ISO/IEC 27001:2013
ISO 37001:2016
ISO 9001:2015
Information technology — Security techniques — Information security management systems — Requirements
Anti-bribery management systems – Requirements with guidance for use
Quality management systems - Requirements
ISO/IEC DIS 20000-1 Information technology -Service management - Part 1: Service management system requirements (as Okt2017)
1 Scope
1 Scope
1 Scope
1 Scope
This International Standard specifies the requirements for establishing,implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
This standard specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system.
This International Standard specifies requirements for a quality management system when an organization:
1.1 General 1.2 Application
a)
The system can be stand-alone or can be integrated into an overall management system. This standard addresses the following in relation to the organization's activities: — bribery in the public, private and not-for- profit sectors; — bribery by the organization; — bribery by the organization's personnel acting on the organization's behalf or for its benefit; — bribery b y the organization's business associates acting on the organization's behalf or for its benefit; — bribery of the organization; — bribery of the organization's personnel in relation to the organization’s activities; — bribery o f th e organization's business associates in relation to the organization’s activities; — direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party).
This standard is applicable only to bribery. It sets out requirements and provides guidance for a
v02 14Oktober2017
1
needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements. All the requirements of this International Standard are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides. NOTE 1 In this International Standard, the terms “product” or “service” only apply to products and services intended for, or required by, a customer. NOTE 2 Statutory and regulatory requirements can be expressed as legal requirements.
management system designed to help an organization to p revent, detect and respond to bribery and comply with anti- bribery laws and voluntary commitments applicable to its activities
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.
2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
This standard does not specifically address fraud, cartels and other anti-trust/competition offences, money-laundering or other activities related to corrupt practices, although an organization can choose to extend the scope of the management management system to include such activities. The requirements of this standard are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size and nature of activity, and whether in the public, private or not-for- profit sectors. The extent of application of these requirements depends on the factors specified in 4.1, 4.2 and 4.5. NOTE 1 See Clause A.2 for guidance. NOTE 2 The measures necessary to prevent, detect and mitigate the risk of bribery by the organization can be different from the measures used to prevent, detect and respond to bribery of the organization (or its personnel personnel or business associates acting on the organization's behalf). See A.8.4 for guidance. 2 Normative references There are no normative references in this standard
2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 9000:2015, Quality management systems — Fundamentals and vocabulary
ISO/IEC 27000, Information technology — Security techniques — Information
v02 14Oktober2017
2
2 Normative references
security management systems — Overview and vocabulary
3 Terms and definitions
3 Terms and definitions
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
For the purposes of this standard, th e following terms and definitions apply.
For the purposes of this do cument, the terms and definitions given in ISO 9000:2015 apply
ISO and IEC maintain terminological databases for use in standardization at the following addresses: — ISO Online browsing platform: available at http://www.iso.org/obp — IEC Electropedia: available at http://www.electropedia.org/
3.1 bribery offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), in violation of applicable law, as an in ducement or reward for a person acting or refraining from acting in relation to the performance (3.16) of that person's duties NOTE 1 to entry: The above is a generic definition. The meaning of the term “bribery” is as defined by the anti-bribery law applicable to the organization (3.2) and by the anti-bribery management system (3.5) designed by the organization. 3.2 organization person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.11) NOTE 1 to entry: The concept of organization includes, but is not limited to sole-trader, company,
v02 14Oktober2017
3
3 Terms and definitions
corporation, firm, enterprise, authority, partnership, charity or institution, or p art or combination thereof, whether incorporated or not, public or private. NOTE 2 to entry: For organizations with more than one operating unit, one or more of the operating units can be defined as an organization. 3.3 Interested party (preferred (preferred term) stakeholder (admitted term) person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision or activity NOTE 1 to entry: A stakeholder can be internal or external to the organization 3.4 requirement need that is stated and obligatory NOTE 1 to entry: The core defini tion of “requirement” in ISO management system standards is “need or expectation that is stated, generally implied or obligatory”. “Generally implied requirements” requirements” are not applicable in the context of anti-bribery management. NOTE 2 to entry: “Generally implied” means that it is custom or common practice for the o rganization and interested parties that the need or expectation under consideration is implied.
NOTE 3 to entry: A specified requirement is one that is stated, for example in documented information 3.5 management system set of interrelated or interacting elements of an
v02 14Oktober2017
4
organization (3.2) to establish policies (3.10) and objectives (3.11) and processes (3.15) to achieve those objectives NOTE 1 to entry: entry: A management system can address address a single discipline or several disciplines. NOTE 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.
4 Context of the organization 4.1 Understanding the organization and its context The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].
v02 14Oktober2017
NOTE 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations. 4 Context of the organization
4.1 Understanding the organization and its context The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the objectives of its antibribery management system. These issues will include, without limitation, the following factors a) the size, structure and delegated decisionmaking authority of the organization; b) the locations and sectors in which the organization operates or anticipates operating; c) the nature, scale and complexity of the organization's activities and operations; d) the organization’s business model; e) the entities over which the organization has control and entities which exercise control
5
4 Context of the organization
4 Context of the organization
4.1 Understanding the organization and its context The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system. The organization shall monitor and review information about these external and internal issues. NOTE 1 Issues can include positive and negative factors or conditions for consideration. NOTE 2 Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local. NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture, knowledge and performance of the organization.
4.1 Understanding the organization and its context
a) b) c)
4.2 Understanding the needs and expectations of interested parties
over the organization; the organization's business associates; the nature and extent of interactions with public officials; applicable statutory, regulatory, contractual and professional obligations and duties.
NOTE An organization has control over another organization if it directly or indirectly controls the management of the organization (see A.13.1.3). 4.2 Understanding the needs and expectations of stakeholders
The organization shall determine: a) interested parties that are relevant to the information security management system; and b) the requirements of these interested parties relevant to information security.
The organization shall determine: a) the stakeholders that are relevant to the antibribery management system; b) the relevant requirements of these stakeholders.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
NOTE In identifying the requirements of stakeholders, an organization can distinguish between mandatory requirements and the non-mandatory expectations of, and voluntary commitments to, stakeholders
4.2 Understanding the needs and expectations of interested parties Due to their effect or potential effect on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine: a) the interested parties that are relevant to the quality management system; b) the requirements of these interested parties that are relevant to the quality management system.
4.3 Determining the scope of the information security management system
4.3 Determining the scope of the anti-bribery management system
The organization shall monitor and review information about these interested parties and their relevant requirements. 4.3 Determining the scope of the quality management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
The organization shall determine the bound aries and applicability of the anti-bribery management system to establish its scope.
The organization shall determine the boundaries and applicability of the quality management system to establish its scope.
v02 14Oktober2017
6
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the service management system
When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; b) the requirements referred to in 4.2; and c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; b) the requirements referred to in 4.2 c) the results of the bribery risk assessment referred to in 4.5 The scope shall be available as documented information. NOTE
When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; b) the requirements of relevant interested parties referred to in 4.2; c) the products and services of the organization. The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system.
See Clause A.2 for guidance.
The scope shall be available as documented information.
The scope of the organization’s quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system. Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.
4.4 Information security management system
4.4 Anti-bribery management system
4.4 Quality management system and its processes
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.
