
Information Security

Statement of Applicability for the UK & Ireland business


Columns: Clause; Control; Sec; Control in place; Justification / Remarks

A.5 Information Security Policies

5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for Information Security (Control in place: Yes)
We have a set of policies, approved by management, that are referenced in this Statement of Applicability. We also have a high-level global framework and policy for Information Security to support our ISMS. It is adopted by our UK Leadership and applies to all team members and contractors in the UK.

5.1.2 Review of the policies for information security (Control in place: Yes)
All our policies follow a standard format which includes details of the policy owner(s), coordinator(s) and approver(s). All policies are reviewed annually, or sooner if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.

A.6 Organization of Information Security

6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1 Information Security Roles and Responsibilities (Control in place: Yes)
Responsibility and accountability for the management of our global ISMS resides with our global Chief Security Officer. For the UK ISMS, accountability is with the UK Managing Director, with responsibility delegated to the Business Operations Leader. Individual assets have owners designated in the asset register.

6.1.2 Segregation of Duties (Control in place: Yes)
Our Access Control Policy is to ensure that conflicting duties and areas of responsibility are segregated.

6.1.3 Contact with Authorities (Control in place: Yes)
We maintain contact with relevant law enforcement and regulatory bodies, both in the normal course of our business and in exceptional circumstances, to report security incidents or to maintain continuity of our business.

6.1.4 Contact with Special Interest Groups (Control in place: Yes)
We are members of special security related interest groups and forums.

6.1.5 Information Security with Project Management (Control in place: Yes)
We address information security in all projects. Information security implications are expected to be addressed and reviewed regularly in all projects.

ABOUT DUN & BRADSTREET


Dun & Bradstreet, the global leader in commercial data and analytics, enables companies around the world to improve their business performance.
Dun & Bradstreet’s Data Cloud fuels solutions and delivers insights that empower customers to accelerate revenue, lower cost, mitigate risk, and transform
their businesses. Since 1841, companies of every size have relied on Dun & Bradstreet to help them manage risk and reveal opportunity. For more about
Dun & Bradstreet, visit DNB.co.uk.
In the UK Dun & Bradstreet Limited is certified to ISO 27001
and is authorised & regulated by the Financial Conduct Authority.

© Dun & Bradstreet, Inc. 2021. All rights reserved.

Page 1 of 13 This document was updated June 2021 - DnB-OTH-GBR-BUS-0001 (r.2.2)


6.2 Mobile Devices and Teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

6.2.1 Mobile Device Policy (Control in place: Yes)
Mobile devices (including smart phones and tablets) are widely used in our organisation. The requirements for both company provided devices and employee owned devices are set out in our policies. Training is provided to reinforce understanding and compliance.

6.2.2 Teleworking (Control in place: Yes)
Teleworking is common practice in our modern working environment. Our policies and training take into account the risks and the associated controls required.

A.7 Human Resource Security

7.1 Prior to Employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

7.1.1 Screening (Control in place: Yes)
Background verification checks in line with our policy and procedure are carried out for all candidates for employment. The policy takes account of relevant laws and regulations and is proportional to the business requirements, the classification of the information to be accessed and the perceived risks to the business.
We have contractual agreements with third party suppliers whose employees work at D&B premises; these employees are often referred to as contractors. Our supplier agreements with these third parties require their employees to comply with our Information Security policies and procedures.

7.1.2 Terms & Conditions of Employment (Control in place: Yes)
The contractual obligations for employees and contractors engaged by Dun & Bradstreet are set out in the Terms & Conditions of Employment, which all employees and directly employed contractors are required to sign before commencing employment. These terms and conditions also set out the continuing responsibilities for Information Security after employment ends. The Information Security obligations and ethical considerations required by D&B are reinforced in our Code of Conduct and Information Security Training materials.
We have contractual agreements with third party suppliers whose employees work at D&B premises; these employees are often referred to as contractors. Our supplier agreements with these third parties require their employees to comply with our Information Security policies and procedures.



7.2 During Employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

7.2.1 Management Responsibility (Control in place: Yes)
Being 'Data Inspired' is one of D&B's core values, and the importance of data and information security is part of the culture of our business. All new employees are assessed against their terms & conditions of employment, their information security obligations and other criteria during their probationary period and throughout their employment. Management ensure that employees are trained in the aspects of information security relevant to their role. We have a clear Whistleblowing process which is reinforced in our annual Code of Conduct training.

