
APMG CERTIFIED CYBER PROFESSIONAL (CCP) AGREEMENT

This Agreement is dated on [INSERT DATE]

BETWEEN:

(1) The APM Group Limited a company incorporated in England and Wales under registration number 02861902 whose registered office is at 6th Floor Sword House, Totteridge Road, High Wycombe, Buckinghamshire HP13 6DG (“APMG”); and

(2) [INSERT INDIVIDUAL’S NAME], of [INSERT ADDRESS] (the “Candidate”).

WHEREAS

(A) APMG has been appointed by the Secretary of State and Commonwealth Affairs acting through the National Cyber Security Centre (NCSC) which is part of Government Communication Headquarters (GCHQ) (the “Authority”) to assess and certify Cyber Security Professionals against a specific set of information assurance competency, roles and skills requirements and standards defined in the CCP Standards (as defined below).

(B) The Candidate wishes to undergo CCP assessment and, subject to the Candidate following the application process and meeting the applicable CCP Standards, obtain CCP certification in accordance with and subject to the terms of this Agreement.

IT IS HEREBY AGREED:

1. DEFINITIONS AND INTERPRETATION

1.1 This Agreement shall be interpreted in accordance with Schedule 1 (Definitions and interpretations).

2. COMMENCEMENT AND DURATION

2.1 This Agreement shall commence on the date when it has been signed by the Candidate and shall continue, unless terminated earlier in accordance with the terms of this Agreement, for a period of three (3) years from the Certification Date (“Term”).

3. CCP SCHEME OPERATION

3.1 The CCP scheme is the industry-wide scheme developed and managed by the Authority for certification of Cyber Security Professionals, including relevant standards, practices, methods and procedures, with at its core the CCP Standards (“CCP”).

3.2 The Authority shall at all times have sole and absolute control of CCP (including the CCP Standard and related protocols) in relation to its existence, scope, configuration, development, implementation, management, operation and use, and may at any time (at the Authority’s sole and absolute discretion) make changes to CCP.

3.3 The Authority shall at all times have sole and absolute control over the Security Policy (as defined in Schedule 3), and may at its sole discretion change any part or aspect of the Security Policy.

3.4 Without prejudice to Clause 3.2 and 3.3, if a change to CCP and/or the Security Policy by the Authority requires a change to this Agreement, APMG shall notify the Candidate of any such change and of the required amendments to this Agreement as soon as reasonably practicable.

APMG Certified Cyber Professional (CCP) Agreement Version 5.0_2019 (Live) Owner – The APMG Legal Advisor


Any required amendments to this Agreement arising from or in connection with any such change by the Authority shall be effected, and the Agreement deemed amended, 30 days after the date of notification by APMG to the Candidate of such amendment.

3.5 In the event the Candidate does not comply with the CCP Standard, Professional Code of Conduct or CCP generally, APMG shall promptly enforce CCP, including the Professional Code of Conduct and CCP Standard, including (without limitation):

(a) where appropriate, by revoking or suspending the Candidate’s CCP certification; and

(b) informing the Authority of any material failure to comply by the Candidate for the Authority’s consideration.

3.6 The Candidate acknowledges and agrees that the Authority may itself take appropriate action (including suspending or revoking CCP certification) to uphold the reputation and good standing of CCP and that prior notice of such action will be communicated to APMG to avoid duplication of efforts.

3.7 The Candidate shall reimburse APMG for any reasonable costs and expenses incurred by APMG and/or the Authority in taking any such enforcement action as described in Clause 3.5 and 3.6 above.

3.8 The Candidate may use CCP solely for the purposes of obtaining CCP certification in accordance with all applicable rules, standards and processes, provided always that the Candidate’s right to use CCP shall be:

(a) effective only during the Term and while CCP continues to exist; and

(b) subject to, and conditional on, the Candidate’s compliance with this Agreement.

3.9 The Candidate acknowledges and agrees to the CCP application process set out in the APMG CCP Portal available at https://www.apmg-ia.com/default.aspx and agrees that any certification and benefits afforded by this Agreement are subject to successful assessment.

4. CANDIDATE’S OBLIGATIONS

4.1 The Candidate warrants that it has full right and power to enter into this Agreement.

4.2 The Candidate shall:

(a) at all times comply with and act in a manner that is consistent with the CCP Standards and the Professional Code of Conduct;

(b) comply with the Authority’s security requirements set out in Schedule 5 and seek appropriate professional guidance and advice, whenever required, on Security matters and the handling of any disputes relating to Security;

(c) abide by the duty of confidentiality as outlined in Clause 10 during the Term and for a further period of 5 years following termination of this Agreement;

(d) abide by the APMG Code of Ethics at all times and review the APMG Code of Ethics on an annual basis and upon being notified of any changes to ensure continued understanding of the implications in complying with the code;

(e) act with all due care, skill and diligence and in a good, safe and professional manner, in compliance with all applicable Laws, guidance and consents, (including the Bribery Act 2010) and so as not to put APMG and/or the Authority in breach of any Law or guidance, and in accordance with Good Industry Practices; and

(f) act in a manner not likely to be injurious to health or to cause damage to property or the environment;


(g) access the APMG CCP Portal using log-on details as provided by APMG, and in doing so shall abide by the password policy, terms of use and any other policies, conditions and instructions provided by APMG from time to time; and

(h) ensure that any application document for CCP certification, re-validation or re-certification, Curriculum Vitae’s (CV), written submission and all other supporting documents provided by the Candidate to APMG are classified and suitably marked with the relevant security level applicable to the respective document.

4.3 The Candidate shall not do or omit to do anything in relation to this Agreement or its other activities that may bring the operations, standing, public image, reputation or goodwill of APMG, the Authority and/or the CCP scheme into disrepute or attract adverse publicity to APMG, the Authority and/or the CCP scheme.

