ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
ISO 37001:2016 Anti-bribery management systems — Requirements with guidance for use
ISO 9001:2015 Quality management systems — Requirements
ISO 21001:2018 Educational organizations — Management systems for educational organizations — Requirements with guidance for use

1 Scope (ISO/IEC 27001:2013)
This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

1 Scope (ISO 37001:2016)
This standard specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be standalone or can be integrated into an overall management system.
This standard addresses the following in relation to the organization's activities:
— bribery in the public, private and not-for-profit sectors;
— bribery by the organization;
— bribery by the organization's personnel acting on the organization's behalf or for its benefit;
— bribery by the organization's business associates acting on the organization's behalf or for its benefit;
— bribery of the organization;
— bribery of the organization's personnel in relation to the organization's activities;
— bribery of the organization's business associates in relation to the organization's activities;
— direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party).
This standard is applicable only to bribery. It sets out requirements and provides guidance for a management system designed to help an organization to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities. This standard does not specifically address fraud, cartels and other antitrust/competition offences, money-laundering or other activities related to corrupt practices, although an organization can choose to extend the scope of the management system to include such activities.
The requirements of this standard are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these requirements depends on the factors specified in 4.1, 4.2 and 4.5.
NOTE 1 See Clause A.2 for guidance.
NOTE 2 The measures necessary to prevent, detect and mitigate the risk of bribery by the organization can be different from the measures used to prevent, detect and respond to bribery of the organization (or its personnel or business associates acting on the organization's behalf). See A.8.4 for guidance.

1 Scope (ISO 9001:2015)
This International Standard specifies requirements for a quality management system when an organization:
a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
All the requirements of this International Standard are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.
NOTE 1 In this International Standard, the terms "product" or "service" only apply to products and services intended for, or required by, a customer.
NOTE 2 Statutory and regulatory requirements can be expressed as legal requirements.

1 Scope (ISO 21001:2018)
This document specifies requirements for a management system for educational organizations (EOMS) when such an organization:
a) needs to demonstrate its ability to support the acquisition and development of competence through teaching, learning or research;
b) aims to enhance satisfaction of learners, other beneficiaries and staff through the effective application of its EOMS, including processes for improvement of the system and assurance of conformity to the requirements of learners and other beneficiaries.
All requirements of this document are generic and intended to be applicable to any organization that uses a curriculum to support the development of competence through teaching, learning or research, regardless of the type, size or method of delivery. This document can be applied to educational organizations within larger organizations whose core business is not education, such as professional training departments. This document does not apply to organizations that only produce or manufacture educational products.

2 Normative references (ISO/IEC 27001:2013)
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

2 Normative references (ISO 37001:2016)
There are no normative references in this standard.

2 Normative references (ISO 9001:2015)
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 9000:2015, Quality management systems — Fundamentals and vocabulary

2 Normative references (ISO 21001:2018)
There are no normative references in this document.

3 Terms and definitions (ISO/IEC 27001:2013)
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

3 Terms and definitions (ISO 37001:2016)
For the purposes of this standard, the following terms and definitions apply.

3 Terms and definitions (ISO 9001:2015)
For the purposes of this document, the terms and definitions given in ISO 9000:2015 apply.

3 Terms and definitions (ISO 21001:2018)
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses (ISO 21001:2018):
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

ISO and IEC maintain terminological databases for use in standardization at the following addresses (ISO 37001:2016):
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

Terms and definitions (ISO 37001:2016)

3.1 bribery
offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance (3.16) of that person's duties
NOTE 1 to entry: The above is a generic definition. The meaning of the term "bribery" is as defined by the anti-bribery law applicable to the organization (3.2) and by the anti-bribery management system (3.5) designed by the organization.

3.2 organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.11)
NOTE 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
NOTE 2 to entry: For organizations with more than one operating unit, one or more of the operating units can be defined as an organization.

3.3 interested party (preferred term), stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision or activity
NOTE 1 to entry: A stakeholder can be internal or external to the organization.

3.4 requirement
need that is stated and obligatory
NOTE 1 to entry: The core definition of "requirement" in ISO management system standards is "need or expectation that is stated, generally implied or obligatory". "Generally implied requirements" are not applicable in the context of anti-bribery management.
NOTE 2 to entry: "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
NOTE 3 to entry: A specified requirement is one that is stated, for example in documented information.

3.5 management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.10) and objectives (3.11) and processes (3.15) to achieve those objectives
NOTE 1 to entry: A management system can address a single discipline or several disciplines.
NOTE 2 to entry: The management system elements include the organization's structure, roles and responsibilities, planning and operation.
NOTE 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
4 Context of the organization

4.1 Understanding the organization and its context (ISO/IEC 27001:2013)
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].

4.1 Understanding the organization and its context (ISO 37001:2016)
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the objectives of its anti-bribery management system. These issues will include, without limitation, the following factors:
a) the size, structure and delegated decision-making authority of the organization;
b) the locations and sectors in which the organization operates or anticipates operating;
c) the nature, scale and complexity of the organization's activities and operations;
d) the organization's business model;
e) the entities over which the organization has control and entities which exercise control over the organization;
f) the organization's business associates;
g) the nature and extent of interactions with public officials;
h) applicable statutory, regulatory, contractual and professional obligations and duties.
NOTE An organization has control over another organization if it directly or indirectly controls the management of the organization (see A.13.1.3).

4.1 Understanding the organization and its context (ISO 9001:2015)
The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system. The organization shall monitor and review information about these external and internal issues.
NOTE 1 Issues can include positive and negative factors or conditions for consideration.
NOTE 2 Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.
NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture, knowledge and performance of the organization.

4.1 Understanding the organization and its context (ISO 21001:2018)
The organization shall determine external and internal issues that are relevant to its purpose, its social responsibility and its strategic direction, and that affect its ability to achieve the intended outcomes of its EOMS. The organization shall monitor and review information about these external and internal issues.
NOTE 1 Issues can include positive and negative factors or conditions for consideration.
NOTE 2 Understanding the external context can be facilitated by considering issues arising from technological, competitive, market, cultural, social, political, economic and environmental factors, whether international, national, regional or local.
NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture, knowledge and performance of the organization.
NOTE 4 Strategic direction can be expressed through documented information such as the organizational mission or vision statement.

4.2 Understanding the needs and expectations of interested parties (ISO/IEC 27001:2013)
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.2 Understanding the needs and expectations of stakeholders (ISO 37001:2016)
The organization shall determine:
a) the stakeholders that are relevant to the anti-bribery management system;
b) the relevant requirements of these stakeholders.
NOTE In identifying the requirements of stakeholders, an organization can distinguish between mandatory requirements and the non-mandatory expectations of, and voluntary commitments to, stakeholders.

4.2 Understanding the needs and expectations of interested parties (ISO 9001:2015)
Due to their effect or potential effect on the organization's ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine:
a) the interested parties that are relevant to the quality management system;
b) the requirements of these interested parties that are relevant to the quality management system.
The organization shall monitor and review information about these interested parties and their relevant requirements.

4.2 Understanding the needs and expectations of interested parties (ISO 21001:2018)
Due to their effect or potential effect on the organization's ability to consistently and sustainably provide educational products and services, the organization shall determine:
a) the interested parties that are relevant to the EOMS;
b) the relevant requirements of these interested parties.
These interested parties shall include:
— learners;
— other beneficiaries;
— staff of the organization.
The organization shall monitor and review information about these interested parties and their relevant requirements.
NOTE Annex C gives a classification of interested parties in educational organizations.

4.3 Determining the scope of the information security management system (ISO/IEC 27001:2013)
The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.

4.3 Determining the scope of the anti-bribery management system (ISO 37001:2016)
The organization shall determine the boundaries and applicability of the anti-bribery management system to establish its scope. When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) the results of the bribery risk assessment referred to in 4.5.
The scope shall be available as documented information.
NOTE See Clause A.2 for guidance.

4.3 Determining the scope of the quality management system (ISO 9001:2015)
The organization shall determine the boundaries and applicability of the quality management system to establish its scope. When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in 4.2;
c) the products and services of the organization.
The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system. The scope of the organization's quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system. Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization's ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.

4.3 Determining the scope of the management system for educational organizations (ISO 21001:2018)
The organization shall determine the boundaries and applicability of the EOMS to establish its scope. When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in 4.2;
c) the products and services of the organization.
The organization shall apply all the requirements of this document if they are applicable within the determined scope of its EOMS. The scope of the EOMS shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this document that the organization determines is not applicable to its EOMS. Conformity to this document may only be claimed if the requirements determined as not being applicable do not affect the organization's ability or responsibility to ensure the conformity of its products and services and the enhancement of learners' and other beneficiaries' satisfaction. All products and services provided to learners by an educational organization shall be included within the scope of this EOMS.

