Schedule 1 - Contract Definitions IASME Cyber Baseline
Revisions:
Date issued: | Author: | Description: |
Sep 27, 2023 | Samantha Alexander | First Introduction |
Definitions
In the IASME Cyber Baseline Agreement (including the background recitals), unless expressly stated otherwise:
"Accreditation Bodies" | means the group of bodies appointed under the contract to deliver the Partner Services; |
"Agreement" | means the agreement between IASME and the CB under which the CB provides services in relation to IASME Cyber Baseline; |
"Approval", "Approve", "Approved" | means IASME’s express prior written approval or consent that may, at IASME’s sole and absolute discretion, be withheld or delayed; |
"Assessor" | an individual who will assess the compliance of an Organisation's systems with the IASME Cyber Baseline Standard; |
"Assessor Criteria" | shall have the meaning given in Schedule 2 & 11 (Certification Services and Relationship with Partner Services); |
"Auditor General" | has the meaning given in the National Audit Act 1983; |
"Branding Guidelines" | means the branding guidelines applicable (as the case may be) to use of: a. the IASME Cyber Baseline Scheme Logo (as set out in Schedule 7); b. CB Badges and Assessor Badges (as set out in Schedule 7); and c. the IASME Cyber Baseline Certification Mark (as set out in Schedule 7); and d. the IASME Consortium Logo (as set out in Schedule 7) in each case as may be updated by IASME from time to time; |
"Certificate" | the certificate (in the form specified by IASME) issued by an IASME Cyber Baseline Supplier to an Organisation which has successfully been assessed against the IASME Cyber Baseline Standard; |
"Certification Body" | means an IASME Cyber Baseline Supplier which has been appointed by IASME to provide Certification Services; |
"Certification Body Criteria" | means the criteria set out in Schedule 9; |
"Certification Mark" | means the IASME Cyber Baseline Certification Mark; |
"Certification Process" | means the process by which an Organisation is assessed against the IASME Cyber Baseline Standard and, if successful, is awarded a Certificate; |
"Certification Services" | means the certification services provided by a Certification Body (CB) in connection with IASME Cyber Baseline which must as a minimum include the Certification Services Requirements; |
"Certification Services Requirements" | means the minimum requirements which IASME includes within each Supplier Agreement, as set out in Schedule 2 (Certification Services and Relationship with Partner Services); |
"Change" | means any amendment or variation of this Agreement (including to the IASME Cyber Baseline Services or IASME Cyber Baseline standard) effected in accordance with the Change Control Procedure; |
"Claim" | means any claim, demand, action, cost, expense (including legal cost and disbursement), loss, damage and liability of whatsoever nature; |
"Classification" | a security marking of OFFICIAL, SECRET or TOP SECRET (including any STRAP marking) (and also including the legacy classifications of PROTECT, RESTRICTED and CONFIDENTIAL) which may be applied to material; |
"Classified Information" | any material in whatever form to which a Classification may be or has been attributed, or where no Classification has been applied and the nature of the material is such that it ought to be protected with a Classification; |
"Comptroller" | has the meaning given in the National Audit Act 1983; |
"Confidential Information" | means all information relating to either Party or its operations or business, disclosed in confidence by or on behalf of one Party, or generated from such information by the receiving Party (whether before or after the Effective Date), either in writing, orally, or in any other form, directly or indirectly from or pursuant to discussions with the other Party or which is obtained through observations made by the receiving Party, including commercial, policy, technical, scientific, operational, personnel, personal, property and other information, and including ideas, concepts, schemes, information, knowledge, techniques, generic business methodologies (and anything else in the nature of know-how relating to the IASME Cyber Baseline Services, IASME Cyber Baseline standard or otherwise to this Agreement), and all analyses, compilations, studies and other documents, whether prepared by or on behalf of either Party that contain or otherwise reflect or are derived from such information (and any copy of such information), whether or not marked or designated as "confidential", which ought reasonably to be considered as confidential, except any information that: a. at the time of disclosure, is already public knowledge, or subsequently becomes public knowledge, other than by way of any breach of this Agreement or by way of any breach of the handling requirements for any Protectively Marked Material; b. prior to disclosure, was not subject to any confidentiality obligation of any sort; c. is properly disclosed under any legal requirement to a designated regulatory or other body; or d. prior to disclosure, was already known (by some other means ) by the recipient; |