4.4 The Candidate shall at all times during and after the Term, on written demand indemnify APMG and keep APMG indemnified against all claims (meaning any claim, demand, action, cost, expense, loss damage and liability of whatsoever nature) to the extent arising out of or in connection with any breach of this Agreement by the Candidate or negligence on the part of the Candidate in respect of any:

(a) breach of any obligation contained in this Agreement;

(b) actions taken pursuant to Clause 3.5 and 3.6 of this Agreement; and

(c) breach of data protection rights as referred to in Clause 6.8 below.

5. CONSIDERATION

5.1 In consideration for the provision of the Services by APMG, the Candidate will pay to APMG all applicable fees in accordance with the level, role(s) and type of application as set out in the APMG CCP Portal available at https://www.apmg-ia.com/default.aspx (“Fees”).

5.2 Fees are exclusive of all applicable taxes, unless otherwise stated. The Candidate shall pay any applicable tax to APMG in addition to the Fees on receipt of a VAT invoice.

5.3 All Fees are subject to change. APMG reserves the right to review and amend Fees at any time.

5.4 Services are performed on a pre-payment basis. Unless otherwise agreed by APMG in writing, no Services shall be performed by APMG before payment of all applicable Fees is received by APMG in full.

5.5 The Candidate will submit its CCP application via the APMG CCP Portal. The Candidate accepts and agrees that once the application is accepted by APMG in the APMG CCP Portal APMG will start to perform the Service and, should the Candidate decide to cancel the application, no Fees will be refunded to the Candidate. If the Candidate cancels the application before it is accepted by APMG in the APMG CCP Portal an administration fee equivalent to 10% of Fees paid will be deducted and the balance refunded to the Candidate (via the same payment method used by the Candidate to pay for the Fees) within 30 days of the cancellation.

6. DATA PROTECTION

6.1 APMG and the Candidate will comply with all applicable requirements of the Data Protection Laws. This Clause 6 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Laws.

6.2 The Candidate also agrees that it shall not perform its obligations under this Agreement in such a way as to cause APMG and/or the Authority to breach any of their applicable obligations under the Data Protection Laws. For the purposes of this Clause 6, the expression “process”, “Personal Data” and “Data Subject” shall bear their respective meanings given in the Data Protection Laws.


6.3 The Candidate must obtain all required permissions from Data Subjects prior to sharing any Personal Data with APMG.

6.4 APMG will process any Personal Data provided by the Candidate in connection with this Agreement and the Candidate’s application in accordance with any applicable Data Protection Laws, the APMG Privacy Policy and the terms and conditions set out in this Clause 6.

6.5 In accordance with the above, APMG agrees to only use Candidate Personal Data in accordance with the terms of this Agreement, the APMG Privacy Policy and as required for the delivery of the Services, and will not store, copy, disclose or use or in any other way process Candidate’s Personal Data except as necessary for the performance of this Agreement and the management of the CCP scheme.

6.6 The Candidate acknowledges and agrees that:

(a) all Personal Data captured by APMG during the CCP application process (whether belonging to the Candidate or to any other person disclosed by the Candidate) will be securely stored by APMG and processed in accordance with the Data Protection Laws and APMG’s Privacy Policy, and shall be accessible by the Authority and any other certification bodies for the CCP scheme, for the purposes of this Agreement and/or the management of the CCP scheme, and processed by such third parties in accordance with their own relevant privacy policies, available directly from such parties; and

(b) the following details shall be displayed on a publicly available successful candidate register, subject always to consent from the Candidate: Candidate name, date of Candidate’s CCP certification, Candidate role and level of certification and a unique identifier (i.e. candidate number). The Candidate shall notify APMG in writing if it wishes to have its details removed from such successful candidate register.

6.7 In relation to Personal Data provided by APMG to the Candidate, the Candidate shall:

(a) process any Personal Data strictly in accordance with the terms of this Agreement and APMG’s instructions and shall not store, disclose or use or in any other way process any Personal Data or APMG and/or Authority data, except as necessary for the performance of its obligations under this Agreement or as otherwise expressly authorised in writing by APMG;

(b) process Personal Data only to the extent, and in such manner, as is necessary for the purposes of this Agreement or in accordance with relevant Laws or as required by any regulatory body;

(c) shall not under any circumstances transfer such Personal Data outside the United Kingdom without APMG’s written approval;

(d) promptly carry out any request from APMG requiring the Candidate to amend, transfer, provide copies or delete the Personal Data or any part of the Personal Data;

(e) take responsibility for preserving the integrity of Personal Data and preventing the corruption, loss or unauthorised or unlawful disclosure of such data. If at any time the Candidate suspects or has reason to believe that the Personal Data have or may become corrupted, lost, unlawfully disclosed or sufficiently degraded in any way for any reason, then the Candidate shall notify APMG immediately and inform APMG of the remedial action the Candidate proposes to take; and

(f) provide APMG with full cooperation and assistance in relation to any complaint or request made regarding the Personal Data.

6.8 The Candidate shall fully indemnify and keep APMG indemnified against all liabilities, costs, expenses, damages and losses (including any interest, penalties and legal costs and all other professional costs and expenses) suffered or incurred by APMG arising out of or in connection with any loss, damage or distress suffered by any person as a result of the loss, destruction or unauthorised disclosure of, or unauthorised access to, Personal Data as a result of any failure of the Candidate to comply with the provisions of this Clause 6.

7. LIMITATIONS ON LIABILITY

7.1 Nothing in this agreement limits any liability which cannot legally be limited, including liability for:

(a) death or personal injury caused by negligence;

(b) fraud or fraudulent misrepresentation; and

(c) breach of the terms implied by section 2 of the Supply of Goods and Services Act 1982 (title and quiet possession).

7.2 Each party’s liability in respect of each of the following:

(a) breach of Security;

(b) infringements of the Data Protection Laws;

(c) breach of obligations of confidence; or

(d) any Third Party IPR Claim

for any one or series of connected events shall be limited to ten thousand pounds (£10,000).

