Does the information security management manual (ISMM) have to be a single document containing all the information required, or can it be a set of separate documents covering the topic specified under point IS.I.OR.250(a) of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 or point IS.D.OR.250(a) of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645?
Several formats can be used for the ISMM. It can be a standalone manual or it can be integrated into an existing manual/exposition. Alternatively, it can be a slim document with a skeleton that directs readers to separate documents. In any case, there is a need to have clear identifiers for the manual, its approvers, and its revisions.
Can the term "archived" in point IS.I.OR.245 of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 or point IS.D.OR.245 of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645 be understood as "archiving" as described in the EN9130 standard?
No. Under the EN9130 standard, archiving is the “process of moving one or more electronic record extracts to off-line storage in a way that ensures the possibility of restoring them to on-line storage when needed without loss of meaning. Wherever possible, archived data should be technology-independent so that future users do not have dependencies on obsolete technology from the past”.
In the context of Part-IS, archiving should be understood as "stored in a manner that ensures protection from damage, alteration and theft, with information being identified, when required, according to its security classification level". Moreover, integrity, authenticity, and authorised access shall be ensured (refer to point IS.I.OR.245(d) of Part-IS.I.OR or point IS.D.OR.245(d) of Part-IS.D.OR).