The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

The company requires passwords for in-scope system components to be configured according to the company's policy.

The company's networks are segmented to limit access between systems and reduce the impact of potential security incidents.

All data transmitted over public networks is encrypted using industry-standard protocols (TLS 1.2 or higher).

Sensitive data is encrypted at rest using AES-256 or equivalent encryption standards.

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it annually.

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Employees receive regular security awareness training to recognize and respond to potential security threats.

Access to information and systems is granted based on the principle of least privilege and reviewed regularly.

The company maintains a documented risk management framework to identify, assess, and mitigate information security risks.