"Contracting Authority" | has the meaning given in Regulation 2 of the Public Contract Regulations 2015, as amended from time to time; |
"Control" | the possession by a person, directly or indirectly, of the power to direct or cause the direction of the management and policies of the other person (whether through the ownership of voting shares, by contract or otherwise) and “Controls” and “Controlled” shall be interpreted accordingly; |
"Controller" | has (as the case may be and as the context allows) the meaning given in Data Protection Law, as applicable to IASME and to their individual circumstances; |
"Cyber Baseline" | means the first tier of certification under the IASME Cyber Baseline standard. It involves the Organisation carrying out a verified assessment which will then be sent to an IASME Cyber Baseline assessor for checking and certification, if appropriate; |
"Cyber Baseline Standard" | means the process set out to ensure consistency when IASME Cyber Baseline assessors are assessing Organisations against the IASME Cyber Baseline standard; |
"Cyber Baseline Certification Mark" | means the IASME Cyber Baseline Certification Mark as set out in Schedule 7 (Trade Marks and Certification Marks); |
"Cyber Baseline Trade Mark Regulations" | the trade mark regulations relating to the IASME Cyber Baseline Certification Mark, as set out in Schedule 7 (Trade Marks and Certification Marks); |
"Cyber Baseline Documentation" | means each or any of the following: a. IASME Cyber Baseline Standard; b. IASME Cyber Baseline Verified Assessment Questionnaire; c. IASME Cyber Baseline templates; d. IASME Cyber Baseline Certificate; and/or f. any documents recording or relating to the Appointing and On-Boarding Process (including any guidance produced by IASME), (as may be varied by IASME); |
"Cyber Baseline Verified Assessment Questionnaire" | means the questionnaire to be used to assess Organisations against the IASME Cyber Baseline Standard; |
"Cyber Baseline Levels" | means the two levels of the IASME Cyber Baseline Certification: Level 1 and Level 2; and such other levels as IASME shall specify; |
"Cyber Essentials Partner" | means IASME Consortium Limited; |
"Cyber Baseline Platform" | means the platform provided by Pervade Software or such other platform that IASME may specify for use in relation to the provision of the Certification Services; |
"Cyber Baseline Scheme IPR" | means: a. IPR in the IASME Cyber Baseline Documentation; b. IPR in any management information provided by the CB to IASME and in any reports, materials and data relating to assessments made either by IASME or by the Supplier (including certificates issued); c. the IASME Cyber Baseline Logo and Badges and any IPR associated with the creation, development, and maintenance of the IASME Cyber Baseline Logo; and d. the IASME Cyber Baseline Certification Mark and any IPR associated with the creation, development and maintenance of the IASME Cyber Baseline Certification Mark; |
"Cyber Baseline Logo" | means the logo set out in Schedule 7 (Trade Marks and Certification Marks); |
"Data Loss Event" | any event that results, or may result, in unauthorised access to Personal Data held by the CB under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach; |
"Data Protection Law" | means (as the case may be and the context allows): a. the GDPR and any applicable national implementing Laws as amended from time to time; b. the DPA 2018 to the extent that it relates to processing of Personal Data and privacy; and/or c. all applicable law about the processing of Personal Data and privacy; |
"Data Subject" | has the meaning given in the DPA 2018; |
"Default" | means any breach of the obligations of the relevant party (including abandonment of this Agreement in breach of its terms, repudiatory breach or breach of a fundamental term) or any other default, act, omission, negligence or statement: a. in the case of IASME, of its employees, servants, agents; or b. in the case of the Supplier of its Sub-contractors or any Staff, in connection with or in relation to the subject-matter of this Agreement and in respect of which such Party is liable to the other; |