7.2.2 Information Security Awareness, Education and Training (Control in place: Yes)
A program of general Information Security Awareness, Education & Training exists for all employees. Where there are role specific information security requirements, training needs are assessed and appropriate training arranged.

7.2.3 Disciplinary process (Control in place: Yes)
We have a clear Disciplinary Policy and Procedure, which sit alongside a Capability & Performance Improvement Policy and Procedure, to handle circumstances where an employee has committed an information security breach.

7.3 Termination and Change of Employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

7.3.1 Termination or Change of Employment Responsibilities (Control in place: Yes)
Processes exist to ensure employees are reminded of their obligations with regard to information security, and of the consequences of not meeting those obligations, when they leave D&B. When employees change roles, the responsibility rests with the line manager to advise the employee of any role specific obligations.

A.8 Asset Management

8.1 Responsibility for Assets
Objective: To identify organizational assets and define appropriate protection responsibilities.

8.1.1 Inventory of assets (Control in place: Yes)
We have an inventory of information security related assets contained in our UK Asset Register. It also references assets held on other inventories. Certain specific asset types, such as software, are managed by our Global Security team; specific policy is in place addressing requirements for those asset types.

8.1.2 Ownership of Assets (Control in place: Yes)
All information security related assets (or groups of assets) have designated owners who are responsible for the asset throughout its lifecycle, or owners for defined phases of the asset's lifecycle.

8.1.3 Acceptable use of Assets (Control in place: Yes)
Acceptable use of Information Security related assets is defined in our Acceptable Use Policy and is reinforced through training and awareness courses.



8.1.4 Return of Assets (Control in place: Yes)
Procedures are in place to ensure that Information Security related assets assigned to employees or contractors are returned when the contract with the employee or contractor ends.

8.2 Information Classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

8.2.1 Classification Guidelines (Control in place: Yes)
Information is classified and labelled as set out in our Global Data Classification Policy. These guidelines guide asset owners and employees on the appropriate labelling of information assets.

8.2.2 Labelling of Information (Control in place: Yes)
Information is classified and labelled as set out in our Global Data Classification Policy. These guidelines guide asset owners and employees on the appropriate labelling of information assets.

8.2.3 Asset Handling (Control in place: Yes)
Our Acceptable Use Policy and Data Classification Policy, together with our Data Handling & Destruction Standard, define appropriate handling of assets & information.

8.3 Media Handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

8.3.1 Management of Removable Media (Control in place: Yes)
The use, management and destruction of removable media is controlled by our Acceptable Use Policy and our Data Handling and Media Destruction Standard.

8.3.2 Disposal of Media (Control in place: Yes)
Disk drives and the use of USB ports for media storage devices are disabled as standard and only enabled by exception, where justification is provided and approved by GSR.

8.3.3 Physical Media Transfer (Control in place: Yes)
A list of approved carriers is maintained by our GS&P team as part of our Third-Party Management & Due Diligence Policy.

A.9 Access Control

9.1 Business Requirements of Access Control
Objective: To limit access to information and information processing facilities.

9.1.1 Access Control Policy (Control in place: Yes)
9.1.2 Access to Networks and Network Services (Control in place: Yes)
Access to the network and systems is controlled by our Global Access Control Policy and Global Network Configuration Policy. User requests are managed by our USR process, controlling and limiting access on an as-needed basis.

9.2 Business Requirements of Access Control
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

9.2.1 User Registration and De-Registration (Control in place: Yes)
There are global policies and standards in place, and a formal global user registration and de-registration procedure for granting and revoking access to all information technology systems and services.



9.2.2 User Access Provisioning (Control in place: Yes)
There are global policies and standards, and a formal user access provisioning process is implemented to assign and revoke access rights for all user types to all systems and services.

9.2.3 Management of Privileged Access Rights (Control in place: Yes)
Allocation and use of privileges are restricted and controlled in line with our global policy.

9.2.4 Management of Secret Authentication Information of Users (Control in place: Yes)
Allocation of passwords is controlled through a formal management process. Globally, D&B operates a formal management process for the management and control of secret authentication information of users.
For contractors and 3rd Party Vendors the contract/agreement covers confidentiality. Where access is granted to third parties it is limited in accordance with our policy.