The organization shall establish, document, implement, maintain and continually review and, where necessary, improve an anti- bribery management system, including the processes needed and their interactions, in accordance with the requirements of this standard. The anti-bribery management system shall contain measures designed to identify and evaluate the risk of,
4.4.1 The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall: a) determine the inputs required and the outputs
v02 14Oktober2017
7
4.4 Service management system
and to prevent, detect and respond to, bribery. NOTE 1 It is not possible to completely eliminate the risk of bribery, and no anti-bribery management system will be capable of preventing and detecting all bribery. The anti-bribery management system shall be reasonable and proportionate, taking into account the factors referred to in 4.3. NOTE 2 See Clause A.3 for guidance
4.5 Bribery risk assessment 4.5.1 The organization shall undertake regular bribery risk assessment(s) which shall: a) identify the bribery risks the organization might reasonably anticipate given the factors listed in 4.1 b) analyse, assess and prioritize the identified bribery risks; c) evaluate the suitability and effectiveness of the organization's existing controls to mitigate the assessed bribery risks 4.5.2 The organization shall establish criteria for evaluating its level of bribery risk, which shall take into
v02 14Oktober2017
8
expected from these processes; b) determine the sequence and interaction of these processes; c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes; d) determine the resources needed for these processes and ensure their availability; e) assign the responsibilities and authorities for these processes; f) address the risks and opportunities as determined in accordance with the requirements of 6.1; g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results; h) improve the processes and the quality management system. 4.4.2 To the extent necessary, the organization shall: a) maintain documented information to support the operation of its processes; b) retain documented information to have confidence that the processes are being carried out as planned.
account the organization's policies and objectives.
4.5.3 The bribery risk assessment shall be reviewed: a) on a regular basis so that changes and new information can be properly assessed based on timing and frequency defined by the organization; b) in the event of a significant change to the structure or activities of the organization. 4.5.4 The organization shall retain documented information that demonstrates that the bribery risk assessment has been conducted and used to design or improve the anti-bribery management system. NOTE
See Clause A.4 for guidance.
5 Leadership
5 Leadership
5 Leadership
5 Leadership
5.1 Leadership and commitment
5.1 Leadership and commitment 5.1.1 Governing body
5.1 Leadership and commitment 5.1.1 General
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
When the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system by: a) approving the organization’s anti-bribery policy; b) ensuring that the organization’s strategy and antibribery policy are aligned; c) at planned intervals receiving and reviewing
Top management shall demonstrate leadership and commitment with respect to the quality management system by: a) taking accountability for the effectiveness of the quality management system; b) ensuring that the quality policy and quality objectives are established for the quality management
a) ensuring the information security policy and the information security objectives are established and are compatible with
v02 14Oktober2017
9
the strategic direction of the organization; b) ensuring the integration of the information security management system requirements into the organization's processes; c) ensuring that the resources needed for the information security management system are available; d) communicating the importance of effective information security management and of conforming to the information security management system requirements; e) ensuring that the information security management system achieves its intended outcome(s); f ) directing and supporting persons to contribute to the effectiveness of the information security management system; g) promoting continual improvement; and h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
information about the content and operation of the organization’s anti- bribery management system; d) requiring that adequate and appropriate resources needed for effective operation of the anti-bribery management system are allocated and assigned; e) exercising reasonable oversight over the implementation of the organization’s anti-bribery management system by top management and its effectiveness. These activities shall be carried out by top management if the organization does not have a governing body
system and are compatible with the context and strategic direction of the organization; c) ensuring the integration of the quality management system requirements into the organization’s business processes; d) promoting the use of the process approach and risk-based thinking; e) ensuring that the resources needed for the q uality management system are available; f) communicating the importance of effective quality management and of conforming to the quality management system requirements; g) ensuring that the quality management system achieves its intended results; h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system; i) promoting improvement; j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. NOTE Reference to “business” in this International Standard can be interpreted broadly to mean those activities that are core to the purpo ses of the organization’s existence, whether the organization is public, private, for profit or not for profit.
v02 14Oktober2017
5.1.2 Top management
5.1.2 Customer focus
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system by: a) ensuring that the anti-bribery management system, including policy and objectives, is established, implemented, maintained and reviewed to adequately address the organization's bribery risks;
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: a) customer and applicable statutory and regulatory requirements are determined, understood and consistently met; b) the risks and opportunities that can affect
10
b) ensuring the integration of the anti-bribery management system requirements into the organization’s processes; c) deploying adequate and appropriate resources for the effective operation of the anti-bribery management system; d) communicating internally and externally regarding the anti-bribery policy; e) communicating internally the importance of effective anti-bribery management and of conforming to the anti-bribery management system requirements f) ensuring that the anti-bribery management system is appropriately designed to achieve its objectives; g) directing and supporting personnel to contribute to the effectiveness of the anti- bribery management system; h) promoting an appropriate anti-bribery culture within the organization; i) promoting continual improvement; j) supporting other relevant management roles to demonstrate their leadership in preventing and detecting bribery as it applies to their areas of responsibility; k) encouraging the use of reporting procedures for suspected and actual bribery (see 8.9); l) ensuring that no personnel will suffer retaliation, discrimination or disciplinary action (see 7.2.2.1 d)) for reports made in good faith or on the basis of a reasonable belief of violation or suspected violation of the organization’s anti-bribery policy, or for refusing to engage in bribery, even if such refusal can result in the organization losing business (except where the individual participated in the violation); m) at planned intervals, reporting to the governing body (if any) on the content and operation of the anti-bribery management system and of allegations of serious or systematic bribery.
v02 14Oktober2017
11
conformity of products and services and the ability to enhance customer satisfaction are determined and addressed; c) the focus on enhancing customer satisfaction is maintained.
NOTE
See Clause A.5 for guidance.
5.2 Policy
5.2 Anti-bribery policy
5.2 Policy 5.2.1 Developing the quality policy
Top management shall establish an information security policy that:
Top management shall establish, maintain and review an anti-bribery policy that:
Top management shall establish, implement and maintain a quality policy that: a) is appropriate to the purpose and context of the organization and supports its strategic direction; b) provides a framework for setting quality objectives; c) includes a commitment to satisfy applicable requirements; d) includes a commitment to continu al improvement of the quality management system. 5.2.2 Communicating the quality policy The quality policy shall: a) be available and be maintained as documented information; b) be communicated, understood and applied within the organization; c) be available to relevant interested parties, as appropriate
a) prohibits bribery; b) requires compliance with anti-bribery laws that are applicable to the organization; a) is appropriate to the purpose of the organization; b) includes information security objectives (see 6.4) or provides the frameworP for setting information security objectives;
c) is appropriate to the purpose of the organization;
c) includes a commitment to satisfy applicable requirements related to information security; and
e) includes a commitment to satisfy anti-bribery management system requirements; f) encourages raising concerns in good faith or on the basis of a reasonable belief in confidence without fear of reprisal; g) includes a commitment to continu al improvement of the anti-bribery management system; h) explains the authority and independence of the anti-bribery compliance function; i) explains the consequences of not complying with the anti-bribery policy. The anti-bribery policy shall: — be available as documented information; — be communicated in appropriate languages within the organization and to business associates who pose more than a low risk of bribery; — be available to relevant stakeholders, as appropriate. 5.3 Organizational roles, responsibilities and
d) includes a commitment to continual improvement of the information security management system. The information security policy shall: e) be available as documented information; f) be communicated within the organization; and
g) be available to interested parties, as appropriate. 5.3 Organizational roles, responsibilities
v02 14Oktober2017
d) provides a framework for setting, reviewingand achieving anti-bribery objectives;
12
5.3 Organizational roles, responsibilities and
5.2 Policy 5.2.1 Establishing the service management policy 5.2.2 Communicating the service management policy
5.3 Organizational roles,
and authorities
authorities
authorities
5.3.1 Roles and responsibilities Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall have overall responsibility for the implementation of, and compliance with, the anti-bribery management system, as described in 5.1.2.