"Default Event" | shall have the meaning given in Clause 16.2 (Termination); |
"Digital by Default" | means the use of secure online services to deliver a personalized user experience including process automation, information collection, storage and analytics; |
"DPA 2018" | the Data Protection Act 2018; |
"Dispute" | any dispute, difference or question of interpretation arising out of or in connection with this Agreement, including any dispute, difference or question of interpretation relating to the Certification Services, failure to agree in accordance with the Change Control Procedure or any matter where this Agreement directs the parties to resolve an issue by reference to the Dispute Resolution Procedure; |
"Dispute Resolution Procedure" | means the procedure, set out at Clause 25 (Dispute Resolution Procedure), by which the Parties shall seek to settle any Dispute; |
"Effective Date" | means the date of this Agreement; |
"EIRs" | the Environmental Information Regulations 2004, together with any guidance and/or codes of practice issued by the Information Commissioner or any Central Government Body in relation to such Regulations; |
"Expiry Date" | means the last day of the Initial Term or any Extension Period, when this Agreement shall cease to have effect; |
"Extension Period" | the period by which the Initial Term is extended; |
"FOIA" | the Freedom of Information Act 2000 and any subordinate legislation made under that Act from time to time, together with any guidance and/or codes of practice issued by the Information Commissioner or any relevant Central Government Body in relation to such Act; |
"Force Majeure Event" | means an event beyond the reasonable control of a Party, including acts of God, civil commotion, war, fire, flood or political interference; |
"GDPR" | the General Data Protection Regulation (Regulation (EU) 2016/679); |
"Good Industry Practice" | means the use of standards, practices, methods and procedures conforming to Law, and the exercise of that degree of skill, care, diligence, prudence and foresight that would reasonably and ordinarily be expected from a skilled and experienced person engaged in England and Wales in the provision of services of the same type as the Certification Services in the same or similar circumstances; |
"IASME Logo" | means the logo identified in Schedule 7; |
"ICT" | means any electronic equipment used for processing, storing or transmitting information, including hardware, software, and electronic communications networks and equipment; |
"Individual Recipients" | shall have the meaning set out in Clause 7.1.3 (Limited access); |
"Initial Term" | shall have the meaning set out in Clause 3.1 (Term); |
"Insolvency Event" | means the occurrence of any of the following events (or any event analogous to any of the following in a jurisdiction other than England and Wales) in relation to the relevant entity: a. the entity passing a resolution for its winding up or a court of competent jurisdiction making an order for the entity to be wound up or dissolved or the entity being otherwise dissolved or a petition being presented for the winding up of the entity save for a frivolous or vexatious petition which is discharged within 10 days; b. the appointment of an administrator of or, the making of an administration order in relation to the entity or the appointment of a receiver or administrative receiver of, or an encumbrancer taking possession of or selling, the whole or part of the entity's undertaking, assets, rights or revenue or any steps being taken by any person for or with a view to the appointment of an administrator in relation to the entity; c. the entity entering into an arrangement, compromise or composition in satisfaction of its debts with its creditors or any class of them or takes steps with a view to the same or to obtain a moratorium or makes an application to a court of competent jurisdiction for protection from its creditors; d. the entity being unable to pay its debts or being capable of being deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986 without the need to prove any matter to the court's satisfaction; or e. the entity proposing or entering into any arrangement, compromise or composition in satisfaction of its debts with its creditors; f. however, a resolution by the relevant entity or a court order that such entity be wound up for the purpose of a bona fide reconstruction or amalgamation shall not amount to an Insolvency Event; g. where the CB is an individual, any order for bankruptcy against the CB. |