7.3 In no event shall APMG be liable to the Candidate for:

(a) any indirect, special or consequential loss or damage; or

(b) any loss of profits, turnover, business opportunities or damage to goodwill (whether direct or indirect).

8. TERMINATION

8.1 This Agreement may be terminated by either party at any time giving 30 days written notice to the other.

8.2 This Agreement shall terminate automatically with immediate effect upon the termination or expiry of any agreement which gives APMG the right to provide the Services and deliver the CCP scheme.

8.3 Without prejudice to any other right or remedy available to APMG under this Agreement or at Law or in equity, each and any one or more of the following events shall constitute a default event, entitling APMG (at its sole and absolute discretion) to terminate this Agreement (in whole or in part):

(a) the Candidate does anything that any reasonable person with experience at senior management level in the United Kingdom information assurance market would consider so harmful to the reputation of APMG and/or the Authority as to justify the termination of this Agreement;

(b) the Candidate commits a breach of any obligation under this Agreement that (either alone or in aggregate with other breaches) has such an adverse, material effect on the CCP scheme or the provision of the Services that APMG, acting reasonably in the circumstances, may treat it as a Default Event;

(c) the Candidate commits any serious or repeated breach or non-observance of any of the provisions of this Agreement or refuses or neglects to comply with any reasonable directions of APMG;

(d) the Candidate conducts himself/herself in any manner which, in the opinion of APMG, has brought or is likely to bring either the Candidate, APMG or the CCP scheme into disrepute;


(e) the Candidate is convicted of any criminal offence (other than an offence under any road traffic legislation in the United Kingdom or elsewhere for which a fine or non-custodial penalty is imposed);

(f) the Candidate is declared bankrupt or makes any arrangement with or for the benefit of his creditors or has a county court administration order made against him under the County Court Act 1984;

(g) any material governmental or other licence, consent or authority required by the Candidate to enable it to observe or perform any of its obligations under this Agreement ceases, for whatever reason, to be in full force and effect;

(h) any Security-related breach arising out of or in connection with this Agreement;

(i) APMG discover a material misrepresentation in writing by the Candidate;

(j) the Candidate fails to comply with Clause 13.2, 13.3 or 17.2.

(each a “Default Event”).

8.4 APMG may terminate this Agreement by written notice in the event that the Candidate fails to successfully pass re-validation after eighteen months from Certification Date.

8.5 Upon termination or expiry of this Agreement for whatever reason:

(a) all use by the Candidate of the Certificate, CCP Standards, CCP Data and Scheme IPR shall cease;

(b) the Candidate shall comply with the provisions of Clause 9.3 and 9.5;

(c) within 15 days after termination or expiry, the Candidate shall comply with APMG’s instructions to either return to APMG or to destroy or delete (by appropriate means, as instructed) any original versions, drafts or copies of any Scheme IPR or other material that may have been supplied to the Candidate by or on behalf of APMG (including any Certificate); and

(d) the Candidate shall certify to APMG in writing that it has complied with the provisions of Clauses 8.5(a), (b) and (c) above.

8.6 Termination or expiry of this Agreement shall not affect:

(a) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination or expiry; and

(b) the continuing rights, remedies or obligations of the parties under Clauses 1 (definitions and interpretation); 3 (CCP scheme operation); 4.2(c) and 4.3 (Candidate’s obligations); 6 (data protection); 8.5 (termination); 9 (intellectual property); 10 (confidentiality); 11 (data handling); 12 (official secrets); 14 (conflict of interest); 15 (corrupt gifts); 16 (change in law); 17 (general); and Schedule 3 (Security).

9. INTELLECTUAL PROPERTY

9.1 Subject to successful completion of the assessment process and the other terms and conditions of this Agreement, the Candidate shall be entitled to:

(a) display and use the Certificate issued by APMG to the Candidate in the form provided; and

(b) use the expression “NCSC Certified Cyber Security Professional” (but not, for the avoidance of doubt, any APMG and/or Authority logo, name, brand or mark) on websites promoting the Candidate’s information assurance services,

in both cases for the sole purpose of demonstrating its CCP certification.


9.2 Except as expressly provided in Clause 9.1, the Candidate shall not be entitled to use any trade marks, names, logos, or brands belonging to either APMG or the Authority, including in any literature, documentation, mail signature, advertising, or publicity material, without the owning party’s prior written consent and subject, in any event, to the Candidate entering into a licence with the owning party on terms specified by the owning party.

9.3 Upon termination or expiry of this Agreement for any reason or upon suspension and/or withdrawal of the Candidate’s CCP certification, the Candidate shall cease and desist of all use of the Certificate and shall comply with APMG’s instructions with regards to the return or destruction (as the case may be at APMG’s sole discretion and at the Candidate’s cost) of its Certificate.

9.4 APMG reserves the right to recall Certificates at any time should the Candidate be found to be in breach of any term of the CCP Standards, Professional Code of Conduct, this Agreement and/or APMG instructions as to the use of the Certificate provided to the Candidate from time to time.

9.5 If the Authority decides to terminate the whole or any part of CCP, any licence granted under this Agreement shall terminate automatically, and unless otherwise approved by APMG in writing, the Candidate shall:

(a) cease to use CCP (including the CCP Standards and related protocols); and

(b) comply with APMG’s and/or the Authority’s (as applicable) instructions to either return to APMG and/or the Authority or to destroy or delete (by appropriate means, as instructed) any original versions, drafts and copies of any CCP IPR and other material that may have been supplied by or on behalf of APMG and/or the Authority in connection with this Agreement, which is in the Candidate’s possession or control.

9.6 The Candidate shall promptly notify APMG of any claims or allegation, of which it has notice, that the CCP IPR or the normal use of the Services or any IPR asserted or used in the provision of the Services infringes any third party IPR (“Third Party IPR Claim”) and shall provide all reasonable assistance to APMG and/or the Authority for the purpose of contesting any Third Party IPR Claim or demand made or action brought against APMG and/or the Authority.