4.4 Information security management system (ISO/IEC 27001:2013)
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

4.4 Anti-bribery management system (ISO 37001:2016)
The organization shall establish, document, implement, maintain and continually review and, where necessary, improve an anti-bribery management system, including the processes needed and their interactions, in accordance with the requirements of this standard. The anti-bribery management system shall contain measures designed to identify and evaluate the risk of, and to prevent, detect and respond to, bribery.
NOTE 1 It is not possible to completely eliminate the risk of bribery, and no anti-bribery management system will be capable of preventing and detecting all bribery.
The anti-bribery management system shall be reasonable and proportionate, taking into account the factors referred to in 4.3.
NOTE 2 See Clause A.3 for guidance.

4.4 Quality management system and its processes (ISO 9001:2015)
4.4.1 The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;
g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h) improve the processes and the quality management system.
4.4.2 To the extent necessary, the organization shall:
a) maintain documented information to support the operation of its processes;
b) retain documented information to have confidence that the processes are being carried out as planned.

4.5 Bribery risk assessment (ISO 37001:2016)
4.5.1 The organization shall undertake regular bribery risk assessment(s) which shall:
a) identify the bribery risks the organization might reasonably anticipate given the factors listed in 4.1;
b) analyse, assess and prioritize the identified bribery risks;
c) evaluate the suitability and effectiveness of the organization's existing controls to mitigate the assessed bribery risks.
4.5.2 The organization shall establish criteria for evaluating its level of bribery risk, which shall take into account the organization's policies and objectives.
4.5.3 The bribery risk assessment shall be reviewed:
a) on a regular basis so that changes and new information can be properly assessed based on timing and frequency defined by the organization;
b) in the event of a significant change to the structure or activities of the organization.
4.5.4 The organization shall retain documented information that demonstrates that the bribery risk assessment has been conducted and used to design or improve the anti-bribery management system.
NOTE See Clause A.4 for guidance.

5 Leadership

5.1 Leadership and commitment (ISO/IEC 27001:2013)
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.1 Leadership and commitment (ISO 37001:2016)
5.1.1 Governing body
When the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system by:
a) approving the organization's anti-bribery policy;
b) ensuring that the organization's strategy and anti-bribery policy are aligned;
c) at planned intervals receiving and reviewing information about the content and operation of the organization's anti-bribery management system;
d) requiring that adequate and appropriate resources needed for effective operation of the anti-bribery management system are allocated and assigned;
e) exercising reasonable oversight over the implementation of the organization's anti-bribery management system by top management and its effectiveness.
These activities shall be carried out by top management if the organization does not have a governing body.

5.1 Leadership and commitment (ISO 9001:2015)
5.1.1 General
Top management shall demonstrate leadership and commitment with respect to the quality management system by:
a) taking accountability for the effectiveness of the quality management system;
b) ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;
c) ensuring the integration of the quality management system requirements into the organization's business processes;
d) promoting the use of the process approach and risk-based thinking;
e) ensuring that the resources needed for the quality management system are available;
f) communicating the importance of effective quality management and of conforming to the quality management system requirements;
g) ensuring that the quality management system achieves its intended results;
h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;
i) promoting improvement;
j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to "business" in this International Standard can be interpreted broadly to mean those activities that are core to the purposes of the organization's existence, whether the organization is public, private, for profit or not for profit.
ISO/IEC 27001:2013 ISO 37001:2016 ISO 9001:2015 ISO/IEC 20000-1:2018

5.1.2 Top management (ISO 37001:2016)
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system by:
a) ensuring that the anti-bribery management system, including policy and objectives, is established, implemented, maintained and reviewed to adequately address the organization's bribery risks;
b) ensuring the integration of the anti-bribery management system requirements into the organization's processes;
c) deploying adequate and appropriate resources for the effective operation of the anti-bribery management system;
d) communicating internally and externally regarding the anti-bribery policy;
e) communicating internally the importance of effective anti-bribery management and of conforming to the anti-bribery management system requirements;
f) ensuring that the anti-bribery management system is appropriately designed to achieve its objectives;
g) directing and supporting personnel to contribute to the effectiveness of the anti-bribery management system;
h) promoting an appropriate anti-bribery culture within the organization;
i) promoting continual improvement;
j) supporting other relevant management roles to demonstrate their leadership in preventing and detecting bribery as it applies to their areas of responsibility;
k) encouraging the use of reporting procedures for suspected and actual bribery (see 8.9);
l) ensuring that no personnel will suffer retaliation, discrimination or disciplinary action (see 7.2.2.1 d)) for reports made in good faith or on the basis of a reasonable belief of violation or suspected violation of the organization's anti-bribery policy, or for refusing to engage in bribery, even if such refusal can result in the organization losing business (except where the individual participated in the violation);
m) at planned intervals, reporting to the governing body (if any) on the content and operation of the anti-bribery management system and of allegations of serious or systematic bribery.
NOTE See Clause A.5 for guidance.

5.1.2 Customer focus (ISO 9001:2015)
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) customer and applicable statutory and regulatory requirements are determined, understood and consistently met;
b) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;
c) the focus on enhancing customer satisfaction is maintained.
5.2 Policy (ISO/IEC 27001:2013)
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.4) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

5.2 Anti-bribery policy (ISO 37001:2016)
Top management shall establish, maintain and review an anti-bribery policy that:
a) prohibits bribery;
b) requires compliance with anti-bribery laws that are applicable to the organization;
c) is appropriate to the purpose of the organization;
d) provides a framework for setting, reviewing and achieving anti-bribery objectives;
e) includes a commitment to satisfy anti-bribery management system requirements;
f) encourages raising concerns in good faith or on the basis of a reasonable belief in confidence without fear of reprisal;
g) includes a commitment to continual improvement of the anti-bribery management system;
h) explains the authority and independence of the anti-bribery compliance function;
i) explains the consequences of not complying with the anti-bribery policy.
The anti-bribery policy shall:
— be available as documented information;
— be communicated in appropriate languages within the organization and to business associates who pose more than a low risk of bribery;
— be available to relevant stakeholders, as appropriate.

5.2 Policy (ISO 9001:2015)
5.2.1 Developing the quality policy
Top management shall establish, implement and maintain a quality policy that:
a) is appropriate to the purpose and context of the organization and supports its strategic direction;
b) provides a framework for setting quality objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the quality management system.
5.2.2 Communicating the quality policy
The quality policy shall:
a) be available and be maintained as documented information;
b) be communicated, understood and applied within the organization;
c) be available to relevant interested parties, as appropriate.

5.2 Policy (ISO/IEC 20000-1:2018)
5.2.1 Establishing the service management policy
Top management shall establish a service management policy that:
a) is appropriate to the purpose of the organization;
b) provides a framework for setting service management objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the SMS and the services.
5.2.2 Communicating the service management policy
The service management policy shall:
a) be available as documented information;
b) be communicated within the organization;
c) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities (ISO/IEC 27001:2013)
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.
NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.

5.3 Organizational roles, responsibilities and authorities (ISO 37001:2016)
5.3.1 Roles and responsibilities
Top management shall have overall responsibility for the implementation of, and compliance with, the anti-bribery management system, as described in 5.1.2. Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within and throughout every level of the organization.
Managers at every level shall be responsible for requiring that the anti-bribery management system requirements are applied and complied with in their department or function.
The governing body (if any), top management and all other personnel shall be responsible for understanding, complying with and applying the anti-bribery management system requirements, as they relate to their role in the organization.
5.3.2 Anti-bribery compliance function
Top management shall assign to an anti-bribery compliance function the responsibility and authority for:
a) overseeing the design and implementation by the organization of the anti-bribery management system;
b) providing advice and guidance to personnel on the anti-bribery management system and issues relating to bribery;
c) ensuring that the anti-bribery management system conforms to the requirements of this standard;
d) reporting on the performance of the anti-bribery management system to the governing body (if any) and top management and other compliance functions, as appropriate.
The anti-bribery compliance function shall be adequately resourced and assigned to person(s) who have the appropriate competence, status, authority and independence.
The anti-bribery compliance function shall have direct and prompt access to the governing body (if any) and top management in the event that any issue or concern needs to be raised in relation to bribery or the anti-bribery management system.
Top management can assign some or all of the anti-bribery compliance function to persons external to the organization. If it does, top management shall ensure that specific personnel have responsibility for, and authority over, those externally assigned parts of the function.
NOTE See Clause A.6 for guidance.
5.3.3 Delegated decision-making
Where top management delegates to personnel the authority for the making of decisions in relation to which there is more than a low risk of bribery, the organization shall establish and maintain a decision-making process or set of controls which requires that the decision process and the level of authority of the decision-maker(s) are appropriate and free of actual or potential conflicts of interest.

