The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Changes to information processing facilities and information systems shall be subject to change management procedures.

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organisation shall consider:

•  the external and internal issues referred to in 4.1;
• the requirements referred to in 4.2;
• interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation’s information security requirements.

Procedures and measures shall be implemented to securely manage software installation on operational systems.

The organisation shall implement appropriate procedures to protect intellectual property rights.

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

• conforms to the organisation’s own requirements for its information security management system;  the requirements of this document;
• is effectively implemented and maintained.

The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.

The organisation shall:

• define the audit criteria and scope for each audit;
• select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
• ensure that the results of the audits are reported to relevant management;

Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

When a Nonconformity occurs, the organisation shall:

• React to the nonconformity, and as applicable:
  • take action to control and correct it;
  • deal with the consequences
• evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by;
• reviewing the nonconformity;
  • determining the causes of the nonconformity;
  • and determining if similar nonconformities exist, or could potentially occur
• implement any action needed;
• review the effectiveness of any corrective action taken; and
• make changes to the information security management system, if necessary.
  • Corrective actions shall be appropriate to the effects of the nonconformities encountered.
  • Documented information shall be available as evidence of:
• the nature of the nonconformities and any subsequent actions taken,
• the results of any corrective action.

When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Off-site assets shall be protected.

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation’s classification scheme and handling requirements.

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Changes to information processing facilities and information systems shall be subject to change management procedures.

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organisation shall consider:

•  the external and internal issues referred to in 4.1;
• the requirements referred to in 4.2;
• interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation’s information security requirements.

Procedures and measures shall be implemented to securely manage software installation on operational systems.

The organisation shall implement appropriate procedures to protect intellectual property rights.

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

• conforms to the organisation’s own requirements for its information security management system;  the requirements of this document;
• is effectively implemented and maintained.

The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.

The organisation shall:

• define the audit criteria and scope for each audit;
• select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
• ensure that the results of the audits are reported to relevant management;

Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

When a Nonconformity occurs, the organisation shall:

• React to the nonconformity, and as applicable:
  • take action to control and correct it;
  • deal with the consequences
• evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by;
• reviewing the nonconformity;
  • determining the causes of the nonconformity;
  • and determining if similar nonconformities exist, or could potentially occur
• implement any action needed;
• review the effectiveness of any corrective action taken; and
• make changes to the information security management system, if necessary.
  • Corrective actions shall be appropriate to the effects of the nonconformities encountered.
  • Documented information shall be available as evidence of:
• the nature of the nonconformities and any subsequent actions taken,
• the results of any corrective action.

When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Off-site assets shall be protected.

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation’s classification scheme and handling requirements.

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Changes to information processing facilities and information systems shall be subject to change management procedures.

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organisation shall consider:

•  the external and internal issues referred to in 4.1;
• the requirements referred to in 4.2;
• interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation’s information security requirements.

Procedures and measures shall be implemented to securely manage software installation on operational systems.

The organisation shall implement appropriate procedures to protect intellectual property rights.

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

• conforms to the organisation’s own requirements for its information security management system;  the requirements of this document;
• is effectively implemented and maintained.

The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.

The organisation shall:

• define the audit criteria and scope for each audit;
• select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
• ensure that the results of the audits are reported to relevant management;

Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

When a Nonconformity occurs, the organisation shall:

• React to the nonconformity, and as applicable:
  • take action to control and correct it;
  • deal with the consequences
• evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by;
• reviewing the nonconformity;
  • determining the causes of the nonconformity;
  • and determining if similar nonconformities exist, or could potentially occur
• implement any action needed;
• review the effectiveness of any corrective action taken; and
• make changes to the information security management system, if necessary.
  • Corrective actions shall be appropriate to the effects of the nonconformities encountered.
  • Documented information shall be available as evidence of:
• the nature of the nonconformities and any subsequent actions taken,
• the results of any corrective action.

When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Off-site assets shall be protected.

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation’s classification scheme and handling requirements.

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Changes to information processing facilities and information systems shall be subject to change management procedures.

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organisation shall consider:

•  the external and internal issues referred to in 4.1;
• the requirements referred to in 4.2;
• interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation’s information security requirements.

Procedures and measures shall be implemented to securely manage software installation on operational systems.

The organisation shall implement appropriate procedures to protect intellectual property rights.

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

• conforms to the organisation’s own requirements for its information security management system;  the requirements of this document;
• is effectively implemented and maintained.

The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.

The organisation shall:

• define the audit criteria and scope for each audit;
• select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
• ensure that the results of the audits are reported to relevant management;

Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

When a Nonconformity occurs, the organisation shall:

• React to the nonconformity, and as applicable:
  • take action to control and correct it;
  • deal with the consequences
• evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by;
• reviewing the nonconformity;
  • determining the causes of the nonconformity;
  • and determining if similar nonconformities exist, or could potentially occur
• implement any action needed;
• review the effectiveness of any corrective action taken; and
• make changes to the information security management system, if necessary.
  • Corrective actions shall be appropriate to the effects of the nonconformities encountered.
  • Documented information shall be available as evidence of:
• the nature of the nonconformities and any subsequent actions taken,
• the results of any corrective action.

When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Off-site assets shall be protected.

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation’s classification scheme and handling requirements.

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Changes to information processing facilities and information systems shall be subject to change management procedures.

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organisation shall consider:

•  the external and internal issues referred to in 4.1;
• the requirements referred to in 4.2;
• interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation’s information security requirements.

Procedures and measures shall be implemented to securely manage software installation on operational systems.

The organisation shall implement appropriate procedures to protect intellectual property rights.

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

• conforms to the organisation’s own requirements for its information security management system;  the requirements of this document;
• is effectively implemented and maintained.

The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.

The organisation shall:

• define the audit criteria and scope for each audit;
• select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
• ensure that the results of the audits are reported to relevant management;

Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

When a Nonconformity occurs, the organisation shall:

• React to the nonconformity, and as applicable:
  • take action to control and correct it;
  • deal with the consequences
• evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by;
• reviewing the nonconformity;
  • determining the causes of the nonconformity;
  • and determining if similar nonconformities exist, or could potentially occur
• implement any action needed;
• review the effectiveness of any corrective action taken; and
• make changes to the information security management system, if necessary.
  • Corrective actions shall be appropriate to the effects of the nonconformities encountered.
  • Documented information shall be available as evidence of:
• the nature of the nonconformities and any subsequent actions taken,
• the results of any corrective action.

When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Off-site assets shall be protected.

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation’s classification scheme and handling requirements.