xi. 11

Supplier relationships

Supplier relationships policy in place.

Capturing, Processing, Storage, Transmission

Administrative control

xii. 12

Information security incident management

Information security incident management policy in place.

Capturing, Processing, Storage, Transmission

Administrative control

xii (a)

Management of information security incidents and improvements

There should be responsibilities and procedures to manage (report, assess, respond to and learn from) information security events, incidents and weaknesses consistently and effectively, and to collect forensic evidence.

Capturing, Processing, Storage, Transmission

Administrative control

xiii. 13

Information security aspects of business continuity management

Business continuity plan document in place.

Capturing, Processing, Storage, Transmission

Administrative control

xiii (a)

Redundancies

IT facilities should have sufficient redundancy to satisfy availability requirements.

Capturing, Processing, Storage, Transmission

Technical control

xiv. 14

Compliance

Compliance policy in place.

Capturing, Processing, Storage, Transmission

Administrative control

xiv (a)

Compliance with legal and contractual requirements

The organisation must identify and document its obligations to external authorities and other third parties in relation to information security.

Capturing, Processing, Storage, Transmission

Compliance control

xv. 15

Risk Management

Risk register developed, operational and updated.

Capturing, Processing, Storage, Transmission

Compliance control