IAEA Information Security IAEA Specification

Management System
Development and
Implementation Dated 23 November 2015

STATEMENT OF WORK

IAEA Information Security Management System

Development and Implementation

Contents
1. Scope ............................................................................................................................................... 1
2. Applicable Documents..................................................................................................................... 2
3. Definitions, Acronyms, and Abbreviations ...................................................................................... 3
4. Requirements .................................................................................................................................. 3
5. Deliverable Data Items .................................................................................................................. 10
6. IAEA Responsibilities ..................................................................................................................... 11
Attachment 1......................................................................................................................................... 13

1. Scope
This Statement of Work (SOW) describes the requirements for the development,
documentation, and assistance with the implementation of an ISO 27000 series
compliant IAEA Information Security Management System (ISMS) framework,
governance structure, documentation and associated management processes that
may be either new or will revise, adapt, or replace current structures or processes.
The resulting ISMS will prepare the IAEA for obtaining and maintaining an ISO
27001:2013 certification.

The ISMS shall be based on the ISO/IEC 27000 series and shall take into
consideration the results and recommendations of an internal Audit of ISMS and of an
IAEA Information Security Risk Assessment and Five-Year Roadmap that was
commissioned by the Chief Information Officer and completed earlier in 2015. The
ISMS must enable the IAEA to further protect the information it creates and manages
and to more effectively adapt and respond to changes in information and security
technologies and threats to the IAEA in the years to come.

Page 1 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

The IAEA has the same information security needs of any enterprise organization.
However, due to the unique and varied nature of the IAEAs missions, described on
the IAEA homepage (www.iaea.org), the information managed by the various IAEA
programmes has significantly differing requirements in terms of confidentiality,
integrity and availability. These include confidentiality requirements for some
information similar to national governments and intelligence organizations and for
some information similar to not-for-profit business environments. There are integrity
requirements that range from those of health, safety and research organizations to
that of an official public website as well as routine administrative information. The
IAEAs availability requirements are in line with that of archived records but also that
of Internet-based public safety information and emergency response providers. The
ISMS must effectively address all aspects of information and IT security at the IAEA.

It is critical to understand that this is not a clean slate environment with regards to
information and IT security. The IAEA currently has information security controls in
the form of policies, procedures, processes, technologies and systems and is actively
working on the creation and/or revision of other aspects of an ISMS. Policies,
procedures, processes, technologies and systems differ across various parts of the
IAEA on many aspects. The development of the IAEA ISMS shall create and
implement the new components required, and shall also take into consideration both
the existing and in-progress components and, as appropriate, adapt and integrate or
replace them.

2. Applicable Documents
The ISO/IEC 27000 series (current versions) documents shall be applicable for the
work to the extent specified hereinafter.
In the event of conflict between these documents and the content of this
Specification, the content of this Specification shall take precedence to the extent of
the conflict.
Additionally, the following resources are included as recommended references:
FedRAMP General Document Acceptance Criteria
(https://www.fedramp.gov/files/2015/07/FedRAMP-General-Document-
Acceptance-Criteria.pdf)
IAEA Security of Nuclear Information
(http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1677web-32045715.pdf)
Internet Security Forum Best Practices
(https://www.securityforum.org/tools/sogp/)

Extensive documentation will be made available, such as relevant current and draft
policies and procedures, relevant audits and risk assessments, and long term
Page 2 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

response plans. The audits and risk assessments are based on extensive and
substantive reviews of IAEA documentation (more than 300 policies, procedures and
audit, technical security assessment and incident reports), personal interviews with
management and technical staff, and technical verification testing. The risk
assessment reports provide detailed descriptions of the risks identified. This
information will also be made available, as deemed necessary.

For a preliminary understanding of the compliance landscape, the legally binding

agreements (https://www.iaea.org/publications/documents) and Medium Term
Strategy (https://www.iaea.org/about/mts) may be obtained on the IAEA website
(www.iaea.org).

3. Definitions, Acronyms, and Abbreviations

The following definitions, acronyms, and abbreviations shall apply throughout this
SOW unless defined otherwise hereinafter:
Agency International Atomic Energy Agency
GRC Governance, Risk and Compliance
IAEA International Atomic Energy Agency
ISMS Information Security Management System
IT Information Technology
KPI Key Performance Indicator
MTIT IT Division | Department of Management
RMS Risk Management System
SGIS IT Division | Department of Safeguards
Note: Unless noted otherwise, all references to the IAEA include all internal
organizations and staff.

