Appendix E: Agreed-Upon Procedures (AUPs) V5.0
A. Risk Management
A.1 A formal risk governance program is implemented.
A.2 A formal risk governance program is aligned with the business environment.
B. Information Security Policy
B.1 An information security policy is maintained that includes the key relevant domains of security.
B.2 An organization should review the information security policy at planned intervals, at least annually (or if significant changes occur), to ensure its continuing suitability, adequacy, and effectiveness.
B.3 Employees signify their acceptance of the company’s acceptable use policy at least annually.
C. Organization of Information Security
C.1 An organization should communicate, get acknowledgment
from, and per ...