"IPR" | means any right, title or interest in: a. patents, trademarks, service marks, certification marks, unregistered trade marks, trade names, goodwill, registered designs, design rights, copyrights and other forms of intellectual or industrial property (in each case, in any part of the world), whether or not registered or registrable for their full period of registration with all extensions, renewals and revivals, and including all applications for registration or otherwise; b. inventions, formulae, confidential information (including know-how and secret processes); c. computer software; and d. any similar or equivalent rights and assets that may now or in the future subsist anywhere in the world; |
"Law" | means any Act of Parliament or subordinate legislation within the meaning of section 21(1) of the Interpretation Act 1978 and any enforceable European Union legislation; |
"Malicious Software" | means any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on or to program files, data or other information, executable code or application software macros, whether or not its operation is immediate or delayed, and whether introduced wilfully, negligently or without knowledge of its existence; |
"Month" | means a calendar month; |
"Organisation" | means a recipient of Certification Services; |
"Parties" | means IASME and the CB; |
"Permitted Activities" | means the Permitted Activities set out in Schedule 7 (Trade Marks and Certification Marks); |
"Personal Data" | has the meaning given in Data Protection Law; |
"Personal Data Breach" | has the meaning given in Data Protection Law; |
"Processor" | has the meaning given in Data Protection Law; |
"Prohibited Act" | means any of the acts referred to in Clause 33; |
"Protectively Marked Material" | means any material, in whatever form, which is marked as "Secret" or "Top Secret", or which should properly be so marked and "Protectively Marked" shall be construed accordingly; |
"Protective Measures" | appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the measures adopted by it; |
"Quality Plan" | has the meaning given in Clause 24.1 (Quality Plans); |
"Quarter" | means a period of three consecutive Months beginning on 1 January, 1 April, 1 July or 1 October; |
"Rectification" | means as set out at Clause 16.5 (Rectification); |
"Rectification Notice" | shall have the meaning set out in Clause 16.5 (Rectification); |
"Regulatory Bodies" | means a public organisation or government agency that is set up to exercise a regulatory function; |
"Request for Information" | has the meaning given in section 8 of the FOIA or a request made under Regulation 5 of the EIRs; |
"Scheme Party" | means IASME, any IASME Cyber Baseline Supplier (CB) or any Organisation; |
"Security" | means all aspects of physical, logical, documentary, personnel and other security; |
"Security Requirements" | means the security requirements set out in this Agreement, including those set out in Clause 5 (Security) and Schedule 4 (Security Requirements), and any requirements specifically identified as such in Schedule 2 (Certification Services); |
"Sensitive Claim" | has the meaning given in Clause 13.3 (Sensitive Claims); |
"Service Standards" | means the service standards set out in Schedule 2; |
"Site" | means any building, location or other site used for providing or supporting the provision of the Certification Services, whether in live use or as a back-up site, and whether or not used exclusively in connection with the Certification Services, excluding any Premises; |
"Staff" | means any principal, employee, agent, supplier, or Sub-contractor of the CB, (and its principals, employees, agents, suppliers, and sub-contractors), employed or otherwise engaged directly in the provision of the Certification Services including without limitation (and where the context requires or permits) any Assessor engaged by the CB; |
"Sub-contractor" | any third party with whom the CB enters into a sub-contract in connection with the performance of all or any part of the Certification Services or the CB's other obligations under this Agreement; |
"Supplier Agreement" | means this Agreement between IASME and an entity appointed to provide Certification Services; |
"Term" | has the meaning given in Clause 3 (Term); |
"Termination Date" | means midnight on the date specified for that purpose in a termination notice given under this Agreement; |
"Third Party IPR Claim" | has the meaning given in Clause 11.1 (Claims); |
"VAT" | means value added tax as provided for in the Value Added Tax Act 1994 and any supplemental Law; |
"Working Day" | means a day (excluding Saturdays, Sundays and bank holidays in England and Wales) on which banks are open for normal business in London. |
© The IASME Consortium Ltd 2023 All rights reserved