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.
Top management shall assign the responsibility and authority for:
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within and throughout every level of the organization.
Top management shall assign the responsibility and authority for: a) ensuring that the quality management system conforms to the requirements of this International Standard; b) ensuring that the processes are delivering th eir intended outputs; c) reporting on the performance of the quality management system and on opportunities for improvement (see 10.1), in particular to top management; d) ensuring the promotion of customer focus throughout the organization; e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.
a) ensuring that the information security management system conforms to the requirements of this International Standard; and b) reporting on the performance of th e information security management system to top management. NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.
Managers at every level shall be responsible for requiring that the anti-bribery management system requirements are applied and complied with in their department or function. The governing body (if any), top management and all other personnel shall be responsible for understanding, complying with and applying the antibribery management system requirements, as they relate to their role in the organization.
5.3.2 Anti-bribery compliance function Top management shall assign to an anti- bribery compliance function the responsibility and authority for: a) overseeing the design and implementation by the organization of the anti-bribery management system; b) providing advice and guidance to personnel on the anti-bribery management system and issues relating to bribery; c) ensuring that the anti-bribery management system
v02 14Oktober2017
13
responsibilities and authorities
conforms to the requirements of this standard; d) reporting on the performance of the anti-bribery management system to the governing body (if any) and top management and other compliance functions, as appropriate. The anti-bribery compliance function shall be adequately resourced and assigned to person(s) who have the appropriate competence, status, authority and independence. The anti-bribery compliance function shall have direct and prompt access to the governing body (if any) and top management in the event that any issue or concern needs to be raised in relation to bribery or the anti- bribery management system. Top management can assign some or all of the antibribery compliance function to persons external to the organization. If it does, top management shall ensure that specific personnel have responsibility for, and authority over, those externally assigned parts of the function. NOTE See Clause A.6 for guidance. 5.3.3 Delegated decision-making Where top management delegates to personnel the authority for the making of decisions in relation to which there is more than a low risk of bribery, the organization shall establish and maintain a decisionmaking process or set of controls w hich requires that the decision process and the level of authority of the decision-maker(s) are appropriate and free of actual or potential conflicts of interest. Top management shall ensure that these processes are reviewed periodically as part of its role and responsibility for implementation of, and compliance with, the anti-
v02 14Oktober2017
14
bribery management system outlined in 5.3.1 NOTE Delegation of decision-making will not exempt top management or the governing body (if any) of their duties and responsibilities as described in 5.1.1, 5.1.2 and 5.3.1, nor does it necessarily transfer to the delegated personnel potential legal responsibilities.
5.4 Control of parties involved in the service lifecycle 6 Planning
6 Planning
6 Planning
6 Planning
6.1 Actions to address risks and opportunities
6.1 Actions to address risks and opportunities
6.1 Actions to address risks and opportunities
6.1 Actions to address risks and opportunities
6.1.1 General When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) ensure the information security management system can achieve its intended outcome(s); b) prevent, or reduce, undesired effects; and c) achieve continual improvement.
When planning for the anti-bribery management system, the organization shall consider the issues referred to in 4.1, the requirements referred to in 4.2, the risks identified in 4.5, and opportunities for improvement that need to be addressed to:
The organization shall plan: d) actions to address these risks and opportunities; and e) how to 1) integrate and implement the actions into its information security management system
v02 14Oktober2017
a) give reasonable assurance that the anti- bribery management system can achieve its objectives; b) prevent, or reduce, undesired effects relevant to the anti-bribery policy and objectives; c) monitor the effectiveness of the anti- bribery management system; d) achieve continual improvement. The organization shall plan: — actions to address these bribery risks and opportunities for improvement; — how to: — integrate and implement these actions into its antibribery management system processes; — evaluate the effectiveness of these actions..
15
6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) give assurance that the quality management system can achieve its intended result(s); b) enhance desirable effects; c) prevent, or reduce, undesired effects; d) achieve improvement. 6.1.2 The organization shall plan: a) actions to address these risks and opportunities; b) how to: 1) integrate and implement the actions into its quality management system processes (see 4.4); 2) evaluate the effectiveness of these actions. Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services. NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by
2)
processes; and evaluate the effectiveness of these actions.
informed decision. NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new clients, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.
6.1.2 Information security risk assessment The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: 1) the risk acceptance criteria; and 2) criteria for performing information security risk assessments; b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks: 1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and 2) identify the risk owners; d) analyses the information security risks: 1) assess the potential consequences that would result if the risks identified in 6...4 c) 1) were to materialize;
v02 14Oktober2017
16
2)
assess the realistic liPelihood of the occurrence of the risks identified in 6...4 c) .); and 3) determine the levels of risk; e) evaluates the information security risks: 1) .) compare the results of risk analysis with the risk criteria established in 6...4a); and 2) prioritize the analysed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process.
6.1.3 Information security risk treatment The organization shall define and apply an information security risk treatment process to: a) select appropriate information security risk treatment options, taking account of the risk assessment results; b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen; NOTE Organizations can design controls as required, or identify them from any source. c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted; NOTE 1 Annex A contains a
v02 14Oktober2017
17
comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooPed. NOTE 4 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; e) formulate an information security risk treatment plan; and f ) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. The organization shall retain documented information about the information security risk treatment process. NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5]. 6.2 Information security objectives and planning to achieve them
v02 14Oktober2017
6.2 Anti-bribery objectives and planning to achieve them
18
6.2 Quality objectives and planning to achieve them 6.2.1 The organization shall establish quality objectives at relevant functions, levels and processes
6.2 Service management objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The organization shall establish anti-bribery management system objectives at relevant functions and levels. The anti-bribery management system objectives shall:
The information security objectives shall: a) be consistent with the information security policy; b) be measurable (if practicable); c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
a) be consistent with the anti-bribery policy; b) be measurable (if practicable); c) take into account applicable factors referredto in 4.1, the requirements referred to in 4.2 and the bribery risks identified in 4.5; d) be achievable; e) be monitored; f) be communicated in accordance with 7.4; g) be updated as appropriate.
d) be communicated; and e)be updated as appropriate.
The organization shall retain documented information on the anti-bribery management system objectives.
The organization shall retain documented information on the information security objectives.
When planning ho w to achieve it s anti- bribery management system objectives, the organization shall determine: — what will be done; — what resources will be required; — who will be responsible; — when the objectives will be achieved; — how the results will be evaluated and reported; — who will impose sanctions or penalties
When planning how to achieve its information security objectives, the organization shall determine: f ) what will be done; g) what resources will be required; h) who will be responsible; i) when it will be completed; and j) how the results will be evaluated.
needed for the quality management system. The quality objectives shall: a) be consistent with the quality policy; b) be measurable; c) take into account applicable requirements; d) be relevant to conformity of products and services and to enhancement of customer satisfaction; e) be monitored; f) be communicated; g) be updated as appropriate. The organization shall maintain documented information on the quality objectives.
