Controls
Infrastructure Security
| Control | Description |
|---|---|
| Service infrastructure maintained | Infrastructure supporting the service is patched as part of routine maintenance and in response to identified vulnerabilities, so that the servers supporting the service stay hardened against security threats. |
| Production data backups conducted | The company performs periodic backups of production data. Backups are stored in a location separate from the production system. |
| Database replication utilized | The company's databases are replicated in real time to a secondary cloud. Alerts notify administrators if replication fails. |
| Remote access MFA enforced | The company's production systems can only be accessed remotely by authorized employees holding a valid multi-factor authentication (MFA) method. |
| Unique production database authentication enforced | Authentication to production datastores must use authorized secure mechanisms, such as unique SSH keys. |
| Remote access encryption enforced | The company's production systems can only be accessed remotely by authorized employees over an approved encrypted connection. |
| Production data segmented | Company policy prohibits confidential or sensitive customer data from being used or stored in non-production systems or environments. |
| Network segmentation implemented | The company's network is segmented to prevent unauthorized access to customer data. |
| Unique network system authentication enforced | Authentication to the production network must use unique usernames and passwords or authorized Secure Shell (SSH) keys. |
| Segregation in virtual computing environments | A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and from unauthorized persons. |
| Production multi-availability zones established | The company employs a multi-location strategy for production environments so that operations can resume at another company cloud location if a facility is lost. |
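The MFA and unique-SSH-key controls above are normally evidenced by the sshd configuration of the production hosts. The following Python script is an added example for this page, not the company's tooling: it parses an OpenSSH sshd_config, honours the first-occurrence-wins rule and Match blocks, and reports settings that would contradict the controls (shared root login, password-only login, no second factor). The two sample configs are constructed, and the table of OpenSSH defaults is an assumption for a modern (8.x) OpenSSH.

```python
"""Audit an OpenSSH sshd_config for key-based login, a required second
factor, and no shared root login. Hypothetical checker written for this
page, not the company's own tooling."""
import re

# Assumed OpenSSH 8.x defaults, used when a directive is not set at all.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "authenticationmethods": "any",
}


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Directive names are lower-cased. Within a section the first occurrence
    of a directive wins, as in sshd(8); later duplicates are ignored.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                           # start a conditional block
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)               # first occurrence wins
    return global_settings, match_blocks


def _effective(key, *scopes):
    """Value from the most specific scope that sets the directive, else default."""
    for scope in scopes:
        if key in scope:
            return scope[key]
    return DEFAULTS[key]


def audit_scope(name, *scopes):
    """Evaluate one scope: the global section, or a Match block layered over it."""
    def get(key):
        return _effective(key, *scopes).lower()

    findings = []
    if get("permitrootlogin") == "yes":
        findings.append((name, "PermitRootLogin yes: shared root login, no unique identity"))
    if get("permitemptypasswords") == "yes":
        findings.append((name, "PermitEmptyPasswords yes"))
    if get("pubkeyauthentication") == "no":
        findings.append((name, "PubkeyAuthentication no: key-based login disabled"))
    methods = get("authenticationmethods")
    if methods == "any":
        # Any single enabled method is sufficient, so there is no second factor.
        if get("passwordauthentication") == "yes":
            findings.append((name, "password-only login accepted"))
        findings.append((name, "AuthenticationMethods unset: no second factor required"))
        return findings
    # Each space-separated alternative is a comma-separated chain that must
    # succeed in full; every usable chain must require a key plus another method.
    for chain in methods.split():
        steps = chain.split(",")
        if "password" in steps and get("passwordauthentication") == "no":
            continue                                 # chain can never succeed
        if "publickey" not in steps:
            findings.append((name, f"chain '{chain}' does not require a key"))
        if len(set(steps)) < 2:
            findings.append((name, f"chain '{chain}' is single-factor"))
    return findings


def audit(text):
    """Return (scope, finding) tuples; an empty list means no contradiction found."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = audit_scope("global", global_settings)
    for criteria, settings in match_blocks:
        findings += audit_scope(f"Match {criteria}", settings, global_settings)
    return findings


# Constructed samples for this example, not configs taken from any real host.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

A Match block that relaxes a global setting is reported under its own scope, because that is where password-only or shared accounts tend to reappear after a hardening pass. Where you have shell access, `sshd -T` prints the effective configuration after defaults and Match evaluation and is a better source of truth than any hand parse.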
Organizational Security
| Control | Description |
|---|---|
| Employee background checks performed | The company performs background checks on new employees. |
| Security awareness training implemented | The company requires employees to complete security awareness training within thirty days of hire and annually thereafter. |
| Confidentiality agreement acknowledged by contractors | The company requires contractors to sign a confidentiality agreement at the time of engagement. |
| Production inventory maintained | The company maintains a formal inventory of production system assets. |
| Asset disposal procedures utilized | Electronic media containing confidential information is purged or destroyed in accordance with best practices, and a certificate of destruction is issued for each device destroyed. |
| Whistleblower policy established | The company has a formalized whistleblower policy, and an anonymous channel is in place for reporting potential issues or fraud concerns. |
Internal Security Procedures
| Control | Description |
|---|---|
| Continuity and disaster recovery plans tested | The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually. |
| Incident response plan tested | The company tests its incident response plan at least annually. |
| Backup processes established | The company's data backup policy documents requirements for backup and recovery of customer data. |
| Vendor management program established | The company has a vendor management program in place. Components of this program include: |
| Incident response policies established | The company's security and privacy incident response policies and procedures are documented and communicated to authorized users. |
| Configuration management system established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. |
| Management roles and responsibilities defined | Company management has defined roles and responsibilities for overseeing the design and implementation of information security controls. |
| Service description communicated | The company provides a description of its products and services to internal and external users. |
| Security policies established and reviewed | The company's information security policies and procedures are documented and reviewed at least annually. |
| Support system available | The company has an external-facing support system through which users can report failures, incidents, concerns, and other complaints to appropriate personnel. |
| Roles and responsibilities specified | Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. |
| Third-party agreements established | The company has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity. |
| Incident management procedures followed | Security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures. |
| Development lifecycle established | The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements. |
| Continuity and disaster recovery plans established | The company has business continuity and disaster recovery plans in place that include communication plans to maintain information security continuity if key personnel are unavailable. |
AI Security & Compliance
| Control | Description |
|---|---|
| AI system impact assessment | The organization shall perform AI system impact assessments according to 6.1.4 at planned intervals or when significant changes are proposed to occur. The organization shall retain documented information of the results of all AI system impact assessments. |
| Determining the scope of the AI management system | The organization shall determine the boundaries and applicability of the AI management system to establish its scope. The scope shall be available as documented information. |
| AI objectives and planning | The organization shall establish AI objectives at relevant functions and levels. The AI objectives shall be consistent with the AI policy, be measurable (if practicable), take into account applicable requirements, and be monitored, communicated, and updated as appropriate. |
| Monitoring, measurement, analysis | The organization shall determine what needs to be monitored and measured, the methods for monitoring, measurement, analysis and evaluation, when they shall be performed, and when results shall be analysed and evaluated. The organization shall evaluate the performance and effectiveness of the AI management system. |
| General - Audit | The organization shall conduct internal audits at planned intervals to provide information on whether the AI management system conforms to the organization's own requirements and the requirements of this document, and is effectively implemented and maintained. |
| Nonconformity and corrective action | When a nonconformity occurs, the organization shall react to it, evaluate the need for action to eliminate the cause(s), implement any action needed, review the effectiveness of any corrective action taken, and make changes to the AI management system if necessary. |
| AI policy | The organization should document a policy for the development or use of AI systems. |
| External reporting | The organization should provide capabilities for interested parties to report adverse impacts of the system. |
| Communication of incidents | The organization should determine and document a plan for communicating incidents to users of the system. |
| Information for interested parties | The organization should determine and document its obligations to report information about the AI system to interested parties. |
| Processes for responsible use of AI | The organization should define and document the processes for the responsible use of AI systems. |
| Objectives for responsible use of AI | The organization should identify and document objectives to guide the responsible use of AI systems. |
| Intended use of the AI system | The organization should ensure that the AI system is used according to the intended uses of the AI system and its accompanying documentation. |
| Understanding the organization and its context | The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its AI management system. |
| Understanding the needs and expectations of interested parties | The organization shall determine the interested parties that are relevant to the AI management system, their relevant requirements, and which of these requirements will be addressed through the AI management system. |
| AI management system | The organization shall establish, implement, maintain, continually improve and document an AI management system, including the processes needed and their interactions, in accordance with the requirements of this document. |
| Leadership and commitment | Top management shall demonstrate leadership and commitment with respect to the AI management system by ensuring that the AI policy and AI objectives are established, ensuring the integration of the AI management system requirements into the organization's business processes, and ensuring that the resources needed are available. |
| AI policy | Top management shall establish an AI policy that is appropriate to the purpose of the organization, provides a framework for setting AI objectives, includes a commitment to meet applicable requirements, and includes a commitment to continual improvement of the AI management system. |
| Roles, responsibilities and authorities | Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. |
| Awareness | Persons doing work under the organization's control shall be aware of the AI policy, their contribution to the effectiveness of the AI management system, and the implications of not conforming with the AI management system requirements. |
| Communication | The organization shall determine the internal and external communications relevant to the AI management system, including what it will communicate, when to communicate, with whom to communicate, and how to communicate. |
| General - AI management | The organization's AI management system shall include documented information required by this document and documented information determined by the organization as being necessary for the effectiveness of the AI management system. |
| Creating and updating | When creating and updating documented information, the organization shall ensure appropriate identification and description, format and media, and review and approval for suitability and adequacy. |
| AI risk treatment | The organization shall implement the AI risk treatment plan according to 6.1.3 and verify its effectiveness. The organization shall retain documented information of the results of all AI risk treatments. |
| Internal audit programme | The organization shall plan, establish, implement and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements and reporting. |
| General Management Review | Top management shall review the organization's AI management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. |
| Management review inputs | The management review shall include the status of actions from previous management reviews, changes in external and internal issues, information on the AI management system performance, and opportunities for continual improvement. |
| Management review results | The results of the management review shall include decisions related to continual improvement opportunities and any need for changes to the AI management system. |
| Alignment with other organizational policies | The organization should determine where other policies can be affected by or apply to the organization's objectives with respect to AI systems. |
| Review of the AI policy | The AI policy should be reviewed at planned intervals, or additionally as needed, to ensure its continuing suitability, adequacy and effectiveness. |
| Reporting of concerns | The organization should define and put in place a process to report concerns about the organization's role with respect to an AI system throughout its life cycle. |
| Control of documented information | Documented information required by the AI management system shall be controlled to ensure it is available and suitable for use where and when needed, and that it is adequately protected. |
| General | When planning for the AI management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. |
| AI risk assessment | The organization shall define and establish an AI risk assessment process. The organization shall perform AI risk assessments at planned intervals or when significant changes are proposed or occur. |
| AI system deployment | The organization should document a deployment plan and ensure that appropriate requirements are met prior to deployment. |
| AI system recording of event logs | The organization should determine at which phases of the AI system life cycle record keeping of event logs should be enabled, but at the minimum when the AI system is in use. |
| Quality of data for AI systems | The organization should define and document requirements for data quality and ensure that data used to develop and operate the AI system meets those requirements. |
| System documentation and information | The organization should determine and provide the necessary information to users of the system. |
Product Security
| Control | Description |
|---|---|
| Vulnerability and system monitoring procedures established | Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation. The company's formal policies outline requirements for system monitoring. |
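The two measurable claims in this control, scan cadence on external-facing systems and critical/high findings tracked to remediation, can be checked from an asset inventory plus a scanner export. The following Python is an added example for this page, not the company's tooling: it flags external-facing hosts whose last host-based scan is missing or older than a quarter, and open critical/high findings that have passed a remediation target. The 90-day interval follows the control text; the 15-day (critical) and 30-day (high) targets, the asset list and the findings are assumptions constructed for the example.

```python
"""Check scan cadence and critical/high remediation tracking from an
inventory and a findings export. Hypothetical script for this page, not
the company's own tooling."""
from datetime import date, timedelta

SCAN_INTERVAL = timedelta(days=90)          # "at least quarterly", per the control
REMEDIATION_TARGET = {                      # assumed targets; the page states none
    "critical": timedelta(days=15),
    "high": timedelta(days=30),
}


def stale_scans(assets, today):
    """External-facing assets whose last host-based scan is missing or older
    than one quarter. Internal-only assets are out of scope for this control."""
    stale = []
    for asset in assets:
        if not asset["external"]:
            continue
        last = asset.get("last_scan")
        if last is None or today - last > SCAN_INTERVAL:
            stale.append(asset["host"])
    return stale


def overdue_findings(findings, today):
    """Open critical/high findings past their remediation target, as
    (host, id, severity, days_overdue). Other severities are not tracked
    by this control and are skipped, as are closed findings."""
    overdue = []
    for f in findings:
        target = REMEDIATION_TARGET.get(f["severity"])
        if target is None or f["status"] != "open":
            continue
        due = f["first_seen"] + target
        if today > due:
            overdue.append((f["host"], f["id"], f["severity"], (today - due).days))
    return overdue


# Constructed sample inventory and scanner findings (not real hosts or CVEs).
ASSETS = [
    {"host": "api.example.test", "external": True, "last_scan": date(2024, 5, 2)},
    {"host": "www.example.test", "external": True, "last_scan": date(2024, 1, 10)},
    {"host": "bastion.example.test", "external": True, "last_scan": None},
    {"host": "db-internal.example.test", "external": False, "last_scan": None},
]
FINDINGS = [
    {"id": "F-1", "host": "api.example.test", "severity": "critical",
     "first_seen": date(2024, 4, 1), "status": "open"},
    {"id": "F-2", "host": "www.example.test", "severity": "high",
     "first_seen": date(2024, 4, 20), "status": "open"},
    {"id": "F-3", "host": "www.example.test", "severity": "high",
     "first_seen": date(2024, 2, 1), "status": "closed"},
    {"id": "F-4", "host": "api.example.test", "severity": "medium",
     "first_seen": date(2024, 1, 1), "status": "open"},
]


def report(today=date(2024, 5, 15)):
    """Evidence summary for the sample data as of `today`."""
    return {
        "stale_scans": stale_scans(ASSETS, today),
        "overdue": overdue_findings(FINDINGS, today),
    }


if __name__ == "__main__":
    print(report())
```

The hosts without a recent scan are reported separately from the overdue findings because they fail in different ways: a stale host may carry critical findings that no export can show yet. A closed finding is trusted here as closed; a real tracker should confirm closure with a rescan rather than with a ticket state.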
Data and Privacy
| Control | Description |
|---|---|
| Privacy policy established | The company has a privacy policy in place that documents and clearly communicates to individuals the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns. |
| Data retention procedures established | The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data. |
| Privacy complaint procedures established | The company has documented processes and procedures in place to ensure that any privacy-related complaints are addressed, and that the resolution is documented in the company's designated tracking system and communicated to the individual. |
| Privacy policy available | The company makes its privacy policy available to customers, employees, and/or relevant third parties who need it, before and/or at the time information is collected from the individual. |
| Privacy policy reviewed | The company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with applicable laws, regulations, and appropriate standards. |
| Privacy policy maintained | The company has established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company's practices and purposes for collecting, processing, handling, and disclosing personal information, including: |
| Data classification policy established | The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel. |
| Data deletion requests handled | The company validates deletion requests; once a request is confirmed, it is flagged and the requested information is deleted in accordance with applicable laws and regulations. |
| Continuity and disaster recovery plans established | The company has business continuity and disaster recovery plans in place that include communication plans to maintain information security continuity if key personnel are unavailable. |
| Continuity and disaster recovery plans tested annually | The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it annually. |
| Limit collection | The company limits collection of personally identifiable information (PII) to the minimum necessary for its purposes. |
| Appoint EU representative | The company shall appoint an EU-based representative. |
| Customer data deleted upon leave | The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service. |
| PII transmission controls for processor | The company encrypts PII in transit. |
| PII transmission controls for controller | The company implements technical controls to ensure that data transmitted to third parties reaches its intended destination. |