4. Requirements
The Contractor and its staff(s) engaged on this account shall meet the requirements
and carry out the activities listed here below and provide the deliverables specified.
4.1. Schedule and Place
4.1.1. The initial kick-off of the engagement shall take place no more than two weeks
after the contract is signed. The current estimated date is mid-April 2016.
4.1.2. For the initial kick-off of the engagement, review of confidential information,
any needed stakeholder interviews, workshops or review meetings and
presentations, the Contractor shall work on-site at the IAEA Headquarters in
Vienna, Austria, with assistance from the IAEA Project Lead and the
Information Security Office.
Page 3 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

4.1.3. For collaborative activities that do not involve sensitive IAEA information, per
classification policy, online resources such as Webex and SharePoint may be
utilised if effective and efficient;
4.1.4. The working hours for activities involving IAEA staff are the standard working
hours at the IAEA Headquarters, Vienna, Austria hours (08:00 18:00 GMT
+1).
4.2. Profile and Qualifications
4.2.1. The Contractor shall be ISO 27001 certified;
4.2.2. All staff engaged by the Contractor on this account, unless otherwise noted,
shall have/be:
4.2.2.1. Experience:
4.2.2.1.1. A minimum of 5 years working experience covering a majority
of the areas detailed in Section 4.3;
4.2.2.1.2. Extensive familiarity with the ISO 27000 series and in helping
organizations achieve ISO 27001 certification;
4.2.2.1.3. Experience working in high confidentiality environments and
relevant business sectors (such as national government,
banking, intelligence);
4.2.2.2. Personal qualities:
4.2.2.2.1. Strong business communication and facilitation skills; and
4.2.2.2.2. Fluency in English Both oral and written equivalent to
Cambridge English certification levels First, Advanced or
Proficiency or Common European Framework level C or similar
competency;
4.2.3. The Contractors Project Manager working on this account shall have/be:
4.2.3.1. The Single Point of Contact for the engagement;
4.2.3.2. A minimum of 10 years working experience covering a majority of the
areas detailed in Section 4.3;
4.2.3.3. Extensive and proven experience managing consulting engagements
of this nature (ISMS implementation) and magnitude for high-profile
clients;
4.2.3.4. Relevant certifications (Prince2 and/or equivalents, CISSP or other
relevant equivalents) in good standing;
4.2.4. The Contractors Subject matter expert (ISMS implementation) working on
this account shall have/be:
4.2.4.1. Extensive and proven experience developing and implementing ISO
27001 Information Security Management Systems of this magnitude;
4.2.4.2. Relevant certifications (CRISC, CISSP, IRCA ISMS auditor and/or
equivalents) in good standing;
4.2.5. The Contractors Subject matter expert (Risk management) working on this
account shall have/be:

Page 4 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

4.2.5.1. Extensive and proven experience in information security, IT security,

risk management and performing the services listed in Section 4.3;
4.2.5.2. Strong understanding of security controls in the environments
described in Attachment 1 (IAEA Information and IT Technology
Environment Description);
4.2.5.3. Relevant certifications (CRISC, CISSP and/or equivalents) in good
standing;
4.2.6. Subject matter expert (Governance) working on this account shall have/be:
4.2.6.1. Strong and proven experience in governance, organization and
operational security; and
4.2.6.2. Extensive experience implementing industry standards and best
practices;
4.2.6.3. Relevant certifications (CGEIT, CRISC, CISSP and/or equivalents) in
good standing;
4.2.7. Subject matter expert (Policies and standards)
4.2.7.1. English business and technical writing skills;
4.2.7.2. Extensive experience implementing industry standards and best
practices;
4.3. Develop an IAEA Information Security Management System and Assist with the
Implementation thereof
The Contractor shall develop, document and assist the IAEA to establish and
implement an ISO 27000 series compliant IAEA ISMS. The ISMS shall be
designed to ensure effective and efficient maintenance and continuous
improvement. The Contractor shall also, in accordance with the requirements of
ISO 27001:2013, prepare the IAEA for obtaining and maintaining ISO
27001:2013 certification.

