
Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers



AD ID

0003977

AD STATUS

Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers

ORIGINATOR

European Union

TYPE

Regulations

AVAILABILITY

Free

SYNONYMS

Regulations specifying criteria (policy) for the critical ICT third-party service providers in the financial sector

Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers

EFFECTIVE

2024-03-13

ADDED

The document as a whole was last reviewed and released on 2024-09-06T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, by virtue of those Citations and mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

35 Mandated Controls - bold    29 Implied Controls - italic    90 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
154 Total
  • Audits and risk management
    21
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Establish Roles Preventive
    Manage supply chain audits. CC ID 01203
    [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a)]
    Audits and Risk Management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and Risk Management Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156
    [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.]
    Testing Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
  • Human Resources management
    15
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Establish Roles Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources Management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Establish/Maintain Documentation Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources Management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Establish/Maintain Documentation Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Establish/Maintain Documentation Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources Management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources Management Corrective
  • Leadership and high level objectives
    5
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.]
    Behavior Preventive
  • Operational and Systems Continuity
    4
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Establish/Maintain Documentation Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT business continuity policy referred to in Article 11 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (c)]
    Establish/Maintain Documentation Preventive
  • Operational management
    10
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the information security policy referred to in Article 9(4) of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (b)]
    Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Establish/Maintain Documentation Preventive
    Implement changes according to the change control program. CC ID 11776
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.]
    Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
  • Third Party and supply chain oversight
    99
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1
    {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (d)
    {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)
    {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.]
    Establish/Maintain Documentation Preventive
    Review and update all contracts, as necessary. CC ID 11612 Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangements are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1.]
    Process or Activity Detective
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions. Article 3: Governance arrangements 8. (d)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.]
    Business Processes Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the involvement of business units, internal controls and other relevant units in respect of contractual arrangements; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (c)
    {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)]
    Establish/Maintain Documentation Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b)
    {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513
    [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515
    [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)]
    Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Establish/Maintain Documentation Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b)
    {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: consents to contractual arrangements that ensure that it is effectively possible to conduct audits at the ICT third-party service provider, including onsite, by the financial entity itself, appointed third parties, and competent authorities; Article 6: Due diligence 1. (e)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls; Article 8: Contractual clauses 3. (g)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency. Article 8: Contractual clauses 3. (h)]
    Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the requirements on incident reporting set out in Article 19 of Regulation (EU) 2022/2554. Article 3: Governance arrangements 6. (d)]
    Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (e)]
    Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366
    [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d)
    {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.]
    Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797 Testing Detective
    Approve or deny third party recovery plans, as necessary. CC ID 17124 Systems Continuity Preventive
    Review third party recovery plans. CC ID 17123 Systems Continuity Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Establish/Maintain Documentation Preventive
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the provision of ICT services supporting critical or important functions are concentrated to a single ICT third-party service provider or a small number of such service providers; Article 1: Overall risk profile and complexity ¶ 1 (h)
    {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)]
    Establish/Maintain Documentation Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Establish/Maintain Documentation Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Establish/Maintain Documentation Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Communicate Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Establish/Maintain Documentation Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Establish/Maintain Documentation Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the type of ICT services included in the contractual arrangement on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'contractual arrangement') between the financial entity and the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (a)]
    Establish/Maintain Documentation Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Establish/Maintain Documentation Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Establish/Maintain Documentation Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the location of the ICT third-party service provider or the location of its parent company; Article 1: Overall risk profile and complexity ¶ 1 (b)
    {supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)
    {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: is located, or processes or stores the data in a third country and, if this is the case, whether this practice affects the level of operational or reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services; Article 6: Due diligence 1. (d)]
    Establish/Maintain Documentation Preventive
    Categorize all suppliers in the supply chain management program. CC ID 00792
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT third-party service provider is part of the same group as the financial entity to which the services are provided; Article 1: Overall risk profile and complexity ¶ 1 (e)]
    Establish/Maintain Documentation Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT risk management framework referred to in Article 6 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (a)
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Establish/Maintain Documentation Preventive
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4.
    {supply chain management policy} The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 2. ¶ 1]
    Testing Detective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024
    [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1]
