Information Security Management System Manual Document Control Document Name Information Security Management System Manual Document Reference Number BONDAP LTD /ISMS/Manual Classification Internal Version Number V1.1 Date 13-04-2023 Reviewed by Approved by Revision History Date 13-04-2022 13-04-2023 Version V1.0 v1.1 Description First Release Minor Release Created by BONDAP LTD BONDAP ITS Distribution 1. File server Documentation status This is a controlled document. This document may be printed; however, any printed copies of the document are not controlled. The electronic version maintained in the file server and Commune are the controlled copy. Abbreviations, Acronyms & Definitions IS Information Security ISMS Information Security Management System ISO Information Security Officer Document Classification: Internal | Version: 1.0 Page 2 of 24 Information Security Management System Manual Table of Contents 1. Introduction.......................................................................................................................... 6 About BONDAP LTD (BONDAP LTD )................................................................................... 6 2. Purpose................................................................................................................................. 6 3. Context of the organization...................................................................................................6 3.1. Understanding the organization and its context............................................................ 7 3.2. Understanding the needs and expectations of interested parties................................. 7 3.2.1 Stakeholders (External and Internal)................................................................... 7 3.3. Organization’s Risk Acceptance Criteria......................................................................... 8 3.4. Determining the scope of the information security management systems................... 
9 3.4.1 Out of Scope:-......................................................................................................9 3.4.2 Scope exclusion Justification:.............................................................................. 9 3.4.3 Interfaces and dependencies for activities:.........................................................9 3.5. Information security management system.................................................................... 9 4. Organizational roles, responsibilities and authorities......................................................... 10 4.1. Leadership and Commitment.......................................................................................10 4.2. Policy:........................................................................................................................... 10 4.3. Organizational roles, responsibilities and authorities.................................................. 11 5. Planning...............................................................................................................................15 5.1. Actions to address Risks and opportunities................................................................. 15 5.2. Information security risk assessment...........................................................................15 5.3. Information security objectives and planning to achieve them................................... 16 6. Support................................................................................................................................17 6.1. Resources..................................................................................................................... 17 6.2. Competence................................................................................................................. 17 6.3. Awareness.................................................................................................................... 17 6.4. 
Communication............................................................................................................ 17 6.5. Documentation Requirements..................................................................................... 18 6.5.1 General..............................................................................................................18 6.5.2 Creating and updating....................................................................................... 18 6.5.3 Control of documented information................................................................. 18 7. Operation information........................................................................................................ 19 Document Classification: Internal | Version: 1.0 Page 3 of 24 Information Security Management System Manual 7.1. Operational planning and control................................................................................ 19 7.2. Information security risk assessment...........................................................................19 7.3. Information security risk treatment............................................................................. 19 8. Performance Evaluation...................................................................................................... 19 8.1. Monitoring, measurement, analysis and evaluation....................................................19 8.2. Internal Audit............................................................................................................... 19 8.3. Management Review................................................................................................... 20 9. Improvements..................................................................................................................... 20 9.1. Nonconformity and Corrective action..........................................................................20 9.2. 
