MODUK DEF STAN 05-138 PDF

The scope of this standard is the Supplier’s overarching corporate or enterprise environment. All Supplier organisations, systems, processes, procedures and data necessary for its effective protection of Data and/or Functions are within the scope of this standard, going beyond the protection of just the information provided to the Supplier in support of that contracted output.

This standard is, therefore, intentionally broad, ensuring that a Supplier organisation, irrespective of any controls required for a specific contracted output, has the appropriate minimum levels of controls in place for the level of risk to which that Supplier organisation is expected more generally.

The requirements set out within this standard are derived from current international and industry best practices, as well as requirements placed upon the MOD as a UK Government department.

These requirements are intended to be considered as a ‘minimum’. Individual contracts may specify greater levels of controls/protection (such as where specified within a Security Aspects Letter).

It is intended that this standard will be regularly reviewed and updated, to ensure its continued currency and fit for purpose.

This standard may not be taken as a basis to reduce or remove any other requirements placed upon a Supplier organisation, whether contractual or legal.