19
6.2.2 Plan to achieve objectives
6.2.2 When planning how to achieve its quality objectives, the organization shall determine: a) what will be done; b) what resources will be required; c) who will be responsible; d) when it will be completed; e) how the results will be evaluated.
6.3 Planning of changes When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4)..
v02 14Oktober2017
6.2.1 Establish objectives
6.3 Plan the service management system
The organization shall consider: a) the purpose of the changes and their potential consequences; b) the integrity of the quality management system; c) the availability of resources; d) the allocation or reallocation of responsibilities and authorities. 7 Support
7 Support
7 Support
7.1 Resources
7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the anti-bribery management system. NOTE
See Clause A.7 for guidance.
7.1 Resources 7.1.1 General The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system. The organization shall consider: a) the capabilities of, and constraints on, existing internal resources; b) what needs to be obtained from external providers. 7.1.2 People The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes. 7.1.3 Infrastructure The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services. NOTE Infrastructure can include: a) buildings and associated utilities; b) equipment, including hardware and software;
v02 14Oktober2017
20
7 Support of the service management system 7.1 Resources
c) transportation resources; d) information and communication technology.
7.1.4 Environment for the operation of processes The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services. NOTE A suitable environment can be a combination of human and physical factors, such as: a) social (e.g. non-discriminatory, calm, nonconfrontational); b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective); c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise). These factors can differ substantially depending on the products and services provided.
7.1.5 Monitoring and measuring resources 7.1.5.1 General The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements. The organization shall ensure that the resources provided: a) are suitable for the specific type of monitoring and measurement activities being undertaken; b) are maintained to ensure their continuing fitness for their purpose. The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources.
v02 14Oktober2017
21
7.1.5.2 Measurement traceability When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be: a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information; b) identified in order to determine their status; c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results. The organization shall determine if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary.
7.1.6 Organizational knowledge The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. This knowledge shall be maintained and be made available to the extent necessary. When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates. NOTE 1 Organizational knowledge is knowledge specific to the organization; it is gained by experience. It is information that is used and shared to achieve the organization’s objectives.
v02 14Oktober2017
22
7.2 Competence
The organization shall: a) determine the necessary competence of person(s) doing worP under its control that affects its information security performance; b) ensure that these persons are competent on the basis of appropriate education, training, or experience; c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and d) retain appropriate documented information as evidence of competence. NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the re- assignment of current employees; or the hiring or contracting of competent persons.
NOTE 2 Organizational knowledge can be based on: a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services); b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers). 7.2 Competence
7.2 Competence 7.2.1 General The organization shall: a) determine the necessary competence of person(s) doing work under its control that affects its antibribery performance; b) ensure that these persons are competent on the basis of appropriate education, training, or experience; c) where applicable, take actions to acquire and maintain the necessary competence, and evaluate the effectiveness of the actions taken; d) retain appropriate documented information as evidence of competence. NOTE Applicable actions can include, for example, the provision of training to, the coaching of, or the reassignment of personnel or business associates; or the hiring or contracting of the same.
7.2.2 Employment process 7.2.2.1 In relation to all of its personnel, the organization shall implement procedures such that: a) conditions of employment require personnel to
v02 14Oktober2017
23
The organization shall: a) determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system; b) ensure that these persons are competent on the basis of appropriate education, training, or experience; c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; d) retain appropriate documented information as evidence of competence. NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.
7.2 Competence
comply with the anti-bribery policy and anti-bribery management system, and give the organization the right to discipline personnel in the event of noncompliance; b) within a reasonable period of their employment commencing, personnel receive a copy of, or are provided with access to, the anti-bribery policy and training in relation to that policy; c) the organization has procedures which enable it to take appropriate disciplinary action against personnel who violate the anti-bribery policy or anti-bribery management system; and d) personnel will not suffer retaliation, discrimination or disciplinary action (e.g. by threats, isolation, demotion, preventing advancement, transfer, dismissal, bullying, victimization, or other forms of harassment) for: 1) refusing to participate in, or for turning down, any activity in respect of which they have reasonably judged there to be a more than low risk of bribery which has not been mitigated by the organization; or 2) concerns raised or reports made in good faith, or on the basis of a reasonable belief, of attempted, actual or suspected bribery or violation of the antibribery policy or the anti-bribery management system (except where the individual participated in the violation).
7.2.2.2 In relation to all positions which are exposed to more than a low bribery risk as determined in the bribery risk assessment (see 4.5), and to the antibribery compliance function the organization shall implement procedures which provide that: a) due diligence (see 8.2) is conducted on persons before they are employed, and on personnel before they are transferred or promoted by the organization, to ascertain as far as is reasonable that it is appropriate to employ or redeploy them and that it is
v02 14Oktober2017
24
reasonable to believe that they will comply with the anti-bribery policy and anti-bribery management system requirements; b) performance bonuses, performance targets and other incentivizing elements of remuneration are reviewed periodically to verify that there are reasonable safeguards in place to prevent them from encouraging bribery; c) such personnel, top management, and the governing body (if any), file a declaration at reasonable intervals proportionate with the identified bribery risk, confirming their compliance with the antibribery policy. NOTE 1 The anti-bribery compliance declaration can stand alone or be a component of a broader compliance declaration process. NOTE 2 See Clause A.8 for guidance.
7.3 Awareness
7.3 Awareness and training
7.3 Awareness
Persons doing worP under the organization's control shall be aware of: a) the information security policy; b) their contribution to t he effectiveness of the information security management system, including the benefits of improved information security performance; and c) the implications of not conforming with the information security management system requirements.
The organization shall provide adequate and appropriate anti-bribery awareness and training to personnel. Such training shall address the following issues, as appropriate, taking into account the results of the bribery risk assessment (see 4.5): a) the organization’s anti-bribery policy, procedures and anti-bribery management system, and their duty to comply; b) the bribery risk and the damage to them and the organization which can result from bribery; c) the circumstances in which bribery can occur in relation to their duties, and ho w to recognize these circumstances; d) how to recognize and respond to solicitations or offers of bribes; e) how they can help prevent and avoid bribery and
The organization shall ensure that persons doing work under the organization’s control are aware of: a) the quality policy; b) relevant quality objectives; c) their contribution to the effectiveness of the quality management system, including the benefits of improved performance; d) the implications of not conforming with the quality management system requirements.
v02 14Oktober2017
25
7.3 Awareness
recognize key bribery risk indicators; f) their contribution to the effectiveness of the antibribery management system, including the benefits of improved anti-bribery performance and of reporting suspected bribery; g) the implications and potential consequences of not conforming with the anti-bribery management system requirements; h) how and to whom they are able to report any concerns (see 8,9); i) information on available training and resources. Personnel shall be provided with anti-bribery awareness and training on a regular basis (at planned intervals determined by the organization), as appropriate to their roles, the risks of bribery to which they are exposed, and any changing circumstances. The awareness and training programmes shall be periodically updated as necessary to reflect relevant new information. Taking into account the bribery risks identified (see 4.5), the organization shall also implement procedures addressing anti-bribery awareness and training for business associates acting on its behalf or for its benefit, and which could pose more than a low bribery risk to the organization. These proced ures shall identify the business associates for which such awareness and training is necessary, its content, and the means by which the training shall be provided. The organization shall retain documented information on the training procedures, the content of the training, and when and to whom it was provided. NOTE 1 The awareness and training requirements for business associates can be communicated through contractual or similar requirements, and be implemented by the organization, the business associate or by other parties appointed for th at
v02 14Oktober2017
26
purpose.