9.2.5 Review of User Access Rights (Control in place: Yes)
D&B operates a formal user registration and de-registration procedure for granting and revoking access to all information technology systems and services.

9.2.6 Removal or Adjustment of Access Rights (Control in place: Yes)
D&B operates a formal user registration and de-registration procedure for granting and revoking access to all information technology systems and services.

9.3 User Responsibilities
Objective: To make users accountable for safeguarding their authentication information.

9.3.1 Use of Secret Authentication Information (Control in place: Yes)
A Confidentiality Agreement is included in employees' terms and conditions of employment. Our policies and standards support this, and the use of secret authentication information is included in training materials.
For contractors and 3rd Party Vendors the contract/agreement covers confidentiality.

9.4 System and Application Access Control
Objective: To prevent unauthorized access to systems and applications.

9.4.1 Information Access Restriction (Control in place: Yes)
Access to information and application system functions by users and support personnel is restricted in accordance with the defined access control policy.

9.4.2 Secure Log-on Procedures (Control in place: Yes)
Access to operating systems is controlled by a secure log-on policy.

9.4.3 Password Management System (Control in place: Yes)
Systems for managing passwords are interactive and ensure quality passwords.

9.4.4 Use of Privileged Utility Programs (Control in place: Yes)
The use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled.

9.4.5 Access control to program Source Code (Control in place: Yes)
Access to program source code is restricted.



A.10 Cryptography

10.1 Cryptography Controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

10.1.1 Policy on the use of Cryptography Controls (Control in place: Yes)
D&B operate formal policies, standards and procedures on the use of cryptography controls for the protection of its information.

10.1.2 Key Management (Control in place: Yes)
A policy, and associated procedures and standards, in relation to the use, protection and life cycle of cryptographic keys has been developed and implemented, covering the whole key lifecycle.

A.11 Physical and Environmental Security

11.1 Secure Areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

11.1.1 Physical Security Perimeter (Control in place: Yes)
Physical perimeter security is defined by and managed in accordance with our Physical Security Policy. Additional documented information supports the execution of the policy. The premises and secure working areas are defined.

11.1.2 Physical Entry Controls (Control in place: Yes)
Physical entry controls are set out in our Physical Security Policy. There is a visitor access procedure to support this policy.

11.1.3 Securing Offices, Rooms and Facilities (Control in place: Yes)
Secured information processing facilities are identified and secured by access control systems in line with our policy and as set out in associated documents.

11.1.4 Protecting against External and Environmental Threats (Control in place: Yes)
Protection of our facilities, in line with health and safety legislation requirements, is in place. Additional fire, heat and flood protection is active in sensitive secure areas housing essential equipment. Additional security measures are also in place at all our sites to help prevent malicious access.

11.1.5 Working in Secure Areas (Control in place: Yes)
We have policies and procedures to ensure that access to secure areas is restricted on a specific needs basis and that special working procedures are in place and rigorously enforced.

11.1.6 Delivery and Loading Areas (Control in place: Yes)
All deliveries in Marlow & London are made via our reception teams. In Cardiff, postal deliveries are sorted by allocated team members.

11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

11.2.1 Equipment Siting and Protection (Control in place: Yes)
Equipment is sited or protected to reduce the risks from environmental threats and hazards and the opportunities for unauthorized access.



11.2.2 Supporting Utilities (Control in place: Yes)
Equipment is protected from power failures and other disruptions caused by failures in supporting utilities by ensuring suitable planning and architecture of infrastructure utilities.

11.2.3 Cabling Security (Control in place: Yes)
Power and telecommunication cabling carrying data or supporting information services is protected from interruption or damage.

11.2.4 Equipment Maintenance (Control in place: Yes)
Equipment is correctly maintained to ensure its continued availability and integrity.

11.2.5 Removal of Assets (Control in place: Yes)
Equipment, information and software are not to be taken off-site without the prior authorization of their manager, unless set out in policy.

11.2.6 Security of Equipment and Assets Off-Premises (Control in place: Yes)
Security is applied to assets and equipment off-site, taking into account the different risks that arise outside the D&B premises.

