Controls mapped to ISO 27001 and ISO 27701:
- Information Security Management System (ISMS) with scope, policy and risk register
- Privacy Information Management System (PIMS) as an extension (ISO 27701)
- Least-privilege and need-to-know access policy
- Onboarding and offboarding procedure with access review
- Background checks (or VOG) for personnel with access to customer data
- Confidentiality agreements for all employees and contractors
- Security awareness training, annual and at hire
- AI literacy training (mandatory under the EU AI Act, Art. 4; aligned with ISO 42001)
- Incident response procedure with roles, escalation paths and drills
- Vendor management with DPA, security review and annual reassessment
- Risk assessment process, annual and on material change
- Data Protection Officer appointed (mandatory for PIMS)
- Internal audit programme
- Management review, at least annually