Continual Improvement............................................................................................... 21 10. Organization of Information Security................................................................................ 21 10.1. Internal Organisation................................................................................................. 21 10.1.1 Contact with authorities....................................................................................21 10.1.2 Contact with special interest groups................................................................. 21 10.1.3 Information Security in Project Management................................................... 21 Annexure 1: Communication Matrix....................................................................................... 22 Annexure 2: Dependencies................................................................................................ 10-24 1. Document Classification: Internal | Version: 1.0 Page 4 of 24 Information Security Management System Manual 1. Introduction About BONDAP LTD BONDAP LTD (BONDAP LTD) is Data Processing, Hosting and Related Activities. The purpose of this manual is to communicate management directives in the organization for conforming to ISO 27001:2013 standard and thereby ensuring consistent and appropriate protection of information assets in the Head Office, of BONDAP LTD. 2. Context of the organization ISO 27001:2013 is the only global international standard that provides requirements for establishing, implementing, maintaining and continually improving an information security management system, hereafter referred to as ISMS. The adoption of ISMS is a strategic decision of the Management of BONDAP LTD. The factors that influence the establishment and implementation of ISMS include the organization’s needs, objectives, security requirements, processes, size and structure. 
All these influencing factors are expected to change over time and so will the ISMS. The ISMS of BONDAP LTD takes a holistic view of the organization’s’ information security risk environment to implement a comprehensive suite of controls in line with the framework. It helps in protecting the confidentiality, integrity and availability of valuable information assets of the organization. The ISMS of BONDAP LTD is scaled in accordance with the organization’s need and is integrated with overall management structure. 2.1. Understanding the organization and its context The internal and external context of the organization that are relevant to achieve the outcome of establishing ISMS are mentioned below: 1. At an enterprise level, BONDAP LTD management understands that in order to deliver service to its customers, in various locations, protecting its existing assets is as important as accurately predicting risks. 2. Protecting the IPR (Intellectual Property Rights) of the organization (source code). 3. Cyber security is an enterprise-wide risk management issue and is important as the organization engages third parties that manage its critical systems and data. 4. ISMS has been established in the context of fulfilling the information security needs of BONDAP LTD ’s customers, employees, vendors, suppliers and stakeholders in the most efficient and effective manner. This includes physical, environmental, logical, information, communications, statutory and data security requirements. 2.2. Understanding the needs and expectations of interested parties 2.2.1 Stakeholders (External and Internal) a) Interested parties that are relevant to ISMS - All customers (Internal and External), Vendors, Supporting the Infrastructure in Server Room & other Business operation, Document Classification: Internal | Version: 1.0 Page 5 of 24 Information Security Management System Manual all employees providing & getting services to Server Room & other Business operation. 
b) The requirement of these interested parties relevant to Information Security The needs and expectations from external as well as internal customers are considered as under and will be reviewed and updated over a period of time as part of continual improvement. Internal Externa l Stake holders Issues Management Governance, Resource availability, organization structure, roles and accountabilities, Policies, objectives, and the strategies Employees Fulfilment of commitments, adherence to organization policies, processes and guidelines and to ensure seamless / uninterrupted operations. Expectation of employees in terms of commitment made by the organization need to be fulfilled. Shareholders Relationship with, and perceptions and values of, internal stakeholder’s Board of Directors Maintaining commitment to customers, goodwill and repute of the organization, and maintaining return on investment committed on the business, in totality Corporate requirements Standards, guidelines and models adopted by the organization Users / Other departments Information technology related requirements to the organization such as access right, IT infra-availability to internal users and other departments. HR Resource availability, resource competence, training, background verification etc. 
Finance Approval of financial commitments Legal Vetting of Legal contracts and protecting the organization from non-compliance of legal, regulatory and contractual requirements Customers Service delivery Document Classification: Internal | Version: 1.0 Page 6 of 24 Information Security Management System Manual Customers Supply of goods and services to enable the organization to meet the requirement of the customer Customer Risk Assessment & Risk Treatment Procedure for assessment the risk for internal as well as external customer Customer For managing the customer related security aspects, the organization has deployed few policies, process and procedure such as Password Policy, IT Access control Policy, VPN-Virtual Private Network Policy, IEM-Internet & Electronic Messaging Usage Policy, Antivirus Policy, Information Classification, Labelling and Handling Policy, Asset Handling Process, Business Continuity Plan Process, Physical Security Management Procedure and many more. Users / Public Information technology related requirements to the organization such as access right, IT infra-availability to internal users and other departments. Government Submission of desired reports and statements and approvals to carry out the business. Fulfilling the legal, and regulatory requirement. Society environment Natural and competitive environment, Key drives and trends having impact on the objectives of the organization, Political, financial status of the country. and 2.3. Organization’s Risk Acceptance Criteria 1. The ISMS is designed to address all the major risks that are identified to the security of BONDAP LTD; 2. The identification of these risks is done on the basis of inputs from stakeholders and a detailed and repeatable process which takes into account the various Information Assets and the possible threats and risks applicable to them; 3. 