11.2.7 Secure Disposal or Re-Use of Equipment (Control in place: Yes)
Policy, process and procedures exist to ensure that all equipment reuse is managed and that equipment is disposed of securely.

11.2.8 Unattended User Equipment (Control in place: Yes)
Policy, standards and training are in place to ensure that users log off or lock devices whenever equipment is left unattended, so that passwords or PINs are required to reactivate sessions, and that sessions are terminated when no longer in use.

11.2.9 Clear Desk and Screen Policy (Control in place: Yes)
Policy, standards and training are in place to ensure that users clear their desk of restricted information when unattended, and log off or lock devices whenever equipment is left unattended so that passwords or PINs are required to reactivate sessions.

A.12 Operations Security

12.1 Operational Procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

12.1.1 Documented Operating Procedures (Control in place: Yes)
Procedures, policies (containing procedures), training materials and other instructions / information are provided to those that need them to effectively fulfil the information security aspects of their roles. Where appropriate these documents are included in this SoA under the appropriate controls.

12.1.2 Change Management (Control in place: Yes)
Policies and processes are documented to ensure that changes likely to impact information security are controlled.

12.1.3 Capacity Management (Control in place: Yes)
Use of resources is monitored and tuned, and projections are made of future capacity requirements, to ensure the required system performance.

12.1.4 Separation of development, Testing and Operational Environments (Control in place: Yes)
Development, test and operational environments are separated by controlled access to reduce the risks of unauthorized access or changes to the operational system.



12.2 Protection from Malware
Objective: To ensure that information and information processing facilities are protected against malware.

12.2.1 Controls against Malware (Control in place: Yes)
Where technically feasible, all D&B servers and workstations are required to have active anti-malware software that is configured in compliance with D&B corporate standards. Any server or workstation without active, correctly configured anti-malware software may be blocked from network services until brought into compliance.

12.3 Back-Up
Objective: To protect against loss of data.

12.3.1 Information Backup (Control in place: Yes)
Back-up copies of information and software are taken and tested regularly in accordance with the agreed back-up policy.

12.4 Logging and Monitoring
Objective: To record events and generate evidence.

12.4.1 Event Logging (Control in place: Yes)
Audit logs recording user activities, exceptions and information security incidents are produced and kept for an agreed time period to assist future investigations and access control monitoring.

12.4.2 Protection of Log Information (Control in place: Yes)
Logging facilities and log information are protected against tampering, unauthorized access and destruction.

12.4.3 Administrator and Operator Logs (Control in place: Yes)
System Administrator/Operator activities are logged, protected from amendment by the same System Administrator/Operator, and regularly reviewed.

12.4.4 Clock Synchronization (Control in place: Yes)
The clocks of all relevant information processing systems are synchronized with an agreed single accurate time source.

12.5 Control of Operational Software
Objective: To ensure the integrity of operational systems.

12.5.1 Installation of software on Operational Systems (Control in place: Yes)
We have policies and procedures in place to ensure the installation of software on production systems is appropriately controlled.

12.6 Technical Vulnerability Management
Objective: To prevent exploitation of technical vulnerabilities.

12.6.1 Management of Technical Vulnerabilities (Control in place: Yes)
Technical vulnerabilities are identified and managed in line with our policies and processes.

12.6.2 Restrictions on Software Installations (Control in place: Yes)
Only D&B approved, licensed and functionally required software is installed on end user devices.

12.7 Information Systems Audit Considerations
Objective: To minimise the impact of audit activities on operational systems.



12.7.1 Information System Audit Controls (Control in place: Yes)
Global Security documents set out compliance requirements in all policies, standards, procedures, etc., so that implementers & management know what they will be measured against. Technical tests are included in the compliance section as well. GSR performs a number of scanning activities on systems, e.g., vulnerability scanning, compliance scanning, static code analysis, dynamic URL scanning and penetration testing, as well as detective monitoring on servers and end point systems (e.g., laptops).

A.13 Communications Security

13.1 Network Security Management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network Controls (Control in place: Yes)
D&B maintain appropriate controls and procedures to ensure the consistent and secure operation of the network and related components.

13.1.2 Security of Network Services (Control in place: Yes)
D&B ensure security is considered and addressed in all network service agreements.

13.1.3 Segregation in Networks (Control in place: Yes)
Networks are segregated as much as practical to prevent access overlap and to minimise the impact of any incident on a network.