    Business Processes Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT concentration risks at entity level. Article 5: Ex-ante risk assessment 2. ¶ 2 (i)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (c)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: reputational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (d)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location of the ICT third-party service provider; Article 5: Ex-ante risk assessment 2. ¶ 2 (h)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location where the data is processed and stored; Article 5: Ex-ante risk assessment 2. ¶ 2 (g)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the availability of data; Article 5: Ex-ante risk assessment 2. ¶ 2 (f)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the protection of confidential or personal data; Article 5: Ex-ante risk assessment 2. ¶ 2 (e)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: legal risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (b)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: operational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (a)
    ]
    Establish/Maintain Documentation Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Audits and Risk Management Detective
    Establish, implement, and maintain a supply chain management policy. CC ID 08808
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.
    {supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.
    {supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.]
    Establish/Maintain Documentation Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Business Processes Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Human Resources Management Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809
    [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.]
    Establish/Maintain Documentation Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132
    [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: Article 6: Due diligence 1.
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: Article 6: Due diligence 3.]
    Establish/Maintain Documentation Preventive
    Select suppliers based on their qualifications. CC ID 00795
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a competent authority in a Member State or subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (f)
    {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)]
    Establish/Maintain Documentation Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Establish/Maintain Documentation Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain management policy. CC ID 15499
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (a)
    {supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3.
    {supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Establish/Maintain Documentation Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Communicate Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813
    [{supply chain management policy} The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 1.]
    Establish/Maintain Documentation Preventive
    Support third parties in building their capabilities. CC ID 08814 Business Processes Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Business Processes Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Business Processes Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Business Processes Preventive
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Establish/Maintain Documentation Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Establish/Maintain Documentation Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Establish/Maintain Documentation Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Establish/Maintain Documentation Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Establish/Maintain Documentation Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Establish/Maintain Documentation Preventive
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Data and Information Management Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Establish/Maintain Documentation Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Establish/Maintain Documentation Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Establish/Maintain Documentation Preventive
    Identify supply sources for secondary materials. CC ID 08822 Business Processes Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Business Processes Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854
    [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)]
    Business Processes Preventive
    Assess third parties' relevant experience during due diligence. CC ID 12070
    [{supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3.
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)]
    Business Processes Detective
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the potential impact of disruptions in the provision of the ICT services supporting critical or important functions on the continuity of the financial entity's activities and on the availability of its services. Article 1: Overall risk profile and complexity ¶ 1 (j)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Business Processes Detective
    Review third parties' backup policies. CC ID 13043 Systems Continuity Detective
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Business Processes Detective
    Assess third parties' compliance environment during due diligence. CC ID 13134
    [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: audits or independent assessments performed by the financial entity itself or on its behalf; Article 6: Due diligence 3. (a)
    {supply chain management policy} {independent audit} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that an independent review and audits verifying compliance with legal and regulatory requirements and policies are performed. Article 9: Monitoring of the contractual arrangements 2. (e)
    {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)]
    Process or Activity Detective
    Request attestation of compliance from third parties. CC ID 12067
    [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of audit reports made by the internal audit function of the ICT third-party service provider; Article 6: Due diligence 3. (c)
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of appropriate third-party certifications; Article 6: Due diligence 3. (d)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, third-party certifications; Article 8: Contractual clauses 2. (c)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)]
    Establish/Maintain Documentation Detective
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229
    [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of independent audit reports made on request by the ICT third-party service provider; Article 6: Due diligence 3. (b)]
    Business Processes Detective
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Business Processes Preventive
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075
    [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)]
    Business Processes Detective
    Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 Technical Security Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4.
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of other relevant information available to the financial entity or other information provided by the ICT third-party service provider. Article 6: Due diligence 3. (e)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: Article 8: Contractual clauses 3.
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: thoroughly assesses the content of the certifications or audit reports on an ongoing basis and verifies that the reports or certifications are not obsolete; Article 8: Contractual clauses 3. (c)]
    Business Processes Preventive
    Establish, implement, and maintain third party reporting requirements. CC ID 13289 Establish/Maintain Documentation Preventive
    Define timeliness factors for third party reporting requirements. CC ID 13304
    [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Establish/Maintain Documentation Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [{audit} {independent assessment} {independent audit report} {audit report} Financial entities shall ensure an appropriate level of assurance on the ICT third-party service provider's performance, taking into account the elements listed in paragraph 3, points (a) to (e). Where appropriate, more than one element listed in those points shall be used. Article 6: Due diligence 4.]
    Business Processes Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity's ICT risk management framework; Article 9: Monitoring of the contractual arrangements 2. (b)
    {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.
    {supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.]
    Monitor and Evaluate Occurrences Detective
    Monitor third parties' financial conditions. CC ID 13170 Monitor and Evaluate Occurrences Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: inappropriate or failed service delivery; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (b)]
    Business Processes Preventive
Common Controls and mandates by Type
35 Mandated Controls - bold
29 Implied Controls - italic
90 Implementation - regular

