
IS.D.OR.250 Information security management manual (ISMM)

Regulation (EU) 2022/1645

(a)     The organisation shall make available to the competent authority an information security management manual (ISMM) and, where applicable, any referenced associated manuals and procedures, containing:

(1)     a statement signed by the accountable manager or, in the case of design organisations, by the head of the design organisation, confirming that the organisation will at all times work in accordance with this Annex and with the ISMM. If the accountable manager or, in the case of design organisations, the head of the design organisation, is not the chief executive officer (CEO) of the organisation, then such CEO shall countersign the statement;

(2)     the title(s), name(s), duties, accountabilities, responsibilities and authorities of the person or persons referred to in point IS.D.OR.240(b) and (c);

(3)     the title, name, duties, accountabilities, responsibilities and authorities of the common responsible person referred to in point IS.D.OR.240(d), if applicable;

(4)     the information security policy of the organisation as referred to in point IS.D.OR.200(a)(1);

(5)     a general description of the number and categories of staff and of the system in place to plan the availability of staff as required by point IS.D.OR.240;

(6)     the title(s), name(s), duties, accountabilities, responsibilities and authorities of the key persons responsible for the implementation of point IS.D.OR.200, including the person or persons responsible for the compliance monitoring function referred to in point IS.D.OR.200(a)(12);

(7)     an organisation chart showing the associated chains of accountability and responsibility for the persons referred to in points (2) and (6);

(8)     the description of the internal reporting scheme referred to in point IS.D.OR.215;

(9)     the procedures that specify how the organisation ensures compliance with this Part, and in particular:

(i)      the documentation referred to in point IS.D.OR.200(c);

(ii)     the procedures that define how the organisation controls any contracted activities referred to in point IS.D.OR.200(a)(9);

(iii)     the ISMM amendment procedure defined in point (c);

(10)    the details of currently approved alternative means of compliance.

(b)     The initial issue of the ISMM shall be approved and a copy shall be retained by the competent authority. The ISMM shall be amended as necessary to remain an up-to-date description of the ISMS of the organisation. A copy of any amendments to the ISMM shall be provided to the competent authority.

(c)      Amendments to the ISMM shall be managed in a procedure established by the organisation. Any amendments that are not included within the scope of this procedure and any amendments related to the changes referred to in point IS.D.OR.255(b), shall be approved by the competent authority.

(d)     The organisation may integrate the ISMM with other management expositions or manuals it holds, provided there is a clear cross reference that indicates which portions of the management exposition or manual correspond to the different requirements contained in this Annex.