7.4 Communication The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) who shall communicate; and e) the processes by which communication shall be effected.
NOTE 2 See Clause A.9 for guidance. 7.4 Communication
7.4 Communication
7.4.1 The organization shall determine the internal and external communications relevant to the antibribery management system including: a) on what it will communicate; b) when to communicate; c) with whom to communicate; d) how to communicate; e) who will communicate; f) the languages in which to communicate
7.4 Communication
The organization shall determine the internal and external communications relevant to the quality management system, including: a) on what it will communicate; b) when to communicate; c) with whom to communicate; d) how to communicate; e) who communicates.
7.5 Documented information
7.4.2 The anti-bribery policy shall be made available to all the organization’s personnel and business associates, be communicated directly to both personnel and business associates who pose more than a low risk of bribery, and shall be published through the organization’s internal and external communication channels, as appropriate. 7.5 Documented Information
7.5 Documented information
7.5 Documented information
7.5.1 General
7.5.1 General
7.5.1 General
7.5.1 General
The organization's information security management system shall include: a) documented information required by this International Standard; and b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.
The organization’s anti-bribery management system shall include: a) documented information required by this standard; b) documented information determined by the organization as being necessary for the effectiveness of the anti-bribery management system.
The organization’s quality management system shall include: a) documented information required by this International Standard; b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.
NOTE The extent of documented information for an information security management system can differ from one
v02 14Oktober2017
NOTE 1 The extent of documented information for an anti-bribery management system can differ from one organization to another due to: — the size of organization and its type of activities, processes, products and services;
27
NOTE The extent of documented information for a quality management system can differ from one organization to another due to: — the size of organization and its type of activities,
organization to another due to: 1) the size of organization and its type of activities, processes, products and services; 2) the complexity of processes and their interactions; and 3) the competence of persons.
7.5.2 Creating and updating
— the complexity of processes and their interactions; — the competence of personnel. NOTE 2 Documented information can b e retained separately as part of the anti-bribery management system, or can be retained as part of other management systems (e.g. compliance, financial, commercial, audit).
NOTE 3 See Clause A.17 for guidance. 7.5.2 Creating and updating
processes, products and services; — the complexity of processes and their interactions; — the competence of persons.
7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and c) review and approval for suitability and adequacy
When creating and updating documented information the organization shall ensure appropriate: a) identification and description (e.g. a tit le, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); c) review and approval for suitability and adequacy.
When creating and updating documented information, the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); c) review and approval for suitability and adequacy.
7.5.3 Control of documented Information
7.5.3 Control of documented information
7.5.3 Control of documented information
Documented information required by the information security management system and by this International Standard shall be controlled to ensure: a) it is available and suitable for use, where and when it is needed; and b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
Documented information required by the anti-bribery management system and by this standard shall be controlled to ensure: a) it is available and suitable for use, where and when it is needed; b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
7.5.3.1 Documented information required by the quality management system and by this International Standard shall be controlled to ensure: a) it is available and suitable for use, where and when it is needed; b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable: — distribution, access, retrieval and use;
7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable: a) distribution, access, retrieval and use;
For the control of documented information, the organization shall
v02 14Oktober2017
28
7.5.2 Creating and updating documented information
7.5.3 Control of documented information
address the following activities, as applicable: c) distribution, access, retrieval and use; d) storage and preservation, including the preservation of legibility; e) control of changes (e.g. version control); and f ) retention and disposition. Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.
— storage and preservation, including preservation of legibility; — control of changes (e.g. version control); — retention and disposition. Documented information of external origin determined by the organization to be necessary for the planning and operation of the anti-bribery management system shall be identified as appropriate, and controlled.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
b) storage and preservation, including preservation of legibility; c) control of changes (e.g. version control); d) retention and disposition. Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled. Documented information retained as evidence of conformity shall be protected from unintended alterations.
7.5.4 Service management system documented information
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.
7.6 Knowledge 8 Operation
8 Operation
8 Operation
8.1 Operational planning and control
8.1 Operational planning and control
8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.4.
The organization shall plan, implement, review and control the processes needed to meet requirements of the anti-bribery management system, and to implement the actions determined in 6.1, by: a) establishing criteria for the processes; b) implementing control of the processes in accordance with the criteria; c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by: a) determining the requirements for the products and services; b) establishing criteria for: 1) the processes; 2) the acceptance of products and services; c) determining the resources needed to achieve conformity to the product and service requirements;
The organization shall Peep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
v02 14Oktober2017
These processes shall include the specific controls
29
8 Operation of the service management system 8.1 Operational planning and control
referred to in 8.2 to 8.10.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
d) implementing control of the processes in accordance with the criteria; e) determining and keeping documented information to the extent necessary: 1) to have confidence that the processes have been carried out as planned; 2) to demonstrate the conformity of products and services to their requirements.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse eff ects, as necessary. The organization shall ensure that outsourced processes are controlled.
The organization shall ensure that outsourced processes are determined and controlled.
NOTE The core text of ISO management system standards contains a requirement in relation to outsourcing, which is not used in this standard, as outsourcing providers are included within the definition of business associate.
8.2 Information security risk assessment
8.2 Due diligence
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6 .1.2 a). The organization shall retain documented information of the results of the information security risk assessments.
Where the organization's bribery risk assessment, as conducted in 4,5, has assessed a more than low bribery risk in relation to: a) specific categories of transactions, projects or activities, b) planned or on-going relationships with specific categories of business associates, or c) specific categories of personnel in certain positions (see 7.2.2.2), the organization shall assess the nature and extent of the bribery risk in relation to specific transactions, projects, activities, business associates and personnel falling within those categories. This assessment shall include any due diligence necessary to obtain sufficient information to assess the bribery risk. The due diligence shall be u pdated at a defined frequency, so that changes and new information can
v02 14Oktober2017
30
NOTE “Keeping” implies both the maintaining and the retaining of documented information. The output of this planning shall be suitable for the organization’s operations.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are controlled (see 8.4). 8.2 Requirements for products and services
8.2.1 Customer communication Communication with customers shall include: a) providing information relating to products and services; b) handling enquiries, contracts or orders, including changes; c) obtaining customer feedback relating to products and services, including customer complaints; d) handling or controlling customer property; e) establishing specific requirements for contingency actions, when relevant. 8.2.2 Determining the requirements related to products and services When determining the requirements for the products and services to be offered to customers, the
8.2 Service portfolio 8.2.1 Plan the services 8.2.2 Service catalogue management 8.2.3 Asset management 8.2.4 Configuration management 8.2.5 Service Delivery
be properly taken into account. NOTE 1 The organization can conclude that it is unnecessary, unreasonable or disproportionate to undertake due diligence on certain categories of personnel and business associate. NOTE 2 The factors listed in a), b) and c) above are not exhaustive.
organization shall ensure that: a) the requirements for the products and services are defined, including: 1) any applicable statutory and regulatory requirements; 2) those considered necessary by the organization; b) the organization can meet the claims for the products and services it offers.
8.2.3 Review of requirements related to products and services 8.2.3.1 The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include: a) requirements specified by the customer, including the requirements for delivery and postdelivery activities; b) requirements not stated by the customer, but necessary for the specified or intended use, when known; c) requirements specified by the organization; d) statutory and regulatory requirements applicable to the products and services; e) contract or order requirements differing from those previously expressed. The organization shall ensure that con tract or order requirements differing from those previously defined are resolved. The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements.
