- The recommendations from the last security risk assessment and audit are followed up.
- All statutory, regulatory and contractual requirements relevant to the system operation are identified and documented.
- Records are kept to evidence compliance with security requirements and to support audits of the effective implementation of the corresponding security measures.
- Selection of auditors and conduct of audits are objective and impartial.
- Use of software and programs for security risk assessment or audit is restricted and controlled.
- Appropriate security measures are implemented throughout the whole data lifecycle for information systems that involve personal data.