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
154 Total
  • Audits and Risk Management
    4
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular
    Columns: IMPACT ZONE | CLASS
    Manage supply chain audits. CC ID 01203
    [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a)]
    Audits and risk management Preventive
    Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Preventive
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Third Party and supply chain oversight Detective
  • Behavior
    2
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.]
    Leadership and high level objectives Preventive
  • Business Processes
    22
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Implement changes according to the change control program. CC ID 11776
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.]
    Operational management Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions. Article 3: Governance arrangements 8. (d)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.]
    Third Party and supply chain oversight Preventive
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024
    [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1]
    Third Party and supply chain oversight Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Third Party and supply chain oversight Preventive
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Third Party and supply chain oversight Preventive
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854
    [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)]
    Third Party and supply chain oversight Preventive
    Assess third parties' relevant experience during due diligence. CC ID 12070
    [{supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3.
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)]
    Third Party and supply chain oversight Detective
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the potential impact of disruptions in the provision of the ICT services supporting critical or important functions on the continuity of the financial entity's activities and on the availability of its services. Article 1: Overall risk profile and complexity ¶ 1 (j)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Third Party and supply chain oversight Detective
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Third Party and supply chain oversight Detective
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229
    [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of independent audit reports made on request by the ICT third-party service provider; Article 6: Due diligence 3. (b)]
    Third Party and supply chain oversight Detective
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Third Party and supply chain oversight Preventive
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075
    [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)]
    Third Party and supply chain oversight Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4.
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of other relevant information available to the financial entity or other information provided by the ICT third-party service provider. Article 6: Due diligence 3. (e)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: Article 8: Contractual clauses 3.
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: thoroughly assesses the content of the certifications or audit reports on an ongoing basis and verifies that the reports or certifications are not obsolete; Article 8: Contractual clauses 3. (c)]
    Third Party and supply chain oversight Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [{audit} {independent assessment} {independent audit report} {audit report} Financial entities shall ensure an appropriate level of assurance on the ICT third-party service provider's performance, taking into account the elements listed in paragraph 3, points (a) to (e). Where appropriate, more than one element listed in those points shall be used. Article 6: Due diligence 4.]
    Third Party and supply chain oversight Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: inappropriate or failed service delivery; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (b)]
    Third Party and supply chain oversight Preventive
  • Communicate
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Preventive
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Third Party and supply chain oversight Preventive
  • Data and Information Management
    2
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Detective
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Preventive
  • Establish Roles
    4
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Human Resources management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Preventive
  • Establish/Maintain Documentation
    87
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Preventive
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Preventive
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Preventive
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT business continuity policy referred to in Article 11 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (c)]
    Operational and Systems Continuity Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Preventive
    Include risk management in the information security program. CC ID 12378 Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the information security policy referred to in Article 9(4) of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (b)]
    Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1]
    Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120 Operational management Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1
    {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (d)
    {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)
    {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.]
    Third Party and supply chain oversight Preventive
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the involvement of business units, internal controls and other relevant units in respect of contractual arrangements; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (c)
    {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)]
    Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b)
    {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513
    [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515
    [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)]
    Third Party and supply chain oversight Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b)
    {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: consents to contractual arrangements that ensure that it is effectively possible to conduct audits at the ICT third-party service provider, including onsite, by the financial entity itself, appointed third parties, and competent authorities; Article 6: Due diligence 1. (e)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls; Article 8: Contractual clauses 3. (g)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency. Article 8: Contractual clauses 3. (h)]
    Third Party and supply chain oversight Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the requirements on incident reporting set out in Article 19 of Regulation (EU) 2022/2554. Article 3: Governance arrangements 6. (d)]
    Third Party and supply chain oversight Preventive
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Preventive
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the provision of ICT services supporting critical or important functions are concentrated to a single ICT third-party service provider or a small number of such service providers; Article 1: Overall risk profile and complexity ¶ 1 (h)
    {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)]
    Third Party and supply chain oversight Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the type of ICT services included in the contractual arrangement on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'contractual arrangement') between the financial entity and the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (a)]
    Third Party and supply chain oversight Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the location of the ICT third-party service provider or the location of its parent company; Article 1: Overall risk profile and complexity ¶ 1 (b)