13.2 Information Transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

13.2.1 Information Transfer Policies and Procedures (Control in place: Yes)
Formal transfer policies, procedures and controls are in place to protect the transfer of information through the use of all types of communication facilities. Security training reinforces our policies.

13.2.2 Agreements on Information Transfer (Control in place: Yes)
Agreements are in place between D&B Global and 3rd party Vendors and Business Partners.

13.2.3 Electronic Messaging (Control in place: Yes)
Information involved in electronic messaging is appropriately protected.

13.2.4 Confidentiality or Non-Disclosure Agreements (Control in place: Yes)
Confidentiality and non-disclosure agreements are established and used where appropriate to protect information.

A.14 System Acquisition, Development and Maintenance

14.1 System Requirements of Information Systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

14.1.1 Information Security Requirements Analysis and Specifications (Control in place: Yes)
Statements of business requirements for new information technology systems, or enhancements to existing information technology systems, specify the requirements for security controls.



14.1.2 Securing Application Services on Public Networks (Control in place: Yes)
All systems and supporting infrastructure that engage in e-commerce are designed, developed and operated in a manner that appropriately protects the interests of D&B and its customers.

14.1.3 Protecting Application Services Transactions (Control in place: Yes)
Information involved in application service interactions is protected to ensure that its confidentiality, availability and integrity are protected by design and by the overall architecture.

14.2 Security in Development and Support
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

14.2.1 Secure Development Policy (Control in place: Yes)
Development of software within the organisation is set out in our policy for secure application development. We have Support Service Agreements with other parts of our organisation to ensure this is applied wherever software is being developed. Third parties are required to meet our standards as set out in our Third-Party Management Policy.

14.2.2 System Change Controls Procedures (Control in place: Yes)
System changes are controlled by policies and implemented following process and procedure.

14.2.3 Technical Review of Applications after Operating Platform Changes (Control in place: Yes)
When operating platforms are changed, business critical applications are reviewed and tested to ensure there are no adverse effects on operations or security.

14.2.4 Restrictions on changes to Software Packages (Control in place: Yes)
Changes to software packages are discouraged, limited to necessary changes, and subject to effective software change control.

14.2.5 Secure System Engineering Principles (Control in place: Yes)
Software security standards are in place to ensure that systems are designed, developed, implemented, maintained and documented consistently in accordance with security requirements.

14.2.6 Secure Development Environment (Control in place: Yes)
Secure development environments for system development and integration cover the entire system development lifecycle, in line with our policy for secure application development.

14.2.7 Outsourced Development (Control in place: Yes)
Where a global contract is in place, compliance with our global policies is established at a corporate level. Where outsourced development is managed from the UK, leaders provide suitable and adequate supervision and monitoring.

14.2.8 System Security Testing (Control in place: Yes)
System security requirements and functionality are integrated into software test plans.

14.2.9 System Acceptance Testing (Control in place: Yes)
Software change control, test procedures and system acceptance procedures are followed when new or amended hardware, software and relevant procedures are introduced to the production environment.



14.3 Test Data. Objective: To ensure the protection of data used for testing.

14.3.1 Protection of Test Data. In place: Yes. Data used for testing systems is stored and processed in a manner that ensures appropriate security controls and compliance with all applicable privacy requirements; where sensitive data from the production environment is used in a test environment it shall be redacted or otherwise obfuscated.

A.15 Supplier Relationships

15.1 Information Security in Supplier Relationships. Objective: To ensure protection of the organization's assets that are accessible by suppliers.

15.1.1 Information Security Policy for Supplier Relationships. In place: Yes. Through agreements and contracts we require our vendors to meet information security requirements as set out in relevant policies.

15.1.2 Addressing Security within Supplier Agreements. In place: Yes. Appropriate arrangements are in place in relation to information security agreements with third-party vendors and business partners.

15.1.3 Information and Communication Technology Supply Chain. In place: Yes. Agreements with vendors include requirements that address the information security risks associated with information and communication technology services and the product supply chain.

15.2 Supplier Service Delivery Management. Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

15.2.1 Monitoring and Review of Supplier Services. In place: Yes. D&B monitors, reviews and audits vendor service delivery, where required.

