Does the information security management manual (ISMM) have to be a single document containing all the information required, or can it be a set of separate documents covering the topic specified under point IS.I.OR.250(a) of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 or point IS.D.OR.250(a) of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645?
Does the information security management manual (ISMM) have to be a single document containing all the information required, or can it be a set of separate documents covering the topic specified under point IS.I.OR.250(a) of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 or point IS.D.OR.250(a) of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645?
Answer
Several formats can be used for the ISMM. It can be a standalone manual or it can be integrated into an existing manual/exposition. Alternatively, it can be a slim document with a skeleton that directs readers to separate documents. In any case, there is a need to have clear identifiers for the manual, its approvers, and its revisions.
Last updated
22/08/2025