9.7 The Candidate acknowledges and agrees that APMG and/or the Authority shall have immediate and exclusive control of any Third Party IPR Claims.

9.8 The Candidate shall not make any admissions that may be prejudicial to the defence or settlement of a Third Party IPR Claim.

9.9 The Candidate acknowledges and agrees that in respect to any Claim (including any Third Party IPR Claim), which APMG and/or the Authority acting reasonably considers is likely to have an adverse impact on APMG’s and/or the Authority's operations (a "Sensitive Claim"), APMG and/or the Authority (as applicable) shall be entitled to take conduct of any defence, dispute, compromise or appeal of the Sensitive Claim. Any decision of APMG and/or the Authority concerning whether a claim is a Sensitive Claim (or not) shall be final and conclusive.

10. CONFIDENTIALITY

10.1 Each party shall at all times as far as reasonably practicable:

(a) treat any Confidential Information of the other party and/or of the Authority as confidential and safeguard it accordingly, and to the same standard as it would safeguard any confidential information relating to its own business, and in accordance with Good Industry Practice;

(b) not further disclose any Confidential Information of the other party or of the Authority to any third party, except:

i. in the case of disclosure by the Candidate in connection with the certification process in accordance with Clause 6.3;


ii. in the case of disclosure by APMG, for the purposes of this Agreement or as contemplated in Clause 3 and Clause 6.6;

and in respect of any such further disclosure, the disclosing party shall use its reasonable efforts to impose upon each intended third party recipient similar confidentiality obligations as are set out in this Agreement;

(c) limit access to any Confidential Information of the other party to such of its staff, agents, contractors, or professional advisers (as applicable) (“individual recipients”) as may reasonably need to have such access, and shall ensure that each individual recipient is made aware of the confidentiality provisions of this Agreement, and of his respective obligations concerning the other party’s Confidential Information, (by the imposition of individual confidentiality agreements, and/or the provision of training, the display of notices, and any other appropriate means) and shall ensure compliance with those obligations.

(d) only copy and retain any Confidential Information of the other party to the extent reasonably required for the purposes of this Agreement;

(e) unless otherwise agreed in writing by the parties, as soon as reasonably practicable, on expiry or termination of this Agreement, (at its own expense and by appropriate means) comply with the other party's reasonable instructions as to the return, destruction, or deletion of any material (of whatever nature) comprising any Confidential Information disclosed by that party, and

(f) immediately notify the other party by appropriate means, (followed by a written notice as soon as reasonably practicable) of any actual or potential breach of confidence in respect of any Confidential Information, and take any reasonable steps to end, avoid, prevent, reduce or mitigate any adverse effects of any such breach, and subsequently comply with any measures designed to prevent any incidence or recurrence of any breach as the parties may in writing agree.

10.2 The Candidate shall not seek to commercially exploit or financially benefit in any way from any Confidential Information, which it has generated, developed, or gained in the course of this Agreement in its business generally, unless otherwise approved in writing by APMG and provided that such use would not involve or result in any breach of confidence or conflict of interest and except as otherwise expressly provided under this Agreement.

10.3 If the Candidate intends to disclose any Confidential Information to any third party, it shall:

(a) obtain APMG’s prior written approval;

(b) comply with Clause 10.1(b) with regards to the imposition of confidentiality obligations upon the intended third party recipient;

(c) give prior written notice to the intended third party recipient that the Authority is exempt from the requirements of the Freedom of Information Act and that such exemption would extend to any Confidential Information disclosed to third party recipients;

(d) oblige the third party recipient to inform the Candidate as soon as reasonably practicable, by appropriate means, of any disclosure request in respect of any such Confidential Information, and to comply with any reasonable instructions from either the Candidate or APMG (as the case may be) as to responding to any such disclosure request;

(e) as soon as reasonably practicable, by appropriate means, notify APMG of any such disclosure request;

(f) provide such co-operation as may, in the circumstances, be reasonably required by APMG and/or the Authority and/or the third party recipient in dealing with the disclosure request; and

(g) not respond directly to the person making the disclosure request.


10.4 Subject to the provisions of Clause 10.5 and 10.8, if APMG intends to disclose any Confidential Information belonging to the Candidate to a third party it shall:

(a) obtain the Candidate’s consent; and

(b) comply with Clause 10.1(b) with regard to the imposition of confidentiality obligations upon the intended third party recipient.

10.5 Nothing in this Agreement shall prevent disclosure of the Candidate's Confidential Information:

(a) to the Authority;

(b) to any Crown Body or any other Contracting Authority. All Crown Bodies or Contracting Authorities receiving such Confidential Information shall be entitled to further disclose the Confidential Information to other Crown Bodies or other Contracting Authorities on the basis that the information is confidential and is not to be disclosed to a third party that is not part of any Crown Body or any Contracting Authority;

(c) to any consultant, contractor or other person engaged by APMG and/or the Authority or any person conducting a Cabinet Office gateway review;

(d) for the purpose of the examination and certification of APMG and/or the Authority’s accounts; and

(e) for the purpose of complying with the Environmental Information Regulations.

10.6 Each party shall treat the existence, nature and extent of this Agreement as confidential, together with any related discussions, documents, or arrangements.

10.7 Without prejudice to the provisions of Clauses 10.1 to 10.6 inclusive, the Candidate shall not, and shall procure that the individual recipients do not, without APMG’s written approval, in any way use any Confidential Information disclosed to it by APMG, for any purpose whatsoever other than the purposes of this Agreement.

10.8 The Candidate acknowledges and agrees that APMG and/or the Authority may disclose the Candidate’s Confidential Information to any person, solely for the purposes of handling:

(a) any feedback in connection with provision of services by the Candidate; or

(b) any complaints or appeals in connection with CCP or in connection with any other aspect of this Agreement.

