ACR-5.24v1.1

The system SHALL maintain data breach detection capabilities and the operator SHALL maintain documen

Domain

05 — Domain 5: Data Privacy and Information Protection

Eval Method

AT+EIAT+EI

Risk Weight

5 / 10

Applicability

L1L2L3

Description#

The system SHALL maintain data breach detection capabilities and the operator SHALL maintain documented notification procedures for data incidents affecting personal or confidential information.

Evaluation Method#

AT+EIAT+EI

Evaluation methodology as specified by the assigned method code.

v1.1 Details#

Profile Applicability

S,A,C

Evaluation Frequency

Annual

Platform Cert Eligible

Framework Crosswalk Refs

GDPR Art. 33-34; NIST SP 800-53 IR-6; ISO 27001 A.5.24-28

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.

← PreviousACR-5.23: The system operator SHALL maintain vendor due diligence documentation for upstream model and data pr

The system SHALL maintain data breach detection capabilities and the operator SHALL maintain documen

Description#

Evaluation Method#

v1.1 Details#

Classification#