5.3 Organizational roles, responsibilities and authorities (ISO 9001:2015)
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.
Top management shall assign the responsibility and authority for:
a) ensuring that the quality management system conforms to the requirements of this International Standard;
b) ensuring that the processes are delivering their intended outputs;
c) reporting on the performance of the quality management system and on opportunities for improvement (see 10.1), in particular to top management;
d) ensuring the promotion of customer focus throughout the organization;
e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

5.3 Organizational roles, responsibilities and authorities (ISO/IEC 20000-1:2018)
Top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization.
Top management shall assign the responsibility and authority for:
a) ensuring that the SMS conforms to the requirements of this document;
b) reporting on the performance of the SMS and the services to top management.
Top management shall ensure that these processes are reviewed periodically as part of its role and responsibility for implementation of, and compliance with, the anti-bribery management system outlined in 5.3.1 NOTE Delegation of decision-making will not exempt top management or the governing body (if any) of their duties and responsibilities as described in 5.1.1, 5.1.2 and 5.3.1, nor does it necessarily transfer to the delegated personnel potential legal responsibilities. 5.4 Control of parties involved in the service lifecycle 6 Planning 6 Planning 6 Planning 6 Planning 6.1 Actions to address risks and opportunities 6.1 Actions to address risks and opportunities 6.1 Actions to address risks and opportunities 6.1 Actions to address risks and opportunities When planning for the anti-bribery management system, the organization shall consider the issues referred to in 4.1, the requirements referred to in 4.2, the risks identified in 4.5, and 6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be 6.1.1 General When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred 6.1.1 When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) give assurance that the SMS can achieve its intended outcome(s); b) prevent, or reduce, undesired effects; c) achieve continual improvement of the SMS and the services. to in 4.2 and determine the risks and opportunities that need to be addressed to: a) ensure the information security management system can achieve its intended outcome(s); b) prevent, or reduce, undesired effects; and c) achieve continual improvement. 
The organization shall plan: d) actions to address these risks and opportunities; and e) how to 1) integrate and implement the actions into its information security management system processes; and 2) evaluate the effectiveness of these actions. 6.1.2 Information security risk assessment The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: 1) the risk acceptance criteria; and 2) criteria for performing information security risk assessments; opportunities for improvement that need to be addressed to: a) give reasonable assurance that the anti- bribery management system can achieve its objectives; b) prevent, or reduce, undesired effects relevant to the anti-bribery policy and objectives; c) monitor the effectiveness of the anti- bribery management system; d) achieve continual improvement. The organization shall plan: ó actions to address these bribery risks and opportunities for improvement; ó how to: ó integrate and implement these actions into its anti-bribery management system processes; ó evaluate the effectiveness of these actions.. addressed to: a) give assurance that the quality management system can achieve its intended result(s); b) enhance desirable effects; c) prevent, or reduce, undesired effects; d) achieve improvement. 6.1.2 The organization shall plan: a) actions to address these risks and opportunities; b) how to: 1) integrate and implement the actions into its quality management system processes (see 4.4); 2) evaluate the effectiveness of these actions. Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services. NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision. 
NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new clients, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs. 6.1.2. The organization shall determine and document: a) risks related to: 1) the organization; 2) not meeting the service requirements; 3) the involvement of other parties in the service lifecycle; b) the impact on customers of risks and opportunities for the SMS and the services; c) risk acceptance criteria; d) approach to be taken for the management of risks. 6.1.3 The organization shall plan: a) actions to address these risks and opportunities and their priorities; b) how to: 1) integrate and implement the actions into its SMS processes; 2) evaluate the effectiveness of these actions. NOTE 1 Options to address risks and opportunities can include: avoiding the risk, taking or increasing the risk in order to pursue an opportunity, removing the risk source, changing the likelihood or consequence of the risk, mitigating the risk through agreed actions, sharing the risk with another party or accepting the risk by informed decision. NOTE 2 ISO 31000 provides principles and generic guidance on risk management. 
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results; c) identifies the information security risks: 1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and 2) identify the risk owners; d) analyses the information security risks: 1) assess the potential consequences that would result if the risks identified in 6...4 c) 1) were to materialize; 2) assess the realistic liPelihood of the occurrence of the risks identified in 6...4 c) .); and 3) determine the levels of risk; e) evaluates the information security risks: 1) .) compare the results of risk analysis with the risk criteria established in 6...4a); and 2) prioritize the analysed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process. 6.1.3 Information security risk treatment The organization shall define and apply an information security risk treatment process to: a) select appropriate information security risk treatment options, taking account of the risk assessment results; b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen; NOTE Organizations can design controls as required, or identify them from any source. c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted; NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooPed. NOTE 4 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. 
d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; e) formulate an information security risk treatment plan; and f ) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. The organization shall retain documented information about the information security risk treatment process. NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5]. 6.2 Information security objectives and planning to achieve them 6.2 Anti-bribery objectives and planning to achieve them The organization shall establish antibribery management system 6.2 Quality objectives and planning to achieve them 6.2.1 The organization shall establish quality objectives at relevant functions, levels and processes needed 6.2 Service management objectives and planning to achieve them 6.2.1 Establish objectives The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: The organization shall establish information security objectives at relevant functions and levels. objectives at relevant functions and levels. The anti-bribery management system objectives shall: The information security objectives shall: a) be consistent with the information security policy; b) be measurable (if practicable); c) take into account applicable information security requirements, and results from risk assessment and risk treatment; d) be communicated; and e)be updated as appropriate. The organization shall retain documented information on the information security objectives. 
a) be consistent with the anti-bribery policy; b) be measurable (if practicable); c) take into account applicable factors referredto in 4.1, the requirements referred to in 4.2 and the bribery risks identified in 4.5; d) be achievable; e) be monitored; f) be communicated in accordance with 7.4; g) be updated as appropriate. The organization shall retain documented information on the antibribery management system objectives. When planning how to achieve its When planning how to achieve its anti- bribery management system information security objectives, objectives, the organization shall the organization shall determine: determine: ó what will be done; ó what resources will be required; f ) what will be done; ó who will be responsible; g) what resources will be ó when the objectives will be required; achieved; h) who will be responsible; i) when it will be completed; and ó how the results will be evaluated and reported; j) how the results will be ó who will impose sanctions or evaluated. penalties for the quality management system. The quality objectives shall: a) be consistent with the quality policy; b) be measurable; c) take into account applicable requirements; d) be relevant to conformity of products and services and to enhancement of customer satisfaction; e) be monitored; f) be communicated; g) be updated as appropriate. The organization shall maintain documented information on the quality objectives. 6.2.2 When planning how to achieve its quality objectives, the organization shall determine: a) what will be done; b) what resources will be required; c) who will be responsible; d) when it will be completed; e) how the results will be evaluated. 6.3 Planning of changes When the organization determines the need for changes to the quality management system, the changes a) be consistent with the service management policy; b) be measurable; c) take into account applicable requirements; d) be monitored; e) be communicated; f) be updated as appropriate. 
The organization shall retain documented information on the service management objectives. 6.2.2 Plan to achieve objectives When planning how to achieve its service management objectives, the organization shall determine: a) what will be done; b) what resources will be required; c) who will be responsible; d) when it will be completed; e) how the results will be evaluated. 6.3 Plan the service management system The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and shall be carried out in a planned manner (see 4.4).. The organization shall consider: a) the purpose of the changes and their potential consequences; b) the integrity of the quality management system; c) the availability of resources; d) the allocation or reallocation of responsibilities and authorities. 7 Support 7 Support 7.1 Resources 7.1 Resources The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. 7 Support 7.1 Resources 7.1.1 General The organization shall determine and The organization shall determine and provide the resources needed for the provide the resources needed for the establishment, implementation, establishment, maintenance and continual implementation, maintenance and improvement of the anti-bribery continual improvement of the quality management system. management system. The organization shall consider: NOTE See Clause A.7 for guidance. a) the capabilities of, and constraints on, existing internal resources; b) what needs to be obtained from external providers. 7.1.2 People The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes. 
opportunities, service requirements and requirements specified in this document. The service management plan shall include or contain a reference to: a) list of services; b) known limitations that can impact the SMS and the services; c) obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; d) authorities and responsibilities for the SMS and the services; e) human, technical, information and financial resources necessary to operate the SMS and the services; f) approach to be taken for working with other parties involved in the service lifecycle; g) technology used to support the SMS; h) how the effectiveness of the SMS and the services will be measured, audited, reported and improved. Other planning activities shall maintain alignment with the service management plan. 7 Support of the service management system 7.1 Resources The organization shall determine and provide the human, technical, information and financial resourcesneeded for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. 7.1.3 Infrastructure The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services. NOTE Infrastructure can include: a) buildings and associated utilities; b) equipment, including hardware and software; c) transportation resources; d) information and communication technology. 7.1.4 Environment for the operation of processes The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services. NOTE A suitable environment can be a combination of human and physical factors, such as: a) social (e.g. 
non-discriminatory, calm, non-confrontational); b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective); c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise). These factors can differ substantially depending on the products and services provided. 7.1.5 Monitoring and measuring resources 7.1.5.1 General The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements. The organization shall ensure that the resources provided: a) are suitable for the specific type of monitoring and measurement activities being undertaken; b) are maintained to ensure their continuing fitness for their purpose. The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources. 7.1.5.2 Measurement traceability When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be: a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information; b) identified in order to determine their status; c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results. The organization shall determine if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary. 