11. DATA HANDLING

11.1 The Candidate shall not delete or remove any proprietary notices contained within or relating to any Authority or APMG data.

11.2 The Candidate shall not store, copy, disclose or otherwise use any Authority or APMG data, except as necessary for the performance by the Candidate of its obligations under this Agreement or as otherwise approved in writing by APMG.

11.3 The Candidate shall take responsibility for preserving the integrity of all CCP Data and for preventing the loss or corruption of such data.

12. OFFICIAL SECRETS

12.1 Without prejudice to the provisions of this Clause 12, or to the operation of the Official Secrets Acts 1911 to 1989 generally, the Candidate is aware that the Authority is a security and intelligence service and that, in particular, Confidential Information and any Protectively Marked Material (as defined in Schedule 3) are information relating to security or intelligence for the purposes of Section 1 of the 1989 Act.

12.2 The Candidate acknowledges that the Official Secrets Acts 1911 to 1989 apply to them and will continue to apply to them after the expiry or termination of this Agreement.


12.3 The Candidate shall, if directed by APMG or the Authority, sign a statement acknowledging that, both during and after the Term, he or she is bound by the Official Secrets Acts 1911 to 1989 (and any other applicable Law).

13. RELATIONSHIP BETWEEN THE PARTIES

13.1 Nothing in this Agreement shall constitute, or be deemed to constitute any form of employment, legal partnership, joint venture, or agency between the parties or between a party and the Authority, nor shall either party (including, in the case of APMG, its principals (if any), employees, agents, or sub-contractors) be deemed to be the servant, legal partner, or agent of the other party or the Authority.

13.2 The Candidate shall not do any act, enter into any contract, make any representation, give any warranty, incur any liability, assume any obligation, whether express or implied, of any kind whatever on behalf of APMG or the Authority, or bind APMG or the Authority in any way.

13.3 The Candidate shall not in any circumstances hold itself out to be the servant, legal partner or agent of APMG or the Authority.

14. CONFLICT OF INTEREST

14.1 The Candidate shall immediately disclose to APMG any actual or potential conflict of interest arising from or in relation to this Agreement, or from the Candidate’s relationship with APMG generally.

14.2 The Candidate shall give effect to such measures as may reasonably be required by APMG for ending or avoiding any such actual or potential conflict of interest, or alleviating its effect.

15. CORRUPT GIFTS

15.1 The Candidate shall not do, and warrants that in entering into this Agreement it has not done any of the following:

(a) offer, give or agree to give to any APMG employee any gift or consideration of any kind as an inducement or reward:

i. for doing or not doing (or for having done or not having done) any act in relation to the obtaining or execution of this Agreement or any contract/agreement with APMG; or

ii. for showing or not showing favour or disfavour to any person in relation to this Agreement or any contract/agreement with APMG; or

(b) enter into this Agreement or any contract/agreement with APMG in connection with which commission has been paid or has been agreed to be paid by it or on its behalf, or to its knowledge, unless before the contract/agreement is made, particulars of any such commission and of the terms and conditions of any such agreement for the payment thereof have been disclosed in writing to APMG.

(the “prohibited acts”).

15.2 If the Candidate does any of the prohibited acts or commits any offence under the Prevention of Corruption Act 1906, the Prevention of Corruption Act 1916 or the Public Bodies Corrupt Practices Act 1889 in relation to this Agreement or any other contract/agreement with APMG, APMG shall be entitled:

(a) to terminate this Agreement and recover from the Candidate the amount of any loss resulting from the termination;

(b) to recover from the Candidate the amount or value of any such gift, consideration or commission; and


(c) to recover from the Candidate any other loss sustained in consequence of any breach of this Clause 15 where this Agreement has not been terminated.

15.3 In exercising its rights or remedies under this Clause 15, APMG shall:

(a) act in a reasonable and proportionate manner having regard to such matters as the gravity of, and the identity of the person performing, the prohibited act; and

(b) give all due consideration, where appropriate, to action other than termination of this Agreement.

15.4 Recovery action taken against any person in APMG’s service shall be without prejudice to any recovery action taken against the Candidate pursuant to this Clause 15.

16. CHANGE IN LAW

16.1 The terms and conditions of this Agreement shall be deemed to cover and take account of the effects of any changes in Law that are enacted or implemented after the date of this Agreement, and that the parties ought reasonably to have been aware of, or that ought reasonably to have been foreseen by the parties.

16.2 Without prejudice to Clause 16.1, in relation to changes in Law after the date of this Agreement that were not reasonably foreseeable by the parties as at the date of this Agreement, APMG shall inform the Candidate of any requisite changes to this Agreement as a result of such changes in Law.

17. GENERAL

17.1 The Candidate agrees that a breach of any part of this Agreement, with emphasis on the use of Confidential Information, shall be dealt with appropriately, be that a civil or criminal action and evidence of any actions incurred by either party shall be held by APMG.

17.2 This Agreement is personal between APMG and the Candidate and the Candidate shall not give, bargain, sell, charge, delegate, assign, novate, sub-let, transfer or otherwise dispose of this Agreement or any part of it, or the rights, interests, entitlements, benefits or advantages of, or burden under, this Agreement or any part of it.

17.3 This Agreement constitutes the entire agreement between the parties concerning the subject matter of this Agreement and each party acknowledges and agrees that in entering into this Agreement it does not rely on, and shall have no remedy in respect of, any statement, representation, warranty or undertaking (whether negligently or innocently made) other than as expressly set out in this Agreement. The only remedy available to either party in respect of such statements, representation, warranty or understanding shall be for breach of contract under the terms of this Agreement. Nothing in this clause shall operate to exclude or restrict the liability of either party arising out of fraud or fraudulent misrepresentation.

17.4 For the purposes of the Contracts (Rights of Third Parties) Act 1999 these terms and conditions are not intended to, and do not, give to any person who is not a party to it any rights to enforce any provision contained in it, except that the provisions of Clause 3.5, 3.6, 4.3 and 9 shall be enforceable by the Authority.

