SP-02.02B

1. Overview

SP-02.02B: Revised policies and procedures are approved by the appropriate level of management before they become effective and are communicated and made available to internal and external personnel.

Significant changes include, but are not limited to, any circumstances or events that materially affect the scope, effectiveness, or objectives of the information security policy. Examples of significant changes are:

1. Major technical or architectural changes to the cloud platform (e.g., adoption of new infrastructure services, cloud migration, introduction of a new service offering);
2. Substantial updates to national or international laws, regulations, or sector-specific standards (e.g., NIS2, DORA, GDPR) that affect information security obligations;
3. Reorganisation or merger/acquisition of organisational units that affects leadership, decision-making, or key responsibilities related to security;
4. Significant changes in contractual requirements, risk assessments, operational processes, or the threat landscape (e.g., new threat intelligence indicating emerging risks, supply chain incidents);
5. Major security incidents or breaches that require a revision of incident response;
6. Launch or decommissioning of service components that affect customer data or trust boundaries; and
7. Changes in the composition or responsibilities of top management or the information security steering committee.

To keep the review efficient, the cloud service provider can document the nature of each significant change, the rationale for the review, and the resulting policy adjustments. Automated tracking of policy changes, combined with manual verification of the content, can also be integrated into the review workflow. Top-level management is an appropriate level of management for approving the information security policy.
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
3. Related Regulations