
Security

Control statements and requirements for security.

Security Governance, Architecture and Engineering (SE-1)

The organisation shall establish and maintain a comprehensive security governance framework that encompasses security risk management and the security policies, standards, and architectures that guide the implementation of security controls across the organisation. The organisation shall continuously monitor control effectiveness, manage security incidents, and maintain business continuity capabilities, while overseeing the security requirements placed on third parties.

ISO27001:A.5.1-A.5.2 A.6.1-A.6.2 A.6.5 A.7.1-A.7.4 A.12.1-A.12.3 A.17.1-A.17.2 A.18.1-A.18.2
ISO27701:14.2.1 14.2.2
SOC2:CC2.3 CC3.1 CC3.2 CC5.2 CC7.2 CC7.3 CC9.3

Identity & Access Management (SE-2)

The organisation shall implement and maintain comprehensive identity and access management controls governing authentication, authorisation, and access monitoring across all systems and applications. This covers the complete identity lifecycle, from screening and provisioning through to deprovisioning, ensuring that access levels remain appropriate and are regularly reviewed. The organisation shall implement strong authentication mechanisms and maintain detailed access logs for all critical systems.

ISO27001:A.9.1 A.9.2 A.9.3 A.9.4
ISO27701:9.2.1 9.2.2 9.2.4
SOC2:CC6.1 CC6.2 CC6.3

Software Security (SE-3)

The organisation shall ensure all software development and deployment activities follow secure development practices throughout the system development lifecycle. This includes implementing secure coding standards, conducting security testing, managing secure configurations, and maintaining robust change management procedures for all production systems. The organisation shall regularly assess applications for security vulnerabilities, including AI-specific threats such as model poisoning and adversarial attacks, and maintain secure development environments.

ISO27001:A.14.1 A.14.2 A.12.2
ISO27701:14.2.1 14.2.2
EU AI ACT:15.5
SOC2:CC5.2 CC7.1

Data Security (SE-4)

The organisation shall protect data throughout its lifecycle using appropriate technical and procedural controls, including classification, encryption, and secure handling procedures. This encompasses structured and unstructured data across all storage locations and transmission paths. The organisation shall maintain comprehensive data protection mechanisms, including backup systems, encryption standards, and secure disposal procedures, while ensuring appropriate data classification and handling requirements are enforced.

ISO27001:A.8.1-A.8.7 A.10.1 A.10.2 A.12.4 A.12.5 A.14.3
ISO27701:8.2.4 8.3.1 8.3.2 8.3.3 10.2.1 10.2.2 11.2.2
SOC2:CC6.4-CC6.7 C1.1 C1.2 P5.1-P5.4 P5.6

Network Security (SE-5)

The organisation shall implement and maintain network security controls that protect against unauthorised access, ensure secure communications, and preserve the confidentiality and integrity of data in transit. This includes implementing secure network architectures, ensuring appropriate network segmentation, and maintaining network logging and monitoring capabilities. The organisation shall regularly assess the effectiveness of its network security controls.

ISO27001:A.13.1-A.13.3 A.12.4 A.12.6 A.10.1 A.10.2
ISO27701:13.2.1
SOC2:CC6.6 CC7.1 CC7.2