17.5 Except as provided in Clause 3.4 and 16.2, no amendment or other variation to this Agreement shall be effective unless it is in writing, is dated and is signed by a duly authorised representative of each Party.

17.6 A waiver of any right or remedy under this Agreement or by Law is only effective if given in writing and shall not be deemed a waiver of any subsequent right or remedy.

17.7 A failure or delay by a party to exercise any right or remedy provided under this Agreement or by Law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under this agreement or by Law shall prevent or restrict the further exercise of that or any other right or remedy.

17.8 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.

17.9 If any provision or part-provision of this Agreement is deemed deleted under Clause 17.8 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

17.10 Any notice given to a party under or in connection with this Agreement shall be in writing and shall be:

(a) if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address;

(b) if sent by pre-paid first-class post or other next Working Day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service; and

(c) if sent by email, at the time of transmission to the correct email address, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this Clause 17.10(c), business hours means 9.00am to 5.00pm Monday to Friday on a day that is not a public holiday in the place of receipt.

This clause does not apply to the service of any proceedings or any documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

17.11 This Agreement is subject to the exclusive jurisdiction of the English courts and shall be governed by and construed in accordance with the Law of England and Wales.

This Agreement shall come into force on the date given at the beginning of this Agreement.

Signed by the Candidate

Print name: ……….………………………………………………..

Signature: …………………………………………………………..

Date: …………………………………………………………………


SCHEDULE 1

DEFINITIONS AND INTERPRETATION

1. Definitions

In this Agreement (including in the background recitals), unless expressly stated otherwise:

Agreement means this contract together with any schedules or annexes attached hereto, as amended from time to time;

APMG CCP Portal means the secure network available at www.apmg-ia.com that is accessible to the Candidate in order to submit, track and progress applications and obtain all necessary information relating to this Agreement;

APMG Code of Ethics means the code of ethics as laid down by the APMG Ethics and Standards Board (or a similar code) which is available to download at https://apmg-international.com/about-us;

APMG Ethics and Standards Board means the independent confidential board that handles all complaints and appeals, and sets the APMG Code of Ethics;

APMG Privacy Policy means the APMG privacy policy available at https://apmg-international.com/privacy-policy;

Authority means The Secretary of State for Foreign and Commonwealth Affairs (acting through the Government Communication Head Quarters, GCHQ -by NCSC (the National Cyber Security Centre), the UK Government’s Authority on Cyber Security), of Westminster, London, SW1E 5LB;

CCP has the meaning given in Clause 3.1;

CCP Data means any data processed by or on behalf of the Candidate for the purposes of this Agreement, including diagrams, drawings, images, information, text, or sounds, back-up data, or other materials or items that are embodied in any medium (including all electronic, magnetic, optical or tangible medium), and including Authority and APMG data;

CCP Standard means the Authority’s standard entitled “NCSC Certification for Cyber Security/IA Professionals”, as amended by the Authority from time to time and available at https://www.ncsc.gov.uk/information/about-certified-professional-scheme;

Certificate means the APMG certificate for CCP issued by APMG to the successful candidates who have undergone the CCP assessment process and met the required CCP standards, practices, methods and procedures.

Certification Date means the date listed on the Certificate issued to the Candidate by APMG for CCP subject to the terms of this Agreement;

Claim means any claim, demand, action, cost, expense (including legal cost and disbursement), loss, damage and liability of whatsoever nature;


Confidential Information means all information relating to either party, the Authority or their respective operations or business, disclosed in confidence by or on behalf of one party, or generated from such information by the receiving party (whether before or after the Effective Date), either in writing, orally, or in any other form, directly or indirectly from or pursuant to discussions with the other party or which is obtained through observations made by the receiving party, including commercial, policy, technical, scientific, operational, personnel, personal, property and other information, and including ideas, concepts, schemes, information, knowledge, techniques, generic business methodologies (and anything else in the nature of know-how relating to the certification services provided by APMG, CCP or otherwise to this Agreement), and all analyses, compilations, studies and other documents, whether prepared by or on behalf of either party that contain or otherwise reflect or are derived from such information (and any copy of such information), whether or not marked or designated as “confidential”, which ought reasonably to be considered as confidential, except any information that:

(a) at the time of disclosure, is already public knowledge, or subsequently becomes public knowledge, other than by way of any breach of this Agreement;

(b) prior to disclosure, was not subject to any confidentiality obligation of any sort;

(c) is properly disclosed under any legal requirement to a designated regulatory or other body; or

(d) prior to disclosure, was already known (by some other means) by the recipient.

For the avoidance of doubt, Confidential Information shall include information belonging to the Authority disclosed by APMG to the Candidate under or in connection with this Agreement.

Contracting Authority has the meaning given in regulation 2 of the Public Contract Regulations 2015, as amended from time to time;

Data Protection Laws means (i) unless and until the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 2018;

Default Event means any of the events listed at Clause 8.3, any of which would entitle APMG to terminate this Agreement;

Good Industry Practice means the use of standards, practices, methods and procedures conforming to law, and the exercise of that degree of skill, care, diligence, prudence and foresight that would reasonably and ordinarily be expected from a skilled and experienced person in the same or similar circumstances;

Intellectual Property (or ‘IPR’) means any right, title or interest in:

(a) patents, trade marks, service marks, trade names, goodwill, registered design, design rights, copyright, database rights and other forms of intellectual or industrial property (in each case, in any part of the world), whether or not registered or registrable for their full period of registration with all extensions, renewals and revivals, and including all applications for registration or otherwise;


(b) inventions, formulae, confidential information (including know-how and secret processes);

(c) computer software; and

(d) any similar or equivalent rights and assets that may now or in the future subsist anywhere in the world;

Law means any Act of Parliament or subordinate legislation within the meaning of section 21(1) of the Interpretation Act 1978 and any enforceable European Union legislation;

Personal Data shall have the same meaning as prescribed in the Data Protection Laws;

Professional Code of Conduct means the professional code of conduct prescribed by the Authority for all Certified Cyber Professionals to adhere to as set out in Schedule 2;

Scheme IPR means all IPR in CCP and all Authority and APMG data, together with all IPR provided by or on behalf of APMG and/or the Authority to the Candidate under or in connection with this Agreement (whether before or after the Effective Date);

Security means all aspects of physical, technical, procedural, documentary, personnel, information technology and office security;

Services means the provisions of CCP assessment and certification services by APMG to the Candidate;

Term has the meaning given in Clause 2;

Territory means the United Kingdom only;

Third Party IPR Claim has the meaning given in Clause 9.6;

Working Day means Monday to Friday other than public holidays in England.

