IS.D.OR.245 Record-keeping
Regulation (EU) 2022/1645
found in: Information Security (No 2023/203 and 2022/1645) Part-IS (Jun 2024)
(a) The organisation shall keep records of its information security management activities.

(1) The organisation shall ensure that the following records are archived and traceable:

(i) any approval received and any associated information security risk assessment in accordance with point [IS.D.OR.200](#_DxCrossRefBm1193569683)(e);

(ii) contracts for activities referred to in point [IS.D.OR.200](#_DxCrossRefBm1193569683)(a)(9);

(iii) records of the key processes referred to in point [IS.D.OR.200](#_DxCrossRefBm1193569683)(d);

(iv) records of the risks identified in the risk assessment referred to in point [IS.D.OR.205](#_DxCrossRefBm1193569684) along with the associated risk treatment measures referred to in point [IS.D.OR.210](#_DxCrossRefBm1193569694);

(v) records of information security incidents and vulnerabilities reported in accordance with the reporting schemes referred to in points [IS.D.OR.215](#_DxCrossRefBm1193569693) and [IS.D.OR.230](#_DxCrossRefBm1193569509);

(vi) records of those information security events which may need to be reassessed to reveal undetected information security incidents or vulnerabilities.

(2) The records referred to in point (1)(i) shall be retained at least until 5 years after the approval has lost its validity.

(3) The records referred to in point (1)(ii) shall be retained at least until 5 years after the contract has been amended or terminated.

(4) The records referred to in point (1)(iii), (iv) and (v) shall be retained at least for a period of 5 years.

(5) The records referred to in point (1)(vi) shall be retained until those information security events have been reassessed in accordance with a periodicity defined in a procedure established by the organisation.

(b) The organisation shall keep records of the qualification and experience of its own staff involved in information security management activities.

(1) The personnel’s qualification and experience records shall be retained for as long as the person works for the organisation, and for at least 3 years after the person has left the organisation.

(2) Members of the staff shall, upon their request, be given access to their individual records. In addition, upon their request, the organisation shall provide them with a copy of their individual records on leaving the organisation.

(c) The format of the records shall be specified in the organisation’s procedures.

(d) Records shall be stored in a manner that ensures protection from damage, alteration and theft, with information being identified, when required, according to its security classification level. The organisation shall ensure that the records are stored using means to ensure integrity, authenticity and authorised access.