The specified requirements detailed below are intended to clarify or provide

additional requirements to the general requirement stated above.

4.3.1. Project management

4.3.1.1. The Contractor shall utilise an ISO 27001:2013-aligned formal and
structured approach, such as ISO 27003, for the development and
implementation of the ISMS, addressing all requirements of ISO
27001:2013 in the process;
4.3.1.2. The Contractor shall, based on the approach referenced (4.3.1.1),
develop, manage and follow a formal project management
methodology and produce a detailed project plan with milestones,
stage plans and gates to effectively and efficiently provide the services
procured;

Page 5 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

4.3.1.3. The Contractor shall, as a part of the project management

methodology, hold regular meetings and provide highlight/status
reports, exception reports and a project closure report;
4.3.2. General
4.3.2.1. The working language of the IAEA is English, as such all
documentation, whether working, draft or final shall be in English or
formal business English, as is appropriate;
4.3.2.2. The Contractor shall identify and provide any other ISMS components
not specified in the ISO 27000 series standards or listed below that the
Contractor deems necessary for effective ISMS implementation;
4.3.2.3. The Contractor shall lead or assist with the communication,
coordination and negotiations with internal organizations affected by or
associated with the changes in internal processes;
4.3.3. Preparation
4.3.3.1. The Contractor shall collect and review relevant information about the
IAEA per ISO 27001:2013 Section 4 Context of the Organization;
4.3.3.2. The Contractor shall, based on the information collected and reviewed,
develop; document; organise reviews and make revisions; for the
following:
4.3.3.2.1. An IAEA ISMS Scope Statement;
4.3.3.2.2. An IAEA information security strategy;
4.3.3.2.3. IAEA information security objectives;
4.3.3.2.4. An IAEA ISMS policy/charter;
4.3.3.3. The Contractor shall, as an aid to the senior managers who will
approve the documents listed in 4.3.3.2, prepare and present a
description and explanation of how these documents implement ISO
27000 requirements and best practices;
4.3.4. Framework
4.3.4.1. The Contractor shall develop and formally document an ISMS
framework and associated management processes, based on ISO
27000 series requirements and guidance, ensuring the inclusion of the
following items;
4.3.4.1.1. A definition of information security roles, responsibilities and
communication lines including:
4.3.4.1.1.1. Information security and information classification officer
roles descriptions, qualifications and a reporting structure;
4.3.4.1.1.2. IAEA-wide and intra-organizational information security
collaboration;
4.3.4.1.1.3. Formalised cooperation between staff responsible for
information and physical security, both internal and
external to the IAEA;

Page 6 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

4.3.4.1.1.4. The expected relationship with the IAEA Office of Internal

Oversight (OIOS);
4.3.4.1.2. An ISMS staffing resource plan including number of FTEs,
functions and qualifications;
4.3.4.1.3. An information security documentation management process
that provides for:
4.3.4.1.3.1. The creation or revision, review and approval,
maintenance and dissemination processes of ISMS
documentation;
4.3.4.1.3.2. A standardised format/structure for ISMS documentation
(policy, standard, process description, procedure,
guidance) and identifiers/naming convention;
4.3.4.1.3.3. A standardised document format or template;
4.3.4.1.3.4. A general document acceptance criterion for both writers
and reviewers. (See the FedRAMP General Document
Acceptance Criteria for an example);
4.3.4.1.3.5. Interface mechanisms or processes for the integration of
new or existing ISMS and/or ISMS-related processes;
4.3.4.1.4. An ISMS performance management and improvement process
that provides for:
4.3.4.1.4.1. monitoring and self-assessment;
4.3.4.1.4.2. measuring, responding and improving effectiveness
including the use of metrics and key performance
indicators (KPI);
4.3.4.1.4.3. reporting and review process for tactical response;
4.3.4.1.4.4. reporting and review process for senior management;
4.3.4.2. The Contractor shall document; organise reviews and make revisions;
prepare for and assist with the approvals, implementation and
integration of ISMS Framework described in 4.3.4.1;
4.3.4.3. The Contractor shall provide, based on experience and industry best
practice, and in conjunction with project stakeholders/project team,
recommendations and guidance for the functional requirements
definition and functional reviews during the in-house development of a
SharePoint-based ISMS content and process management portal;
4.3.4.4. The Contractor shall, in conjunction with the project team, evaluate
and test the ISMS portal being developed by the IAEA at different
stages of its implementation (as outlined in the project plan) to ensure
the system is fit-for-purpose and delivers the desired outputs;
4.3.4.5. The Contractor shall utilize the ISMS portal, when it is available and as
feasible considering off-site access restrictions, for the documentation
and process development activities described in this Statement of
Services;