7.1.6 Organizational knowledge The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. This knowledge shall be maintained and be made available to the extent necessary. When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates. NOTE 1 Organizational knowledge is knowledge specific to the organization; it is gained by experience. It is information that is used and shared to achieve the organization’s objectives. NOTE 2 Organizational knowledge can be based on: a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented 7.2 Competence The organization shall: a) determine the necessary competence of person(s) doing worP under its control that affects its information security performance; b) ensure that these persons are competent on the basis of appropriate education, training, or experience; c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and d) retain appropriate documented information as evidence of competence. NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. 
7.2 Competence 7.2.1 General The organization shall: a) determine the necessary competence of person(s) doing work under its control that affects its antibribery performance; b) ensure that these persons are competent on the basis of appropriate education, training, or experience; c) where applicable, take actions to acquire and maintain the necessary competence, and evaluate the effectiveness of the actions taken; d) retain appropriate documented information as evidence of competence. NOTE Applicable actions can include, for example, the provision of training to, the coaching of, or the reassignment of personnel or business associates; or the hiring or contracting of the same. 7.2.2 Employment process knowledge and experience; the results of improvements in processes, products and services); b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers). 7.2 Competence 7.2 Competence The organization shall: a) determine the necessary competence of persons doing work under its The organization shall: control that affects the performance and effectiveness of the SMS and a) determine the necessary the services; competence of person(s) doing work b) ensure that these persons are competent on the basis of appropriate under its control that affects the education, training or experience; performance and effectiveness of the c) where applicable, take actions to acquire the necessary competence quality management system; and evaluate the effectiveness of the actions taken; b) ensure that these persons are d) retain appropriate documented information as evidence of competent on the basis of appropriate competence. education, training, or experience; NOTE Applicable actions can include, for example: the provision of c) where applicable, take actions to training to, the mentoring of, or the reassignment of currently acquire the necessary competence, employed persons; or the hiring or contracting of competent persons. 
and evaluate the effectiveness of the actions taken; d) retain appropriate documented information as evidence of competence. NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons. 7.2.2.1 In relation to all of its personnel, the organization shall implement procedures such that: a) conditions of employment require personnel to comply with the antibribery policy and anti-bribery management system, and give the organization the right to discipline personnel in the event of noncompliance; b) within a reasonable period of their employment commencing, personnel receive a copy of, or are provided with access to, the anti-bribery policy and training in relation to that policy; c) the organization has procedures which enable it to take appropriate disciplinary action against personnel who violate the anti-bribery policy or anti-bribery management system; and d) personnel will not suffer retaliation, discrimination or disciplinary action (e.g. by threats, isolation, demotion, preventing advancement, transfer, dismissal, bullying, victimization, or other forms of harassment) for: 1) refusing to participate in, or for turning down, any activity in respect of which they have reasonably judged there to be a more than low risk of bribery which has not been mitigated by the organization; or 2) concerns raised or reports made in good faith, or on the basis of a reasonable belief, of attempted, actual or suspected bribery or violation of the anti-bribery policy or the anti-bribery management system (except where the individual participated in the violation). 
7.2.2.2 In relation to all positions which are exposed to more than a low bribery risk as determined in the bribery risk assessment (see 4.5), and to the anti-bribery compliance function the organization shall implement procedures which provide that: a) due diligence (see 8.2) is conducted on persons before they are employed, and on personnel before they are transferred or promoted by the organization, to ascertain as far as is reasonable that it is appropriate to employ or redeploy them and that it is reasonable to believe that they will comply with the anti-bribery policy and anti-bribery management system requirements; b) performance bonuses, performance targets and other incentivizing elements of remuneration are reviewed periodically to verify that there are reasonable safeguards in place to prevent them from encouraging bribery; c) such personnel, top management, and the governing body (if any), file a declaration at reasonable intervals proportionate with the identified bribery risk, confirming their compliance with the anti-bribery policy. NOTE 1 The anti-bribery compliance declaration can stand alone or be a component of a broader compliance declaration process. NOTE 2 See Clause A.8 for guidance. ISO/IEC 27001:2013 7.3 Awareness ISO 37001:2016 7.3 Awareness and training ISO 9001:2015 7.3 Awareness ISO/IEC 20000-1:2018 7.3 Awareness Persons doing worP under the organization's control shall be aware of: a) the information security policy; b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and c) the implications of not conforming with the information security management system requirements. The organization shall provide adequate and appropriate anti-bribery awareness and training to personnel. 
Such training shall address the following issues, as appropriate, taking into account the results of the bribery risk assessment (see 4.5): a) the organization’s anti-bribery policy, procedures and anti-bribery management system, and their duty to comply; b) the bribery risk and the damage to them and the organization which can result from bribery; c) the circumstances in which bribery can occur in relation to their duties, and how to recognize these circumstances; d) how to recognize and respond to solicitations or offers of bribes; e) how they can help prevent and avoid bribery and recognize key bribery risk indicators; f) their contribution to the effectiveness of the anti-bribery management system, including the benefits of improved anti-bribery performance and of reporting suspected bribery; g) the implications and potential consequences of not conforming with the anti-bribery management system requirements; h) how and to whom they are able to report any concerns (see 8,9); i) information on available training and resources. Personnel shall be provided with antibribery awareness and training on a The organization shall ensure that persons doing work under the organization’s control are aware of: a) the quality policy; b) relevant quality objectives; c) their contribution to the effectiveness of the quality management system, including the benefits of improved performance; d) the implications of not conforming with the quality management system requirements. Persons doing work under the organization’s control shall be aware of: a) the service management policy; b) the service management objectives; c) the services relevant to their work; d) their contribution to the effectiveness of the SMS, including the benefits of improved performance; e) the implications of not conforming with the SMS requirements. 
ISO/IEC 27001:2013 ISO 37001:2016 regular basis (at planned intervals determined by the organization), as appropriate to their roles, the risks of bribery to which they are exposed, and any changing circumstances. The awareness and training programmes shall be periodically updated as necessary to reflect relevant new information. Taking into account the bribery risks identified (see 4.5), the organization shall also implement procedures addressing anti-bribery awareness and training for business associates acting on its behalf or for its benefit, and which could pose more than a low bribery risk to the organization. These procedures shall identify the business associates for which such awareness and training is necessary, its content, and the means by which the training shall be provided. ISO 9001:2015 ISO/IEC 20000-1:2018 7.4 Communication 7.4 Communication The organization shall retain documented information on the training procedures, the content of the training, and when and to whom it was provided. NOTE 1 The awareness and training requirements for business associates can be communicated through contractual or similar requirements, and be implemented by the organization, the business associate or by other parties appointed for that purpose. 7.4 Communication NOTE 2 See Clause A.9 for guidance. 7.4 Communication The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) who shall communicate; and e) the processes by which communication shall be effected. 
7.5 Documented information 7.4.1 The organization shall determine the internal and external communications relevant to the antibribery management system including: a) on what it will communicate; b) when to communicate; c) with whom to communicate; d) how to communicate; e) who will communicate; f) the languages in which to communicate 7.4.2 The anti-bribery policy shall be made available to all the organization’s personnel and business associates, be communicated directly to both personnel and business associates who pose more than a low risk of bribery, and shall be published through the organization’s internal and external communication channels, as appropriate. 7.5 Documented Information 7.5 Documented information 7.5 Documented information 7.5.1 General 7.5.1 General 7.5.1 General 7.5.1 General The organization's information security management system shall include: a) documented information required by this International Standard; and b) documented information determined by the organization as being necessary for the effectiveness of the information security management system. The organization’s anti-bribery management system shall include: a) documented information required by this standard; b) documented information determined by the organization as being necessary for the effectiveness of the anti-bribery management system. The organization’s quality management system shall include: a) documented information required by this International Standard; b) documented information determined by the organization as being necessary for the effectiveness of the quality management system. The organization’s SMS shall include: a) documented information required by this document; b) documented information determined by the organization as being necessary for the effectiveness of the SMS. 
NOTE The extent of documented information for an SMS can differ from one organization to another due to: — the size of organization and its type of activities, processes, products and services; — the complexity of processes, services and their interfaces; — the competence of persons. NOTE The extent of documented information for an information security management system can NOTE 1 The extent of documented information for an anti-bribery management system can differ from one organization to another due to: The organization shall determine the internal and external communications relevant to the quality management system, including: a) on what it will communicate; b) when to communicate; c) with whom to communicate; d) how to communicate; e) who communicates. NOTE The extent of documented information for a quality management system can differ from one organization to another due to: — the size of organization and its type of activities, processes, products and services; The organization shall determine the internal and external communications relevant to the SMS and the services including: a) on what it will communicate; b) when to communicate; c) with whom to communicate; d) how to communicate; e) who will be responsible for the communication. differ from one organization to another due to: 1) the size of organization and its type of activities, processes, products and services; 2) the complexity of processes and their interactions; and 3) the competence of persons. — the size of organization and its type of activities, processes, products and services; — the complexity of processes and their interactions; — the complexity of processes and their interactions; — the competence of persons. — the competence of personnel. NOTE 2 Documented information can be retained separately as part of the anti-bribery management system, or can be retained as part of other management systems (e.g. compliance, financial, commercial, audit). NOTE 3 See Clause A.17 for guidance. 
7.5.2 Creating and updating 7.5.2 Creating and updating 7.5.2 Creating and updating documented information When creating and updating documented information the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and c) review and approval for suitability and adequacy When creating and updating documented information the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); c) review and approval for suitability and adequacy. When creating and updating documented information, the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); c) review and approval for suitability and adequacy. When creating and updating documented information, the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author or reference number); b) format (e.g. language, software version, graphics) and media (e.g. 
