
Annex 4 – Requirements on Information Security

[Tender Guidance: The tenderer shall not complete this Annex 4 in connection with submission of the tender.

This Annex 4 is to be considered a Mandatory Requirement in its entirety. Thus the tenderer may not modify the content of the Annex.

As stipulated in the Instructions to Tenderers, the Mandatory Requirements are fundamental requirements, which shall all unconditionally be complied with.

This tender guidance will be removed by the contracting authority in connection with the conclusion of the Contract.]

June 1, 2017

J.nr. 2017-3280


Table of Content

Annex 4 – Requirements on Information Security ..... 1
1. Introduction ..... 4
2. Requirements ..... 4
2.1. Customer’s Requirements for Safety ..... 4
2.1.1. Risk-based management system for information security management ..... 4
2.1.2. Supplier ISMS ..... 5
2.1.3. Information Security Policies ..... 5
2.1.3.1. Guidelines for the Management of Information Security ..... 5
2.1.4. Organizing Information Security ..... 6
2.1.4.1. Internal organization ..... 6
2.1.4.2. Segregation of duties ..... 6
2.1.4.3 Contact with Authorities ..... 7
2.1.4.4. Contact with special interest groups ..... 7
2.1.4.5. Mobile Equipment and teleworking ..... 7
2.1.5. Personnel Safety ..... 8
2.1.5.1. Before joining ..... 8
2.1.5.2. During employment ..... 9
2.1.5.3. Termination of employment or change ..... 10
2.1.6. Management of Assets ..... 10
2.1.6.1. Responsibility for Assets ..... 10
2.1.7. Access Control ..... 11
2.1.7.1. Commercial Requirements for access ..... 11
2.1.7.2. Administration of user access ..... 14
2.1.7.3. User Responsibilities ..... 19
2.1.7.4. Control of system and application access ..... 19
2.1.8. Cryptography ..... 21
2.1.8.1. Cryptographic controls ..... 21
2.1.9. Physical Insurance and Environmental Protection ..... 22
2.1.9.1. Secure areas ..... 22
2.1.9.2. Physical security perimeter ..... 22
2.1.9.3. Physical entry controls ..... 22
2.1.9.4. Securing offices, rooms and facilities ..... 22
2.1.9.5. Protection against external and environmental threats ..... 23
2.1.9.6. Working in secure areas ..... 23
2.1.10. Equipment ..... 23
2.1.10.1. Equipment siting and protection ..... 23
2.1.10.2. Supporting utilities ..... 23
2.1.10.3. Cabling security ..... 23
2.1.10.4. Equipment maintenance ..... 23
2.1.10.5. Secure disposal or reuse of equipment ..... 23
2.1.11. Operation Security ..... 24
2.1.11.1. Operating procedures and responsibilities ..... 24
2.1.11.2. Malware Protection ..... 24
2.1.11.3. Backup ..... 25
2.1.11.4. Logging and Monitoring ..... 26
2.1.11.4.1. Protection of log information ..... 26
2.1.11.4.2. Administrator and operator logs ..... 27
2.1.11.4.3. Clock synchronization ..... 27
2.1.11.5. Control of operating software ..... 28
2.1.11.6. Vulnerability Management ..... 28
2.1.11.7. Considerations in connection with the audit of information systems ..... 28
2.1.12. Communication Security ..... 29
2.1.12.1. Managing Network Security ..... 29
2.1.12.2. Information Transfer ..... 30
2.1.13. Acquisition, development and maintenance of systems ..... 31
2.1.13.1. Safety of the information ..... 31
2.1.13.2. Security in development and support processes ..... 32
2.1.13.3. Test Data ..... 32
2.1.14. Supplier Relationship ..... 33
2.1.14.1. Management of Supplier services ..... 33
2.1.14.2. Addressing security within supplier agreements ..... 33
2.1.14.3. Information and communication technology supply chain ..... 33
2.1.15. Managing Information Security Breaches ..... 33
2.1.15.1. Responsibilities and procedures ..... 33
2.1.15.2. Reporting information security event ..... 34
2.1.15.3. Reporting information security weakness ..... 34
2.1.16. Information Security Aspects of Business Continuity Management ..... 35
2.1.16.1. Redundancies ..... 36
2.1.17. Compliance ..... 36
2.1.17.1. Compliance with legal and contractual requirements ..... 37
2.1.17.2. Appropriate technical and organizational measures ..... 38

1. Introduction

This Annex 4 specifies the Customer’s requirements on information security.

Security-related terms used in the following are based on the vocabulary used in the ISO 27000 standard. The security requirements are generally based on ISO/IEC 27001:2013 and ISO/IEC 27002:2014. In addition, this Annex 4 also includes security requirements based on the controls and implementation guidance provided in ISO/IEC 27017:2015 and ISO/IEC 27018:2014.

The Customer notes that all requirements in this Annex 4 are considered to be met in the event that the Supplier and sub-suppliers have obtained ISO/IEC 27001:2013, ISO/IEC 27002:2014, ISO/IEC 27017:2015 and ISO/IEC 27018:2014 certificates.

2. Requirements

2.1. Customer’s Requirements for Safety

The following security requirements are based on ISO/IEC 27001:2013, ISO/IEC 27002:2014, ISO/IEC 27017:2015 and ISO/IEC 27018:2014, including the CIS Critical Security Controls for Effective Cyber Defense, version 6, of 15 October 2015 (”CSC”).

2.1.1. Risk-based management system for information security management

The Supplier shall, in order to continuously ensure the safety requirements related to the provision of ongoing Cloud Services, related support services and consultancy services, maintain a management system for information security management (ISMS) based on the current version of ISO/IEC 27001:2013 or an equivalent (national or international) standard on risk management processes recognized by accredited bodies (see below), and in accordance with the specific requirements regarding the Supplier's ISMS set forth in this section 2.1.1. The Supplier and sub-suppliers shall also continuously adapt the ISMS if the Supplier updates its risk assessment as required, and if the requirements below require such an update.


The Supplier’s risk management of information security in respect of the Supplier's fulfilment of the Contract shall be based on a documented and regularly updated risk assessment. In relation to the risk assessment, the following applies:

- The risk assessment shall include the Cloud Services, related support services and consultancy services and the parts of the Supplier's business which may have implications for the information security system,

- The Supplier shall update its risk assessment as a minimum once (1) annually, and in connection with impending changes to the Supplier's own organization, impending changes to any sub-supplier relationship or impending changes to the information security system which may have implications for the information security,

- The Supplier shall update its risk assessment, when ordered by the Customer, to include a specific threat in the risk assessment, including but not limited to threats identified by the Customer in connection with updates of the Customer's own risk assessment. Such mandatory updates of the Supplier's risk assessment shall be carried out by the Supplier within a reasonable period of time, which shall be determined taking into account the character and nature of the threat,

- The Supplier shall ensure that the Customer at all times has in his possession the Supplier’s most recent risk assessment.

2.1.2. Supplier ISMS

The Supplier shall ensure that its ISMS as a minimum complies with the specific requirements stated in sections 2.1.3 – 2.1.16, which are based on ISO/IEC 27001:2013, Annex A, ISO/IEC 27002:2014 and the SANS CIS Critical Security Controls (version 6.1). The specific requirements shall be fulfilled regardless of the implications for the Supplier's compliance with section 2.1.1.

2.1.3. Information Security Policies

2.1.3.1. Guidelines for the Management of Information Security

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 5.


The Supplier shall apply the general information security requirements stated in the information security policy approved by the Supplier’s top management and followed by the Supplier's own organization, in any sub-supplier relationship and/or in respect of impending changes to the management system, which may have implications for the management of information security.

This requirement is based on ISO/IEC 27017:2015 and ISO/IEC 27018:2014:

The Supplier shall augment its information security policy to address the Supplier’s provision and the Customer’s use of the Cloud Services, related support services and consultancy services, taking the following into account:

- the baseline information security requirements applicable to the design and implementation of the Cloud Services, related support services and consultancy services;

- risks from authorized insiders;

- multi-tenancy and cloud service Customer isolation (including virtualization);

- access to cloud service Customer assets by staff of the Supplier;

- access control procedures, e.g. strong authentication for administrative access to the Cloud Services, related support services and consultancy services;

- communication to cloud service Customers during change management;

- virtualization security;

- access to and protection of cloud service Customer’s Data;

- lifecycle management of cloud service Customer’s accounts;

- communication of breaches and information sharing guidelines to aid investigations and forensics.

2.1.4. Organizing Information Security

This section is based on ISO/IEC 27001:2013, Annex A, clause 6 on the organization of information security and ISO/IEC 27017:2015, clause 6 on the same matter:

2.1.4.1. Internal organization

This requirement is based on ISO/IEC 27002, clause 6.1:

The Supplier shall be accountable for the information security related to the Cloud Services, related support services and consultancy services provided under the Contract. The Supplier shall agree and document an appropriate allocation of information security roles and responsibilities with the Supplier’s organization, its Cloud Services, related support services and consultancy services, and its suppliers.

The security implementation and provisioning shall be made according to the roles and responsibilities determined within the Supplier’s organization.

The ownership of all assets, and the party responsible for operations associated with these assets, such as backup and recovery operations, shall be defined and documented by the Supplier.

The Supplier shall provide information to the Customer regarding the circumstances, under which it uses cryptography to protect the information it processes.

For the encryption of data at rest and data in transit, the Customer uses industry standard cryptographic algorithms. The Supplier shall support these algorithms.

The Supplier shall specify responsibilities, in particular:

a) identify and define information assets and information security processes,

b) document the entity responsible for each information asset or information security process and document the information, see section 2.1.6 below,

c) identify and document the coordination and overview of information safety aspects related to sub-supplier relationships.

2.1.4.2. Segregation of duties

This requirement is based on ISO/IEC 27001:2013, Annex A, control 6.1.2:

The Supplier shall ensure that conflicting functions and responsibilities are separated to reduce the possibility for unauthorized or accidental use, modification or abuse of the information assets relevant to the fulfilment of the Contract.

This requirement is based on ISO/IEC 27002:2014, control 6.1.2:


The Supplier shall ensure that no person can access, modify or use the information assets relevant to the fulfilment of the Contract without authorization and without such access, modification or use being detected.

The Supplier shall ensure that the initiation of an action (access, modification or use) is separated from the approval of such action.

2.1.4.3 Contact with Authorities

This requirement is based on ISO/IEC 27001:2013, Annex A, control 6.1.3:

The Supplier shall ensure the maintenance of appropriate contact with the relevant authorities in order to fulfil the Contract.

This requirement is based on ISO/IEC 27002:2013, control 6.1.3:

The Supplier shall establish procedures which specify when and by whom authorities (e.g. the police, the inspectorates, the supervisory authorities) shall be contacted, and how identified information security breaches are to be reported in a timely manner.

2.1.4.4. Contact with special interest groups

This requirement is based on ISO 27001:2013, Annex A, control 6.1.4:

The Supplier shall ensure the maintenance of appropriate contact with special interest groups and other professional security forums and professional organizations associated with the fulfilment of the Contract.

2.1.4.5. Mobile Equipment and teleworking

This requirement is based on ISO/IEC 27001:2013, Annex A, control 6.2.1:

The Supplier shall apply a policy and supporting safeguards to control the risks arising from the use of mobile equipment in connection with the fulfilment of the Contract.

The Supplier shall ensure that business information is not compromised when the Supplier uses mobile equipment in connection with the fulfilment of the Contract.

The Supplier shall take into account the risks of working with mobile equipment in unprotected environments.


This requirement is based on ISO/IEC 27002:2014, clause 6.2:

The Supplier shall ensure the safeguarding of business information, when mobile equipment is used in connection with the fulfilment of the Contract.

The policy concerning such mobile equipment shall as a minimum include:

a) registration of the mobile equipment,
b) physical protection requirements,
c) limitation of the software installations,
d) requirements for the software versions in mobile equipment and the use of patches,
e) limitation of connections to information services,
f) access control,
g) cryptography,
h) malware protection,
i) deactivation, deletion or blocking,
j) backup,
k) use of web services and web apps.

The Supplier shall apply a policy and the supporting security measures in order to protect information that is accessed, processed or stored in connection with teleworking under the Contract.

The Supplier shall ensure the following security requirements as a minimum:

a) requirements to the communications security, taking into account the need for remote access to the organization's internal systems, the sensitivity of the information that is available and transmitted on the communication link and how sensitive the internal system is;

b) access to a virtual desktop, which prevents processing and storage of information on private equipment;

c) assessment of the threat related to unauthorized access to information or resources by other persons using the home, e.g. family and friends;

d) requirements for the use of private networks and requirements or restrictions on the configuration of wireless network services;

e) requirements for malware protection and firewalls;

f) the definition of the tasks, working hours, classification of information that can be accessed, as well as the internal systems and services which the teleworker is authorized to use;

g) the acquisition of adequate communication equipment, including methods for securing remote access;

h) rules and guidance on family and visitor access to equipment and information;

i) support and maintenance of hardware and software.

2.1.5. Personnel Safety

2.1.5.1. Before joining

This requirement is based on ISO/IEC 27001:2013, Annex A, control 7.1.1:

The Supplier shall perform background checks on all the Supplier’s employees and candidates who participate or will be participating in the fulfilment of the Contract, in accordance with all relevant laws, regulations and ethical rules and taking into account the Supplier’s risk assessment, cf. section 2.1.1.

This requirement is based on ISO/IEC 27002:2014, control 7.1.1.

The Supplier’s background checks shall take into account all relevant laws relating to privacy and personal data protection, as well as local employment regulation.

When an employee of the Supplier is assigned to or a candidate is hired for a specific information security role, the Supplier shall ensure that the employee or candidate:

a) possesses the necessary skills to fulfil the security role, and

b) can be entrusted with the security role, especially if the security role is critical to the fulfilment of the Contract.

This requirement is based on ISO27001:2013, Annex A, control 7.1.2:

The Supplier shall ensure that the contracts with the Supplier’s employees and sub-suppliers who participate in the fulfilment of the Contract include a specification of the individual information security requirements and responsibilities to which the employee and/or sub-supplier shall adhere.


2.1.5.2. During employment

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 7.2:

The Supplier shall ensure that all the Supplier's employees and Contractors maintain information security in accordance with the Supplier's established policies and procedures at all times.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 7.2.2:

The Supplier shall ensure that the Supplier's employees and, where appropriate, sub-suppliers are made aware of security through education and training, and are regularly kept up to date with the Supplier's policies and procedures to the extent relevant to their job function and the fulfilment of the Contract.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 7.2.3:

The Supplier shall establish a formal policy and communicate the sanction process, so action can be taken against employees who have committed a breach of the information security.

This requirement is based on ISO/IEC 27002:2014, control 7.2.2 and ISO/IEC 27017:2015 control 7.2.2:

The Supplier shall provide awareness, education and training for employees, and request sub-suppliers to do the same, concerning the appropriate handling of the Customer’s Data. The Data consists of personally identifiable information, is confidential to the Customer, and is subject to specific limitations, including regulatory restrictions, on access and use by the Customer, cf. Annex 3.

Relevant measures shall be in place to make relevant staff aware of the possible consequences (e.g. legal consequences, loss of business and reputational damage) for the Supplier as a Data Processor and its employees of breaching privacy and security rules.

2.1.5.3. Termination of employment or change

This requirement is based on ISO/IEC 27001:2013, Annex A, control 7.3.1:

The Supplier shall ensure that information security responsibilities which remain applicable after the termination or change of employment are defined and communicated to the employee and the sub-suppliers, and sanctioned accordingly.

2.1.6. Management of Assets

2.1.6.1. Responsibility for Assets

This requirement is based on ISO/IEC 27001:2013, Annex A, control 8.1.1:

The Supplier shall identify the information assets used for the fulfilment of the Contract, and establish and maintain an inventory of information assets.

The Supplier shall ensure that the inventory of information assets supports the Supplier’s risk assessment, cf. section 2.1.1.

The Supplier shall explicitly list and maintain the following information in the Supplier’s inventory of information assets:

- Customer’s Data,
- Data derived from the services.

There are cloud service applications that provide functions for managing information by adding cloud service derived data to the Customer’s Data. Identifying such Cloud Services derived data as assets and maintaining them in the inventory of assets can contribute to improving information security.

This requirement is based on SANS CSC 1:

The Supplier shall actively control all hardware devices on the Supplier's infrastructure used in connection with the fulfilment of the Contract, ensuring that only authorized devices can access the Supplier's infrastructure, and that unauthorized, uncontrolled devices are found and prevented from gaining access.

This requirement is based on SANS CSC 1.1:

The Supplier shall deploy an automated asset inventory discovery tool for identifying hardware devices and systems and use this tool to create an inventory of the hardware devices and systems which are connected to the Supplier's public and private networks.

This requirement is based on SANS CSC 1.2:


The Supplier shall dynamically assign addresses using Dynamic Host Configuration Protocol (DHCP). The Supplier shall deploy DHCP server logging, and use this information to improve the inventory of assets and help detect unknown hardware devices and systems.

This requirement is based on SANS CSC 1.4:

The Supplier shall maintain an inventory of all hardware devices and systems connected to the Supplier's network, including the network devices themselves. This inventory shall include at least the network addresses, machine name(s), the purpose of each device, the asset owner responsible for each device, and the department associated with each device.
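As an added illustration of how the DHCP server logging required above (SANS CSC 1.2) can feed the hardware inventory fields required under SANS CSC 1.4 and surface devices that are not on it, the following Python script is example code written for this page; it is not part of Annex 4 and not any Supplier's tooling. It assumes the syslog message format ISC dhcpd uses for DHCPACK lines; the log excerpt, MAC addresses, host names and inventory entries are constructed sample data.

```python
"""Reconcile DHCP server log lines against a hardware asset inventory.

Added example (not part of Annex 4): DHCPACK lines identify which device
(MAC address) was given which network address, so they can both refresh
the address field of known assets and reveal devices missing from the
inventory. Log format follows ISC dhcpd's syslog output (assumption);
all log lines and inventory entries below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Regex for ISC dhcpd DHCPACK lines, e.g.
#   "DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (fileserver-01) via eth0"
# The hostname in parentheses is optional: clients need not send one.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<hostname>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One inventory record carrying the fields SANS CSC 1.4 asks for."""
    mac: str
    name: str
    purpose: str
    owner: str
    department: str
    addresses: set = field(default_factory=set)  # dynamic addresses observed


class Inventory:
    """Hardware inventory keyed by lower-cased MAC address."""

    def __init__(self, assets):
        self.assets = {a.mac.lower(): a for a in assets}

    def lookup(self, mac):
        return self.assets.get(mac.lower())


def parse_dhcp_lease(line):
    """Return (ip, mac, hostname, iface) for a DHCPACK line, else None."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return (m["ip"], m["mac"].lower(), m["hostname"] or "", m["iface"])


def reconcile(log_lines, inventory):
    """Refresh known assets' addresses and collect unknown devices.

    Returns {"known": [(asset name, ip), ...], "unknown": [(mac, ip,
    hostname, iface), ...]}; each unknown MAC is reported once, with the
    first address it obtained, for follow-up by the asset owner process.
    """
    known, unknown, seen_unknown = [], [], set()
    for line in log_lines:
        lease = parse_dhcp_lease(line)
        if lease is None:
            continue  # DISCOVER/OFFER/REQUEST lines carry no confirmed lease
        ip, mac, hostname, iface = lease
        asset = inventory.lookup(mac)
        if asset is None:
            if mac not in seen_unknown:
                seen_unknown.add(mac)
                unknown.append((mac, ip, hostname, iface))
        else:
            asset.addresses.add(ip)
            known.append((asset.name, ip))
    return {"known": known, "unknown": unknown}


# Constructed sample inventory and dhcpd log excerpt (syslog prefix stripped).
SAMPLE_INVENTORY = Inventory([
    Asset("aa:bb:cc:dd:ee:01", "fileserver-01", "file services", "j.hansen", "IT Ops"),
    Asset("aa:bb:cc:dd:ee:02", "mgmt-ws-01", "admin workstation", "m.nielsen", "IT Ops"),
])
SAMPLE_LOG = [
    "DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0",
    "DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (fileserver-01) via eth0",
    "DHCPACK on 10.0.1.24 to AA:BB:CC:DD:EE:02 (mgmt-ws-01) via eth0",
    "DHCPACK on 10.0.1.77 to de:ad:be:ef:00:01 via eth0",
    "DHCPACK on 10.0.1.78 to de:ad:be:ef:00:01 via eth0",
]

if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG, SAMPLE_INVENTORY)
    for mac, ip, host, iface in report["unknown"]:
        print(f"UNKNOWN DEVICE {mac} obtained {ip} ({host or 'no hostname'}) via {iface}")
```

The inventory is keyed by MAC rather than by address precisely because DHCP reassigns addresses; an unknown MAC that keeps obtaining leases (as in the last two sample lines) is the signal the requirement is after, and the script reports it once per run rather than once per lease.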

This requirement is based on ISO/IEC 27001:2013, Annex A, control 8.1.2:

The Supplier shall appoint asset owners for each information asset used in connection with the Contract. The ownership shall be recorded in the inventory of devices, including the hardware devices and systems stated above.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 8.1.3:

The Supplier shall identify, document and apply rules for the acceptable use of information assets used in connection with the fulfilment of the Contract.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 8.1.4:

The Supplier shall ensure that all the Supplier's employees return all information assets in their possession which have been used in connection with the fulfilment of the Contract, when their employment with the Supplier or appointment to the Contract ends.

2.1.7. Access Control

2.1.7.1. Commercial Requirements for access

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 9.1:


The Supplier shall establish, document and apply a policy for access control in connection with the fulfilment of the Contract in accordance with the Supplier’s risk assessment, cf. section 2.1.1, in order to limit the access to information, Data and information processing facilities.

This requirement is based on SANS CSC 5:

The Supplier shall use processes and tools to control (track, prevent and correct) the use, assignment and configuration of administrative privileged rights in connection with the Cloud Services, including computers, networks and applications.

This requirement is based on SANS CSC 16:

The Supplier shall actively manage the life cycle of the system accounts related to the fulfilment of the Contract, including managing their creation, use, temporary deactivation and deletion, in order to minimize the risk of such accounts being exploited by attackers.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 9.1.2:

The Supplier shall ensure that the Supplier’s users only have access to the network and network services they are specifically authorized to use in connection with the fulfilment of the Contract, cf. section 2.1.4.2.

This requirement is based on ISO/IEC 27002:2014, control 9.1.2:

The Supplier shall establish a policy regarding the Supplier’s users’ use of networks and network services in connection with the fulfilment of the Contract. This policy shall include:

a) the networks and network services that can be accessed,

b) authorization procedures which determine who can access the networks and network services,

c) management controls and procedures that protect access to network connections and network services,

d) the methods that can be used to gain access to networks and network services (e.g. use of VPN or wireless networks),

e) requirements regarding user authentication when accessing network services, and

f) monitoring of the use of network services.


The Supplier’s policy on use of networks and network services shall be in accordance with the Supplier’s policy on access control, cf. the second paragraph of this section 2.1.7.1.

This requirement is based on SANS CSC 9.1:

The Supplier shall ensure that only ports, protocols and services with validated business purposes are used on each system in connection with the fulfilment of the Contract.

This requirement is based on SANS CSC 11.6:

The Supplier shall ensure that the Supplier's users use separate workstations for all administrative tasks performed in connection with the fulfilment of the Contract, including tasks that require privileged rights.

Such workstations shall be isolated from the Supplier’s primary network and shall not be allowed internet access, and the Supplier shall ensure that these workstations are not used for common tasks such as e-mail, word processing and internet surfing.

This requirement is based on SANS CSC 12:

The Supplier shall detect, prevent and correct the flow of information transfers between network segments with different trust levels.

This requirement is based on SANS CSC 12.1:

The Supplier shall deny communications with (or restrict data flow to) known malicious IP addresses (black listing), or restrict access only to sites that the Supplier trusts (white listing).

This requirement is based on SANS CSC 12.2:

The Supplier shall, when using a DMZ network, configure monitoring systems to at least record the header content of data packets passing through the network. This traffic information shall be sent to a properly configured Security Information and Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

This requirement is based on SANS CSC 12.6:


The Supplier shall ensure that all remote login access (including VPN, dial-up and similar access types that can allow login to internal systems) requires the use of two-factor authentication.

This requirement is based on SANS CSC 13:

The Supplier shall use processes and tools to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

This requirement is based on SANS CSC 13.7:

The Supplier shall, in the event of an attack, detect the hostile connections, terminate such connections and restore the infected system.

2.1.7.2. Administration of user access

This requirement is based on ISO/IEC 27001:2013, control 9.2.1:

The Supplier shall apply a formal procedure for registration and deregistration of the Supplier’s users in the system, so that access rights are correctly assigned and managed in connection with the fulfilment of the Contract.

This requirement is based on ISO/IEC27002:2014, control 9.2.1:

The Supplier shall ensure that the procedure of the administration of the Supplier’s users contains the following:

a) the requirement to use unique user accounts so that the Supplier’s users can be identified and held accountable for their actions,

b) the requirement that shared accounts are only allowed if necessary for business or operational reasons, and shall be approved and documented,

c) the requirement to immediately block or delete the user accounts of users who have left the Supplier's organization (see below on SANS CSC 16),

d) requirements on the identification and deletion or blocking of redundant user accounts, at least every 6 months,

e) requirements to protect against the allocation of redundant user accounts to the Supplier’s new users.

This requirement is based on ISO/IEC 27017:2015 and ISO/IEC 27018:2014, section 9.2.1:


The Supplier shall provide user registration and de-registration functions to manage access to the Cloud Services, related support services and consultancy services by the Customer’s users, and shall make the specifications for the use of these functions known to the Customer.

Procedures for user registration and de-registration shall address the situation where user access control is compromised, such as the corruption or compromising of passwords or other user registration data (e.g. as a result of inadvertent disclosure).

This requirement is based on SANS CSC 16.2:

The Supplier shall ensure that all user accounts used by the Supplier have an expiration date, which is monitored and enforced.

This requirement is based on ISO/IEC 27002:2014, control 9.2.2:

The Supplier shall apply a formal procedure for granting user access to the Supplier's users, in order to grant or revoke access rights for all user types in relation to all information assets used in connection with the fulfilment of the Contract.

The Supplier shall ensure procedures related to the above, which shall include the following:

a) authorization from the information asset's active owner to use the information asset, cf. section 2.1.6.1 above, or alternatively separate approval of access rights from the Supplier's management, if required,

b) verification of the access level in accordance with the access policies, cf. the SANS CSC 5 requirement above,

c) assurance that access rights cannot be activated, for example by the Supplier of the service, until the right approval procedures are in place,

d) the maintenance of a central registry of access rights assigned to user accounts for information assets,

e) adjusting the access rights of the Supplier users, who have a new function or position, and the immediate suspension or revocation of access rights for the Supplier users who have left the Supplier's organization,

f) review of access rights with the owners of information assets, at least every 6 months.

This requirement is based on ISO/IEC 27017:2015, control 9.2.2:

The Supplier shall provide functions for managing the access rights to the Customer’s users, and specifications for the use of these functions.

The Supplier shall support third-party identity and access management technologies for its Services and the associated administration interfaces. These technologies can enable easier integration and easier user identity administration between the Customer's system and the Supplier, and can ease the use of multiple cloud services, supporting such capabilities as single sign-on.

The Supplier shall use and configure locking of the Supplier's users' user accounts, in order for a user account to be locked after a given number of failed login attempts.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 9.2.3:

The Supplier shall limit and control the allocation and use of privileged access rights in relation to the fulfilment of the Contract.

This requirement is based on ISO/IEC 27002:2014, control 9.2.3:

The Supplier shall control the allocation of privileged access rights to the Supplier's users through a formal approval process in accordance with the appropriate access policy management, cf. section 2.1.7.1 above.

This formal approval process shall include the following:

a) the privileged access rights associated with any active information, as well as the Supplier's users who shall have been granted the privileges, shall be identified,

b) the privileged access rights are granted to the Supplier's users based on a need-to-use basis and from time to time in accordance with the access policy management, cf. above section 2.1.7.1 (i.e. based on the minimum requirements for their functions),

c) maintaining an approval procedure and a record of all the rights granted. No privileged access rights are to be granted prior to the completion of the final approval process,

d) defined requirements for expiry of privileged access rights,

e) privileged access rights assigned to user accounts that are different from those accounts to be used for general corporate purposes,

f) competences of the Supplier users with privileged access rights are reviewed monthly, to verify that they comply with their duties in connection with the fulfilment of the Contract.

This requirement is based on SANS CSC 5.1:

The Supplier shall apply specific audits of the use of accounts with privileged rights, and monitor any abnormal behavior with accounts with privileged rights in connection with the fulfilment of the Contract.

This requirement is based on SANS CSC 5.3:

The Supplier shall ensure that all default passwords on information assets in relation to the Contract are changed prior to the use of any new information assets, so that the quality of the password is equivalent to the level of quality required for passwords of privileged accounts.

This requirement is based on SANS CSC 5.4:

The Supplier shall register in the log system, when a privileged user account is added to or removed from a domain administrators’ group.

This requirement is based on SANS CSC 5.5:

The Supplier shall configure the system to register in the log system every time a log-on to a privileged user account fails.

This requirement is based on SANS CSC 5.6:

The Supplier shall use multi-factor authentication for all privileged user accounts in connection with the fulfilment of the Contract.

This requirement is based on ISO/IEC 27017: 2015, control 9.2.3:

The Supplier shall provide sufficient authentication techniques for authenticating the cloud service administrators of the Customer to the administrative capabilities of the Cloud Services, related support services and consultancy services, according to the identified risks.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 9.2.4 on Managing the secret authentication information about users:

The Supplier shall control the allocation of secret authentication information to the Supplier's users by applying a formal management process.

This requirement is based on ISO/IEC 27002:2014, control 9.2.4:

The Supplier shall ensure that the formal management process includes the following requirements:

a) the Supplier's users shall sign a statement that they will treat personal secret authentication information confidentially and that they will keep common (i.e. shared) secret authentication information within the group,

b) when the Supplier's users maintain their own secret authentication information, they shall initially use temporary secure secret authentication information, which they need to change the first time they use it,

c) procedures are applied in order to verify the user's identity before new, modified or temporary secret authentication information is issued,

d) temporary secret authentication information is provided to the Supplier's users carefully; use of external parties or unprotected (clear text) electronic mail messages shall be avoided,

e) the temporary secret authentication information is unique to a person,

f) the Supplier's users shall acknowledge receipt of secret authentication information,

g) pre-determined secret authentication information from a sub-supplier is changed after the installation of systems or software.

This requirement is based on ISO/IEC 27017:2015, control 9.2.4:

The Supplier shall provide information on procedures for the management of the secret authentication information of the Customer, including the procedure for allocating such information and for user authentication.

The Supplier shall ensure that any communication of authentication information is encrypted.

This requirement is based on ISO/IEC 27002:2014, control 9.2.5:

The Supplier shall ensure that asset owners, in accordance with section 2.1.6.1 above, review access rights in connection with the fulfilment of the Contract, and that such reviews comply with the following:

a) the Supplier's users' access rights are reviewed at least every 6 months and are changed if their position of employment is changed,

b) the Supplier's users' access rights are reviewed and re-allocated when moving from one function to another within the Supplier's organization,

c) authorization for privileged access rights are reviewed monthly,

d) privileged access rights are reviewed at least monthly to ensure that no one has been granted unauthorized privileges,

e) changes in authorizations for privileged access privileges are logged and reviewed monthly.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 9.2.6:

The Supplier shall remove all employees' and external users' access rights to information and information processing facilities in connection with the fulfilment of the Contract when their employment contract or agreement ends, or adjust such rights upon a change.

This requirement is based on SANS CSC 16:

The Supplier shall actively manage the lifecycle of the Supplier's system and application user accounts (their creation, use, dormancy and deletion) in order to prevent any information security breach.

The Supplier's user accounts which have not been used for 3 months shall be disabled, and the Supplier shall register and document any exceptions to this (e.g. vendor maintenance accounts that are needed for system recovery or other ongoing actions).

The Supplier shall disable accounts rather than deleting them, to preserve the audit trail in connection with the fulfilment of the Contract.

The Supplier shall ensure that:

1) a supervisor matches active employees and external users with any account that the supervisor is responsible for,

2) a privileged user shall disable accounts that are not assigned to an employee or external user.
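The account lifecycle rules of section 2.1.7.2 (enforced expiration dates, disabling accounts unused for 3 months unless a documented exception exists, disabling rather than deleting, matching every account to an active employee or external user, and the monthly review of privileged and 6-monthly review of other access rights) can be checked mechanically against an account inventory. The following is an added example written for this Annex, not code from the Annex or any Supplier's tooling; the account names, user ids and dates are constructed, and the 90/30/180-day thresholds are assumed approximations of "3 months", "monthly" and "6 months".

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumed day counts for the Annex wording: "3 months" dormancy,
# "monthly" privileged review, "every 6 months" general review.
DORMANCY_DAYS = 90
PRIVILEGED_REVIEW_DAYS = 30
GENERAL_REVIEW_DAYS = 180


@dataclass
class Account:
    name: str
    owner: Optional[str]             # employee/external user id; None if unassigned
    privileged: bool
    last_login: Optional[date]
    expires: Optional[date]          # every account must carry an expiration date
    last_review: Optional[date]      # last access-rights review by the asset owner
    exception: Optional[str] = None  # documented reason a dormant account is kept
    enabled: bool = True


@dataclass
class ReviewResult:
    to_disable: Dict[str, str] = field(default_factory=dict)  # account -> reason
    review_overdue: List[str] = field(default_factory=list)
    documented_exceptions: List[Tuple[str, str]] = field(default_factory=list)


def review_accounts(accounts: List[Account], active_users: Set[str], today: date) -> ReviewResult:
    """Apply the lifecycle rules to every enabled account and report required actions."""
    result = ReviewResult()
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; record is kept for the audit trail
        # 1) supervisor check: the account must map to an active employee or external user
        if acct.owner is None or acct.owner not in active_users:
            result.to_disable[acct.name] = "not assigned to an active employee or external user"
            continue
        # 2) an expiration date must exist and be enforced
        if acct.expires is None:
            result.to_disable[acct.name] = "no expiration date set"
            continue
        if acct.expires < today:
            result.to_disable[acct.name] = "expiration date passed"
            continue
        # 3) dormancy: unused for more than 3 months, unless a documented exception exists
        dormant = acct.last_login is None or (today - acct.last_login).days > DORMANCY_DAYS
        if dormant:
            if acct.exception:
                result.documented_exceptions.append((acct.name, acct.exception))
            else:
                result.to_disable[acct.name] = "dormant for more than 3 months"
                continue
        # 4) review cadence: monthly for privileged accounts, 6-monthly otherwise
        limit = PRIVILEGED_REVIEW_DAYS if acct.privileged else GENERAL_REVIEW_DAYS
        if acct.last_review is None or (today - acct.last_review).days > limit:
            result.review_overdue.append(acct.name)
    return result


def apply_disables(accounts: List[Account], result: ReviewResult) -> List[str]:
    """Disable flagged accounts in place; never delete them, so the audit trail survives."""
    for acct in accounts:
        if acct.name in result.to_disable:
            acct.enabled = False
    return sorted(a.name for a in accounts if not a.enabled)


# Constructed sample inventory (not from the Annex); review date set to the Annex date.
TODAY = date(2017, 6, 1)
ACTIVE_USERS = {"E100", "E101", "E102", "E104", "E105", "X200"}
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", False, date(2017, 5, 20), date(2017, 12, 31), date(2017, 1, 15)),
    Account("bob-admin", "E101", True, date(2017, 5, 30), date(2017, 9, 30), date(2017, 4, 1)),
    Account("svc-backup", "E102", True, date(2017, 1, 10), date(2017, 12, 31), date(2017, 5, 15),
            exception="vendor maintenance account needed for system recovery"),
    Account("carol", "E103", False, date(2017, 5, 31), date(2017, 12, 31), date(2017, 3, 1)),
    Account("dave", "E104", False, date(2017, 2, 1), date(2018, 1, 1), date(2017, 5, 1)),
    Account("temp-contractor", "X200", False, date(2017, 5, 28), date(2017, 5, 15), date(2017, 5, 1)),
    Account("eve", "E105", False, date(2017, 5, 31), None, date(2017, 5, 1)),
]

if __name__ == "__main__":
    report = review_accounts(SAMPLE_ACCOUNTS, ACTIVE_USERS, TODAY)
    for name, reason in report.to_disable.items():
        print(f"disable {name}: {reason}")
    print("review overdue:", report.review_overdue)
    print("documented exceptions:", report.documented_exceptions)
    print("now disabled:", apply_disables(SAMPLE_ACCOUNTS, report))
```

Running the review a second time after `apply_disables` skips the disabled accounts, which is the behaviour the "disable rather than delete" requirement relies on.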

2.1.7.3. User Responsibilities

This requirement is based on ISO/IEC 27001:2013, Annex A, control 9.3.1:

The Supplier shall ensure that the Supplier's users follow the Supplier's practice for using authentication information in connection with the fulfilment of the Contract.

This requirement is based on ISO/IEC 27002:2014, control 9.3.1:

The Supplier shall, when authentication information is used, ensure that all the Supplier's users:

a) treat secret authentication information confidentially and ensure that it is not disclosed to other parties, including officials,

b) avoid keeping records of secret authentication information (e.g. on paper, in a software file or on hand-held devices) unless it can be stored securely and the storage method is recognized (e.g. a password vault),

c) change the secret authentication information upon any suspicion of compromise,

d) choose strong passwords,

e) avoid sharing secret authentication information with others,

f) ensure appropriate protection of passwords when they are used as secret authentication information for automatic log-on procedures and stored,

g) avoid using the same secret authentication information for private and work purposes.

2.1.7.4. Control of system and application access

This requirement is based on ISO/IEC 27001:2013, Annex A, control 9.4.1:

The Supplier shall restrict access to the system in accordance with the access policy management, cf. section 2.1.7.1 above.

This requirement is based on ISO/IEC 27017:2015 control 9.4.1:

The Supplier shall provide access controls that allow the Customer to restrict access to its Cloud Services, related support services and consultancy services, its functions and the Customer's Data maintained in the respective services.

This requirement is based on ISO/IEC 27018:2014 control 9.4.2:

The Supplier shall provide secure log-on procedures for any accounts requested by the Customer for cloud services under its control, in order to safeguard against unauthorized access to systems and applications.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 9.4.4:

The Supplier shall effectively limit and control the use of system programs in connection with the fulfilment of the Contract, which can bypass the system and application controls.

This requirement is based on ISO/IEC 27002:2014, control 9.4.4:

The Supplier shall ensure that the following guidelines for the use of system programs in connection with the fulfilment of the Contract, which can bypass the system and application controls, are implemented and complied with:

a) use of identification, authentication and authorization procedures for system utilities,

b) segregation of system software from application software,

c) limitation of the use of system applications to a minimum of trusted and authorized users, cf. section 2.1.7.2 above,

d) authorization of ad hoc use of system programs,

e) limited availability of system applications during an unauthorized change,

f) logging of all use of system utilities,

g) defining and documenting the authorizations for system programs,

h) removal or disabling of all unnecessary system applications,

i) avoiding making the system programs available to the Supplier's users who have access to the system where segregation of duties is required.

This requirement is based on ISO/IEC 27017:2015, control 9.4.4:

The Supplier shall identify the requirements for any utility programs used within the Cloud Services, related support services and consultancy services. The Supplier shall ensure that any use of utility programs capable of bypassing normal operating or security procedures is strictly limited to authorized personnel, and that the use of such programs is reviewed and audited regularly.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 9.4.5:

The Supplier shall limit access to the source codes for software used in connection with the fulfilment of this Contract.

This requirement is based on ISO/IEC 27002:2014, control 9.4.5:

The Supplier shall ensure that access to the source code of software used in connection with the fulfilment of the Contract and related documentation (such as designs, specifications, verification plans and validation plans) is controlled to prevent unauthorized functionality, avoid accidental changes, and maintain the confidentiality of valuable intellectual property. The Supplier shall also store the source code centrally under controlled circumstances.

Further to controlling access to the source code, the Supplier shall ensure that:

a) the source code and the libraries are controlled in accordance with established procedures,

b) support staff only have work-related access to the source code,

c) updating of the program libraries and the related documentation, and any disclosure of the source code to programmers, only takes place after permission has been granted,

d) an audit log is maintained of all changes to program libraries and source code,

e) maintenance and copying of source code and libraries are subject to procedures of change management, cf. below.

This requirement is based on ISO/IEC 27017:2015, CLD 9.5.1:

The Supplier shall keep the Customer's virtual environment running on a cloud service protected from other cloud service customers and unauthorized persons and shall enforce appropriate logical segregation of the Customer's Data, virtualized applications, operating systems, storage, and network for:

- the separation of resources used by the Customer in multi-tenant environments;

- the separation of the Supplier’s internal administration from resources used by the Customer.

Where the Customer involves multi-tenancy, the Supplier shall apply information security controls to ensure appropriate isolation of resources used by different tenants.

This requirement is based on SANS CSC 18:

The Supplier shall manage the security lifecycle for all in-house developed and acquired software used for the fulfilment of this Contract, in order to prevent, detect and correct security vulnerabilities.

2.1.8. Cryptography

2.1.8.1. Cryptographic controls

The Supplier shall establish and implement a policy on the use of cryptography to protect information in connection with the fulfilment of the Contract.

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 10:

The Supplier shall ensure that:

- the policy on the use of cryptography supports the risk assessment as required,

- the policy on the use of cryptography supports the requirements in accordance with the section on information transfer,

- cryptographic algorithms, key lengths and uses are selected pursuant to Best Practice,

- encryption keys are protected against modification and loss,

- secret and private cryptographic keys are protected from unauthorized use and disclosure,

- the equipment that is used to generate, store and archive encryption keys is physically protected.

This requirement is based on ISO/IEC 27017:2015 and ISO/IEC 27018: 2014, control 10.1.1:

The Supplier shall provide information to the Customer regarding the circumstances in which it uses cryptography to protect the information which the Supplier processes.

For the purpose of encryption of Data in transit, the Supplier shall use cryptographic algorithms and key lengths that are industry standard and in accordance with Best Practice.

This requirement is based on SANS CSC 13:

The Supplier shall use processes and tools in connection with the fulfilment of the Contract which prevent the risk and minimize the consequences of extraction of the Data, and which ensure the confidentiality and integrity of sensitive information.

2.1.9. Physical Insurance and Environmental Protection

2.1.9.1. Secure areas

This requirement is based on ISO/IEC 27001:2013, Annex A, control 11.1.1:

The Supplier shall define and apply perimeter security to protect physical areas containing either sensitive or critical information and information processing facilities used in connection with the fulfilment of the Contract.

2.1.9.2. Physical security perimeter

This requirement is based on ISO/IEC 27002:2014, control 11.1.1:

The Supplier shall ensure that the equipment used in connection with the fulfilment of the Contract is located and protected in a manner that reduces the risk of environmental threats and hazards and the possibility of unauthorized access.

Location and protective equipment shall reflect the current risk assessment as required.

2.1.9.3. Physical entry controls

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 11.1.2:

The Supplier shall safeguard the areas relating to the fulfilment of the Contract with appropriate access control, so that only authorized personnel are allowed access to the physical areas.

2.1.9.4. Securing offices, rooms and facilities

This requirement is based on ISO/IEC 27001:2013, Annex A, control 11.1.3:

The Supplier shall organize and set up physical security of offices, rooms and facilities used in connection with the fulfilment of the Contract.

2.1.9.5. Protection against external and environmental threats

This requirement is based on ISO/IEC 27001:2013, Annex A, control 11.1.4:

The Supplier shall organize and set up the physical protection of facilities used for the fulfilment of the Contract against natural disasters, malicious attacks or accidents.

2.1.9.6. Working in secure areas

This requirement is based on ISO/IEC 27001:2013, Annex A, control 11.1.5:

The Supplier shall organize and set up procedures for the work in secure physical areas in relation to the fulfilment of the Contract.

2.1.10. Equipment

2.1.10.1. Equipment siting and protection

The control and safeguarding of the equipment siting and protection shall reflect the updated and recent risk assessment.

2.1.10.2. Supporting utilities

This requirement is based on ISO/IEC 27001:2013, Annex A, control 11.2.:

The Supplier shall ensure that the equipment used in connection with the fulfilment of the Contract is protected against power failures and other disruptions caused by failures of supporting utilities.

2.1.10.3. Cabling security

This requirement is based on ISO/IEC 27001:2013, Annex A, control 11.2.3:

The Supplier shall ensure that the cables for electricity and telecommunications carrying Data or supporting information services used in connection with the fulfilment of the Contract are protected against tampering, interference and damage.

2.1.10.4. Equipment maintenance

This requirement is based on ISO/IEC 27001:2013, Annex A, control 11.2.4:

The Supplier shall ensure that the equipment used in connection with the fulfilment of the Contract is properly maintained to ensure the equipment's continued availability and integrity.

2.1.10.5. Secure disposal or reuse of equipment

This requirement is based on ISO/IEC 27002:2014, clause 11.2.7:

The Supplier shall ensure that arrangements are made for the secure disposal or reuse of resources (e.g. equipment, data storage, files, memory) in a timely manner. Equipment containing storage that may possibly contain personally identifiable information shall be treated as though it does.

2.1.11. Operation Security

2.1.11.1. Operating procedures and responsibilities

This requirement is based on ISO/IEC 27001:2013, Annex A, control 12.1.1:

The Supplier shall apply operating procedures used in connection with the fulfilment of the Contract, and make these operational procedures available to all the Supplier's relevant users.

The Supplier shall, in relation to the above, establish documented procedures for operating activities associated with information processing and communication equipment, such as but not limited to procedures for start-up and shutdown of information assets, including computers, backup, equipment maintenance, media handling, computer room and mail handling and safety.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 12.1.2:

The Supplier shall manage changes to the Supplier's organization, business processes, information processing facilities and systems that may affect information security in connection with the fulfilment of the Contract. The following information shall be attached:

- categories of changes,

- planned date and time of the changes,

- technical description of the changes to the Cloud Services, related support services and consultancy services and underlying systems,

- notifications of the start and the completion of the changes.

This requirement is based on ISO/IEC 27017:2015, control 12.1.2:

The Supplier shall provide the Customer with information regarding changes to the cloud services that could adversely affect the Cloud Services, related support services and consultancy services.

This requirement is based on ISO/IEC 27017:2015, control 12.1.3:

The Supplier shall monitor the total resource capacity to prevent information security incidents caused by resources shortages.

2.1.11.2. Malware Protection

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 12.2:

The Supplier shall base the protection against malware on malware detection and repair software, information security awareness and appropriate controls for system access and change management.

The Supplier shall include the following:

a) establish a formal policy that prevents the use of unauthorized software,

b) apply controls that prevent or track the use of unauthorized software (e.g. whitelisting applications),

c) apply controls that prevent or track the use of malicious or suspicious websites (e.g. blacklisting),

d) establish a formal policy to protect against the risks associated with receiving files and software either from or via external networks or other media indicating the same,

e) apply procedures to collect information on a regular basis, such as subscribing to mailing lists or verification of websites that provide information about new malware,

f) apply procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative. The Supplier shall ensure that qualified sources, for example reputable journals, reliable internet sites or sub-suppliers of software to protect against malware, are used to differentiate between hoaxes and real malware; all the Supplier's users shall be made aware of the problem of hoaxes and know what to do when they receive them.

This requirement is based on SANS CSC 8:

The Supplier shall control the installation, distribution and execution of malicious code from multiple points in the organization, as well as optimize the use of automatic functions to enable rapid updating of protection tools, data collection and implementation of corrective actions.

The Supplier shall employ automated tools to continuously monitor workstations, servers and mobile devices using anti-virus, anti-spyware, personal firewall and host-based IPS functionality. It shall be reported immediately to the Customer when malware is found.

The Supplier shall also ensure that detections of malware are reported to the Supplier's anti-malware management tools and event log servers, and that the detections are reported to the Customer as part of the monthly report.

The Supplier shall use anti-malware software with a centralized infrastructure.

2.1.11.3. Backup

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 12.3:

The Supplier shall, as an integrated part of the Cloud Services, related support services and consultancy services, deliver backup in accordance with the Contract.

This requirement is based on ISO/IEC 27017:2015, control 12.3.1:

The Supplier shall provide the specifications of its backup capabilities to the Customer. The specifications shall include the following information, as appropriate:

- backup methods and data formats, including encryption, if relevant;

- procedures and timescales involved in restoring data from backup;

- procedures to test the backup capabilities;

- storage location of backups in accordance with the Contract clause 3.2.

The Supplier shall provide secure and segregated access to backups, such as virtual snapshots, if such service is offered to cloud service Customers.

The Supplier shall explicitly provide backup and restore Cloud Services, related support services and consultancy services to the Customer. The Supplier shall provide clear information to the Customer about the capabilities of the Cloud Services, related support services and consultancy services with respect to backup and restoration of services relevant to the Customer.

Supplier procedures shall be established to allow for restoration of data processing operations within a specified, documented period after a disruptive event.

2.1.11.4. Logging and Monitoring

2.1.11.4.1. Protection of log information

This requirement is based on ISO/IEC 27018:2014, clause 12.4:

The Supplier shall ensure that event logging, recording user activities, exceptions, errors and information security events, is carried out, stored and regularly reviewed according to the then-current risk assessment.

Log information recorded for purposes such as security monitoring and operational diagnostics may contain personally identifiable information. Measures, such as controlling access, shall be established to ensure that logged information is only used for its intended purposes.

A procedure, preferably automatic, shall be established to ensure that the Supplier's logged information is deleted within a specified and documented period (6 months).

This requirement is based on ISO/IEC 27002:2014, control 12.4.1:

The Supplier shall ensure that the event log includes:

a) user IDs,

b) users' activities,

c) the dates, times and information on the important events, for example log-on and log-off,

d) records of successful and rejected access attempts to the system,

e) changes to the system configuration,

f) use of privileged rights,

g) network addresses and protocols,

h) alarms triggered by the access control system,

i) activation and deactivation of protection systems such as antivirus systems and IDS systems,

j) records of transactions undertaken by users in applications.

This requirement is based on section 19, paragraph 1, of the Executive Order on Data Safety, cf. Clause 3.2 of the Contract:

The Supplier shall log all usage of Data. These logs shall contain at least information on the time, the user ID, the type of use, the name of the person, the information used, or the search criteria used.

The Supplier shall provide capabilities that enable the Customer to monitor specified aspects relevant to the Customer, for example to monitor and detect whether the Cloud Service, the related support services and the consultancy services are being used as a platform to attack others, or whether sensitive data is being leaked from the services.

Appropriate access controls shall secure the use of the monitoring capabilities. The capabilities shall provide access only to information about the Customer's own Cloud Service instances. The documentation and the scope of the service monitoring capabilities shall be documented to the Customer.

2.1.11.4.2. Administrator and operator logs

This requirement is based on ISO/IEC 27001:2013, Annex A, control 12.4.3:

The Supplier shall review privileged users' logs on a weekly basis in order to minimize any related risk. The Supplier shall ensure that track-logs are kept for the mentioned users.

2.1.11.4.3. Clock synchronization

This requirement is based on ISO/IEC 27002:2014, control 12.4.4:

The Supplier shall provide information to the Customer regarding the clock used by the Supplier's systems and information about how the Customer can synchronize local clocks with the cloud service clock. Without this synchronization, it can be difficult to reconcile events on the Supplier's systems with events on the Customer's systems.

2.1.11.5. Control of operating software

This requirement is based on SANS CSC 2:

The Supplier shall actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can be executed, and so that unauthorized and unmanaged software is detected and prevented from being installed and dismantled.

The Supplier shall establish, apply and maintain a list (whitelisting) of approved software and approved versions for all information assets in all variants and use situations.

The Supplier shall apply whitelisting to ensure that only software that is listed shall be detected.

2.1.11.6. Vulnerability Management

This requirement is based on ISO/IEC 27001:2013, clause 12.6:

The Supplier shall continuously obtain information on actual technical vulnerabilities in the system. The Supplier shall also evaluate the system's exposure to such vulnerabilities and the associated information security risk. Such vulnerabilities are to be included in the Supplier's risk assessment as required.

The Supplier shall perform due diligence in response to the identification of potential technical vulnerabilities. The Supplier shall also document and apply procedures for the establishment of effective protection against technical vulnerabilities.

This requirement is based on SANS CSC 18.1:

The Supplier shall, in respect of third-party software, verify that the version used is still supported by the manufacturer. In case it is not, the Supplier shall update the third-party software to the most recent version, and all relevant patches and Supplier safety recommendations shall be installed.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 12.6.2:

The Supplier shall apply rules on software installation, carried out by the Supplier's users.

The Supplier shall make available to the Customer information about the management of technical vulnerabilities that can affect the Cloud Services, related support services and consultancy ser-vices provided.

2.1.11.7. Considerations in connection with the audit of information systems The requirement is based on ISO/IEC 27001:2013, clause 12.7:

The Supplier shall ensure that audits are planned in order to mini-mize the disruption in the working process.

The Supplier is obliged, on proof of identity, to give access to the Supplier's physical facilities to the Customer and the authorities which under applicable law have access to the Customer's and the Supplier's facilities or to representatives acting on behalf of such authorities.

2.1.12. Communication Security

2.1.12.1. Managing Network Security

The requirement is based on ISO/IEC 27001:2013, Annex A, control 13.1.1:

The Supplier shall ensure that the network is managed and controlled so that the information in the system is protected. The Supplier shall also ensure that the management and control of the network reflect the current risk assessment as required.

This requirement is based on ISO/IEC 27002:2013, control 13.1.1:

The Supplier shall apply controls to secure information in the network and to protect the connected services from unauthorized access. The Supplier shall also apply appropriate controls to ensure this, which among other things shall include the following:

a) establishment of responsibilities and procedures for management of the network,

b) establishment of special controls to ensure confidentiality and integrity of Data transmitted over public networks or over wireless networks, and to protect the connected System,

c) use of logging and monitoring to enable recording and detection of acts that can affect or are relevant to information security.


This requirement is based on SANS CSC 9.3:

The Supplier shall, on a monthly basis, perform automatic scans of the network ports in use, in order to track and assess changes to network ports and to correct unauthorized changes.
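The monthly port-scan requirement above is only useful if each scan is compared against an approved baseline, so that unauthorized changes stand out and authorized ones are folded into the next baseline. The following is an added example of that comparison step, written for this page and not taken from Annex 4 or from any Supplier's tooling; the host names, ports, the three-column inventory format and the notion of a list of approved changes are all constructed assumptions. Any scanner output can be reduced to the same (host, protocol, port) triples before being handed to it.

```python
"""Port-inventory drift check (added example, not part of Annex 4).

Compares a previously approved baseline of listening ports per host with
the result of the latest automated scan and reports every difference,
split into approved changes and unauthorized drift. The inventory format
('host proto port' per line) and the sample data are constructed.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Service:
    host: str
    proto: str
    port: int


@dataclass
class DriftReport:
    unauthorized_open: set = field(default_factory=set)    # newly listening, not approved
    unauthorized_closed: set = field(default_factory=set)  # disappeared, not approved
    approved: set = field(default_factory=set)             # differences covered by a change ticket

    def is_clean(self) -> bool:
        """True when every difference against the baseline was approved."""
        return not self.unauthorized_open and not self.unauthorized_closed


def parse_inventory(text: str) -> set:
    """Parse 'host proto port' lines (constructed format); '#' starts a comment."""
    services = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, proto, port = line.split()
        services.add(Service(host, proto.lower(), int(port)))
    return services


def diff_port_inventory(baseline: set, current: set,
                        approved_changes: frozenset = frozenset()) -> DriftReport:
    """Classify each difference between baseline and current scan.

    A service that appears or disappears is 'approved' only if the same
    (host, proto, port) triple is on the approved-changes list; everything
    else is reported as unauthorized drift for correction.
    """
    report = DriftReport()
    for svc in current - baseline:
        (report.approved if svc in approved_changes else report.unauthorized_open).add(svc)
    for svc in baseline - current:
        (report.approved if svc in approved_changes else report.unauthorized_closed).add(svc)
    return report


def next_baseline(baseline: set, current: set, approved_changes: frozenset) -> set:
    """Fold approved differences into the baseline. Unauthorized drift is
    deliberately left out, so it keeps being reported until corrected."""
    report = diff_port_inventory(baseline, current, approved_changes)
    return (baseline - (report.approved & baseline)) | (report.approved & current)


# Constructed sample data: last month's approved baseline and this month's scan.
BASELINE_TEXT = """
web01 tcp 22
web01 tcp 443
db01  tcp 5432
dns01 udp 53
"""

CURRENT_SCAN_TEXT = """
web01 tcp 22
web01 tcp 443
web01 tcp 8080   # not in any change ticket
db01  tcp 5432
db01  tcp 22     # covered by a change ticket
"""                  # dns01 udp 53 has silently disappeared

APPROVED_CHANGES = frozenset({Service("db01", "tcp", 22)})


def run_sample() -> DriftReport:
    """Run the check over the constructed sample inventories."""
    baseline = parse_inventory(BASELINE_TEXT)
    current = parse_inventory(CURRENT_SCAN_TEXT)
    return diff_port_inventory(baseline, current, APPROVED_CHANGES)


if __name__ == "__main__":
    rep = run_sample()
    for svc in sorted(rep.unauthorized_open):
        print(f"UNAUTHORIZED OPEN   {svc.host} {svc.proto}/{svc.port}")
    for svc in sorted(rep.unauthorized_closed):
        print(f"UNAUTHORIZED CLOSED {svc.host} {svc.proto}/{svc.port}")
    for svc in sorted(rep.approved):
        print(f"approved change     {svc.host} {svc.proto}/{svc.port}")
    print("clean" if rep.is_clean() else "drift detected")
```

Disappearing services are reported alongside new ones: a listener that vanishes without a ticket is as much a sign of an unmanaged change (or a failed host) as a new open port, and the requirement asks for changes to be tracked in both directions.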

This requirement is based on SANS CSC 9.5:

The Supplier shall ensure that critical services, such as DNS, file, mail, web and database servers, run on separate host machines.

This requirement is based on SANS CSC 15.7:

The Supplier shall disable the option of using wireless peer-to-peer (ad hoc) networking on wireless devices.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 13.1.2:

The Supplier shall identify and reach agreements on the security mechanisms, service levels and management requirements of all third-party network services used in connection with the fulfilment of the Contract.

This requirement is based on ISO/IEC 27002:2014, control 13.1.2:

The Supplier shall regularly assess and monitor the sub-supplier's ability to deliver the agreed services used in connection with the fulfilment of the Contract.

The Supplier shall also identify the security arrangements necessary for particular services, such as security measures, service levels and management requirements.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 13.1.3:

The Supplier shall divide information assets into network segments.

The Supplier shall enforce segregation of network access in the following cases:

- segregation between tenants in a multi-tenant environment;

- segregation between the Supplier's internal administration environment and the Customer's cloud computing environment.

Where appropriate, the Supplier shall assist the Customer in verifying the segregation implemented by the Supplier.

2.1.12.2. Information Transfer

The Supplier shall ensure that formal transfer policies, procedures and controls are in place to protect information transfer using any means of communication in connection with fulfilment of the Contract.

This requirement is based on ISO/IEC 27002:2014, control 13.2.1:

The Supplier's policies and procedures for information transfer shall contain the following:

a) procedures to protect transferred information from interception, copying, modification, misdirection and destruction,

b) procedures for detecting and protecting against malware that can be transmitted via electronic communication,

c) procedures for protecting sensitive electronic information that is communicated as an attachment.

The Supplier shall furthermore ensure that employees are aware that they shall not have confidential conversations in public places, over insecure communication channels, or in open offices or meeting places.

This requirement is based on ISO/IEC 27001:2014, Annex A, control 13.2.2:

The Supplier shall conclude agreements that support the secure transfer of information between the Supplier and the Supplier's external parties in connection with fulfilment of the Contract. The Supplier shall also ensure that the agreements reflect the current risk assessment as required.

This requirement is based on ISO/IEC 27002:2014, control 13.2.2:

The Supplier shall, in connection with agreements on information transfers, ensure that it:

a) establishes and maintains policies, procedures and standards to protect information and physical media in transit,

b) ensures that the system is referred to in such transportation contracts.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 13.2.3:

The Supplier shall ensure that special security measures are in place for the protection of information in electronic messages.

This requirement is based on ISO/IEC 27002:2014, control 13.2.3:

The Supplier shall include the following safeguards:

a) protecting messages from unauthorized access, modification or deletion,

b) ensuring correct addressing and transport of messages,

c) legal considerations, for example requirements for electronic signature.

2.1.13. Acquisition, development and maintenance of systems

2.1.13.1. Safety of the information

The Supplier shall ensure that information security requirements are included in the requirements for improvements to the information systems.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 14.1.2:

The Supplier shall protect information involved in application services passing over public networks from fraud, contractual disputes and unauthorized disclosure and modification, and shall prevent incomplete transmission, misrouting, unauthorized modification of messages, unauthorized disclosure, and unauthorized copying or retransmission of messages.

2.1.13.2. Security in development and support processes

This requirement is based on ISO/IEC 27001:2013, control 14.2.1:

The Supplier shall establish and enforce rules for the development of software.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 14.2.2:


The Supplier shall manage changes to the software within the development life cycle in accordance with formal procedures for change management.

The Supplier shall provide information about its use of secure development procedures and practices to the extent compatible with its disclosure policy.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 14.2.3:

When the operating platform is changed, the Supplier shall review and test the system to ensure that the change does not adversely affect operational security.

The Supplier shall ensure that changes to the software are limited to necessary changes, and that all changes are managed effectively.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 14.2.5:

The Supplier shall ensure that principles for engineering secure systems are established, documented, maintained and applied in connection with the fulfilment of the Contract.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 14.2.6 and control 14.2.7:

The Supplier shall establish secure development environments for systems development and integration, covering the entire system development lifecycle. Further, the Supplier shall control and monitor the system development activities related to the fulfilment of the Contract.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 14.2.8:

The Supplier shall test the security functionality during development.

2.1.13.3. Test Data

The Customer's test Data consists of personally identifiable information, confidential information and sensitive information, and shall be treated with the same level of security and protection as operational Data.


The Supplier shall ensure the protection of the test Data with the same level of safeguards as operational Data.

2.1.14. Supplier Relationship

2.1.14.1. Management of Supplier services

This requirement is based on ISO/IEC 27001:2013, control 15.1.1:

The Supplier shall establish a suitable policy on the management of sub-supplier services and ensure implementation of appropriate safeguards to minimize any sub-supplier's access to the Supplier's organization.

2.1.14.2. Addressing security within supplier agreements

The requirement is based on ISO/IEC 27001:2013, Annex A, control 15.1.2:

The Supplier shall agree appropriate safeguards with each sub-supplier, addressing the relevant security requirements.

2.1.14.3. Information and communication technology supply chain

This requirement is based on ISO/IEC 27001:2013, Annex A, control 15.2.1:

The Supplier shall control, monitor and audit sub-suppliers in accordance with the risk assessment, cf. section 2.1.1.

2.1.15. Managing Information Security Breaches

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 16.

2.1.15.1. Responsibilities and procedures

This requirement is based on ISO/IEC 27001:2013, Annex A, control 16.1.1:

The Supplier shall establish management responsibilities and procedures to ensure prompt, effective and timely management of information security breaches related to the fulfilment of the Contract.

This requirement is based on ISO/IEC 27002:2014, control 16.1.1:


The Supplier shall ensure that the objectives for management of information security breaches are agreed with the Supplier's management and communicated to the employees of the Supplier who are responsible for the management of information security breaches.

An information security incident shall trigger a review by the Supplier, as part of its information security incident management process, to determine whether a data breach has taken place.

A review does not have to be triggered if the information security event is one that does not result in actual, or a significant probability of, unauthorized access to Data or to any of the equipment or facilities storing Data.

The Supplier shall provide the Customer with documentation covering:

- the scope of information security incidents that the Supplier will report to the Customer;

- the level of disclosure of the detection of information security incidents and the associated responses;

- the timeframe in which notifications of information security incidents will occur;

- contact information for the handling of issues relating to information security incidents;

- any remedies that can be implemented if certain information security incidents occur.

2.1.15.2. Reporting information security events

This requirement is based on ISO/IEC 27002:2014, control 16.1.2:

The Supplier shall ensure that information security events are reported to the Customer as soon as possible.

The Supplier shall provide mechanisms for:

- the Customer to report an information security event to the Supplier,

- the Supplier to report an information security event to the Customer, and

- the Customer to track the status of a reported information security event.

The report of an information security event shall be in accordance with the procedure, cf. section 2.1.15.1, and shall contain essential information such as contact phone number and email address.


The Supplier shall ensure that the Supplier's employees and sub-suppliers involved in the fulfilment of the Contract are made aware of their responsibilities, including being made familiar with the procedure for reporting information security events and the contact point to which information security events are to be reported.

2.1.15.3. Reporting information security weaknesses

This requirement is based on ISO/IEC 27001:2013, Annex A, control 16.1.3:

The Supplier shall ensure that employees and sub-suppliers who use the information assets have a duty to record and report any observed or suspected weaknesses of these information assets.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 16.1.4:

The Supplier shall ensure that information security incidents are assessed and that a decision is made on whether to classify them as information security breaches.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 16.1.5:

The Supplier shall ensure that information security breaches are handled and analyzed in accordance with documented procedures.

This requirement is based on the General Data Protection Regulation, Article 33(2) and (3), in case the information security breach involves Data, i.e. personal data:

The Supplier shall notify the Customer in accordance with the Data Processing Agreement, cf. Annex 3.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 16.1.6:

The Supplier shall ensure that the knowledge gained from analyzing and managing information security breaches is used to reduce the likelihood or impact of future information security breaches.

This requirement is based on SANS CSC 19.7:


The Supplier shall, at least on an annual basis, conduct incident scenario sessions for the employees who are responsible for managing Information Security Incidents, to ensure that they are aware of current threats and risks, as well as of their responsibilities in supporting the incident handling team.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 16.1.7:

The Supplier shall ensure that procedures are in place for the identification, collection, acquisition and preservation of information which can serve as evidence.

2.1.16. Information Security Aspects of Business Continuity Management

The Supplier shall establish requirements for information security and information security continuity in critical situations, for example in case of an emergency or disaster.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 17.1.2:

The Supplier shall establish, document, apply and maintain processes, procedures and controls to ensure the necessary information security continuity in a critical situation.

The Supplier shall also prepare a contingency plan and update it at least once (1) a year.

This requirement is based on ISO/IEC 27002:2014, control 17.1.2:

The Supplier shall ensure that:

a) an appropriate governance structure is in place, so that the Supplier can prepare for, mitigate and respond to a disruptive incident related to the fulfilment of the Contract through employees with adequate authority, experience and competence,

b) emergency personnel are designated with the necessary responsibility, authority and jurisdiction to handle an information security breach and maintain information security,

c) documented plans and recovery procedures are produced, describing how the Supplier will handle a devastating event in connection with the fulfilment of the Contract and maintain information security.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 17.1.3:

The Supplier shall at least annually verify the established and applied controls on Information Security Continuity in order to ensure that they are timely and effective in critical situations.

The Supplier shall ensure that the continuity processes, procedures and controls for information security are reviewed in relation to changing requirements on information security and continuity, for example following organizational, technical, procedural and process-related changes in operations or continuity arrangements.

The Supplier shall also:

- test backup and restore,

- test the emergency plan.

2.1.16.1. Redundancies

The Supplier shall establish appropriate redundancies for the information assets to comply with the availability requirements of the system.