Based on BONDAP LTD ’s risk criteria, the risk assessment process segregates between acceptable and unacceptable risks and helps to select the option for managing these risks through a Risk Treatment Plan (Refer- Risk Assessment v1.0); 4. In general, BONDAP LTD ’s risk criteria are 12, i.e., the approach of the organization is not to accept anything but low levels of risks while making efforts to put in place the mechanisms to handle risks if they occur; Document Classification: Internal | Version: 1.0 Page 7 of 24 Information Security Management System Manual 2.4. Determining the scope of the information security management systems The Information Security Management System (ISMS) covers all business functions and processes associated with information assets to provide customers, employees and business partner’s benefits and secure services in BONDAP LTD at the following locations: This is in accordance with the latest Statement of Applicability. The scope embraces the following business functions, processes and departments in the Head Office: 1. 2. 3. 4. 5. 6. 7. IT Infrastructure IT Application Development Human Resources Legal Admin Operations CS Department 2.4.1 Out of Scope: Following Functions/Locations are not part of ISMS scope: Operations other than IT carried out at Regional and Branch office 2.4.2 Scope exclusion Justification: IT and other supporting functions which are currently taken into scope are custodians of the majority of critical data within the organization. We first plan to include these departments throughout the BONDAP LTD in the scope of ISMS. Then gradually the other departments will be brought under the scope of ISMS (based on ISO 27001). 2.4.3 Interfaces and dependencies for activities: Organization should identify the interfaces and dependencies for BONDAP LTD “Refer Annexure 2” 2.5. 
Information security management system An effective ISMS assures management and other stakeholders that the organization’s information assets are reasonably safe and protected against harm, thereby acting as a business enabler. Document Classification: Internal | Version: 1.0 Page 8 of 24 Information Security Management System Manual 3. Organizational roles, responsibilities and authorities 3.1. Leadership and Commitment A management framework is established to initiate and control the implementation of information security within the Organization. Management of BONDAP LTD actively supports security within the Organization by: 1. 2. 3. 4. 5. 6. 7. 8. Establishing the security policy Ensuring that ISMS objectives & plans are established Establishing roles & responsibilities of information security Communicating to the organization the importance of meeting information security objectives & conforming to the information security policy; Providing sufficient resources to establish, implement, operate, monitor, review, maintain & improve the ISMS Deciding the criteria for accepting risks & acceptable level of risks; Ensuring that internal audits are conducted as per defined frequency Conducting management reviews of the ISMS 3.2. Policy: BONDAP LTD is committed to meet the Information Security requirements of its customers, employees and business partners. It shall do so through effective implementation and continual improvement of its Information Security Management System (ISMS) by identifying, evaluating and controlling risks to ensure the confidentiality, integrity and availability of its Critical and sensitive information assets, and meet legal and statutory requirements. Objectives: This policy ensures: 1. Confidentiality of information by protecting it from deliberate or unintentional unauthorized access and acquisition. 2. Integrity of information by protecting it from unauthorized modification 3. Availability of information to authorized users when needed 4. 
Classification of information according to its sensitivity 5. Compliance to regulatory, legislative and contractual requirements 6. Adopting a formal and sustainable Risk Assessment and Management approach for effective ISMS. 7. Preparing & testing a Business Continuity / Disaster Recovery Plan 8. Training of employees and business partners to achieve a high information security awareness level. Document Classification: Internal | Version: 1.0 Page 9 of 24 Information Security Management System Manual Responsibility: 1. The Chief Information Security Officer has direct responsibility for maintaining the Policy and providing advice and guidance on its implementation. 2. All employees are responsible to implement this Information Security Policy in carrying out their respective functions. All process owners are responsible for the effective implementation of their respective processes. Review of the Policy: 1. The Information Security Policy shall be reviewed at least once a year or as and when there are major changes in business requirements. 3.3. Organizational roles, responsibilities and authorities A formal information security organization structure has been defined as given below: Document Classification: Internal | Version: 1.0 Page 10 of 24 Information Security Management System Manual Document Classification: Internal | Version: 1.0 Page 11 of 24 Information Security Management System Manual Roles Information Steering Committee Information Security Responsibilities Chief Information Security Officer 1. Ensuring that information security system conforms to the requirements of this international standard: and 2. Reporting on the performance of the information security management system to top management. 3. Report to Information Steering Committee(ISC) on any security incidents affecting the shareholders, the business or the organization’s reputation 4. Review audit reports dealing with the information security issues and ensure that they are placed before 1. 