paper, electronic); c) review and approval for suitability and adequacy 7.5.3 Control of documented information 7.5.3 Control of documented information 7.5.3 Control of documented information 7.5.2 Creating and updating Documented information required by the information security management system and by this International Standard shall be controlled to ensure: 7.5.3 Control of documented information 7.5.3.1 Documented information required by the SMS and by this document shall be controlled to ensure: a) it is available and suitable for use, where and when it is needed; Documented information required by 7.5.3.1 Documented information b) it is adequately protected (e.g. from loss of confidentiality, improper the anti-bribery management system required by the quality management use or loss of integrity). and by this standard shall be system and by this International 7.5.3.2 For the control of documented information, the organization controlled to ensure: Standard shall be controlled to ensure: shall address the following activities, as applicable: a) it is available and suitable for use, a) it is available and suitable for use, a) distribution, access, retrieval and use; where and when it is needed; where and when it is needed; b) storage and preservation, including preservation of legibility; a) it is available and suitable for use, where and when it is needed; and b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). For the control of documented information, the organization shall address the following activities, as applicable: c) distribution, access, retrieval and use; d) storage and preservation, including the preservation of legibility; e) control of changes (e.g. version control); and f) retention and disposition. 
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). For the control of documented information, the organization shall address the following activities, as applicable: — distribution, access, retrieval and use; — storage and preservation, including preservation of legibility; — control of changes (e.g. version control); — retention and disposition. Documented information of external origin determined by the organization to be necessary for the planning and operation of the anti-bribery management system shall be identified as appropriate, and controlled. 7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable: a) distribution, access, retrieval and use; b) storage and preservation, including preservation of legibility; c) control of changes (e.g. version control); d) retention and disposition. Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled. Documented information retained as evidence of conformity shall be protected from unintended alterations. NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information. 
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information. c) control of changes (e.g. version control); d) retention and disposition. Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information. 7.5.4 Service management system documented information The documented information for the SMS shall include: a) scope of the SMS; b) policy and objectives for service management; c) service management plan; d) change management policy, information security policy and service continuity plan(s); e) processes of the organization’s SMS; f) service requirements; g) service catalogue(s); h) service level agreement(s) (SLA); i) contracts with external suppliers; j) agreements with internal suppliers or customers acting as a supplier; k) procedures that are required by this document; l) records required to demonstrate evidence of conformity to the requirements of this document and the organization’s SMS. NOTE Clause 7.5.4 provides a list of the key documents for an SMS. There are other specified requirements in this document for information to be held as documented information, to be documented or to be recorded. ISO/IEC 20000-2 provides additional guidance. 7.6 Knowledge The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. The knowledge shall be relevant, usable and available to appropriate persons. 
8 Operation 8 Operation 8 Operation 8.1 Operational planning and control 8.1 Operational planning and control 8.1 Operational planning and control The organization shall plan, implement, review and control the processes needed to meet requirements of the anti-bribery management system, and to implement the actions determined in 6.1, by: a) establishing criteria for the processes; b) implementing control of the processes in accordance with the criteria; c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by: a) determining the requirements for the products and services; b) establishing criteria for: 1) the processes; 2) the acceptance of products and services; c) determining the resources needed to achieve conformity to the product and service requirements; d) implementing control of the processes in accordance with the criteria; e) determining and keeping documented information to the extent necessary: 1) to have confidence that the processes have been carried out as planned; 2) to demonstrate the conformity of products and services to their requirements. The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.4. The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. These processes shall include the specific controls referred to in 8.2 to 8.10. 
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are controlled. NOTE The core text of ISO management system standards NOTE “Keeping” implies both the maintaining and the retaining of documented information. The output of this planning shall be NOTE Knowledge is specific to the organization, its SMS, services and interested parties. Knowledge is used and shared to support the achievement of the intended outcome(s) and the operation of the SMS and the services. 8 Operation of the service management system 8.1 Operational planning and control The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: a) establishing performance criteria for the processes based on requirements; b) implementing control of the processes in accordance with the established performance criteria; c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). The organization shall ensure that outsourced processes are controlled (see 8.2.3). contains a requirement in relation to outsourcing, which is not used in this standard, as outsourcing providers are included within the definition of business associate. 
8.2 Information security risk assessment The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organization shall retain documented information of the results of the information security risk assessments. 8.2 Due diligence Where the organization's bribery risk assessment, as conducted in 4.5, has assessed a more than low bribery risk in relation to: a) specific categories of transactions, projects or activities, b) planned or on-going relationships with specific categories of business associates, or c) specific categories of personnel in certain positions (see 7.2.2.2), the organization shall assess the nature and extent of the bribery risk in relation to specific transactions, projects, activities, business associates and personnel falling within those categories. This assessment shall include any due diligence necessary to obtain sufficient information to assess the bribery risk. The due diligence shall be updated at a defined frequency, so that changes and new information can be properly taken into account. NOTE 1 The organization can conclude that it is unnecessary, unreasonable or disproportionate to undertake due suitable for the organization’s operations. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are controlled (see 8.4). 
8.2 Requirements for products and services 8.2.1 Customer communication Communication with customers shall include: a) providing information relating to products and services; b) handling enquiries, contracts or orders, including changes; c) obtaining customer feedback relating to products and services, including customer complaints; d) handling or controlling customer property; e) establishing specific requirements for contingency actions, when relevant. 8.2.2 Determining the requirements related to products and services When determining the requirements for the products and services to be offered to customers, the organization shall ensure that: a) the requirements for the products and services are defined, including: 1) any applicable statutory and regulatory requirements; 2) those considered necessary by the 8.2 Service portfolio 8.2.1 Service delivery The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. NOTE A service portfolio is used to manage the entire lifecycle of all services including proposed services, those in development, live services defined in the service catalogue(s) and services that are to be removed. The management of the service portfolio ensures that the service provider has the right mix of services. Service portfolio activities in this document include planning the services, control of parties involved in the service lifecycle, service catalogue management, asset management and configuration management. 8.2.2 Plan the services The service requirements for existing services, new services and changes to services shall be determined and documented. The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. 
The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. diligence on certain categories of personnel and business associate. NOTE 2 The factors listed in a), b) and c) above are not exhaustive. organization; b) the organization can meet the claims for the products and services it offers. 8.2.3 Review of requirements related NOTE 3 See Clause A.10 for guidance. to products and services 8.2.3.1 The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include: a) requirements specified by the customer, including the requirements for delivery and post-delivery activities; b) requirements not stated by the customer, but necessary for the specified or intended use, when known; c) requirements specified by the organization; d) statutory and regulatory requirements applicable to the products and services; e) contract or order requirements differing from those previously expressed. The organization shall ensure that contract or order requirements differing from those previously defined are resolved. The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements. 
8.2.3 Control of parties involved in the service lifecycle 8.2.3.1 The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. The organization shall determine and document: a) services that are provided or operated by other parties; b) service components that are provided or operated by other parties; c) processes, or parts of processes, in the organization’s SMS that are operated by other parties. The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. 8.2.3.2 The organization shall define and apply relevant controls for other parties from the following: a) measurement and evaluation of process performance; b) measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. NOTE ISO/IEC 20000-3 provides guidance on the control of other parties involved in the service lifecycle. 8.2.4 Configuration management 8.2.4 Service catalogue management The organization shall create and maintain one or more service catalogues. 
The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. 8.2.5 Asset management NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues or advertising material. 8.2.3.2 The organization shall retain documented information, as applicable: a) on the results of the review; b) on any new requirements for the products and services. 8.2.4 Changes to requirements for products and services The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed. 8.3 Information security risk treatment The organization shall implement the information security risk treatment plan. 8.3 Financial controls 8.3 Design and development of products and services The organization shall implement financial controls that manage bribery risk. 8.3.1 General The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services. NOTE See Clause A.11 for guidance. The organization shall retain documented information of the results of the information security risk treatment. 8.3.2 Design and development planning In determining the stages and controls for design and development, the The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). NOTE 1 ISO 55001 and ISO/IEC 19770-1 specify requirements to support the implementation and operation of asset and IT asset management. 
NOTE 2 In addition, see configuration management when an asset is also a configuration item (CI). 8.2.6 Configuration management The types of CI shall be defined. Services shall be classified as CIs. Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: a) unique identification; b) type of CI; c) description of the CI; d) relationship with other CIs; e) status. CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. Configuration information shall be made available for other service management activities as appropriate. 8.3 Relationship and agreement 8.3.1 General The organization may use suppliers to: a) provide or operate services; b) provide or operate service components; c) operate processes, or parts of processes, that are in the organization’s SMS. Figure 2 illustrates the usage, agreements and relationships between business relationship management, service level management and supplier management. 