2. Interpretation

2.1 The interpretation and construction of this Agreement shall be subject to the following provisions:

(a) A reference to any statute, enactment, order, regulation or similar instrument shall be construed as a reference to the statute, enactment, order, regulation or instrument as subsequently extended, amended, consolidated or re-enacted;

(b) the headings are for ease of reference only and shall not affect the interpretation or construction of this Agreement;

(c) except where the context expressly requires otherwise, references to Clauses, Schedules, sections, parts and paragraphs are references to Clauses, Schedules, sections, parts and paragraphs of this Agreement;

(d) the Schedules to this Agreement (including any Annexes) are an integral part of this Agreement and reference to this Agreement includes references to the Schedules, and references to the Schedules includes reference to any Annex to that Schedule;

(e) all references to any agreement (including this Agreement), document or other instrument include a reference to that agreement, document or instrument as amended, supplemented, substituted, novated or assigned;


(f) where the context allows, the masculine includes the feminine and the neuter, and the singular includes the plural and vice versa;

(g) where this Agreement defines a word or expression, related words and expressions that are not separately defined shall have a consistent meaning; and

(h) any phrase introduced by words “including”, “includes”, “in particular”, “for example” or similar, shall be construed as illustrative and without limitation to the generality of the related general words. A phrase starting with the words “or other” or “otherwise” is not limited by any preceding words where a wider interpretation is possible.

2.2 In case of conflict between Schedule 3 (Security) and any of the other previous or documents referred to in this Agreement, then Schedule 3 (Security) shall prevail.

2.3 The Candidate shall draw any conflict between any of the requirements or provisions of this Agreement to the attention of APMG and shall comply with APMG’s decision on the resolution of the conflict. APMG’s decision shall be final and conclusive.


SCHEDULE 2

PROFESSIONAL CODE OF CONDUCT

The Secretary of State for Foreign and Commonwealth Affairs acting through the National Cyber Security Centre (“NCSC”) which is part of Government Communications Headquarters (“GCHQ”) expects all information assurance (IA) professionals undertaking work on the basis of CCP to comply with this Professional Code of Conduct to uphold the reputation and good standing of the CCP Scheme. CCP includes the role definitions documented in Certification for IA Professionals (i.e. the CCP Standard), the certification bodies, their assessment processes and the contract between them and NCSC.

The table below sets out the relevant attributes, together with a description of the behavior expected from all IA Professionals and the behavior that would be inappropriate for any IA Professional.

| Attribute | Expected Behaviour | Inappropriate Behaviour |
|---|---|---|
| Impartiality | Act in the best interests of the client organisation at all times | Proposing or undertaking unnecessary or excessive work; Suppressing findings that the client representative does not wish to hear; Recommending inappropriate products or services |
| Objectivity | Base advice on material knowledge, facts, professional experience and evidence | Being influenced by personal relationships or short-term objectives; Ignoring material facts |
| Confidentiality & Integrity | Protect information received in the course of work for a client organisation | Disclosing vulnerabilities in client information systems to third parties; Sharing client information with third parties without permission |
| Compliance | Provide advice and ensure that conduct is consistent with applicable laws, regulations and the HMG Security Policy Framework | Recommending actions that knowingly contravene applicable laws, regulations or policies; Recommending actions which conflict with HMG guidance without drawing the client’s attention to the conflict; Undertaking security testing without client permission |
| Competence | Meet Certification Body requirements for continuing professional development | Undertaking work which you know you are not competent to undertake; Presenting yourself as having a higher level of competence than is actually the case |
| Proportionate | Ensure advice is proportionate with business objectives and the level of information risk | Recommending work that is disproportionately large to business requirements; Recommending solutions that are grossly inadequate to meet the intended business requirements |
| Reputation | Preserve the reputation of the IA certification framework; Use of IA certification brand for permitted purposes only | Conduct that may bring the IA certification framework into disrepute; Using the IA certification brand outside its intended scope |

© Crown copyright 2011

You may re-use this document/publication (not including logos) free of charge in any format or medium, under the terms of the Open Government Licence. To view this licence, visit http://www.nationalarchives.gov.uk/doc/open-government-licence or write to Information Policy Team, The National Archives, Kew, Richmond, Surrey TW9 4DU; or email [email protected].

This document/publication is available at www.ncsc.gov.uk. Any queries regarding this document/publication should be sent to [email protected].