Page 7 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

4.3.5. Documentation, process and integration

4.3.5.1. The Contractor shall develop a comprehensive suite of IAEA IS
policies, standards, processes, process descriptions, procedures and
other guidance tailored for the IAEA environment that are based on the
ISO 27002:2013 control objectives and relevant industry best
practices, and taking into consideration the results of recent internal
information security audits and risk assessments referenced in Section
2, Applicable Documents, IAEA requirements and information gathered
from staff;
4.3.5.1.1. The Contractor shall perform a review of existing IAEA and
Departmental/Division policies, standards, process
descriptions, procedures and guidance;
4.3.5.1.2. The Contractor shall perform and document a documentation
gap analysis based on the documents created during the
Preparation phase (4.3.3.2), review (4.3.5.1.1) results, ISO
27002:2013, other relevant ISO 27000 series standards and
best practice standards, IAEA audit recommendations and
legal requirements and commitments;
4.3.5.1.3. The Contractor shall, based on the results of the gap analysis
(4.3.5.1.2), prepare a proposal with justifications for a suite of
authoritative IAEA policies, standards, processes, process
descriptions, procedures and guidance documents for all staff;
identifying in the proposal the current documentation that can
be revised/adapted, the current documentation that need to be
replaced and what new documentation need to be developed,
ensuring that all of the ISO 27002:2013 security control
objectives have been considered and including the additional
objectives listed below:
Information security exception management process;
Application and IT system security acceptance testing
and certification (pre-production authorisation)
management process;
Integration with and/or into the ISMS of existing
processes related to :
o Information security (risk, incident, and
awareness);
o IT project management;
o ITIL (service, change and CMDB management);
4.3.5.1.4. The Contractor shall, based on the documentation review
(4.3.5.1.1), prepare a proposal for not more than ten (10)
existing non-IAEA-wide (department or division) policies or

Page 8 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

processes that cannot be revised for IAEA-wide use but are

IAEA-mission required;
4.3.5.1.5. The Contractor shall perform a review of existing and relevant
IAEA information security performance management
measurements and metrics;
4.3.5.1.6. The Contractor shall perform and document a metrics and KPI
gap analysis, based on the review (4.3.5.1.4) results, ISO
27002:2013, other relevant ISO 27000 series standards and
best practice standards and IAEA audit recommendations;
4.3.5.1.7. The Contractor shall, based on the results of the gap analysis
(4.3.5.1.6), prepare a proposal with justifications for the
metrics, KPIs and measurement processes to be used and the
reporting and review process for both tactical and strategic
purposes;
4.3.5.2. The Contractor shall present the draft documentation proposals
(4.3.5.1.3, 4.3.5.1.4, 4.3.5.1.7) for review, revision and approval and
document the final proposals;
4.3.5.3. The Contractor shall develop the approved suite of IAEA information
security documentation (4.3.5.1.3), ensuring that they are suitable and
adequate and also clear, complete, concise and consistent (see the
FedRAMP General Document Acceptance Criteria for a description of
these terms);
4.3.5.4. The Contractor shall develop a strategy for IAEA alignment to ITIL
processes that is consistent with the IT service organization structures
(see Attachment 1, paragraph 1.3);
4.3.5.5. The Contractor shall revise and adapt the approved non-IAEA-wide
information security documentation (4.3.5.1.4) to be compliant with the
ISMS documentation standard;
4.3.5.6. The Contractor shall lead the review and approval process for all
documentation by organising reviews, making revisions and by
providing, as needed, explanations and descriptions of how the
documents implement ISO 27000 series requirements and best
practices;
4.3.5.7. The Contractor shall lead and assist with the integration into existing
management processes or the ISMS framework:
4.3.5.7.1. the developed and/or revised policies, standards and
procedures;
4.3.5.7.2. the developed new ISMS processes;
4.3.5.7.3. the existing information security risk, incident and awareness
management processes;
4.3.5.8. The Contractor shall prepare training materials describing the
ISMS for live and web-based presentation that includes the:

Page 9 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

4.3.5.8.1. Purpose;
4.3.5.8.2. Governance;
4.3.5.8.3. Policy and documentation: changes, structure, location;
4.3.5.8.4. Performance measurement;
4.3.5.8.5. ISMS portal;
4.3.5.9. The Contractor shall present the ISMS training at a one-time
series of live sessions to all current IAEA staff;
4.3.6. Certification preparation
4.3.6.1. The Contractor shall provide a test certification assessment template
that the IAEA can use for pre- ISO 27001:2013 certification self-
readiness assessment.
4.4. Quality assurance and monitoring of work deliverables
4.4.1. All work shall be monitored and assessed by the IAEA Project Lead and the
Information Security Office, who will act as the primary representatives of the
IAEA; and
4.4.2. The Contractor shall provide the IAEA with regular updates either via email,
Internet-supported or in-person meetings to provide updates and review
progress as required. Updates shall be provided biweekly or as requested by
the IAEA.
4.5. Formal acceptance of deliverables/specialist products
4.5.1. All interim drafts and final deliverables shall be provided in electronic format
(Microsoft Office 2013 Word for all documents, also in PDF for final); prior to
acceptance of the final versions of the deliverables, the Contractor shall
organise formal review meetings with the IAEA; and

4.5.2. The Contractor shall prepare and present (using PowerPoint) the descriptions
and explanations of the major deliverables (Information Security Strategy,
ISMS Policy, ISMS staffing resource plan, ISMS framework, overview of the
policy suite, performance monitoring approach) to the IAEA CISO, CIO and
Senior Management.

5. Deliverable Data Items

The Contractor shall deliver the following data items:

5.1. Project management

5.1.1. A detailed Project Plan with milestones, stage plans and stage gates;
5.1.2. Project highlight, status and exception reports;
5.1.3. Project closure report;
5.1.4. All artefacts such as questionnaires, interview notes, minutes, working sheets,
draft documentation, reports and any other data created along with all
information provided by the IAEA along with all final documents.

Page 10 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

5.2. Preparation
5.2.1. ISMS Scope
5.2.2. IAEA Information Security Strategy
5.2.3. IAEA Information Security Control Objectives
5.2.4. ISMS Policy / Charter
5.3. Framework
5.3.1. Formal ISMS framework description
5.3.2. ISMS Governance mandate document
5.3.3. ISMS management staffing resource plan
5.3.4. ISMS Portal functional requirements recommendations
5.3.5. Information Security document management process and structure
descriptions, templates, general document acceptance criteria and procedures
5.3.6. ISMS performance management and improvement process descriptions
5.4. Documentation, process and integration
5.4.1. Three gap analysis reports (documentation and performance management)
5.4.2. Two documentation proposals (draft and final)
5.4.3. Performance management proposal (draft and final)
5.4.4. IAEA suite of policies, standards, procedures and guidance
5.4.5. Non-IAEA-wide policies or process designs and descriptions
5.4.6. Performance management process designs and descriptions (measurement,
metrics, reporting and review)
5.4.7. IAEA ITIL alignment strategy
5.4.8. ISMS training materials
5.5. Certification preparation
5.5.1. Assessment preparation documentation

6. IAEA Responsibilities
6.1. The IAEA will allocate a Project Lead who will be the focal point of contact within the
ISO for the duration of the engagement;
6.2. The IAEA will provide extensive documentation at the initiation of the project,
including:
6.2.1. IAEA information security risk assessment and planning documents;
6.2.2. IAEA Business Technology Strategic Plan [2015-2020];
6.2.3. IAEA legally binding agreements;
6.2.4. IAEA Information and IT security relevant policies, procedures and guidance
documents;
6.2.5. Relevant audit findings and recommendations;
6.3. The IAEA staff will provide assistance to the Contractor by;
6.3.1. Setting up stakeholder engagements (meetings, workshops etc.);

Page 11 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

6.3.2. Providing access to any further information as required (additional

documentation);
6.3.3. Providing user accounts and access to IAEA IT resources if required and as
appropriate;
6.3.4. Acting as reviewer of drafts, proposals and approaches produced by the
Contractors engaged staff(s);
6.3.5. Acting as approver for the final deliverables throughout the engagement; and
6.3.6. Providing an on-site working space (meeting room) when the Contractors
staff are at the IAEA in Vienna;
6.3.7. Providing on-line collaboration tools if required and as appropriate (see
Section 4.1.3).

