IT Internal Control Framework v7

The document contains a risk and control matrix with 5 risks related to information system security. For each risk there is a corresponding control to help mitigate it. The risks include weak security configurations, improper access controls, weak passwords, inadequate segregation of duties, and inconsistent security policies with third parties. The controls address topics such as adopting security best practices, formalizing access management processes, implementing strong password policies, separating job roles and responsibilities, and auditing third party providers.


701679203.xlsx 10/31/2023

Risk and control matrix. Each entry below gives: Control code, Risk code, Risk name, Risk description, Control name, Control description.

IST-C010 / IST-R010
Risk name: System breaches due to weak or deficient security configurations
Risk description: System security configurations are not adequately and correctly managed, leading to unauthorized accesses and activities, breach or loss of infrastructure, database or application systems and related data.
Control name: IST-C010 - Appropriate Security Configurations
Control description: Recommended and applicable security configurations from the vendors, professional organizations or the Group are adopted, documented and then followed in the related systems, databases and applications. A periodical review is performed to ensure that security parameters remain aligned with security recommendations. The frequency of the control must be defined according to the criticality of each application (and consequently of its database and systems).

IST-C020 / IST-R020
Risk name: Unauthorized activities or use of systems and data due to deficient system access
Risk description: Access to systems is not properly controlled, leading to fraud, errors, lack of protection over data or unauthorized transactions.
Control name: IST-C020 - Access rights management
Control description: All access rights are granted and removed according to a formal User Access Management (UAM) process (new users, job changes, termination). Access to the Sodexo network, critical applications and databases is granted upon a formal and documented request, approved by the process, application or data owner at the appropriate level. The requests are processed by the appropriate team (generally the IT security or IT administration teams). For critical systems, access rights are reviewed on a regular basis (depending on the robustness of the UAM process) and signed off by the process, application or data owner. Upon termination of a user, access rights are promptly removed or deactivated.

IST-C030 / IST-R030
Risk name: Unauthorized access or breach of systems due to weak passwords
Risk description: Passwords are not properly defined, adequately enforced and protected, leading to unauthorized or fraudulent access to systems and data.
Control name: IST-C030 - Password protection
Control description: Applications are adequately protected by passwords. Those are sufficiently long and sophisticated, periodically changed and resistant to intrusion attempts, appropriate for the nature of the system, data and user account, following the applicable and recommended practices of the Group Information Security policy. For Administrator accounts, higher complexity is expected.


IST-C040 / IST-R040
Risk name: Fraud or unauthorized activities due to inadequate IS segregation of duties
Risk description: IS segregation of duties is not adequate, leading to fraud, errors or lack of protection over confidential data.
Control name: IST-C040 - IS segregation of duties
Control description: IT personnel only perform authorized activities appropriate to their job responsibilities, through an adequate division of roles and responsibilities. This reduces the possibility of a single individual both performing a fraudulent or unauthorized act and concealing it from detection, at all or on a timely basis.

IST-C050 / IST-R050
Risk name: Third party security policy
Risk description: Third party security policies are not consistent with Group and subsidiary security policies.
Control name: IST-C050 - Third party security policy
Control description: IT services provided by third parties (contractors, outsourcers, vendors etc.) should at a minimum conform to Sodexo's IS&IT security policies. It is imperative that controls IST-C020, C030, C060, C070 and C400 be applied by third parties providing IT services. Third parties have to be audited and must be able to provide control certification (or control management) which allows management to conclude on the reliance that can be placed on the third party service provider. This ability to regularly audit service providers on their internal system controls, protection of confidential information and other key service continuity elements must be contractually ensured.


IST-C060 / IST-R060
Risk name: Malicious intrusions in the Information System
Risk description: Malicious intrusions in the information system due to network security failures could occur, leading to access to confidential data or business disruption.
Control name: IST-C060 - Internal Network access and security
Control description: Access to the Sodexo information system (networks, systems, hardware, files, etc.) is monitored through appropriate use and configuration of firewalls, detection and auditing of unauthorized access attempts, and analysis of security incident reports.

IST-C070 / IST-R070
Risk name: Malicious intrusions in the Information System
Risk description: Malicious intrusions in the information system due to network security failures could occur, leading to access to confidential data or business disruption.
Control name: IST-C070 - External Network access and security
Control description: Access to sensitive / confidential applications and / or information assets through an external network (the Internet, dial-in or wireless external remote access connections) must be secured through the use of industry standard technology approaches (e.g. secure architecture design / DMZ, VPN/IPSec, SSL, etc.), which supplement security procedures such as strong password use and system monitoring.


IST-C085 / IST-R085
Risk name: Lack of controls for new technologies
Risk description: Lack of validation/adoption of innovative technologies leads to unsupported and potentially insecure solutions. Lack of recommended tools and services validated by the Group leads to reduced business engagement and competitiveness.
Control name: IST-C085 - New technologies management
Control description: Ensure that the new technologies used are authorized, fit the Group recommended solutions and services, are available when required and do not compromise security. Pay particular attention to all solutions / infrastructure in the public Cloud, in SaaS (Solution As A Service), and to the management of applications and data on BYOD (Bring Your Own Device).

IST-C090 / IST-R090
Risk name: Loss or robbery of confidential or strategic data
Risk description: Confidential or strategic data are lost or stolen, leading to competitor advantages and illicit usage of our strategic data.
Control name: IST-C090 - Protection of end-user devices
Control description: Sodexo desktops and mobile devices (i.e. laptop, tablet, smartphone, handheld and some multi-function cell phones) meet the Sodexo IS security policy in terms of data security (e.g. password; remote, IR & wifi access) and physical protection against robbery and carelessness.

IST-C120 / IST-R120
Risk name: Job definition, scheduling or monitoring issues negatively affect data integrity and financial reporting
Risk description: Lapses in operation job design or scheduling result in data integrity issues. Inadequate job monitoring results in errors not being corrected at all or on time, thus leading to financial reporting issues.
Control name: IST-C120 - Monitoring of computer jobs
Control description: Computer jobs should be properly designed, developed and tested by individuals other than those supporting the operation of the jobs. Jobs should be scheduled properly to allow for timely and complete processing. Jobs should be monitored for errors or exceptions, which should be followed up and corrected in a timely manner. This control concerns all operation jobs, including automatic interfaces, not the application jobs.


IST-C150 / IST-R150
Risk name: Inadequate physical security over critical IT assets
Risk description: Storage conditions for critical IT equipment (e.g. servers, routers, etc.) do not meet standards in terms of reasonable protection against fire, electrical surges, water damage and other natural disasters.
Control name: IST-C150 - IT storage conditions
Control description: Critical IT equipment (such as servers, routers) should be stored in areas meeting standards in terms of protection against fire, electrical surge, flooding or other natural disaster. The storage room should contain adequate back-up power supplies, air conditioning, and fire detection/suppression means.

IST-C151 / IST-R150
Risk name: Inadequate physical security over critical IT assets
Risk description: Storage conditions for critical IT equipment (e.g. servers, routers, etc.) do not meet standards in terms of reasonable protection against fire, electrical surges, water damage and other natural disasters.
Control name: IST-C151 - Access to computer room
Control description: Access to computer rooms is limited to authorized personnel and physically secured (controlled with access cards, key, digital code, fingerprint, ...).

IST-C160 / IST-R160
Risk name: Inadequate Security Policy
Risk description: Weakness of the Information System leading to financial losses (due to an inadequate security level with respect to the Group Security Policy). Exposes other countries or the Group to the risk of compromise, data leakage, system slowdown, vulnerabilities, …
Control name: IST-C160 - Security Policies and Group practices adoption/implementation
Control description: To ensure that an appropriate documented information security policy and Group practices are communicated to all individuals, and that the recommended security measures are applied and effective locally.


IST-C200 / IST-R200
Risk name: Data integrity, security or system availability issues due to unauthorized or poorly managed changes
Risk description: Unauthorized or improperly managed changes lead to issues in data integrity, compliance and availability of systems or data.
Control name: IST-C200 - Change management
Control description: Changes to business application programs, configurations, databases, operating systems, IT infrastructure and processes are evaluated, prioritized, authorized, performed and documented in a formal, structured manner so as to reduce the risk to the integrity, security and availability of systems and data.

IST-C220 / IST-R220
Risk name: Unidentified errors, data integrity or security issues due to deficient or lack of testing
Risk description: Changes to systems, programs and configurations are not properly tested, leading to data integrity issues, loss of systems or data and non-compliance issues.
Control name: IST-C220 - Testing of system changes
Control description: Changes in systems/applications are tested and approved by the appropriate business/IS&IT process owners before being transported to production. Initial test plans and resulting test reports must be documented. The following process is respected: test scenario building, unit test management, integration test management, and a formal acceptance slip signed before transport to production.


IST-C230 / IST-R230
Risk name: Data integrity issues or unauthorized changes due to non-segregated environments
Risk description: The production environment is not properly segregated from the development and testing environments, leading to unauthorized changes, data integrity issues and potential fraudulent activities that may result in financial losses or compliance issues.
Control name: IST-C230 - Separate production, testing and development environments
Control description: Production systems are on separate environments from development and test systems. Access rights of IT staff on these environments are adequate according to IS&T best practices (for instance: indirect access of developers, consultants and administrators to production, with no access to functional data).

IST-C250 / IST-R250
Risk name: Major IT risks not identified and addressed
Risk description: Significant IT risks are not identified or addressed within the organization, resulting in loss of key IT services, systems and data, thus leading to business interruptions.
Control name: IST-C250 - IT risk assessment
Control description: IT management should establish an IT risk assessment and management process to consistently and periodically identify, assess, mitigate, accept and track critical IT risks as they relate to the business. Results of IT risk management should feed into IT strategic planning and other IT processes and controls. This control partially answers CLC-213, which is the risk management of all processes of the entity.

IST-C260 / IST-R260
Risk name: Lack of IT involvement/validation in all application/infrastructure initiatives at Sodexo
Risk description: Lack of project management leads to projects that are poorly defined and uncontrolled and that do not meet business expectations in terms of time, cost and quality. Delivered solutions are not compliant, fail to meet security requirements and are not compatible with the existing infrastructure. Insufficient IT resources to deliver and support. Lack of IT and/or Business ownership.
Control name: IST-C260 - IT Project management
Control description: Ensure the IT project methodology is well described, communicated and implemented. Group / BU IT Governance processes are applied. Information security, data privacy and internal control requirements are included in the design of the project. Changes to project scope, budget and time scales are formally managed and approved. A post-implementation review is conducted with the project sponsor before the project is closed.


IST-C280 / IST-R280
Risk name: Business interruption and financial losses due to major disasters
Risk description: A disaster that interrupts or eliminates critical IT resources leads to interruption of business operations for an unacceptable period of time, resulting in major business and financial losses.
Control name: IST-C280 - Disaster Recovery Plan
Control description: An IT disaster recovery plan exists to effectively reduce the impact of a major disruption on key business functions and processes, based on the major risks identified and the business requirements for resuming operations. This disaster recovery plan is part of the global Business Continuity plan of the entity (cf. CLC-432).

IST-C300 / IST-R300
Risk name: Lack of Service level agreement with the IS&T department
Risk description: Lack of clear service, of service management or of internal control in case of insourcing, leading to deviation, errors or lack of protection over confidential data.
Control name: IST-C300 - Service level agreement with the IS&T department
Control description: The IS&T department clearly identifies its responsibilities to users and the functional departments, and maintains a log of its tasks, including follow-up.

IST-C340 / IST-R340
Risk name: Incidents are not anticipated
Risk description: Incidents are not sufficiently anticipated and corrective actions are not prepared in advance, resulting in excessive time to remediate incidents.
Control name: IST-C340 - Management of incidents
Control description: The IS&IT department identifies the types of incidents that might arise and prepares standard remediation plans. All applications, systems and networks are included. All teams follow the same procedures: incident detection/help desk, analysis, remediation/correction plan, remediation plan update, follow-up and communication to the relevant parties. A database of incidents and remediation plans is maintained.


IST-C350 / IST-R350
Risk name: Inability to recover data due to loss of data or programs
Risk description: Lack of or inadequate backup of critical data or programs leads to inability to resume business operations, loss of data or non-compliance with laws or contractual responsibilities.
Control name: IST-C350 - Backup and Restoration of Data and Systems
Control description: Data and programs are properly backed up according to the nature and classification of the data, the risk of loss and the requirements for recovery. Usually, backups of data/databases are performed at least once a day on physical media (hard disk, tapes, storage area networks). In case of an incident (data corruption, program errors, hardware failure, virus infection, IT attacks, etc.), application and database servers can be effectively restored. For critical applications and data, restoration tests are performed on a regular basis (at least quarterly or bi-annually) to verify the effectiveness of the backup. This control is not designed to address the risk of disaster by providing a disaster recovery plan (DRP), but may be a prerequisite for such a DRP (see IST-C280).

IST-C360 / IST-R360
Risk name: No archiving solution in place, and data files not compliant with legal requirements
Risk description: Running standard business application software can generate large volumes of data, often leading to reduced system performance and greater demand on resources. The system can become overloaded without archiving; critical data may be purged, and historical information from prior years and information needed in case of litigation or audit may become irretrievable. Data files retained do not comply with legal requirements (leading to fines and penalties).
Control name: IST-C360 - Archiving and retention
Control description: Management has identified the data files that must be retained to comply with local regulatory requirements, and the appropriate process to do so is in place. The IS&IT department has put in place an archiving solution for the critical data identified. This solution allows access to and recovery of historical data, either electronically or manually. The archiving/purge procedures are defined and performed regularly by identified individuals. Audits of volumes, performance and response times are also regularly performed.

IST-C380 / IST-R380
Risk name: Risk of non-compliance with the software laws or Group's recommendations
Risk description:
- Non-compliance with laws regarding copyright and counterfeiting
- Financial consequences induced in case of non-compliance: penalties involving both the company and the responsibility and obligation to purchase licenses in case of deviation
- Reputation impact if there is a public trial, or at least if communicated by the media
And two other risks:
- paying for too many licences compared with those really used
- paying too much for licences compared with the licence prices negotiated at Group/BU/Zone levels
Control name: IST-C380 - Software license management
Control description: Make sure that software license management is integrated in IT management and properly administered in accordance with the software purchases made with software editors, in coordination with the negotiations at Group / BU / Zone level, and also so that audits by the software editors do not create obstacles or financial penalties for the company.


IST-C400 / IS-R400
Risk name: Loss of data or system availability due to breaches caused by system vulnerabilities
Risk description: System vulnerabilities or weaknesses are manipulated and lead to data integrity, confidentiality or availability issues.
Control name: IST-C400 - Management of system vulnerabilities
Control description: Critical systems and IT infrastructure are free from major known vulnerabilities, to prevent them from being manipulated by malicious programs or individuals.

IST-C410 / IST-R410
Risk name: Data errors or integrity issues due to lack of or insufficient interface controls
Risk description: Lack of or deficient controls within data interface flows leads to data errors, omissions or other data integrity issues.
Control name: IST-C410 - Interface Control
Control description: Interfaces have automated, semi-automated or manual controls such that data transmission or processing through interfaces (or data transfer) is accurate, complete, timely, authorized and auditable.

IST-C420 / IST-R420
Risk name: Loss of accountability and inability to detect fraud or errors due to lack of audit trail
Risk description: A deficient or missing audit trail in systems leads to an inability to identify errors, omissions or fraudulent activities in systems, resulting in data integrity and non-compliance consequences.
Control name: IST-C420 - Sufficient audit trail
Control description: Eligible business application systems have adequate and effective audit trail features to record the addition, change and deletion of critical data.


IST-C600 / IST-R600
Risk name: Divulgation of Private data
Risk description: The Company and its Legal representative will be sued in case of data leakage and inadequate data processing. Negative brand image impact and contracts lost. Human resources issues with employees.
Control name: IST-C600 - Data Privacy Policy control
Control description: To prevent information about individuals being used in an inappropriate manner, and to ensure compliance with legal and regulatory requirements for data privacy.


IST-C700 / IST-R700
Risk name: Lack of Governance in the IT department or in relation with the business
Risk description:
- Lack of strategic alignment to the business strategic objectives and goals
- Risk of disconnection between the Business Leaders and IS&T Management
- There is no demand management of business requests, whether strategic, tactical or operational
- Lack of appropriate service levels defined to govern the relationship between the business and IS&T
- Resilience and continuous availability: loss of service availability
- Lack of an appropriate outsourcing strategy, leading to sub-optimisation of IS&T resources
- Lack of an appropriate enterprise architecture strategy, leading to inefficiencies
- Lack of appropriate system integration, leading to inefficiencies
- Lack of application controls, leading to failure in the control and resulting in loss of business assets
Control name: IST-C700 – Governance framework
Control description: Governance is defined to ensure the IS&T function is aligned to the business strategy, is able to deliver the expected value and can evaluate its performance. IS&T embeds risk management responsibilities into the organization, ensuring that the business and IT regularly assess and report IT-related risks and their impact, that the enterprise's IT risk position is transparent to all stakeholders, and formalizes the supplier relationship management process for each supplier. It defines and maintains an enterprise information model to enable application development and decision-supporting activities, consistent with IT plans, allowing the activities and interdependencies of multiple projects to be established.

IST-C750 / IST-R750
Risk name: Lack of an IT budget method and of consistency in IT investments and the IT process lifecycle
Risk description: Lack of evaluation of IT investments and inability to base decisions on a financial basis. Lack of an appropriate budget management process.
Control name: IST-C750 – IS&T department budget management
Control description: The IS&T department budget is managed to ensure IT meets the business expectations at the best cost. It is followed at project level and regularly followed at a global level, to ensure that appropriate resourcing is used and that it is aligned with current and future strategic objectives and business imperatives.

Testing procedures. Each entry below gives: Control code, Testing procedures, Tested by.

IST-C010 (tested by: IT)
1°) A process of control of Appropriate Security Configuration exists, is updated according to the scope of applications, and is communicated to the concerned actors.
2°) Identify and define the applications, operating systems and databases concerned.
3°) Control that security parameters are defined and validated.
4°) Control that, in case of a gap with the security parameter list provided by Sodexo, there is a justification or an explained action plan to change these parameters as soon as possible.

IST-C020 (tested by: IC)
1°) A process of control of Access Rights management exists, is updated according to the scope of applications, and is communicated to the concerned actors.

2°) Review the access rights procedure and evaluate if the following controls have been performed:
a. Are profiles defined and approved by business owners and IT based on business need?
b. Are generic logins prohibited?
c. Are new users and their access rights formally requested, approved by business owners and implemented by IT security?
d. Are user access rights changed in a timely manner on job changes, through coordination with Human Resources?
e. Are periodic reviews performed to identify users who do not need their level of user rights, including terminated users, transferred users, users with job changes and idle user accounts?

3°) Creation or modification of user accounts corresponds to a formalized and validated request (approved at least by the business owner and an IS&T team member).

4°) Extract the list of users and their access rights for a sample of critical applications. Evaluate if the policies stated above are being applied.
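A scripted form of steps 2(b), 2(d), 2(e) and 4 of this procedure, added here as an illustration and not part of the framework: it joins a constructed user/access extract to a constructed HR register and returns the exceptions a reviewer would raise. The 90-day idle threshold, the generic-login prefixes and every record are assumptions.

```python
"""Access-rights review helper for the IST-C020 testing procedure (illustrative code).

Joins an application's user/access extract against the HR register and flags the
cases steps 2(b), 2(d), 2(e) and 4 ask the reviewer to look for: generic logins,
terminated users still enabled, users whose job changed after their rights were
last approved, and idle accounts. Every record below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

IDLE_DAYS = 90                                         # assumption: idle threshold
GENERIC_PREFIXES = ("admin", "test", "shared", "svc")  # assumption: non-nominative names


@dataclass
class Account:
    login: str
    employee_id: Optional[str]   # None when the login is not tied to a named person
    enabled: bool
    last_login: Optional[date]
    rights_approved: date        # date the current rights were signed off by the owner


@dataclass
class Employee:
    employee_id: str
    status: str                  # "active", "terminated" or "transferred"
    status_date: date            # termination date or date of the job change


def review_access(accounts, employees, review_date):
    """Return (login, finding) tuples; an empty list means no exception was found."""
    hr = {e.employee_id: e for e in employees}
    findings = []
    for acc in accounts:
        # 2(b): generic logins cannot be traced to an accountable individual
        if acc.employee_id is None or acc.login.lower().startswith(GENERIC_PREFIXES):
            findings.append((acc.login, "generic or unowned login (2b)"))
            continue
        emp = hr.get(acc.employee_id)
        if emp is None:
            findings.append((acc.login, "no matching HR record (2e)"))
            continue
        # 2(e): leavers must be removed or deactivated promptly
        if emp.status == "terminated" and acc.enabled:
            findings.append((acc.login, "terminated user still enabled (2e)"))
        # 2(d): a job change after the last approval means rights were never re-approved
        elif emp.status == "transferred" and emp.status_date > acc.rights_approved:
            findings.append((acc.login, "job changed after rights approved (2d)"))
        # 2(e): enabled accounts nobody uses are candidates for removal
        if acc.enabled and (acc.last_login is None
                            or (review_date - acc.last_login).days > IDLE_DAYS):
            findings.append((acc.login, "idle account (2e)"))
    return findings


# Constructed sample extract (step 4) and HR register
REVIEW_DATE = date(2023, 10, 31)
ACCOUNTS = [
    Account("jdoe", "E100", True, date(2023, 10, 20), date(2023, 1, 15)),
    Account("asmith", "E200", True, date(2023, 10, 25), date(2022, 6, 1)),
    Account("bchen", "E300", True, date(2023, 10, 28), date(2023, 2, 1)),
    Account("mlee", "E400", True, date(2023, 5, 1), date(2023, 1, 1)),
    Account("admin_erp", None, True, date(2023, 10, 30), date(2023, 1, 1)),
    Account("rgarcia", "E500", False, None, date(2023, 1, 1)),  # leaver, already disabled
]
EMPLOYEES = [
    Employee("E100", "active", date(2020, 3, 1)),
    Employee("E200", "terminated", date(2023, 9, 30)),
    Employee("E300", "transferred", date(2023, 8, 15)),
    Employee("E400", "active", date(2019, 7, 1)),
    Employee("E500", "terminated", date(2023, 7, 1)),
]


def sample_review():
    """Run the review over the constructed data; yields four findings."""
    return review_access(ACCOUNTS, EMPLOYEES, REVIEW_DATE)


if __name__ == "__main__":
    for login, finding in sample_review():
        print(f"{login:12} {finding}")
```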

IST-C030 (tested by: IC)
1°) A process of control of Password protection exists, is updated according to the scope of applications, and is communicated to the concerned actors.

2°) Password-related configurations such as length, complexity, maximum age, account lockout threshold and lockout duration should be identified for each important system and configured according to the recommendations of the Group IT Information Security policy.

3°) Periodic inspections are performed as part of the security configuration check (C010) to make sure the established password configurations are followed in the actual systems.

4°) Select samples of applications based on the risk assessment and the systems' criticality. Review the actual password and user account settings for compliance with the required configurations and best practices.

5°) If the system allows it, check that the complexity required for administrators is higher than the Group IT security policy minimum requirements (for instance one additional character).


IST-C040 (tested by: IC/IT)
1°) A process of control of IST segregation of duties exists, is updated according to the scope of applications, and is communicated to the concerned actors.

2°) Check the existence and update of the IT organization chart, describing the local IT team, the role of each member, ...

3°) Verify the entity has developed an IS segregation of duties matrix that identifies all major conflicts between different IT duties or tasks.

Tested by an access rights review of IT individuals, ensure that major tasks such as program development, system support, database administration and internal control/audit are adequately separated, i.e.:
- System development is separated from the application, database and operating system levels
- Database administration is separate from application programming
- IT personnel are prohibited from having incompatible responsibilities or duties in user departments (i.e. access by IT staff to modify production data is limited and traceable)
- Developers do not transfer into production, and cannot request a transfer without approval

4°) Ensure that this matrix is periodically reviewed and updated.

5°) Check that, in case of inadequate segregation, compensating controls are in place and documented.

6°) Check that Administrator privileges on production systems are under regular and consistent control.
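The access rights review of step 3 and the compensating-control check of step 5, as an added illustration that is not part of the framework: the separations listed above are encoded as a conflict matrix, each IT user's duties are run through it, and every conflicting pair is reported together with the compensating control that covers it, if one is documented. Duty names, users, assignments and the compensating control are constructed.

```python
"""Segregation-of-duties conflict check for the IST-C040 testing procedure (illustrative code).

Encodes the separations listed in step 3 as a conflict matrix, runs each IT
user's assigned duties through it and reports every conflicting pair, noting
whether a documented compensating control covers it (step 5). Duty names,
users and assignments are constructed for this illustration.
"""
from itertools import combinations

# Duties named after the separations the procedure lists
DEVELOPMENT = "program development"
DB_ADMIN = "database administration"
SYS_ADMIN = "system support / operating system level"
TRANSPORT = "transport to production"
PROD_DATA = "modify production data"
AUDIT = "internal control / audit"

# Unordered pairs that one individual may not hold at the same time
CONFLICTS = {
    frozenset({DEVELOPMENT, DB_ADMIN}),    # DBA separate from application programming
    frozenset({DEVELOPMENT, SYS_ADMIN}),   # development separate from OS / system level
    frozenset({DEVELOPMENT, TRANSPORT}),   # developers do not transfer into production
}
# IT staff access that modifies production data must stay limited and traceable
for technical in (DEVELOPMENT, DB_ADMIN, SYS_ADMIN, TRANSPORT):
    CONFLICTS.add(frozenset({technical, PROD_DATA}))
# Internal control / audit is separated from every operational duty
for operational in (DEVELOPMENT, DB_ADMIN, SYS_ADMIN, TRANSPORT, PROD_DATA):
    CONFLICTS.add(frozenset({AUDIT, operational}))


def check_user(duties, compensating=None):
    """Return [(duty_a, duty_b, compensating_control_or_None)] for one user's duties."""
    compensating = compensating or {}
    hits = []
    for a, b in combinations(sorted(duties), 2):   # sorted for deterministic output
        pair = frozenset({a, b})
        if pair in CONFLICTS:
            hits.append((a, b, compensating.get(pair)))
    return hits


def run_review(assignments, compensating_controls):
    """assignments: {login: set of duties}; compensating_controls: {login: {pair: text}}.
    Returns {login: conflicts} for the users that have at least one conflict."""
    results = {}
    for login, duties in assignments.items():
        hits = check_user(duties, compensating_controls.get(login))
        if hits:
            results[login] = hits
    return results


def summarize(results):
    """Return (users with conflicts, unmitigated conflicts, conflicts with a compensating control)."""
    unmitigated = sum(1 for hits in results.values() for h in hits if h[2] is None)
    mitigated = sum(1 for hits in results.values() for h in hits if h[2] is not None)
    return len(results), unmitigated, mitigated


# Constructed access rights review of the local IT team (step 3)
ASSIGNMENTS = {
    "dev_alice": {DEVELOPMENT},
    "dba_bob": {DB_ADMIN, SYS_ADMIN},
    "ops_carol": {SYS_ADMIN, TRANSPORT},
    "dev_dan": {DEVELOPMENT, TRANSPORT},
    "lead_eve": {DEVELOPMENT, DB_ADMIN, PROD_DATA},
    "audit_frank": {AUDIT, TRANSPORT},
}
# Constructed documented compensating control (step 5) for one accepted conflict
COMPENSATING = {
    "lead_eve": {frozenset({DEVELOPMENT, DB_ADMIN}):
                 "quarterly DBA activity log reviewed and signed by the application owner"},
}


def sample_results():
    """Run the review over the constructed team; three users have conflicts."""
    return run_review(ASSIGNMENTS, COMPENSATING)


if __name__ == "__main__":
    for login, hits in sample_results().items():
        for a, b, control in hits:
            status = f"compensating control: {control}" if control else "NOT MITIGATED"
            print(f"{login}: {a} + {b} -> {status}")
    print("users / unmitigated / mitigated:", summarize(sample_results()))
```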

IST-C050 (tested by: IT)
1°) A process of control of third party security policy exists, is updated according to the scope of applications, and is communicated to the concerned actors.

2°) Control that an up-to-date contract exists for all suppliers providing IT products and services.

3°) Control that appropriate IT security and data protection provisions are included in all contracts.

4°) Control that each third party provides evidence of IT security and internal control compliance, in the form of annual attestation reports (ISAE3402, SOC 1 Type 2, SOC 2 Type 2, SSAE16 etc.) or in collaboration with Sodexo, via a defined Control Agreement and / or a "right of audit" clause in the contract.

5°) Control that a review of the IT security and internal control evidence for critical third parties is completed at least annually, and that action plans for deficiencies are agreed and managed with the Third Party.

6°) Control that external consultant activities are defined and validated.


IST-C060 (tested by: IT)
1°) A process of control of Internal Network access exists, is updated according to the scope of applications, and is communicated to the concerned actors.

2°) Check that the Information system architecture is described, taking into account internal network access to the concerned applications (access points, technologies, user VLAN, admin VLAN, backup VLAN, etc.).

3°) Select major systems and verify they are configured to activate the capturing and logging of the approved security events.

4°) Verify that the critical security events logged are effectively and efficiently reviewed, preferably with the help of event analysis tools. Check that unauthorized access or intrusion attempts indicated by these logs are identified and investigated. Verify that security incident reports are analysed.

5°) Control that the IT team checked that the Group firewall policy is applied for internal network access.

6°) If feasible, control that the IT team checked the protection of the Wifi access point (Widata).

7°) Verify that the monitoring systems protecting the subsidiary from malicious intrusions into the computer system are reviewed and updated. This may include the use of a monitoring tool to control access to the network (to identify unauthorized entrance, suspicious activities, unauthorized activities and intrusions).

IST-C070 (tested by: IT)
1°) A process of control of External Network access exists, is updated according to the scope of applications, and is communicated to the concerned actors.

2°) Check that the Information system architecture is described, taking into account external network access to the concerned applications (access points, technologies, etc.).

3°) Select major systems, for instance VPN access, and verify they are configured to activate the capturing and logging of the approved security events.

4°) Verify that the critical security events logged are effectively and efficiently reviewed, preferably with the help of event analysis tools. Check that unauthorized access or intrusion attempts indicated by these logs are identified and investigated. Verify that security incident reports are analysed.

5°) Control that the IT team checked that the Group firewall policy is applied for external network access and inbound flows.

6°) Check that the list of persons authorized to access the network through an external connection is defined and updated.


IST-C085 (tested by: IC/IT)
1°) A process of control of New technologies management exists, is updated according to the scope of applications, and is communicated to the concerned actors.

2°) Control:
a. that the catalog of Global IT solutions and services is taken into account in the entity and communicated;
b. that, when the catalog does not match business requirements, there is a formal approval process for new tools/software, defined and documented, including roles and responsibilities and including the IT department;
c. that any new technology is protected through its technical configuration: access control mechanisms, up-to-date antivirus protection and, if required, encryption of data;
d. that any new technology is supported by maintenance arrangements (IT or external) and satisfies the operational prerequisites.

IST-C090 (Tested by: IT)

1°) Process of control of Protection of End-user devices exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
a. twice a year that the desktop equipment and mobile device fleets are managed via asset management (tool or file)
b. yearly that mobile devices benefit from the following additional protection:
- requests for administrative rights are justified and validated, and such rights are not granted to end-users
- devices are re-imaged (re-mastered) before being provided to a new user
- mobile devices are backed up to avoid the loss of data
- desktops and laptops are regularly scanned to detect vulnerabilities and have updated anti-virus software
- the hard drives of sensitive mobile devices are encrypted
- security patches are applied in a reasonable timeframe
- only supported OS are allowed
- up-to-date Global Antimalware protection on a centralized console
- Global MDM on corporate mobiles and BYOD

IST-C120 (Tested by: IT)

1°) Process of control of Monitoring of computer jobs exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
a. that all jobs (apart from the application ones) are identified and described. Ensure that added jobs are correctly described and tested before implementation.
b. that the individuals in charge of job monitoring are clearly identified and that a tool for controlling jobs is used.
c. that, when a problem occurs, jobs can be restarted at the point of failure and that it is not necessary to relaunch them from the beginning.


IST-C150 (Tested by: IT)

1°) Process of control of IT storage conditions exists, is updated according to the related information system, and communicated to concerned actors

2°) Check that all systems of the applications in scope and all other critical systems (such as messaging / file / operation servers) and critical devices (such as routers and back-up systems) are stored in defined and secured computer room(s) or data centre(s). Check the inventory of systems and whether it is updated at least once a year.

3°) Check how the server room is protected (from smoke, fire, flood, ...). Key protections should include (entrance security excepted, as it is covered by another control, IST-C151): ventilation duct security, window security, floor-to-floor walls, air conditioning (primary and backup), ventilation, dehumidifier, temperature alarm, fire extinguishing facilities, fire alarms, raised floor, and a "No food, smoking and drink" policy displayed on the walls.

4°) Control that adequate facilities to support normal operation of the data center have been implemented, including uninterrupted power supply and/or standby power generators, an emergency power cut-off device, a power-off alarm and emergency lighting.

5°) Check that all security equipment is appropriately maintained by the related provider, under contract, with planned maintenance.

IST-C151 (Tested by: IC/IT)

1°) Process of control of Access to computer room exists and is communicated to concerned actors

2°) Control:
a. quarterly that the list of persons authorized to access the data center is up-to-date and validated and that data center access requests are validated. Control also that the badges/keys of persons who must no longer be able to access the data center are disabled.
b. quarterly that access to the data center is secured and physically restricted (access cards, locked door, and for the main data centre: camera and intrusion detection system, ...).
c. that the process to access the computer room is defined, validated and communicated and that the persons authorized to access the data center are defined. Obtain the list of employees who have access to the server room and verify that this list is updated / correct.

IST-C160 (Tested by: IC)

1°) Process of control of IT Security Policy exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
a) Communication to all IT individuals of the Group Information and Systems Security Policy (GISSP).
b) Security Policy training and awareness provided to all IT personnel at least annually.
c) Enforcement of the GISSP in the entity, in coordination with Group and entity IT teams.
d) If feasible: security awareness is an appendix of the employee contract and is signed by the employee.


IST-C200 (Tested by: IC/IT)

1°) Process of control of Change management exists, is updated according to the scope of applications, and communicated to concerned actors

2°) A formal change management process is defined, documented and communicated, covering roles and responsibilities, prioritization of changes based on risk, assessment of impact, authorization of changes by business owners and IT, and tracking / reporting of changes.

3°) Check that the functional, security, legal, regulatory and compliance impacts of changes are considered.

4°) Control that all changes are formally approved by the business process owner and IT technical stakeholders, as appropriate

5°) Check that each step of a change is documented and understandable by someone who did not carry out the developments.

6°) Check that emergency changes are properly defined, authorized, reviewed after the change and documented. Emergency changes should not be performed to circumvent normal change controls.

7°) Through interviews, enquire about the changes made in the system
a. Select several changes and verify they are formally approved by the business process owner and IT
b. Select several emergency changes and ensure they are adequately taken into account and that they do not circumvent normal change controls.

8°) Check that ownership is assigned for each application and database within the IT infrastructure and that there is an appropriate structure for assigning ownership of data, including who is authorized to initiate and/or change transactions

IST-C220 (Tested by: IC/IT)

1°) Process of control of Test management exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Select significant changes in a system or application:
a. Verify that a formal test plan has been defined and documented following the established testing standard, based on the business requirements and communication with business owners and IT.
b. Check that a person responsible for tests is identified.
c. Ensure that all major functional and technical requirements were included in the testing.
d. Verify that the test plan defines clear criteria for measuring the success or failure of testing results.
e. Verify that testing results were reviewed and approved by business owners and IT.
f. Check that testing evidence (user acceptance slips and all documents justifying the tests performed) is retained for an appropriate period of time.


IST-C230 (Tested by: IT)

1°) Process of control of Separate production, testing and development environments exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
1. that the development / acceptance / production environments are technically separated.
2. that a map of the environments is available.
3. twice a year that access rights on the environments are differentiated and that access rights are restricted according to the roles / responsibilities defined.

IST-C250 (Tested by: IC)

1°) Process of control of IT risk assessment exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
a. that a process to identify, assess, reduce and follow the IT risks is created with the business.
b. that IT risks are assessed and that management has defined a strategy to manage them.
c. that actors have been defined and that operational action plans are in place.
d. that these action plans are controlled monthly to ensure they are followed regularly.
e. that, bi-annually, risks are re-evaluated according to the action plans carried out.

IST-C260 (Tested by: IC/IT)

1°) Process of control of IT project management exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
i) A formal IS&T governance process has been implemented to review and approve IT project requests before project initiation. This includes defined project roles & responsibilities and a Business Case, aligned to the Group / BU IT strategy and DOA levels.
ii) For OSS only: the Group / Regional IT Governance process framework has been implemented (e.g. Project Origination Proposal (POP), Project Charter, etc.).
iii) The process ensures solutions align effectively with the Global Enterprise Architecture roadmap.
iv) Information security, data privacy and internal control requirements are included in solution design.
v) Changes to project scope, budget and time scales are formally managed and approved.
vi) Progress is monitored and communicated as required by the Entity, Region and Group.
vii) System inventory information is updated in Global APM and a process is implemented to keep it up to date.
viii) A post-implementation review is conducted with the business after a defined period validated by the business and IS&T owners (e.g. 6 months / 1 year) to formally close the project and review benefit realisation.


IST-C280 (Tested by: IC/IT)

1°) Process of control of Disaster Recovery Plan exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
a) Ensure that critical applications are defined with the Business and in line with Group recommendations.
b) Ensure that each critical application has a defined maximum tolerable period of disruption and recovery objectives (RTO and RPO).
c) Ensure that the major IT risk scenarios for Business Continuity are defined and reviewed at least annually.
d) Control that a Disaster Recovery Plan (DRP) is documented and kept up-to-date, covering each critical application and each major risk scenario.
e) Verify that the DRP has been approved by the Business as part of the Business Continuity plan of the entity (cf. CLC-432) and that the DRP is fully budgeted.
f) Verify that a list of DRP contacts and suppliers is documented and reviewed at least annually.
g) Ensure that key employees are aware of their roles in the event of a disaster.
h) Verify that asset inventories and vendor agreements relating to critical applications are accurate and current.
i) Control that the DRP is tested regularly in line with Group recommendations.

IST-C300 (Tested by: IC/IT)

1°) Process of control of Service Level Agreement exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
a. that a list of services, activities, applications, infrastructures or assets shared with other Sodexo entities is formalized. Ensure that the responsibilities of IS&T, the entities and the client entities or departments are defined.
b. that any shared service, activity, application, infrastructure or asset added or removed triggers an update of the SLA.
c. that the quality level is followed and shared with the internal client via KPIs (key performance indicators), and that evidence of internal controls can easily be obtained by internal clients for their own audits / controls.

IST-C340 (Tested by: IC)

1°) Process of control of Management of Incidents exists, is updated according to the scope of applications, infrastructure and network, and communicated to concerned actors

2°) Control:
a. that the anomaly identification and correction process is defined, validated and communicated.
b. that tools enabling the identification and/or management of incidents are defined.
c. that the persons responsible for incident identification and/or management are defined.
d. monthly that incident resolution is followed and periodically communicated to the board through KPIs, that anomalies are described and that solutions are stored to improve knowledge management.
e. that all IT security incidents are managed until closure, in line with the Information Security Incident Management Directive.
f. that, based on an evaluation of the impact, information security incidents are reported to Group InfoSec.


IST-C350 (Tested by: IT)

1°) Process of control of Back-up and Restore exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Verify that critical data affecting business operations or the conduct of business are identified in accordance with the data classification and IT risk management process

3°) Verify that policies and procedures exist for the backup of data and detail the frequency of backups, the scope of backups (full, incremental, differential, etc.), versioning, validation and storage location.

4°) Verify that restoration tests are performed periodically to verify that all components of backups can be effectively restored.

5°) For all applications defined as critical by the Business and in line with Group recommendations, verify that backups have been performed at the stated intervals and that a restore test has been performed within the last 12 months.

6°) Where physical media are stored securely and safely offsite for disaster recovery purposes, ensure that the backup media can be retrieved promptly from the off-site storage (ideally within timeframes defined by SLAs).

IST-C360 (Tested by: IC/IT)

1°) Process of control of Archiving and Data retention exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control:
a. that a list of documents with a legal retention period is formalized and kept up-to-date.
b. that the list of applications storing these legal documents is formalized.
c. that the criticality of each level and type of data is defined and that the legal retention time and particular needs are in place.
d. that an associated purge rule is defined for each archiving rule and that archiving and purging are carried out by a specific tool.
e. that an automatic process for archiving legal documents is implemented.
f. that testing is regularly carried out regarding the integrity of, and access to, the archived documents.

IST-C380 (Tested by: IC)

1°) Process of control of Software license management exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control that software license management is:
a. integrated in IT management,
b. properly administered in accordance with the software purchases made with software editors,
c. coordinated with the negotiations at Group / BU / Zone level,
d. such that audits by the software editors do not create obstacles or financial penalties for the company.

3°) Control the inventory of locally purchased software (not open source), of the associated contracts and of the related installed software estate.


IST-C400 (Tested by: IT)

1°) Process of control of Management of system vulnerabilities exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Verify that a systematic process exists to apply updates or patches (automatically or manually) against security vulnerabilities on systems and IT infrastructure devices, e.g. via Qualys, the vulnerability scanning tool for servers/IPs recommended by the Group.

3°) Check that critical systems and IT infrastructure have been identified. Verify that they are regularly scanned or assessed for known vulnerabilities.

4°) Check that all major vulnerabilities are remediated or that action plans are defined (the patch application policy is defined and communicated).

5°) Select a sample of workstations and servers (at HQ, in the field) and verify that each one is effectively protected by anti-virus.

IST-C410 (Tested by: IC/IT)

1°) Process of Interface control exists, is updated according to the scope of applications, and communicated to concerned actors

2°) Control that all technical controls within interfaces are defined, documented and approved by business owners and IT: extraction capability from the origin application and import capability into the destination application limited to a small number of individuals, secured file, secured folder or location or encrypted file, deletion or renaming of the file after import into the destination application.

3°) Verify that a map of the functional architecture of the information system is defined and allows clear identification of the manual and automated interfaces which affect the preparation of financial information.

IST-C420 (Tested by: IC/IT)

1°) Select a sample of critical applications / systems and verify that audit trails are available for them
2°) Verify that audit trails include date/time, the user or program making the change, the value before the change and the value after the change
3°) Verify that audit trails cannot be removed by the person making the change
4°) Ensure audit trail reports are reviewed or verified by individuals who cannot make the changes, to make sure the changes are authorized.
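The IST-C420 criteria above as an added example, not part of the control framework: a Python checker run over a constructed change log that tests field completeness, tamper evidence and reviewer segregation. The hash chain used for the "cannot be removed" check, the field names and the sample users are assumptions, not something the framework prescribes.

```python
"""Added example (not from the framework): checks an application's audit trail
against IST-C420: each entry has date/time, user, before and after values;
entries cannot be silently removed or edited (hash chain, an assumed design);
and each entry is reviewed by someone other than the user who made it."""
import hashlib
import json
from datetime import datetime

# Fields IST-C420 step 2 requires in every audit trail entry (assumed names).
REQUIRED_FIELDS = ("timestamp", "actor", "record_id", "field", "before", "after")
GENESIS = "0" * 64

def entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash of an entry chained to its predecessor; .get() so a missing field
    does not crash the chain check (completeness is checked separately)."""
    payload = json.dumps({k: entry.get(k) for k in REQUIRED_FIELDS}, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def build_trail(changes: list[dict]) -> list[dict]:
    """Write side: what the application would persist, one chained hash per entry."""
    trail, prev = [], GENESIS
    for change in changes:
        entry = dict(change, hash=entry_hash(prev, change))
        trail.append(entry)
        prev = entry["hash"]
    return trail

def check_completeness(trail: list[dict]) -> list[str]:
    """Step 2: one finding per entry missing a field or with an unparsable date/time."""
    findings = []
    for i, entry in enumerate(trail):
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            findings.append(f"entry {i}: missing {missing}")
            continue
        try:
            datetime.fromisoformat(entry["timestamp"])
        except (TypeError, ValueError):
            findings.append(f"entry {i}: unparsable timestamp {entry['timestamp']!r}")
    return findings

def check_chain(trail: list[dict]):
    """Step 3: index of the first entry that no longer chains (an earlier entry was
    removed, or this one was edited after the fact); None when the trail is intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry.get("hash") != entry_hash(prev, entry):
            return i
        prev = entry["hash"]
    return None

def check_review_segregation(trail: list[dict], reviews: dict) -> list[str]:
    """Step 4: reviews maps entry hash -> reviewer; flag self-review and no review."""
    findings = []
    for entry in trail:
        reviewer = reviews.get(entry["hash"])
        if reviewer is None:
            findings.append(f"{entry['hash'][:8]}: not reviewed")
        elif reviewer == entry["actor"]:
            findings.append(f"{entry['hash'][:8]}: reviewed by its own author {reviewer}")
    return findings

# Constructed sample: three changes to vendor master data in a payables system.
SAMPLE_TRAIL = build_trail([
    {"timestamp": "2023-10-02T09:14:00", "actor": "jdoe", "record_id": "V-1042",
     "field": "iban", "before": "IBAN-OLD (placeholder)", "after": "IBAN-NEW (placeholder)"},
    {"timestamp": "2023-10-02T11:30:00", "actor": "jdoe", "record_id": "V-1042",
     "field": "payment_terms", "before": "30 days", "after": "10 days"},
    {"timestamp": "2023-10-03T08:05:00", "actor": "mlee", "record_id": "V-0777",
     "field": "status", "before": "active", "after": "blocked"},
])
# Constructed review log: entry 2 was reviewed by its own author, entry 3 not at all.
SAMPLE_REVIEWS = {SAMPLE_TRAIL[0]["hash"]: "asmith", SAMPLE_TRAIL[1]["hash"]: "jdoe"}
```

Running the three checks on SAMPLE_TRAIL yields no completeness finding, an intact chain, and two segregation findings (the self-review and the unreviewed entry); deleting or editing any entry makes check_chain return the index where the chain breaks.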


IST-C600 (Tested by: IC/IT)

1°) Process of IT Data Privacy exists and is communicated to concerned actors.

2°) Verify that the process ensures that IT has an active role in the affiliate governance structure on data privacy in order to:
a) identify the IT applications that process sensitive personal data in high-risk activities (as defined by the Local or Regional Special Data Protection Point of Contact (DP SPOC)).
b) identify the contractual and regulatory IT technical and organisational measures (TOMs) that must be applied to the IT applications identified in a), such as data retention requirements.
c) notify the DP SPOC of all IT sub-contractors that process personal data (so that the DP SPOC can put appropriate provisions related to the data protection obligations and liabilities of the sub-contractor in the third party contract).
d) notify the DP SPOC of the development of new cross-border transfers of personal data outside of the Sodexo group (so that the DP SPOC can put in place an appropriate data transfer agreement with the recipient).
e) ensure that the affiliate risk and data protection impact assessment procedure (DPIA) is applied to IT changes as necessary.

3°) Check that an inventory is maintained that records the type of personal data held in each application, along with the names of the Business Data Owner and the IT Application Owner.

4°) For a sample of applications that hold sensitive personal data, check that the data is protected according to the agreed TOMs (if known) and the requirements of the Group Information and Systems Security Policy. Ensure there is an action plan in place for any gaps.

5°) Check that a Personal Data Breach Incident Management Procedure exists and is followed.


IST-C700 (Tested by: IC/IT)

1°) Document of IS&T Governance framework and control exists, is updated according to the related information system, and communicated to concerned actors.

2°) Control:
a. that the business strategy / 3-year business plan is defined
b. that the IS&T strategy is defined and aligned to the business strategy
c. that projects in progress or to be started are followed and respect their main milestones
d. that IS&T performance metrics are defined and followed
e. that the outsourcing choice is evaluated and validated for the concerned projects, considering the global strategy
f. that the global enterprise architecture is designed, and ensure it meets industry best practices with cost effectiveness
g. that the IS&T architecture allows evaluating the integration levels between applications and the total cost of ownership: application availability, infrastructure, staff & resource utilization rates, projects, incidents, support, customer satisfaction, ...
h. that the list of software/devices used is maintained, with vendors and planned end-of-maintenance dates. Ensure that management is aware of future obsolete IT solutions and their consequences, and that action plans have been defined.

IST-C750 (Tested by: IC/IT)

1°) Process of IS&T budget department framework and control exists, is updated according to the related information system, and communicated to concerned actors.

2°) Control:
- that the IS budget includes a functional budget (OPEX) and an investment budget (CAPEX)
- that the evaluation of the % of IS&T costs / entity revenues has been carried out
- that IS&T synergies have been identified and evaluated from a cost perspective
- the frequency of IS&T contract negotiation to obtain the best prices from third parties
- that performance / cost metrics relating to IS&T are included in project ROI
- that IS&T budgets are validated and integrated in the business strategy plan before the launch of projects
- whether IS&T budgets are regularly followed during the main milestones of projects

Version Control

v6.6 C600 Data Privacy Policy Control
Changes: Testing procedure rewritten to complement CLC 325 Data Protection which has been rewritten to incorporate the GDPR requi

v6.7 C050 Third Party Security Policy
Changes: Testing procedure updated to align to Minimum Security Baseline Guidance
i) MSB 411 Cloud: Any IaaS and PaaS service subscriptions need to go through the security approval process by Group InfoSec
ii) MSB 711 IT Supply Management: Existence of up-to-date contracts with all suppliers providing IT products and services
iii) MSB 712 IT Supply Management: Appropriate IT security and Data Protection provisions included in all contracts

v6.7 C090 Protection of end user devices
Changes: Testing procedure updated to align to Minimum Security Baseline Guidance
i) MSB-114 Network: Internet surfing through secure gateway only
ii) MSB 311 Endpoint (laptop, mobile, etc.): Only supported OS allowed
iii) MSB 312 Endpoint (laptop, mobile, etc.): Security patches applied in reasonable timeframe
iv) MSB 313 Endpoint (laptop, mobile, etc.): No administrative rights granted to end-users
v) MSB 314 Endpoint (laptop, mobile, etc.): Up-to-date Global Antimalware protection on centralized console
vi) MSB 315 Endpoint (laptop, mobile, etc.): Encryption for sensitive population
vii) MSB 316 Endpoint (laptop, mobile, etc.): Global MDM on Corporate mobiles and BYOD

v6.7 C160 Security Policies and Group practices adoption/implementation
Changes: Testing procedure updated to align to Minimum Security Baseline Guidance
i) MSB 011 Accountability: Regional CIO is accountable for Security & Compliance across his/her region, aligned with the Group Security Policy

v6.7 C340 Management of incidents
Changes: Testing procedure updated to align to Minimum Security Baseline Guidance
i) MSB 811 Incident Management: All IT security incidents need to be managed until closure, in line with the Information Secur Management Directive
ii) MSB 812 Incident Management: Based on evaluation of the impact, incidents must be reported to Group InfoSec

v6.7 C600 Data Privacy Policy Control
Changes: Testing procedure updated to align to Minimum Security Baseline Guidance
i) MSB 811 Incident Management: All IT security incidents need to be managed until closure, in line with the Information Secur Management Directive

v7.0 IST-C280 - Disaster Recovery Plan
Changes: Test procedure updated to reflect focus on critical applications.

v7.0 IST-C350 - Backup and Restoration of Data and Systems
Changes: Test procedure updated to require additional documented details of
and to clarify the testing process of off-site backup media as per SLA.

v7.0 IST-C050 - Third Party Security Policy
Changes: Removed reference to IST-C110.