Developing and facilitating of the implementation of information security policy and cyber security policy, standards and procedures to ensure that all identified information/system security risks are managed. 2. Approving and monitoring major information security projects including cyber security and the status of information and cyber security plans and budgets, establishing priorities, approving procedures and guidelines. 3. Supporting the development and implementation of Information security management programmer including information and cyber security. 4. Reviewing the position of security incidents and various information and cyber security assessments and monitoring activities across the BONDAP LTD. 5. Reviewing the status of security awareness programs 6. Assessing new developments or issues relating to information security including cyber security. 7. A review on future information security including cyber security needs on a yearly basis. 8. Minutes of the ISC meetings should be maintained to document the committee’s activities and decisions. 9. Take Strategic decision pertaining to information security related issues. 10. Address Security Incidents affecting the shareholders, the business or the organization’s reputation. 11. Review audit reports pertaining to information systems 12. Check effectiveness of security implementation of controls 13. Analyze cost effectiveness of security implementation 14. Review security incidents 15. Approve security initiatives Document Classification: Internal | Version: 1.0 Page 12 of 24 Information Security Management System Manual 5. 6. 7. 8. 9. the IT Steering committee (ISC) at pre-determined intervals. Ensure that the relevant security policy and procedure are followed by the IT Team, IT suppliers and partners etc. Understand the business purpose of the organization, so as to provide appropriate security protection. 
Drive BCP/DRP activities Reviewing the status of security awareness programs Assessing new developments or issues relating to information security including cyber security. ISO 1. Assist the CISO in managing the overall information systems security programs 2. Maintaining the Information System Security Policies and Standards for use throughout the organization 3. Assist business units in the development of specific standards or guidelines that meet the information security policies for specific products within the business unit 4. Remain current/up-to-date on the threats against the information assets, information protection methods and controls by receiving internal education, attending information security seminars and through on-the-job training. 5. Assume responsibility or assist in tackling potentially serious and imminent threats to the organization’s information assets e.g., outbreak of computer virus etc. 6. Co-ordinate or assist in the investigation of security threats or other attacks on the information assets 7. Assist CISO in BCP/DR Drills Management Representatives 1. Should be responsible for managing the overall information security within the department. 2. Report incident to the appropriate authorities as per defined procedure. 3. Create security awareness among other employees 4. Responsible for managing the appropriate use of the information system by the staff. 5. Ensures that any information processing work has segregation of duties in line with the internal roles so that there is no opportunity of fraud. Document Classification: Internal | Version: 1.0 Page 13 of 24 Information Security Management System Manual End Users 4. 1. Complies with end-user policy, namely IT Acceptable Usage Policy, which provides guidelines for description of appropriate information assets usage. 2. Reports security weakness/incidents to the IT representatives. 3. End Users do not exploit known security weaknesses. 4. Attend yearly User awareness training. 
Planning 4.1. Actions to address Risks and opportunities The information security management system of BONDAP LTD is planned taking into consideration of requirements, risks and opportunities that need to be addressed to: 1. Ensure the information security management system can achieve its intended outcomes; 2. Prevent or reduce undesired effects; 3. Achieve continual improvement; The organization plans to address the above-mentioned risks and opportunities and to take action to implement control measures. Effectiveness of the actions taken are also evaluated and assessed. 4.2. Information security risk assessment An information security risk assessment process is defined and applied that: 1. Establishes and maintains information security risk criteria, including: ● Criteria for accepting risks; ● Criteria for performing information security risk assessments; 2. Ensures that repeated risk assessments produce consistent, valid and comparable results; 3. Identifies the information security risks; ● Risk assessment process is applied to identify risks associated with financial, operational, reputational and legal loss of information assets within the scope of the information security management system; ● Risk owners are identified; 4. The information security risks are analysed by the organization; ● The potential consequences that would result, if the risks identified were to materialize are assessed; ● The realistic likelihood of the occurrence of the risks identified is assessed; ● The levels of risks are determined; 5. Information security risks are evaluated; ● Results of risk analysis are compared with the risk criteria that are established; Document Classification: Internal | Version: 1.0 Page 14 of 24 Information Security Management System Manual ● Analysed risks are prioritized for risk treatment; 6. All documented information about information security risk assessment process is retained by the organization; 7. 
Information security risk treatment; Organization has defined and applied an information security risk treatment process by: ● Selecting appropriate information security risk treatment options, taking account of the risk assessment results; ● Determining all controls that are necessary to implement the information security risk treatment options are chosen; ● Comparing the controls determined in the above point with those in Annexure-A of ISO 27001:2013 standard, and verifying that no necessary controls have been omitted; 8. A Statement of applicability that contains the necessary controls and justification for inclusions; whether they are implemented or not; and the justification for exclusions of controls from ISO 27001:2013 Annexure-A is produced. Refer: Statement of Applicability v1.0 9. Information security risk treatment plan is formulated; 10. Risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks is obtained; ● Documented information about information security risk treatment process is retained by the organization; Please refer Risk assessment Methodology v1.0 and Risk Assessment v1.0 4.3. Information security objectives and planning to achieve them Information security objectives at relevant functions and levels in the organization are established. The information security objectives are: 1. Consistent with the information security policy; 2. Measurable (wherever practicable); 3. Taken into account the applicable information security requirements and the results from risk assessment and risk treatment: Are communicated Are updated as appropriate Documented information on information security objectives is retained by the organization. The organization has determined the following when planning how to achieve its information security objectives: 1. 2. 3. 4. 5. 