SCHEDULE 3

SECURITY

1. Security Requirements

1.1 Definitions

“Clearance” means the Security clearance ascribed to an individual by the Authority, or by any agent authorised for that purpose by the Authority, being Basic Check (BC), Counter Terrorist Check (CTC), Security Check (SC), and Developed Vetting (DV) with, where specified, any requisite STRAP designation, and “Cleared“ shall be construed accordingly;

“Cleared Individual” means a person currently holding any Clearance;

“Protectively Marked Material” means any material, in whatever form, which is marked as “Official”, “Official Sensitive”, "Protect", “Restricted“, “Confidential”, “Secret” or “Top Secret”, or which should properly be so marked and “Protectively Marked” shall be construed accordingly;

“Remedial Action” means any action, as specified by APMG and/or the Authority (as applicable), taken to avoid, end, reduce, mitigate the effects of, or prevent the re-occurrence of, any Security Incident;

“Security Incident” means an incident involving any breach of the Security requirements set out in this Agreement, including any breach of confidentiality;

“Security Policy” means the Authority’s security policy, based on the Security Reference Documents, as set out in this Schedule 3 (Security);

“Security Reference Documents" mean the documents, which together comprise the Authority's current Security Policy, guidance and operating procedures, including the current versions, for the time being, of:

(i) the HMG Security Policy Framework, which is accessible at https://www.gov.uk/government/publications/security-policy-framework;

(j) HMG IA Standards, which are accessible at https://www.ncsc.gov.uk/

“Vetting Procedure” means the process by which a person may become a Cleared Individual;

1.2 General

(a) The Authority requires high Security standards, as set out in the Security Reference Documents, of its own staff and of APMG and CCP candidates. Any Security Incident, of whatever nature and regardless of any consequences, shall be treated as a Default Event and may, without prejudice to any other available rights or remedies, lead to termination of this Agreement in accordance with Clause 8 (Termination).

(b) The Authority shall at all times have sole and absolute control over, and be responsible for, the Security Policy and may at its sole discretion amend any part or aspect of the Security Policy at any time.


(c) APMG shall give written notice (wherever reasonably practicable in advance) to CCP candidates of any such amendment.

(d) The Candidate shall not be liable for any breach of any of his obligations under this Agreement resulting or arising from, or caused by, any amendment of the Security Policy of which he has not had notice.

(e) Any required changes to this Agreement arising from or in connection with any such amendment shall be effected upon notice by APMG to the Candidate in accordance with Clause 3.4 of this Agreement.

(f) The Candidate shall fully co-operate with any inspection of any security plans, systems, checks, procedures or controls and shall attend any Security-related meeting, whether on a routine or ad hoc basis, which APMG may reasonably require.

1.3 Security Incidents

(g) The Candidate shall ensure APMG's nominated representative is immediately given notice, by appropriate means, of any Security Incident, and shall otherwise comply with the current Security Incident reporting procedure.

(h) The Candidate shall take any reasonably practicable steps as may in the circumstances avoid, end or mitigate any adverse effects of the Security Incident.

(i) The Candidate shall as soon as reasonably practicable, and no longer than 2 Working Days after any such notice, provide APMG with a written report on the Security Incident.

(j) The Candidate shall comply with any directions given by APMG in respect of any Security Incident, and shall fully co-operate in any requisite Remedial Action.

(k) Any changes to this Agreement arising from or in connection with any Remedial Action shall be effected by Change Note in accordance with Clause 17.5 of this Agreement.

1.4 Protectively Marked Material

(a) APMG shall disclose and / or provide copies of such of the Security Reference Documents (in whole or part) and other Protectively Marked Material to the Candidate, as APMG shall at its sole discretion consider appropriate for the purposes of this Agreement.

(b) The Candidate shall hold any such disclosed or copy material as referred to in paragraph 1.4(a) above in such conditions (as to physical security and access) as may be appropriate to that particular material, or as otherwise specified in writing by APMG.

(c) The Candidate shall in writing request written approval of APMG of any location where the Candidate intends to hold any Protectively Marked Material and shall facilitate any inspection of such location at such time as APMG may reasonably require.

(d) Subject to sub-paragraph 1.4(e) and (f), the Candidate shall at all times hold any Protectively Marked Material at a location approved in writing by APMG.

(e) The Candidate may with approval of APMG or the Authority hold Protectively Marked Material at such other place and for such period and/or purpose as APMG or the Authority (as applicable) may in writing specify.

(f) The Candidate may, subject to any relevant Security requirements, move any Protectively Marked Material from one place to another to the extent reasonably necessary for, and in the normal course of, enjoying the right and complying with its obligations under this Agreement.

(g) The Candidate shall only use any such material for the proper purposes of this Agreement, and for no other purpose whatsoever, and shall not make any copy, précis or record, of whatever nature, of any such material without APMG’s or the Authority's written approval.

(h) The Candidate shall for all purposes treat any such copy, précis or record as if it was the original version of the Protectively Marked Material.


(i) The Candidate shall immediately comply with any instruction from APMG and/or the Authority in respect of any such material, including any requirement for all or any of it to be returned to APMG or destroyed on expiry or termination of this Agreement (as the case may be) or at such other time as APMG may specify and shall provide a certificate to APMG confirming destruction of such material, as APMG may require.

1.5 Clearance

(a) The Candidate shall not allow any other person to have access to sensitive material (including for this purpose the Security Reference Documents and any other Protectively Marked Information).

(b) The Candidate shall ensure that he shall only have access to such sensitive material as may be appropriate to the level of Clearance held.

(c) The Candidate shall make himself available for any Security training, briefing or vetting procedure, at such place and time, as APMG and/or the Authority may require from time to time.

(d) The Candidate shall facilitate and co-operate with any relevant Vetting Procedure, and in particular shall promptly on request provide such written information as APMG and/or the Authority may require in connection with such procedure.

(e) The Candidate shall at all times comply with the provisions of Clause 10 (Confidentiality). The Candidate shall not disclose to any third parties the identity of the Authority, or any information about the Authority’s premises, equipment or business generally, of this Agreement in particular.

1.6 Equipment

(a) APMG is required, under its agreement with the Authority, to promptly comply with any Security directions given by the Authority regarding any equipment (including ICT-related software, machinery and associated kit) used in the provision of CCP certification services, including any direction to cease using any such equipment in the provision of CCP certification services.

(b) The Candidate shall assist APMG in complying with any Security directions given by the Authority and shall comply with APMG’s instructions in relation to any equipment used by the Candidate in connection with this Agreement and its CCP certification.
