IS.D.OR.255
Changes to the information security management system
(a) Changes to the ISMS may be managed and notified to the competent authority in a procedure developed by the organisation. This procedure shall be approved by the competent authority.
(b) With regard to changes to the ISMS not covered by the procedure referred to in point (a), the organisation shall apply for and obtain an approval issued by the competent authority.
With regard to these changes:
(1) the application shall be submitted before any such change takes place, in order to enable the competent authority to determine continued compliance with this Regulation and to amend, if necessary, the organisation certificate and related terms of approval attached to it;
(2) the organisation shall make available to the competent authority any information it requests to evaluate the change;
(3) the change shall be implemented only upon receipt of a formal approval by the competent authority;
(4) the organisation shall operate under the conditions prescribed by the competent authority during the implementation of such changes.
Loading collections...