What needs to be done; What resources are required; Who all are responsible; When it will be completed; How the result is evaluated. Document Classification: Internal | Version: 1.0 Page 15 of 24 Information Security Management System Manual Please Refer Information Security Objectives v1.0 Document Classification: Internal | Version: 1.0 Page 16 of 24 Information Security Management System Manual 5. Support 5.1. Resources The resources needed for establishment, implementation, maintenance and continual improvement of the information security management system are identified and made available by the management of BONDAP LTD. 5.2. Competence 1. It is ensured that the person(s) is competent to perform Information security role related to their area of work; 2. It is ensured that the persons are competent on the basis of appropriate education, training and experience; 3. Actions to acquire the necessary competence and to evaluate the effectiveness of the actions are ensured; 4. Appropriate documented information is retained as evidence of competence; Please Refer Competency Matrix v1.0 5.3. Awareness Persons doing work under the organization’s control are aware of: 1. The information security policy; 2. Their contribution to the effectiveness of the information security management system; 3. The implications of not conforming to the information security management system requirements of the organization; The awareness training will be conducted on ongoing basis throughout the year for all the population under purview of ISMS. This will also ensure that all the employee have at least undergone one cycle of awareness training session. 5.4. Communication The need for internal and external communications relevant to the information security management system including the following is determined and defined in the communication matrix (Refer: Annexure 1): 1. 2. 3. 4. 5. 
What to communicate; When to communicate; With whom to communicate; Who will communicate; Process for effective communication. Document Classification: Internal | Version: 1.0 Page 17 of 24 Information Security Management System Manual 5.5. Documentation Requirements 5.5.1 General BONDAP LTD has established the ISMS which include: 1. 2. 3. 4. ISMS Policies & Objectives Scope of ISMSs Processes & controls in support to the ISMS Risk Assessment Process including methodology and treatment plan ● A risk assessment methodology that is in line with the business information security, legal and regulatory requirements is identified ● The acceptable level of risk and residual risk values are also identified. This methodology ensures that risk assessments produce comparable and reproducible results. 5. Documented processes to ensure effective planning, operation & control of ISMS (Risk Assessment process Various records) 6. Statement of Applicability ● The control objectives and controls selected in ISMS and reasons for their inclusion. ● The control objectives and controls currently implemented. ● The exclusion of any control objectives and controls and the justification for their exclusion 5.5.2 Creating and updating The following are ensured while creating and updating documented information in the organization: 1. Identification and description; 2. Format; 3. Review and approval; 5.5.3 Control of documented information Documented information required by the Information security management system of the organization and by the International Standard ISO 27001:2013 is controlled to ensure that: 1. It is available and suitable for use, where and when it is needed; 2. It is adequately protected; The following activities are addressed as applicable for the control of documented information: 1. 2. 3. 4. 
Distribution, access, retrieval and use; Storage and preservation including preservation of legibility; Control of changes (version control, etc.); Retention and disposal; Document Classification: Internal | Version: 1.0 Page 18 of 24 Information Security Management System Manual 6. Operation information 6.1. Operational planning and control The processes needed to meet the information security requirements and to implement the actions determined are planned, implemented and controlled by the organization. The documented information is to have confidence that the processes have been carried out as planned, is kept by the organization. Planned changes are controlled and consequences of unintended changes, taking action to mitigate any adverse effects, are reviewed. Outsourced processes are determined and controlled by the organization. 6.2. Information security risk assessment Information security risk assessments are planned to be conducted on the frequency of once in a year, taking into account, the risk acceptance criteria. Documented information of the result of the information security risk assessment is retained by the organization. 6.3. Information security risk treatment Information security risk treatment plan is implemented. Documented information of the result of the information security risk treatment is retained by the organization. 7. Performance Evaluation 7.1. Monitoring, measurement, analysis and evaluation The information security performance and the effectiveness of the information security management system are evaluated. 7.2. Internal Audit Comprehensive audits are conducted at least once in six months to evaluate the: 1. Conformance to the requirements of ISO 27001:2013 & relevant legislation or regulations 2. Conforms to the identified information security requirements 3. ISMS is effectively implemented & maintained 4. ISMS performed as expected. 
The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records of these audits, are defined in the Internal Audit process. Audits are scheduled for each activity based on the process and areas to be audited as well as the results of previous audits. Trained personnel independent of those having direct responsibility for the process being audited carry out the audits. The CISO ensures that actions are taken to eliminate detected nonconformities and their causes. Follow-up activities include the verification of the actions taken and documentation of the verification results. Please refer to IS Audit Framework v1.0.