organization shall consider: a) the nature, duration and complexity of the design and development activities; b) the required process stages, including applicable design and development reviews; c) the required design and development verification and validation activities; d) the responsibilities and authorities involved in the design and development process; e) the internal and external resource needs for the design and development of products and services; f) the need to control interfaces between persons involved in the design and development process; g) the need for involvement of customers and users in the design and development process; h) the requirements for subsequent provision of products and services; i) the level of control expected for the design and development process by customers and other relevant interested parties; j) the documented information needed to demonstrate that design and development requirements have been met. 8.3.3 Design and development inputs The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider: a) functional and performance requirements; Figure 2 — Relationships and agreements between parties involved in the service lifecycle NOTE 1 ISO/IEC 20000-3 includes examples of supply chain relationships with their potential applicability and scope. NOTE 2 Supplier management in this document excludes the procurement of suppliers. 8.3.2 Business relationship management The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. The organization shall establish arrangements for communicating with its customers and other interested parties. 
The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. At planned intervals, the organization shall review the performance trends and the outcomes of the services. At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. b) information derived from previous similar design and development activities; c) statutory and regulatory requirements; d) standards or codes of practice that the organization has committed to implement; e) potential consequences of failure due to the nature of the products and services. Inputs shall be adequate for design and development purposes, complete and unambiguous. Conflicting design and development inputs shall be resolved. The organization shall retain documented information on design and development inputs. 
8.3.4 Design and development controls The organization shall apply controls to the design and development process to ensure that: a) the results to be achieved are defined; b) reviews are conducted to evaluate the ability of the results of design and development to meet requirements; c) verification activities are conducted to ensure that the design and development outputs meet the input requirements; d) validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use; e) any necessary actions are taken on problems determined during the reviews, or verification and validation 8.3.3 Service level management The organization and the customer shall agree the services to be delivered. For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. At planned intervals, the organization shall monitor, review and report on: a) performance against service level targets; b) actual and periodic changes in workload compared to workload limits in the SLA(s). Where service level targets are not met, the organization shall identify opportunities for improvement. NOTE Agreement of the services to be delivered between the organization and its customers can take many forms such as a documented agreement, minutes of verbal agreement in a meeting, agreement indicated by email or agreement to terms of service. 8.3.4 Supplier management 8.3.4.1 Management of external suppliers The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. For each external supplier, the organization shall agree a documented contract. 
The contract shall include or contain a reference to: a) scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; b) requirements to be met by the external supplier; c) service level targets or other contractual obligations; d) authorities and responsibilities of the organization and the external supplier. The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. The organization shall define and manage the interfaces with the external supplier. At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual activities; f) documented information of these activities is retained. NOTE Design and development reviews, verification and validation have distinct purposes. They can be conducted separately or in any combination, as is suitable for the products and services of the organization. 8.3.5 Design and development outputs The organization shall ensure that design and development outputs: a) meet the input requirements; b) are adequate for the subsequent processes for the provision of products and services; c) include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria; d) specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision. The organization shall retain documented information on design and development outputs. 8.3.6 Design and development changes The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements. 
The organization shall retain obligations are not met, the organization shall ensure that opportunities for improvement are identified. At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. Disputes between the organization and the external supplier shall be recorded and managed to closure. 8.3.4.2 Management of internal suppliers and customers acting as a supplier For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. 8.4 Non-financial controls The organization shall implement non-financial controls that manage bribery risk with respect to such areas as procurement, operational, sales, commercial, human resources, legal and regulatory activities. documented information on: a) design and development changes; b) the results of reviews; c) the authorization of the changes; d) the actions taken to prevent adverse impacts. 8.4 Control of externally provided processes, products and services 8.4.1 General The organization shall ensure that externally provided processes, products and services conform to requirements. The organization shall determine the NOTE 1 Any particular transaction, controls to be applied to externally activity or relationship can be subject provided processes, products and to financial as well as non-financial services when: controls. 
a) products and services from external providers are intended for NOTE 2 See Clause A.12 for guidance. incorporation into the organization’s own products and services; b) products and services are provided directly to the customer(s) by external providers on behalf of the organization; c) a process, or part of a process, is provided by an external provider as a result of a decision by the organization. The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations. 8.4 Supply and demand 8.4.1 Budgeting and accounting for services The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. Costs shall be budgeted to enable effective financial control and decision-making for services. At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. NOTE Many, but not all, organizations charge for their services. Budgeting and accounting for services in this document excludes charging, to ensure applicability to all organizations. 8.4.2 Demand management At planned intervals, the organization shall: a) determine current demand and forecast future demand for services; b) monitor and report on demand and consumption of services. NOTE Demand management is responsible for understanding current and future customer demand for services. Capacity management works with demand management to plan and provide sufficient capacity to meet the demand. 
8.4.3 Capacity management The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. The organization shall plan capacity to include: a) current and forecast capacity based on demand for services; b) expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; c) timescales and thresholds for changes to service capacity. 8.4.2 Type and extent of control The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers. The organization shall: a) ensure that externally provided processes remain within the control of its quality management system; b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output; c) take into consideration: 1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements; 2) the effectiveness of the controls applied by the external provider; d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements. 8.4.3 Information for external providers The organization shall ensure the adequacy of requirements prior to their communication to the external provider. The organization shall communicate to external providers its requirements The organization shall provide sufficient capacity to meet agreed capacity and performance requirements. The organization shall monitor capacity usage, analyse capacity and performance data and identify opportunities to improve performance. 
8.5 Implementation of anti-bribery controls by controlled organizations and by business associates 8.5.1 The organization shall implement procedures which require that all other organizations over which it has control either: a) implement the organization’s antibribery management system, or b) implement their own anti-bribery controls, in each case only to the extent that is reasonable and proportionate with regard to the bribery risks faced by the controlled organizations, taking into account the bribery risk assessment conducted in accordance with 4.5. NOTE An organization has control over another organization if it directly or indirectly controls the management of the organization (see A.13.1.3). for: a) the processes, products and services to be provided; b) the approval of: 1) products and services; 2) methods, processes and equipment; 3) the release of products and services; c) competence, including any required qualification of persons; d) the external providers’ interactions with the organization; e) control and monitoring of the external providers’ performance to be applied by the organization; f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises. 8.5 Production and service provision 8.5 Service design, build and transition 8.5.1 Change management 8.5.1 Control of production and service provision The organization shall implement production and service provision under controlled conditions. 
Controlled conditions shall include, as applicable: a) the availability of documented information that defines: 1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed; 2) the results to be achieved; b) the availability and use of suitable monitoring and measuring resources; c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or 8.5.1.1 Change management policy A change management policy shall be established and documented to define: a) service components and other items that are under the control of change management; b) categories of change, including emergency change, and how they are to be managed; c) criteria to determine changes with the potential to have a major impact on customers or services. 8.5.1.2 Change management initiation Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. The organization shall use service design and transition in 8.5.2 for: a) new services with the potential to have a major impact on customers or other services as determined by the change management policy; b) changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; outputs, and acceptance criteria for products and services, have been met; d) the use of suitable infrastructure and environment for the operation of processes; e) the appointment of competent persons, including any required qualification; f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement; g) the implementation of actions to prevent human error; h) the implementation of release, delivery and post-delivery activities. 
8.5.2 Identification and traceability The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services. The organization shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision. The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability. c) categories of change that are to be managed by service design and transition according to the change management policy; d) removal of a service; e) transfer of an existing service from the organization to a customer or other party; f) transfer of an existing service from a customer or other party to the organization. Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. 8.5.1.3 Change management activities The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: a) existing services; b) customers, users and other interested parties; c) policies and plans required by this document; d) capacity, service availability, service continuity and information security; e) other requests for change, releases and plans for deployment. Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. 
The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. The organization shall review changes for effectiveness and take actions agreed with interested parties. At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. 8.5.3 Property belonging to customers 8.5.2 Service design and transition or external providers The organization shall exercise care 8.5.2.1 Plan new or changed services with property belonging to customers or external providers while it is under the organization’s control or being used by the organization. The organization shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products and services. When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred. NOTE A customer’s or external provider’s property can include material, components, tools and equipment, premises, intellectual property and personal data.. 8.5.4 Preservation The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements. NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection. 8.5.5 Post-delivery activities The organization shall meet requirements for post-delivery activities associated with the products and services. 