NOTE 3 See Clause A.10 for guidance.
NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information,
v02 14Oktober2017
31
such as catalogues or advertising material.
8.2.3.2 The organization shall retain documented information, as applicable: a) on the results of the review; b) on any new requirements for the products and services. 8.2.4 Changes to requirements for products and services The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed. 8.3 Design and development of products and services
8.3 Information security risk treatment
8.3 Financials controls
The organization shall implement the information security risk treatment plan.
The organization shall implement financial controls that manage bribery risk.
The organization shall retain documented information of the results of the information securit y risk treatment.
NOTE
See Clause A.11 for guidance.
8.3.1 General The organization shall establish, implement and maintain a design and development process th at is appropriate to ensure the subsequent provision of products and services. 8.3.2 Design and development planning In determining the stages and controls for design and development, the organization shall consider: a) the nature, duration and complexity of the design and development activities; b) the required process stages, including applicable design and development reviews; c) the required design and development verification and validation activities; d) the responsibilities and authorities involved in the design and development process; e) the internal and external resource needs for the design and development of products and services; f) the need to control i nterfaces between persons
v02 14Oktober2017
32
8.3 Relationship and agreement
8.3.1 General 8.3.2 Business relationship management 8.3.3 Service level management 8.3.4 Supplier management
involved in the design and development process; g) the need for involv ement of customers and users in the design and development process; h) the requirements for subsequent provision of products and services; i) the level of control expected for the design and development process by customers and other relevant interested parties; j) the documented information needed to demonstrate that design and development requirements have been met.
8.3.3 Design and development inputs The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider: a) functional and performance requirements; b) information derived from previous similar design and development activities; c) statutory and regulatory requirements; d) standards or codes of practice that the organization has committed to implement; e) potential consequences of failure due to the nature of the products and services. Inputs shall be adequate for design and development purposes, complete and unambiguous. Conflicting design and development inputs shall be resolved. The organization shall retain documented information on design and development inputs. 8.3.4 Design and development controls The organization shall apply controls to the design and development process to ensure that: a) the results to be achieved are defined; b) reviews are conducted to evaluate the ability of the results of design and development to meet
v02 14Oktober2017
33
requirements; c) verification activities are conducted to ensure that the design and development outputs meet the input requirements; d) validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use; e) any necessary actions are taken on problems determined during the reviews, or verification and validation activities; f) documented information of these activities is retained. NOTE Design and development reviews, verification and validation have distinct purposes. They can be conducted separately or in any combination, as is suitable for the products and services of the organization.
8.3.5 Design and development outputs The organization shall ensure that design and development outputs: a) meet the input requirements; b) are adequate for the subsequent processes for th e provision of products and services; c) include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria; d) specify the characteristics of the products and services that are essential for their intended purpo se and their safe and proper provision. The organization shall retain documented information on design and development outputs. 8.3.6 Design and development changes The organization shall identify, review and control changes made during, or subsequent to, the design
v02 14Oktober2017
34
and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements. The organization shall retain documented information on: a) design and development changes; b) the results of reviews; c) the authorization of the changes; d) the actions taken to prevent adverse impacts 8.4 Control of externally provided processes, products and services
8.4 Non-financials controls The organization shall implement non-financial controls that manage bribery risk with respect to such areas as procurement, operational, sales, commercial, human resources, legal and regulatory activities. NOTE 1 Any particular transaction, activity or relationship can be subject to financial as well as nonfinancial controls. NOTE 2 See Clause A.12 for guidance.
8.4.1 General The organization shall ensure that externally provided processes, products and services conform to requirements. The organization shall determine the controls to be applied to externally provided processes, products and services when: a) products and services from external providers are intended for incorporation into the organization’s own products and services; b) products and services are provided directly to the customer(s) by external providers on behalf of the organization; c) a process, or part of a process, is provided by an external provider as a result of a decision by the organization. The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations. 8.4.2 Type and extent of control
v02 14Oktober2017
35
8.4 Supply and demand
8.4.1 Budgeting and accounting for services 8.4.2 Demand management 8.4.3 Capacity management
The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers. The organization shall: a) ensure that externally provided processes remain within the control of its quality management system; b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output; c) take into consideration: 1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements; 2) the effectiveness of the controls applied by the external provider; d) determine the verification, or oth er activities, necessary to ensure that the externally provided processes, products and services meet requirements.
8.4.3 Information for external providers The organization shall ensure the adequacy of requirements prior to their communication to the external provider. The organization shall communicate to external providers its requirements for: a) the processes, products and services to be provided; b) the approval of: 1) products and services; 2) methods, processes and equipment; 3) the release of products and services; c) competence, including any required qualification of persons;
v02 14Oktober2017
36
8.5 Implementation of anti-bribery controls by controlled organizations and by business associates 8.5.1 The organization shall implement procedures which require that all other organizations over which it has control either: a) implement the organization’s anti-bribery management system, or b) implement their own anti-bribery controls, in each case only to the extent that is reasonable and proportionate with regard to the bribery risks faced by the controlled organizations, taking into account the bribery risk assessment conducted in accordance with 4.5. NOTE An organization has control over another organization if it directly or indirectly controls the management of the organization (see A.13.1.3).
v02 14Oktober2017
37
d) the external providers’ interactions with the organization; e) control and monitoring of the external providers’ performance to be applied by the organization; f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises. 8.5 Production and service provision
8.5.1 Control of production and service provision The organization shall implement production and service provision under controlled conditions. Controlled conditions shall include, as applicable: a) the availability of documented information that defines: 1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed; 2) the results to be achieved; b) the availability and use of suitable monitoring and measuring resources; c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met; d) the use of suitable infrastructure and environment for the operation of processes; e) the appointment of competent persons, including any required qualification; f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement; g) the implementation of actions t o prevent human
8.5 Service design, build and transition 8.5.1 Change management 8.5.2 Service design and transition 8.5.3 Release and deployment management
error; h) the implementation of release, delivery and postdelivery activities.
8.5.2 Identification and traceability The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services. The organization shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision. The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability. 8.5.3 Property belonging to customers or external providers The organization shall exercise care with property belonging to customers or external providers while it is under the organization’s control or being used by the organization. The organization shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products and services. When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred. NOTE A customer’s or external provider’s property can include material, components, tools and equipment, premises, intellectual property and personal data..
v02 14Oktober2017
38
8.5.4 Preservation The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements. NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection. 8.5.5 Post-delivery activities The organization shall meet requirements for postdelivery activities associated with the products and services. In determining the extent of post-delivery activities that are required, the organization shall consider: a) statutory and regulatory requirements; b) the potential undesired consequences associated with its products and services; c) the nature, use and intended lifetime of its products and services; d) customer requirements; e) customer feedback. NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.
v02 14Oktober2017
8.6 Anti-bribery commitments
8.5.6 Control of changes The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements. The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review. 8.6 Release of products and services
8.6 Resolution and fulfilment
For business associates which pose more than a low
The organization shall implement planned
8.6.1 Incident management
39
bribery risk, the organization shall implement procedures which require that, as far as practicable: a) business associates commit to preventing bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship; b) the organization is able to terminate the relationship with the business associate in the event of bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship. Where it is not practicable to meet the requirements of a) or b) above, this shall be a factor taken into account in evaluating the bribery risk of the relationship with this business associate (see 4.5 and 8.2) and the way in which the organization manages such risks (see 8.3, 8.4 and 8.5). NOTE See Clause A.14 for guidance. 8.7 Gifts, hospitality, donations and similar benefits The organization shall implement procedures that are designed to prevent the offering, provision or acceptance of gifts, hospitality, donations and similar benefits where the offering, provision or acceptance is, or could reasonably be perceived as, bribery. NOTE
See Clause A.15 for guidance
arrangements, at appropriate stages, to verify that the product and service requirements have been met. The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer. The organization shall retain documented information on the release of produ cts and services. The documented information shall include: a) evidence of conformity with the acceptance criteria; b) traceability to the person(s) authorizing the release.
