FAQ n.142371

Does the information security management manual (ISMM) have to be a single document containing all the information required, or can it be a set of separate documents covering the topic specified under point IS.I.OR.250(a) of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 or point IS.D.OR.250(a) of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645?

Answer

Several formats can be used for the ISMM. It can be a standalone manual or it can be integrated into an existing manual/exposition. Alternatively, it can be a slim document with a skeleton that directs readers to separate documents. In any case, there is a need to have clear identifiers for the manual, its approvers, and its revisions. 

Last updated
22/08/2025

Was this helpful?