15.2.2 Managing Changes to Supplier Services. In place: Yes. Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed, taking into account the criticality of the business information, systems and processes involved and the re-assessment of risks.

A.16 Information Security Incident Management

16.1 Management of Information Security Incidents and Improvements. Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

16.1.1 Responsibilities and Procedures. In place: Yes. Management responsibilities and procedures are established to ensure a quick, effective and orderly response to information security incidents.

16.1.2 Reporting Information Security Events. In place: Yes. We have procedures in place to ensure security events are reported and recorded. These procedures are supported by training courses and policy.

16.1.3 Reporting Information Security Weaknesses. In place: Yes. All employees, contractors and third-party users of information technology systems and services are required to report any observed or suspected weaknesses in information technology systems or services using the same mechanisms as for actual security events.


16.1.4 Assessment of and Decision on Information Security Events. In place: Yes. The assessment of information security events and the decision to classify an event as an information security incident are defined in our policy and procedure.

16.1.5 Response to Information Security Incidents. In place: Yes. The response to information security incidents is defined in policy and process documents.

16.1.6 Learning from Information Security Incidents. In place: Yes. We apply a learning and continual improvement approach to all IS incidents.

16.1.7 Collection of Evidence. In place: Yes. Policy and process set out the procedure for gathering and retaining evidence and the chain of custody.

A.17 Information Security Aspects of Business Continuity Management

17.1 Information Security Continuity. Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

17.1.1 Planning Information Security Continuity. In place: Yes. A managed process has been developed and is maintained for business continuity throughout D&B globally, including the UK and relevant third-party vendors, that addresses the information security requirements needed for the organization's business continuity.

17.1.2 Implementing Information Security Continuity. In place: Yes. Plans have been developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required timescales following interruption to, or failure of, critical business processes. Events that cause interruptions to business processes are identified, along with the probability and impact of such interruptions and their consequences for information security.

17.1.3 Verify, Review and Evaluate Information Security Continuity. In place: Yes. Business continuity plans are tested and updated periodically to ensure that they are up to date and effective.

17.2 Redundancies. Objective: To ensure availability of information processing facilities.

17.2.1 Availability of Information Processing Facilities. In place: Yes. A managed process has been developed and is maintained for establishing, documenting, implementing and maintaining the processes, procedures and controls needed to ensure the required level of continuity for information security during an adverse, unplanned or emergency situation.

A.18 Compliance

18.1 Compliance with Legal and Contractual Requirements. Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

18.1.1 Identification of Applicable Legislation and Contractual Obligations. In place: Yes. Registers are maintained to capture relevant IS-related statutory, regulatory and contractual obligations.



18.1.2 Intellectual Property Rights (IPR). In place: Yes. Appropriate procedures are implemented to ensure compliance with statutory, regulatory and other legal requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products.

18.1.3 Protection of Records. In place: Yes. Policies are in place to ensure records are protected from loss, destruction and falsification, in accordance with statutory, regulatory and other legal obligations and business requirements.

18.1.4 Privacy and Protection of Personally Identifiable Information. In place: Yes. Our data protection and privacy policies, procedures and training support the relevant statutory and regulatory requirements and, where applicable, other legal requirements.

18.1.5 Regulation of Cryptographic Controls. In place: Yes. Cryptographic controls are in compliance with all relevant statutory, regulatory and other legal requirements.

18.2 Information Security Reviews. Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

18.2.1 Independent Review of Information Security. In place: Yes. Audits are conducted internally by persons independent of the function of management being audited. Our Global Enterprise Risk and Audit team, who are independent of UKI management, support the audit process.

18.2.2 Compliance with Security Policies and Procedures. In place: Yes. Leaders are responsible for ensuring compliance within their areas of responsibility. Non-compliance, corrective action and opportunities for improvement are also reviewed at Management Review Meetings.

18.2.3 Technical Compliance Review. In place: Yes. Information technology systems are checked for compliance with security implementation standards. ISMS leaders from GSR, DBIS and the UK meet to share best practice, identify continual improvement opportunities and track changes.

D&B Additional Controls

Continual Improvement. Objective: Continual Improvement.

C01 Learning from other D&B business entities and driving improvements to ISMSs. In place: Yes. ISMS leaders from GSR, DBIS and the UK meet to share best practice, identify continual improvement opportunities and track changes.