8.6.2 Service request management 8.6.3 Problem management
8.7 Control of nonconforming outputs
8.7 Service assurance
8.7.1 The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery. The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.
8.7.1 Service availability management
The organization shall deal with nonconforming outputs in one or more of the following ways: a) correction; b) segregation, containment, return or suspension of provision of products and services;
v02 14Oktober2017
40
8.7.2 Service continuity management 8.7.3 Information security management
c) informing the customer; d) obtaining authorization for acceptance under concession. Conformity to the requirements shall be verified when nonconforming outputs are corrected.
8.7.2 The organization shall retain documented information that: a) describes the nonconformity; b) describes the actions taken; c) describes any concessions obtained; d) identifies the authority deciding the action in respect of the nonconformity. 8.8 Managing inadequacy of anti-bribery controls Where the due diligence (see 8.2) conducted on a specific transaction, project, activity or relationship with a business associate establishes that the bribery risks cannot be managed by existing anti-bribery controls, and the organization cannot or does not wish to implement additional or enhanced anti-bribery controls or take other appropriate steps (such as changing the nature of the transaction, project, activity or relationship) to enable the organization to manage the relevant bribery risks, the organization shall: a) in the case of an existing transaction, project, activity or relationship, take steps appropriate to the bribery risks and the nature of the transaction, project, activity or relationship to terminate, discontinue, suspend or withdraw from it as soon as practicable; b) in the case of a proposed new transaction, project, activity or relationship, postpone or decline to continue with it. 8.9 Raising concerns The organization shall implement procedures which: a) encourage and enable persons to report in good faith or on the basis of a reasonable belief attempted,
v02 14Oktober2017
41
suspected and actual bribery, or any violation of or weakness in the anti-bribery management system, to the anti-bribery compliance function or to appropriate personnel (either directly or through an appropriate third party); b) except to the extent required to progress an investigation, require that the organization treats reports confidentially, so as to protect the identity of the reporter and of others involved o r referenced in the report; c) allow anonymous reporting; d) prohibit retaliation, and protect those making reports from retaliation, after they have in good faith, or on the basis of a reasonable belief, raised or reported a concern about attempted, actual or suspected bribery or violation of the anti- bribery policy or the anti-bribery management system; e) enable personnel to receive advice from an appropriate person on what to do if faced with a concern or situation which could involve bribery. The organization shall ensure that all personnel are aware of the reporting procedures and are able to use them, and are aware of their rights and protections under the procedures. NOTE 1 These procedures can be the same as, or form part of, those used for the reporting of other issues of concern (e.g. safety, malpractice, wrongdoing or other serious risk). NOTE 2 The organization can use a business associate to manage the reporting system on its behalf. NOTE 3 In some jurisdictions, the requirements in b) and c) above are prohibited by law. In these cases, the organization documents its inability to comply.
v02 14Oktober2017
42
8.10 Investigating and dealing with bribery The organization shall implement procedures that: a) require assessment and, where appropriate, investigation of any bribery, or violation of the antibribery policy or the anti-b ribery management system, which is reported, detected or reasonably suspected; b) require appropriate action in the event that the investigation reveals any bribery, or violation of the anti-bribery policy or the anti-bribery management system; c) empower and enable investigators; d) require co-operation in the investigation by relevant personnel; e) require that the status and results of the investigation are reported to the anti- bribery compliance function and other compliance functions, as appropriate; f) require that the investigation is carried out confidentially and that the outputs of the investigation are confidential. The investigation shall be carried out by, and reported to, personnel who are not part of the role or function being investigated. The organization can appoint a business associate to conduct the investigation and report the results to personnel who are not part of the role or function being investigated. NOTE 1 See Clause A.18 for guidance.
9 Performance evaluation
v02 14Oktober2017
NOTE 2 In some jurisdictions, the requirement in f) above is prohibited by law. In this case, the organization documents its inability to comply. 9 Performance evaluation
9 Performance evaluation
43
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine: a) what needs to be monitored and measured, including information security processes and controls; b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; NOTE : The methods selected should produce comparable and reproducible results to be considered valid. c) when the monitoring and measuring shall be performed; d) who shall monitor and measure; e) when the results from monitoring and measurement shall be analysed and evaluated; and f ) who shall analy se and evaluate these results.
9.1 Monitoring, measurement, analysis and evaluation The organization shall determine: a) what needs to be monitored and measured; b) who is responsible for monitoring; c) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
d) when the monitoring and measuring shall be performed; e) when the results from monitoring and measurement shall be analysed and evaluated; f) to whom and how such information shall be reported. The organization shall retain appropriate documented information as evidence of the methods and results. The organization shall evaluate the anti-bribery performance and the effectiveness and efficiency of the anti-bribery management system. NOTE
9.1 Monitoring, measurement, analysis and evaluation 9.1.1 General The organization shall determine: a) what needs to be monitored and measured; b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results; c) when the monitoring and measuring shall be performed; d) when the results from monitoring and measurement shall be analysed and evaluated. The organization shall evaluate the performance and the effectiveness of the quality management system. The organization shall retain appropriate documented information as evidence of the results. 9.1.2 Customer satisfaction The organization shall monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.
See Clause A.19 for guidance. NOTE Examples of monitoring customer perceptions can include customer surveys, customer feedback on delivered products and services, meetings with customers, market-share analysis, compliments, warranty claims and dealer reports.
The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.
9.1.3 Analysis and evaluation The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement. The results of analysis shall be used to evaluate:
v02 14Oktober2017
44
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: a) conforms to 1) the organization's own requirements for its information security management system; and 2) the requirements of this International Standard; b) is effectively implemented and maintained. The organization shall: c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
9.2 Internal audit 9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the anti-bribery management system: a) conforms to: 1) the organization’s own requirements for it s anti-bribery management system; 2) the requirements of this standard; b) is effectively implemented and maintained. NOTE 1 Guidance on auditing management systems is given in ISO 19011. NOTE 2 The scope and scale of the organization’s internal audit activities can vary depending on a variety of factors, including organization size, structure, maturity and locations.
The audit programme(s) shall take into consideration the importance of the processes concerned and the results of
v02 14Oktober2017
45
a) conformity of products and services; b) the degree of customer satisfaction; c) the performance and effectiveness of the quality management system; d) if planning has been implemented effectively; e) the effectiveness of actions taken to address risks and opportunities; f) the performance of external providers; g) the need for improvements to the quality management system. NOTE Methods to analyse data can in clude statistical techniques. 9.2 Internal audit 9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system: a) conforms to: 1) the organization’s own requirements for its quality management system; 2) the requirements of this International Standard; b) is effectively implemented and maintained.