Page 12 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

Attachment 1: IAEA Information and Information Technology

Environment Description

1.1. Information and communication systems are central to the IAEAs mission and
daily business activities, as they are utilised to routinely exchange information
among management and staff, with member states and other third parties in
the public and private sectors. This is accomplished through the normal
enterprise business and communications systems, restricted access and
public web and collaboration services and staff remote access systems that
are hosted both internally and in cloud-based systems. In addition to the
systems supporting daily business activities, the IAEA has information and
communications systems supporting the highly sensitive Nuclear Security and
Safeguards activities.

1.2. The information technology infrastructure supports ~3000 users (staff and
consultants) located at one primary location (Vienna International Centre) with
five additional permanent facilities located in Austria, Canada, Monaco and
Japan.

1.3. The IAEA has a partially centralised IT management structure with two
organizationally autonomous IT service organizations. Each centralised IT
management organization provides network, server, end point and security
operations planning and administration with well-defined technical inter-
connectivity. Both organizations provide software development and
maintenance. Additionally, there are staff members within divisions throughout
the IAEA providing software development, server-based applications
administration and local IT client support.

1.4. While all staff members have information security responsibilities, the IAEA has a
number of staff positions dedicated to security functions. These include:

Central Security Coordinator (responsible for all aspects of security except for
Information Security)
Chief Information Security Officer
Information Security Office
Safeguards Information Security Officer
Security operations groups, supporting
o Access control
o Threat management
o Incident response
o IT security engineering

Page 13 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

1.5. The IAEA has a formal information security policy; however, the elements that
underlie the policy in terms of IAEA processes, procedures, standards and
guidelines are limited. There are also IAEA policies for various information
security related activities. Additionally, each Department may also issue
additional policies. For instance, the Department of Safeguards has policy and
procedures focused on protecting the confidentiality and integrity of the sensitive
information that is central to their mission. On an ongoing basis, both internal and
external audits and security assessments are performed.

The technology underlying these services that are administered by IAEA staff
includes;

800+ Servers, physical and virtualised (highly virtualised), Windows and Linux
(predominantly Windows);
3500+ Client computers (desktop and notebook, Windows, Macintosh and
Linux, predominantly Windows);
500+ Mobile devices (phones and tablets);
MS Active Directory, multiple forests/multiple domains and additional
standalone domains (such as for the DMZ);
IPv4 wired and wireless networks, supporting client and server environments
and Internet access;
Network security systems providing access control; threat identification and
blocking; centralised logging and Security Event and Incident Management;
Multiple inter-site network communications connections;
Multiple remote access systems;
On-site dedicated data centres and rooms;
Cloud-based and outsourced resources;
Centralised and local IT Service Desks;
Commercial and bespoke applications (client, client-server and web-based);
Specialised laboratory, remote monitoring and embedded systems;
Disaster recovery infrastructure;
1.6. Application and system development is provided by IAEA staff and consultants
for in-house and technology transfer projects, utilizing multiple platforms and
languages that include but are not limited to;

Java Enterprise Edition (Java Servlets, JSP, JSF, Spring Framework)

JavaScript (e.g. Angular)
LAMP (Linux/Apache/MySQL/Perl/PHP/Python)
Microsoft .NET, ASP.NET and ASP.NET MVC;
Microsoft SharePoint;
Oracle E-Business Suite and Oracle ADF;
Ruby on Rails

Page 14 of 15
IAEA Information Security IAEA Specification
Management System
Development and
Implementation Dated 23 November 2015

Various languages (C, C++, script, java) used with specialised and embedded
systems.

Page 15 of 15