In determining the extent of postdelivery activities that are required, the organization shall consider: Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: a) authorities and responsibilities for design, build and transition activities; b) activities to be performed by the organization or other parties with their timescales; c) human, technical, information and financial resources; d) dependencies on other services; e) testing needed for the new or changed services; f) service acceptance criteria; g) intended outcomes from delivering the new or changed services, expressed in measurable terms; h) impact on the SMS, other services, planned changes, customers, users and other interested parties. For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. The CIs affected by new or changed services shall be managed through configuration management. 8.5.2.2 Design The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. 
The design shall include relevant items from the following: a) authorities and responsibilities of the parties involved in the delivery of the new or changed services; b) requirements for changes to human, technical, information and financial resources; c) requirements for appropriate education, training and experience; d) new or changed SLAs, contracts and other documented agreements that support the services; e) changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; f) impact on other services; g) updates to the service catalogue(s). a) statutory and regulatory requirements; b) the potential undesired consequences associated with its products and services; c) the nature, use and intended lifetime of its products and services; d) customer requirements; e) customer feedback. NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal. 8.5.2.3 Build and transition The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. Release and deployment management shall be used to deploy approved new or changed services into the live environment. Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended outcomes. 8.6 Anti-bribery commitments 8.6 Release of products and services 8.5.3 Release and deployment management The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. 
The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be coordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. 8.6 Resolution and fulfilment For business associates which pose more than a low bribery risk, the The organization shall implement planned arrangements, at appropriate 8.6.1 Incident management Incidents shall be: 8.5.6 Control of changes The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements. The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review. 
organization shall implement procedures which require that, as far as practicable: a) business associates commit to preventing bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship; b) the organization is able to terminate the relationship with the business associate in the event of bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship. Where it is not practicable to meet the requirements of a) or b) above, this shall be a factor taken into account in evaluating the bribery risk of the relationship with this business associate (see 4.5 and 8.2) and the way in which the organization manages such risks (see 8.3, 8.4 and 8.5). NOTE See Clause A.14 for guidance. stages, to verify that the product and service requirements have been met. The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer. The organization shall retain documented information on the release of products and services. The documented information shall include: a) evidence of conformity with the acceptance criteria; b) traceability to the person(s) authorizing the release. a) recorded and classified; b) prioritized taking into consideration impact and urgency; c) escalated if needed; d) resolved; e) closed. Records of incidents shall be updated with actions taken. The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. 
After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. 8.6.2 Service request management Service requests shall be: a) recorded and classified; b) prioritized; c) fulfilled; d) closed. Records of service requests shall be updated with actions taken. Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. 8.6.3 Problem management The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. Problems shall be: a) recorded and classified; b) prioritized; c) escalated if needed; d) resolved if possible; e) closed. Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. 8.7 Gifts, hospitality, donations and similar benefits 8.7 Control of nonconforming outputs 8.7.1 The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery. The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. 
This shall also apply to nonconforming NOTE See Clause A.15 for guidance products and services detected after delivery of products, during or after the provision of services. The organization shall implement procedures that are designed to prevent the offering, provision or acceptance of gifts, hospitality, donations and similar benefits where the offering, provision or acceptance is, or could reasonably be perceived as, bribery. The organization shall deal with nonconforming outputs in one or more of the following ways: a) correction; b) segregation, containment, return or suspension of provision of products and services; c) informing the customer; d) obtaining authorization for acceptance under concession. Conformity to the requirements shall be verified when nonconforming outputs are corrected. 8.7.2 The organization shall retain documented information that: a) describes the nonconformity; b) describes the actions taken; c) describes any concessions obtained; 8.7 Service assurance 8.7.1 Service availability management At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. Service availability requirements and targets shall be documented and maintained. Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. NOTE Risks identified in 6.1 can provide input to the risks for service availability, service continuity and information security. 8.7.2 Service continuity management At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. 
The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: a) criteria and responsibilities for invoking service continuity; b) procedures to be implemented in the event of a major loss of service; c) targets for service availability when the service continuity plan is invoked; d) service recovery requirements; e) procedures for returning to normal working conditions. The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service d) identifies the authority deciding the action in respect of the nonconformity. environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. 8.7.3 Information security management 8.7.3.1 Information security policy Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). The information security policy shall be made available as appropriate. 
The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: a) the organization; b) customers and users; c) external suppliers, internal suppliers and other interested parties. 8.7.3.2 Information security controls At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. The organization shall agree and implement information security controls to address information security risks related to external organizations. The organization shall monitor and review the effectiveness of information security controls and take necessary actions. 8.7.3.3 Information security incidents Information security incidents shall be: a) recorded and classified; b) prioritized taking into consideration the information security risk; c) escalated if needed; d) resolved; e) closed. The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. NOTE The ISO/IEC 27000 series specifies requirements and provides guidance to support the implementation and operation of an information security management system. ISO/IEC 27013 provides guidance on the integration of ISO/IEC 27001 and ISO/IEC 20000-1 (this document). 
8.8 Managing inadequacy of antibribery controls Where the due diligence (see 8.2) conducted on a specific transaction, project, activity or relationship with a business associate establishes that the bribery risks cannot be managed by existing anti-bribery controls, and the organization cannot or does not wish to implement additional or enhanced anti-bribery controls or take other appropriate steps (such as changing the nature of the transaction, project, activity or relationship) to enable the organization to manage the relevant bribery risks, the organization shall: a) in the case of an existing transaction, project, activity or relationship, take steps appropriate to the bribery risks and the nature of the transaction, project, activity or relationship to terminate, discontinue, suspend or withdraw from it as soon as practicable; b) in the case of a proposed new transaction, project, activity or relationship, postpone or decline to continue with it. 8.9 Raising concerns The organization shall implement procedures which: a) encourage and enable persons to report in good faith or on the basis of a reasonable belief attempted, suspected and actual bribery, or any violation of or weakness in the antibribery management system, to the anti-bribery compliance function or to appropriate personnel (either directly or through an appropriate third party); b) except to the extent required to progress an investigation, require that the organization treats reports confidentially, so as to protect the identity of the reporter and of others involved or referenced in the report; c) allow anonymous reporting; d) prohibit retaliation, and protect those making reports from retaliation, after they have in good faith, or on the basis of a reasonable belief, raised or reported a concern about attempted, actual or suspected bribery or violation of the anti- bribery policy or the antibribery management system; e) enable personnel to receive advice from an appropriate person on what to 
do if faced with a concern or situation which could involve bribery. The organization shall ensure that all personnel are aware of the reporting procedures and are able to use them, and are aware of their rights and protections under the procedures. NOTE 1 These procedures can be the same as, or form part of, those used for the reporting of other issues of concern (e.g. safety, malpractice, wrongdoing or other serious risk). NOTE 2 The organization can use a business associate to manage the reporting system on its behalf. NOTE 3 In some jurisdictions, the requirements in b) and c) above are prohibited by law. In these cases, the organization documents its inability to comply. 8.10 Investigating and dealing with bribery The organization shall implement procedures that: a) require assessment and, where appropriate, investigation of any bribery, or violation of the anti-bribery policy or the anti-bribery management system, which is reported, detected or reasonably suspected; b) require appropriate action in the event that the investigation reveals any bribery, or violation of the antibribery policy or the anti-bribery management system; c) empower and enable investigators; d) require co-operation in the investigation by relevant personnel; e) require that the status and results of the investigation are reported to the anti- bribery compliance function and other compliance functions, as appropriate; f) require that the investigation is carried out confidentially and that the outputs of the investigation are confidential. The investigation shall be carried out by, and reported to, personnel who are not part of the role or function being investigated. The organization can appoint a business associate to conduct the investigation and report the results to personnel who are not part of the role or function being investigated. NOTE 1 See Clause A.18 for guidance. 
9 Performance evaluation 9.1 Monitoring, measurement, analysis and evaluation The organization shall evaluate the information security performance and the effectiveness of the information security management system. NOTE 2 In some jurisdictions, the requirement in f) above is prohibited by law. In this case, the organization documents its inability to comply. 9 Performance evaluation 9.1 Monitoring, measurement, analysis and evaluation The organization shall determine: a) what needs to be monitored and measured; b) who is responsible for monitoring; c) the methods for monitoring, measurement, analysis and evaluation, The organization shall determine: as applicable, to ensure valid results; a) what needs to be monitored and measured, including information security processes and controls; b) the methods for monitoring, measurement, analysis and d) when the monitoring and measuring evaluation, as applicable, to shall be performed; ensure e) when the results from monitoring valid results; and measurement shall be analysed and evaluated; 9 Performance evaluation 9 Performance evaluation 9.1 Monitoring, measurement, analysis and evaluation 9.1.1 General The organization shall determine: a) what needs to be monitored and measured; b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results; c) when the monitoring and measuring shall be performed; d) when the results from monitoring and measurement shall be analysed and evaluated. The organization shall evaluate the performance and the effectiveness of the quality management system. The organization shall retain appropriate documented information as evidence of the results. 
9.1 Monitoring, measurement, analysis and evaluation