9.2 Internal audit
previous audits; d) define the audit criteria and scope for each audit; e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; f ) ensure that the results o f the audits are reported to relevant management; and g) retain documented information as evidence of the audit programme(s) and the audit results.
9.2.2 The organization shall: a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; b) define the audit criteria and scope for each audit; c) select competent auditors and conduct audits to ensure objectivity and the impartiality of the audit process; d) ensure that the results of the audits are reported to relevant management, the anti-bribery compliance function, top management and, as appropriate, the governing body (if any); e) retain documented information as evidence of the implementation of the audit programme and the audit results
9.2.2 The organization shall: a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits; b) define the audit criteria and scope for each audit; c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; d) ensure that the results of the audits are reported to relevant management; e) take appropriate correction and corrective actions without undue delay; f) retain documented information as evidence of the implementation of the audit programme and the audit results. NOTE See ISO 19011 for guidance
9.2.3 These audits shall be reasonable, proportionate and risk-based. Such audits shall consist of internal audit processes or other procedures which review procedures, controls and systems for: a) bribery or suspected bribery; b) violation of the anti-bribery policy or anti-bribery management system requirements;
v02 14Oktober2017
46
c) failure of business associates to conform to the applicable anti-bribery requirements of the organization; d) weaknesses in, or opportunities for improvement to, the anti-bribery management system. 9.2.4 To ensure the objectivity and impartiality of these audit programmes, the organization shall ensure that these audits are undertaken by one of the following: a) an independent function or personnel established or appointed for this process; or b) the anti-bribery compliance function (unless the scope of the audit includes an evaluation of the antibribery management system itself, or similar work fo r which the anti-bribery compliance function is responsible); or c) an appropriate person from a department or function other than the one being audited; or d) an appropriate third party; or e) a group comprising any of a) to d). The organization shall ensure that no auditor is auditing his or her own area of work.
9.3 Management review
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: a) the status of actions from previous
v02 14Oktober2017
NOTE See Clause A.16 for guidance. 9.3 Management review
9.3 Management review
9.3.1 Top management review Top management shall review the organization's antibribery management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The top management review shall include consideration of: a) the status of actions from p revious management reviews; b) changes in external and internal issues that are
47
9.3.1 General Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.
9.3 Management review
management reviews; b) changes in external and internal issues that are relevant to the information security management system; c) feedback on the information security performance, including trends in: 1) nonconformities and corrective actions; 3) monitoring and measurement results; 4) audit results; and 5) fulfilment of information security objectives; d) feedback from interested parties; e) results of risk assessment and status of risk treatment plan; and f ) opportunities for continual improvement. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews.
relevant to the anti-bribery management system; c) information on the performance of the antibribery management system, including trends in: 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3) audit results; 4) reports of bribery; 5) investigations; 6) the nature and extent of the bribery risks faced by the organization; d) effectiveness of actions taken to address bribery risks; e) opportunities for continual improvement of the anti-bribery management system, as referred to in 10.2. The outputs of the top management review shall include decisions related to continual improvement opportunities and any need for changes to the antibribery management system. A summary of the results of the top management review shall be reported to the governing body (if any). The organization shall retain documented information as evidence of the results of top management reviews. 9.3.2 Governing body review The governing body (if any) shall undertake periodic reviews of the anti-bribery management system based on information provided by top management and the anti-bribery compliance function and any other information that the governing body requests or obtains.
v02 14Oktober2017
48
9.3.2 Management review inputs The management review shall be planned and carried out taking into consideration: a) the status of actions from p revious management reviews; b) changes in external and in ternal issues that are relevant to the quality management system; c) information on the performance and effectiveness of the quality management system, including trends in:
The organization shall retain summary documented information as evidence of the results of governing body reviews.
1) customer satisfaction and feedback from relevant interested parties; 2) the extent to which q uality objectives have been met; 3) process performance and conformity of products and services; 4) nonconformities and corrective actions; 5) monitoring and measurement results; 6) audit results; 7) the performance of external providers; d) the adequacy of resources; e) the effectiveness of actions taken to address risks and opportunities (see 6.1); f) opportunities for improvement.
9.3.3 Management review outputs The outputs of the management review shall include decisions and actions related to: a) opportunities for improvement; b) any need for changes to the quality management system; c) resource needs. The organization shall retain documented information as evidence of the results of management reviews. 9.4 Review by anti-bribery compliance function
9.4 Service reporting
The anti-bribery compliance function shall assess on a continual basis whether the anti- bribery management system is: a) adequate to manage effectively the bribery risks faced by the organization; b) being effectively implemented. The anti-bribery compliance function shall report at planned intervals, and on an ad hoc basis, as appropriate, to the governing body (if any) and top management, or to a suitable committee of the governing body or top management, on the adequacy
v02 14Oktober2017
49
and implementation of the anti-bribery management system, including the results of investigations and audits. NOTE 1 The frequency of such reports depends on the organization's requirements, but is recommended to be at least annually. NOTE 2 The organization can use a business associate to assist in the review, as l ong as the business associate’s observations are appropriately communicated to the anti-bribery compliance function, top management and, as appropriate, the governing body (if any).
10 Improvement
10 Improvement
10 Improvement
10 Improvement
10.1 Nonconformity and corrective action
10.1 Nonconformity and corrective action
10.1 General The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.
10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall: a) react to the nonconformity, and as applicable: 1) take action to control and correct it; and 2) deal with the consequences; b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: 1) reviewing the nonconformity;
v02 14Oktober2017
When a nonconformity occurs, the organization shall: a) react promptly to the nonconformity, and as applicable: 1) take action to control and correct it; 2) deal with the consequences; b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by: 1) reviewing the nonconformity; 2) determining the causes of the nonconformity; 3) determining if similar nonconformities exist, or could potentially occur; c) implement any action needed; d) review the effectiveness of any corrective action
50
These shall include: a) improving products and services to meet requirements as well as to address future needs and expectations; b) correcting, preventing or reducing undesired effects; c) improving the performance and effectiveness of the quality management system. NOTE Examples of improvement can include correction, corrective action, continual improvement,
2)
determining the causes of the nonconformity; and 3) determining if similar nonconformities exist, or could potentially occur; c) implement any action needed; d) review the effectiveness of any corrective action taken; and e) maPe changes to the information security management system, if necessary.
taken; e) make changes to the anti-bribery management system, if necessary.
breakthrough change, innovation and reorganization.
Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of: f ) the nature of the nonconformities and any subsequent actions taken, and g) the results of any corrective action.
NOTE
10.2 Continual improvement
10.2 Continual improvement
10.2 Nonconformity and corrective action
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.
The organization shall continually improve the suitability, adequacy and effectiveness of the antibribery management system.
10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall: a) react to the nonconformity and, as applicable: 1) take action to control and correct it; 2) deal with the consequences; b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by: 1) reviewing and analysing the nonconformity; 2) determining the causes of the nonconformity; 3) determining if similar nonconformities exist, or could potentially occur; c) implement any action needed; d) review the effectiveness of any corrective action
Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of: — the nature of the nonconformities and any subsequent actions taken; — the results of any corrective action. See Clause A.20 for guidance.
NOTE See Clause A.20 for guidance.
v02 14Oktober2017
51
10.2 Continual improvement