contracting Body and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier’s compliance with the ISMS and the Security Management Plan. The Contracting Body may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Contracting Body of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Contracting Body's approval in accordance with paragraph 3.6, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Contracting Body or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan to address a non-compliance with the Security Policy or the Customer’s Security Requirements (as set out in paragraph 2.2 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Contracting Body’s security requirements.
Appears in 1 contract
Samples: Framework Agreement
Testing. 3.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
3.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
3.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services. If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests.
3.4 Where any Security Test carried out pursuant to paragraphs 8.1 and 8.2 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 6.2.2, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in the Letter of Appointment), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 8, weaknesses means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer’s security requirements.
Appears in 1 contract
Samples: Letter of Appointment
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Goods and Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Goods and Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 5.1 and 5.2 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.2.2, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is required to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.8 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 5, weaknesses means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or security requirements. [Where the Customer requests, the Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within [twelve (12)] Months of the Commencement Date or such reasonable time period as to be agreed with the Customer and shall maintain such certification for the duration of the Contract.]
[If certain parts of the ISMS do not conform to Good Industry Practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer’s reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 6.3 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Order Form and Call Off Terms
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier’s ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 4.1 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph , the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan to address a non-compliance with the Security Policy or the Customer’s security requirements (as set out in paragraph 2.5 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. The Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within 12 months of the Commencement Date and shall maintain such certification for the duration of the Contract.
If certain parts of the ISMS do not conform to good industry practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts. The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer’s reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Order Form and Call Off Terms
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Contracting Body.
4.2 The Contracting Body shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Contracting Body with the results of such tests (in a form approved by the Contracting Body in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Contracting Body pursuant to this Contract, the Contracting Body and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Contracting Body may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Contracting Body of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Contracting Body's approval in accordance with paragraph 3.6, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Contracting Body or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's Security Requirements (as set out in paragraph 2.3 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Contracting Body. The Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within 12 months of the Commencement Date and shall maintain such certification for the duration of the Contract.
If certain parts of the ISMS do not conform to good industry practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Contracting Body of this and the Contracting Body in its absolute discretion may waive the Requirement for certification in respect of the relevant parts. The Contracting Body shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Contracting Body's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Contracting Body shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Contracting Body has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 5.4 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Contracting Body in obtaining such audit.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an [annual] basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 1.9 or 1.10 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 1.7.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.7 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. [The Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within [12] months of the Commencement Date and shall maintain such certification for the duration of the Contract.]
[If certain parts of the ISMS do not conform to good industry practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts.] The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 1.15 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Order Form and Call Off Terms
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 5.1 and 5.2 above reveals any actual or potential Breach of Security and/or security failure or weaknesses, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.2.2, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.4 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. For the purposes of this paragraph 5, weaknesses means vulnerability in security and a potential security failure means a possible breach of the Security Management Plan or the Customer's security requirements.
Appears in 1 contract
Samples: Call Off Contract for Edisclosure and Hard Copy Review Services
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the Parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Placement Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Placement Services, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraphs 4.2 or 4.3 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.4, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Security Requirements, the change to the ISMS or Security Management Plan shall be at no cost to the Customer. The Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 (or standards offering equivalent protection) within 12 months of the Commencement Date and shall maintain such certification for the duration of the Contract.
If certain parts of the ISMS do not conform to good industry practice, or controls as described in ISO/IEC 27002 (or a standard offering equivalent protection) are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001 (or a standard offering equivalent protection), the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts. The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO/IEC 27001 (or a standard offering equivalent protection). If, on the basis of evidence provided by such audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 (or a standard offering equivalent protection) is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001 (or a standard offering equivalent protection). If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part.
If, as a result of any such independent audit as described in paragraph 5.4 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 (or a standard offering equivalent protection) then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Framework Agreement
Testing. 4.1 The Supplier shall conduct tests of the ISMS ("Security Tests") on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer.
4.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.
4.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Contract, the Customer and/or its authorised representatives shall be entitled, at any time and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier's compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery of the Services.
4.4 If such tests adversely affect the Supplier's ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. Where any Security Test carried out pursuant to paragraph 4.2 above reveals any actual or potential Breach of Security, the Supplier shall promptly notify the Customer in writing of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer's approval in accordance with paragraph 3.4.3, the Supplier shall implement such changes to the ISMS and the Security Management Plan in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or the Customer's security requirements (as set out in paragraph 2.5 of the Order Form), the change to the ISMS or Security Management Plan shall be at no cost to the Customer. The Supplier shall obtain independent certification of the ISMS to ISO/IEC 27001 within 12 months of the Commencement Date and shall maintain such certification for the duration of the Contract.
If certain parts of the ISMS do not conform to good industry practice, or controls as described in ISO/IEC 27002 are not consistent with the Security Policy, and, as a result, the Supplier reasonably believes that it is not compliant with ISO/IEC 27001, the Supplier shall promptly notify the Customer of this and the Customer in its absolute discretion may waive the requirement for certification in respect of the relevant parts. The Customer shall be entitled to carry out such regular security audits as may be required, and in accordance with Good Industry Practice, in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001. If, on the basis of evidence provided by such audits, it is the Customer's reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to become compliant with the principles and practices of ISO/IEC 27001. If the Supplier does not become compliant within the required time then the Customer has the right to obtain an independent audit against these standards in whole or in part. If, as a result of any such independent audit as described in paragraph 5.3 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.
Appears in 1 contract
Samples: Framework Agreement