ISO/IEC 27001:2013
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

ISO 37001:2016
f) to whom and how such information shall be reported.
The organization shall retain appropriate documented information as evidence of the methods and results.
The organization shall evaluate the anti-bribery performance and the effectiveness and efficiency of the anti-bribery management system.
NOTE See Clause A.19 for guidance.

ISO 9001:2015
9.1.2 Customer satisfaction
The organization shall monitor customers' perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.
NOTE Examples of monitoring customer perceptions can include customer surveys, customer feedback on delivered products and services, meetings with customers, market-share analysis, compliments, warranty claims and dealer reports.
9.1.3 Analysis and evaluation
The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement.
The results of analysis shall be used to evaluate:
a) conformity of products and services;
b) the degree of customer satisfaction;
c) the performance and effectiveness of the quality management system;
d) if planning has been implemented effectively;
e) the effectiveness of actions taken to address risks and opportunities;
f) the performance of external providers;
g) the need for improvements to the quality management system.
NOTE Methods to analyse data can include statistical techniques.

SMS (service management system)
The organization shall determine:
a) what needs to be monitored and measured for the SMS and the services;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall retain appropriate documented information as evidence of the results.
The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS.
The organization shall evaluate the effectiveness of the services against the service requirements.

9.2 Internal audit

ISO/IEC 27001:2013
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organization's own requirements for its information security management system; and
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.

ISO 37001:2016
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the anti-bribery management system:
a) conforms to:
1) the organization's own requirements for its anti-bribery management system;
2) the requirements of this standard;
b) is effectively implemented and maintained.
NOTE 1 Guidance on auditing management systems is given in ISO 19011.
NOTE 2 The scope and scale of the organization's internal audit activities can vary depending on a variety of factors, including organization size, structure, maturity and locations.
9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select competent auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management, the anti-bribery compliance function, top management and, as appropriate, the governing body (if any);
e) retain documented information as evidence of the implementation of the audit programme and the audit results.
9.2.3 These audits shall be reasonable, proportionate and risk-based. Such audits shall consist of internal audit processes or other procedures which review procedures, controls and systems for:
a) bribery or suspected bribery;
b) violation of the anti-bribery policy or anti-bribery management system requirements;
c) failure of business associates to conform to the applicable anti-bribery requirements of the organization;
d) weaknesses in, or opportunities for improvement to, the anti-bribery management system.
9.2.4 To ensure the objectivity and impartiality of these audit programmes, the organization shall ensure that these audits are undertaken by one of the following:
a) an independent function or personnel established or appointed for this process; or
b) the anti-bribery compliance function (unless the scope of the audit includes an evaluation of the anti-bribery management system itself, or similar work for which the anti-bribery compliance function is responsible); or
c) an appropriate person from a department or function other than the one being audited; or
d) an appropriate third party; or
e) a group comprising any of a) to d).
The organization shall ensure that no auditor is auditing his or her own area of work.
NOTE See Clause A.16 for guidance.

ISO 9001:2015
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1) the organization's own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation of the audit programme and the audit results.
NOTE See ISO 19011 for guidance.

SMS (service management system)
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the SMS:
a) conforms to:
1) the organization's own requirements for its SMS;
2) the requirements of this document;
b) is effectively implemented and maintained.
9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration:
1) the importance of the processes concerned;
2) changes affecting the organization;
3) the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) retain documented information as evidence of the implementation of the audit programme(s) and the audit results.
NOTE ISO 19011 provides guidelines on auditing management systems.

9.3 Management review

ISO/IEC 27001:2013
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.

ISO 37001:2016
9.3.1 Top management review
Top management shall review the organization's anti-bribery management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
The top management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the anti-bribery management system;
c) information on the performance of the anti-bribery management system, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) reports of bribery;
5) investigations;
6) the nature and extent of the bribery risks faced by the organization;
d) effectiveness of actions taken to address bribery risks;
e) opportunities for continual improvement of the anti-bribery management system, as referred to in 10.2.
The outputs of the top management review shall include decisions related to continual improvement opportunities and any need for changes to the anti-bribery management system.
A summary of the results of the top management review shall be reported to the governing body (if any).
The organization shall retain documented information as evidence of the results of top management reviews.
9.3.2 Governing body review
The governing body (if any) shall undertake periodic reviews of the anti-bribery management system based on information provided by top management and the anti-bribery compliance function and any other information that the governing body requests or obtains.
The organization shall retain summary documented information as evidence of the results of governing body reviews.

ISO 9001:2015
9.3.1 General
Top management shall review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.
9.3.2 Management review inputs
The management review shall be planned and carried out taking into consideration:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the quality management system;
c) information on the performance and effectiveness of the quality management system, including trends in:
1) customer satisfaction and feedback from relevant interested parties;
2) the extent to which quality objectives have been met;
3) process performance and conformity of products and services;
4) nonconformities and corrective actions;
5) monitoring and measurement results;
6) audit results;
7) the performance of external providers;
d) the adequacy of resources;
e) the effectiveness of actions taken to address risks and opportunities (see 6.1);
f) opportunities for improvement.
9.3.3 Management review outputs
The outputs of the management review shall include decisions and actions related to:
a) opportunities for improvement;
b) any need for changes to the quality management system;
c) resource needs.
The organization shall retain documented information as evidence of the results of management reviews.

SMS (service management system)
Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the SMS;
c) information on the performance and effectiveness of the SMS, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
d) opportunities for continual improvement;
e) feedback from customers and other interested parties;
f) adherence to and suitability of the service management policy and other policies required by this document;
g) achievement of service management objectives;
h) performance of the services;
i) performance of other parties involved in the delivery of the services;
j) current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities;
k) results of risk assessment and the effectiveness of actions taken to address risks and opportunities;
l) changes that can affect the SMS and the services.
The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services.
The organization shall retain documented information as evidence of the results of management reviews.

9.4

ISO 37001:2016
9.4 Review by anti-bribery compliance function
The anti-bribery compliance function shall assess on a continual basis whether the anti-bribery management system is:
a) adequate to manage effectively the bribery risks faced by the organization;
b) being effectively implemented.
The anti-bribery compliance function shall report at planned intervals, and on an ad hoc basis, as appropriate, to the governing body (if any) and top management, or to a suitable committee of the governing body or top management, on the adequacy and implementation of the anti-bribery management system, including the results of investigations and audits.
NOTE 1 The frequency of such reports depends on the organization's requirements, but is recommended to be at least annually.
NOTE 2 The organization can use a business associate to assist in the review, as long as the business associate's observations are appropriately communicated to the anti-bribery compliance function, top management and, as appropriate, the governing body (if any).

SMS (service management system)
9.4 Service reporting
The organization shall determine reporting requirements and their purpose. Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends.
The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties.
NOTE The reports that are required are specified in the relevant clauses of this document. Additional reports can also be produced.

10 Improvement

ISO/IEC 27001:2013
10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

ISO 37001:2016
10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react promptly to the nonconformity, and as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the anti-bribery management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
- the nature of the nonconformities and any subsequent actions taken;
- the results of any corrective action.
NOTE See Clause A.20 for guidance.
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the anti-bribery management system.
NOTE See Clause A.20 for guidance.

ISO 9001:2015
10.1 General
The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.
These shall include:
a) improving products and services to meet requirements as well as to address future needs and expectations;
b) correcting, preventing or reducing undesired effects;
c) improving the performance and effectiveness of the quality management system.
NOTE Examples of improvement can include correction, corrective action, continual improvement, breakthrough change, innovation and reorganization.
10.2 Nonconformity and corrective action
10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:
a) react to the nonconformity and, as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing and analysing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) update risks and opportunities determined during planning, if necessary;
f) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
10.2.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.
10.3 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system.
The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.

SMS (service management system)
10.1 Nonconformity and corrective action
10.1.1 When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the SMS, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
10.1.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the services.
The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. Opportunities for improvement shall be documented.
The organization shall manage approved improvement activities that include:
a) setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilization and risk reduction;
b) ensuring that improvements are prioritized, planned and implemented;
c) making changes to the SMS, if necessary;
d) measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions;
e) reporting on implemented improvements.
NOTE Improvements can include reactive and pro-active actions such as correction, corrective action, preventive action, enhancements, innovation and re-organization.

Annex A

ISO/IEC 27001:2013: Annex A (normative) Reference control objectives and controls
ISO 37001:2016: Annex A (informative) Guidance on the use of this standard
ISO 9001:2015: Annex A (informative) Clarification of new structure, terminology and concepts
SMS (service management system): No Annex A