7.3. Management Review

Management Reviews (Steering Committee Reviews) are conducted at least twice a year, in which the ISMS is reviewed for its effectiveness as per the Management Review Process. This review includes assessing opportunities for improvement and the need for changes to the ISMS, including the security policy and security objectives. The Steering Committee is a cross-functional steering team of management representatives from various departments in the organization. It is set up to monitor, review, maintain and continually improve the ISMS.

The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
   1) nonconformities and corrective actions;
   2) monitoring and measurement results;
   3) audit results; and
   4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of the risk treatment plan; and
f) opportunities for continual improvement.
Records of the Management Reviews are maintained, and any resulting actions are tracked.

8. Improvements

8.1. Nonconformity and Corrective action

In order to prevent the recurrence of nonconformities, BONDAP LTD takes action to minimize the causes of nonconformities by:
1. Determining nonconformities;
2. Determining the causes of nonconformities;
3. Evaluating the need for action to control the recurrence of nonconformities;
4. Determining and implementing the corrective action needed;
5. Recording the results of the action taken; and
6. Reviewing the effectiveness of the corrective action taken.

8.2. Continual Improvement

The organization aims to continually improve the effectiveness of the ISMS through the use of the security policy, security objectives and feedback for improvement from audit results, analysis of monitored events, corrective and preventive actions, and management reviews.

9. Organization of Information Security

9.1. Internal Organisation

9.1.1 Contact with authorities

Contact is established with appropriate authorities whenever required, such as law enforcement, the fire department, supervisory authorities, telecommunication providers, water suppliers, other utilities, emergency services, health and safety, etc., to support information security incident management procedures, business continuity and contingency planning processes.

9.1.2 Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums or associations shall be maintained as a means to:
1. Improve knowledge about best practices and stay up to date with relevant security information;
2. Ensure the understanding of the information security environment is current and complete;
3. Receive early warning of alerts, advisories and patches pertaining to attacks and vulnerabilities;
4. Gain access to specialist information security advice;
5. Share and exchange information about new technologies, products, threats or vulnerabilities;
6. Provide suitable liaison points when dealing with information security incidents.

9.1.3 Information Security in Project Management

Information security is addressed in project management regardless of the type of project. This includes:
1. Including security objectives in the overall project objectives;
2. Including security specifications in the project description;
3. Performing a risk assessment specifically for the project to be undertaken;
4. Ensuring security rules/technology are included in all the steps/tasks of the project;
5. Testing whether the project deliverables are compliant with the security specifications.

Annexure 1: Communication Matrix

Who shall communicate | What to communicate | When to communicate | With whom to communicate | How to communicate
CISO/ISO | Information Security Management System Manual | Whenever any change is made | The members of the ISC | Email and ISC meetings
CISO/ISO | Processes related to the ISMS (Policies and Procedures) | Whenever any change is made | Members of the ISC and Strategy Committee, and all internal stakeholders as per the scope of the ISMS | Email
CISO/ISO | Minutes of Management Review Meeting | After the Management Review Meeting | Members of the ISC and other internal stakeholders as per the scope of the ISMS | Email
CISO/ISO | Notification for Management Review Meeting | As and when the review meeting is scheduled, based on availability | Members of the ISC | Email
CISO/ISO | Internal/External Audit Schedule | 15 days before the audit | All the auditees | Email
Internal Auditor | Internal Audit Findings | After the audit | All the auditees | Email and meetings
Internal Auditor | Internal Audit Report | After the audit | Members of the ISC | Email and meetings
External Auditor | External Audit Findings | After the audit | All the auditees | Email and meetings
External Auditor | External Audit Report | After the audit | Members of the ISC | Email and meetings
CISO/ISO | Potential Risks | As and when identified | Members of the ISC and other stakeholders as per the scope of the ISMS | Email and meetings

Annexure 2: Dependencies