Back to Legal
LG-01·

Schedule SR – Security Requirements (ISO/IEC 27001-Aligned

  1. Purpose and Scope
    This Schedule sets out the Supplier’s information security requirements applicable to the provision of the Services, including the Fortiv software platform and related professional services.
    The requirements in this Schedule are designed to align with ISO/IEC 27001:2022 Annex A controls and support the confidentiality, integrity, and availability of information.
  2. Information Security Governance
    (ISO 27001 Annex A: A.5)
    1. The Supplier shall maintain an information security management framework proportionate to the nature, scope, and risk profile of the Services.
      1. The Supplier shall define and maintain:
      2. information security policies,
      3. roles and responsibilities, and
      4. management oversight of information security.
    2. Security policies shall be reviewed periodically and updated as appropriate.
  3. Risk Management
    (ISO 27001: Clauses 6 & 8; Annex A supporting)
    1. The Supplier shall identify and assess information security risks relevant to the Services.
    2. Appropriate controls shall be implemented to address identified risks, taking into account:
      1. likelihood and impact,
      2. industry best practice, and
      3. proportionality.
  4. Human Resource Security
    (ISO 27001 Annex A: A.6)
    1. Personnel with access to Customer Data shall be:
      1. subject to confidentiality obligations, and
      2. provided with appropriate security awareness training.
    2. Access rights shall be revoked promptly upon termination or change of role.
  5. Asset Management and Information Handling
    (ISO 27001 Annex A: A.5, A.8)
    1. The Supplier shall maintain an inventory of information assets relevant to the Services.
    2. Customer Data shall be classified and handled in accordance with its sensitivity.
    3. Secure data handling and disposal procedures shall be applied where applicable.
  6. Access Control
    (ISO 27001 Annex A: A.5, A.8)
    1. Logical access to systems shall be:
      1. restricted to authorised users,
      2. based on least privilege, and
      3. reviewed periodically.
    2. Strong authentication mechanisms shall be used, including multi-factor authentication where technically appropriate.
  7. Cryptography
    (ISO 27001 Annex A: A.8)
    1. Industry-standard cryptographic controls shall be used to protect Customer Data:
      1. in transit, and
      2. at rest where appropriate.
    2. Cryptographic keys shall be protected against unauthorised access.
  8. Physical and Environmental Security
    (ISO 27001 Annex A: A.7)
    1. Physical security controls shall be implemented for facilities used to deliver the Services.
    2. Where third-party hosting or cloud providers are used, equivalent physical security controls shall be relied upon.
  9. Operations Security
    (ISO 27001 Annex A: A.8)
    1. The Supplier shall implement operational procedures to ensure secure system operation, including:
      1. change management,
      2. malware protection, and
      3. vulnerability management.
    2. Systems shall be monitored for security-relevant events where appropriate.
  10. Network and Infrastructure Security
    (ISO 27001 Annex A: A.8)
    1. Network controls shall be implemented to protect systems and data from unauthorised access.
    2. Reasonable measures shall be taken to protect against:
      1. intrusion,
      2. denial-of-service attacks, and
      3. other common threats.
  11. Supplier and Subcontractor Security
    (ISO 27001 Annex A: A.5)
    1. Subcontractors with access to Customer Data shall be subject to written security obligations no less protective than those set out in this Schedule.
    2. The Supplier remains responsible for the performance of its subcontractors under the Agreement.
  12. Incident Management
    (ISO 27001 Annex A: A.5)
    1. The Supplier shall maintain incident management procedures covering:
      1. identification,
      2. response,
      3. mitigation, and
      4. post-incident review.
    2. The Supplier shall notify the Customer without undue delay of any material information security incident affecting Customer Data or Service availability.
  13. Business Continuity and Disaster Recovery
    (ISO 27001 Annex A: A.5; ISO 22301 alignment)
    1. The Supplier shall maintain business continuity and disaster recovery measures appropriate to the Services.
    2. Backup and recovery procedures shall be implemented and tested periodically.
  14. Logging and Monitoring
    (ISO 27001 Annex A: A.8)
    1. Security-relevant events shall be logged where appropriate.
    2. Logs shall be protected from unauthorised access and retained for a reasonable period.
  15. Compliance and Assurance
    (ISO 27001 Annex A: A.5)
    1. The Supplier shall maintain compliance with applicable information security laws and regulations.
    2. Upon reasonable request, the Supplier shall provide:
      1. relevant policies,
      2. certifications, or
      3. high-level audit or assurance information.
    3. On-site audits are excluded unless expressly agreed in writing
  16. Continuous Improvement
    (ISO 27001 Clause 10)
    The Supplier shall use reasonable efforts to continuously improve its information security controls, taking into account:
    1. audit findings,
    2. incidents,
    3. changes to threats, and
    4. industry developments.

Learn more

See first-hand what AI-Native Resilience looks like

Company

Fortiv
© Fortiv 2026Legal and Privacy