    {supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)
    {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: is located, or processes or stores the data in a third country and, if this is the case, whether this practice affects the level of operational or reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services; Article 6: Due diligence 1. (d)]
    Third Party and supply chain oversight Preventive
    Categorize all suppliers in the supply chain management program. CC ID 00792
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT third-party service provider is part of the same group as the financial entity to which the services are provided; Article 1: Overall risk profile and complexity ¶ 1 (e)]
    Third Party and supply chain oversight Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT risk management framework referred to in Article 6 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (a)
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Third Party and supply chain oversight Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT concentration risks at entity level. Article 5: Ex-ante risk assessment 2. ¶ 2 (i)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (c)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: reputational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (d)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location of the ICT third-party service provider; Article 5: Ex-ante risk assessment 2. ¶ 2 (h)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location where the data is processed and stored; Article 5: Ex-ante risk assessment 2. ¶ 2 (g)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the availability of data; Article 5: Ex-ante risk assessment 2. ¶ 2 (f)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the protection of confidential or personal data; Article 5: Ex-ante risk assessment 2. ¶ 2 (e)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: legal risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (b)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: operational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (a)]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.
    {supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.
    {supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.]
    Third Party and supply chain oversight Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809
    [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.]
    Third Party and supply chain oversight Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132
    [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: Article 6: Due diligence 1.
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: Article 6: Due diligence 3.]
    Third Party and supply chain oversight Preventive
    Select suppliers based on their qualifications. CC ID 00795
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a competent authority in a Member State or subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (f)
    {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)]
    Third Party and supply chain oversight Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Third Party and supply chain oversight Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in the supply chain management policy. CC ID 15499
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (a)
    {supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3.
    {supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Third Party and supply chain oversight Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Third Party and supply chain oversight Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813
    [{supply chain management policy} The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 1.]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Third Party and supply chain oversight Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Third Party and supply chain oversight Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Third Party and supply chain oversight Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Third Party and supply chain oversight Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Third Party and supply chain oversight Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Third Party and supply chain oversight Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Third Party and supply chain oversight Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Third Party and supply chain oversight Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Third Party and supply chain oversight Preventive
    Request attestation of compliance from third parties. CC ID 12067
    [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of audit reports made by the internal audit function of the ICT third-party service provider; Article 6: Due diligence 3. (c)
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of appropriate third-party certifications; Article 6: Due diligence 3. (d)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, third-party certifications; Article 8: Contractual clauses 2. (c)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)]
    Third Party and supply chain oversight Detective
    Establish, implement, and maintain third party reporting requirements. CC ID 13289 Third Party and supply chain oversight Preventive
    Define timeliness factors for third party reporting requirements. CC ID 13304
    [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Third Party and supply chain oversight Preventive
  • Human Resources Management
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Corrective
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Third Party and supply chain oversight Preventive
  • IT Impact Zone
    6
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Monitor and Evaluate Occurrences
    2
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity's ICT risk management framework; Article 9: Monitoring of the contractual arrangements 2. (b)
    {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.
    {supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.]
    Third Party and supply chain oversight Detective
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Detective
  • Process or Activity
    2
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangements are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1.]
    Third Party and supply chain oversight Detective
    Assess third parties' compliance environment during due diligence. CC ID 13134
    [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: audits or independent assessments performed by the financial entity itself or on its behalf; Article 6: Due diligence 3. (a)
    {supply chain management policy} {independent audit} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that an independent review and audits verifying compliance with legal and regulatory requirements and policies are performed. Article 9: Monitoring of the contractual arrangements 2. (e)
    {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)]
    Third Party and supply chain oversight Detective
  • Systems Continuity
    3
    Approve or deny third party recovery plans, as necessary. CC ID 17124 Third Party and supply chain oversight Preventive
    Review third party recovery plans. CC ID 17123 Third Party and supply chain oversight Detective
    Review third parties' backup policies. CC ID 13043 Third Party and supply chain oversight Detective
  • Technical Security
    1
    Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 Third Party and supply chain oversight Detective
  • Testing
    7
    Establish, implement, and maintain the audit plan. CC ID 01156
    [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.]
    Audits and risk management Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (e)]
    Third Party and supply chain oversight Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366
    [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d)
    {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.]
    Third Party and supply chain oversight Detective
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Detective
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4.
    {supply chain management policy} The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 2. ¶ 1]
    Third Party and supply chain oversight Detective
Common Controls and mandates by Classification

