
Internal audit procedure - report publishing and maintenance

The organization has established a procedure for conducting internal audits. The procedure shall describe at least:

  • how often audits are carried out
  • who may carry out the audits (including audit criteria)
  • how the actual audit is carried out
  • how audit results are documented and to whom the results are reported
Connected other frameworks and requirements:
ID.GV-3: Legal and regulatory requirements
NIST CSF
7.5: Requirements for documented information
ISO 27001
9.2: Internal audit
ISO 27001

Identification, documentation and management of other information security requirements

Compliance with required laws, regulations, standards, and contractual obligations can be as challenging as dealing with an ever-changing threat environment and new forms of cyber-attacks.

The organization shall document the information security requirements it is subject to and the organization's operating model for meeting them.

Note that many of these requirements (e.g. laws, standards) evolve over time. It is recommended to define a review interval for the documentation, stating the minimum frequency at which changes in the requirements are checked.

Connected other frameworks and requirements:
18.1.1: Identification of applicable legislation and contractual requirements
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST CSF
5.31: Legal, statutory, regulatory and contractual requirements
ISO 27001

Privacy notices - report publishing and maintenance

With regard to the processing of personal data, the data subject must be provided with the information specified in the GDPR in a concise, comprehensible and easily accessible form. This is often done in the form of privacy statements, which are published, for example, on the organisation's website.

Where personal data have not been collected from the data subject themselves, the notices shall state, in addition to the basic content:

  • where the data were obtained
  • which categories of personal data are covered
Connected other frameworks and requirements:
14. Information to be provided where personal data have not been obtained from the data subject
GDPR
12. Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR
13. Information to be provided where personal data are collected from the data subject
GDPR
18.1.4: Privacy and protection of personally identifiable information
A.12.1: Geographical location of PII
ISO 27018

Executing and documenting internal audits

The organization conducts internal audits in accordance with its internal audit procedure. The aim is to check:

  • whether the information security management system complies with the organization's own information security requirements
  • whether the information security management system complies with other applicable security requirements or standards the organization has committed to
  • whether the information security management system is implemented and maintained effectively

Documented information on the execution and results of audits must be kept.

Connected other frameworks and requirements:
18.2.1: Independent review of information security
ISO 27001
12.7: Information systems audit considerations
ISO 27001
12.7.1: Information systems audit controls
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST CSF
5.35: Independent review of information security
ISO 27001

Implementation and documentation of management reviews

Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.

The management review shall address and comment on at least the following:

  • Status of improvements (or other actions) initiated as a result of previous management reviews
  • Future changes relevant to the security management system
  • Performance of the ISMS (problem areas, metrics, audit results and fulfilment of the security objectives set by management)
  • Stakeholder feedback on information security
  • Operation of the risk assessment and treatment process

Documented information on the execution and results of reviews must be maintained.

Connected other frameworks and requirements:
18.1.1: Identification of applicable legislation and contractual requirements
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST CSF
9.3: Management review
ISO 27001

Process for receiving and handling data subject requests

Whenever we process personal data, the data subject has certain rights, e.g. to gain access to their data and, in certain situations, to object to processing or have their data deleted.

We have planned procedures for handling data subject requests, which may cover e.g.:

  • the ways in which the data subject may submit a request
  • the methods used to verify the identity of the requester
  • the persons to whom requests are forwarded for each data register
Connected other frameworks and requirements:
15. Right of access by the data subject
GDPR
16. Right to rectification
GDPR
18. Right to restriction of processing
GDPR
19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
GDPR
21. Right to object
GDPR