35 Mandated Controls - bold    29 Implied Controls - italic    90 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls: 154 Total
  • Corrective
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Human Resources Management
  • Detective
    23
    Establish, implement, and maintain the audit plan. CC ID 01156
    [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.]
    Audits and risk management Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangements are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1.]
    Third Party and supply chain oversight Process or Activity
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (e)]
    Third Party and supply chain oversight Testing
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366
    [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d)
    {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.]
    Third Party and supply chain oversight Testing
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Testing
    Review third party recovery plans. CC ID 17123 Third Party and supply chain oversight Systems Continuity
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Testing
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Data and Information Management
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Testing
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4.
    {supply chain management policy} The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 2. ¶ 1]
    Third Party and supply chain oversight Testing
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Third Party and supply chain oversight Audits and Risk Management
    Assess third parties' relevant experience during due diligence. CC ID 12070
    [{supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3.
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)]
    Third Party and supply chain oversight Business Processes
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the potential impact of disruptions in the provision of the ICT services supporting critical or important functions on the continuity of the financial entity's activities and on the availability of its services. Article 1: Overall risk profile and complexity ¶ 1 (j)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Third Party and supply chain oversight Business Processes
    Review third parties' backup policies. CC ID 13043 Third Party and supply chain oversight Systems Continuity
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Third Party and supply chain oversight Business Processes
    Assess third parties' compliance environment during due diligence. CC ID 13134
    [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: audits or independent assessments performed by the financial entity itself or on its behalf; Article 6: Due diligence 3. (a)
    {supply chain management policy} {independent audit} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that an independent review and audits verifying compliance with legal and regulatory requirements and policies are performed. Article 9: Monitoring of the contractual arrangements 2. (e)
    {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)]
    Third Party and supply chain oversight Process or Activity
    Request attestation of compliance from third parties. CC ID 12067
    [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of audit reports made by the internal audit function of the ICT third-party service provider; Article 6: Due diligence 3. (c)
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of appropriate third-party certifications; Article 6: Due diligence 3. (d)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, third-party certifications; Article 8: Contractual clauses 2. (c)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229
    [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of independent audit reports made on request by the ICT third-party service provider; Article 6: Due diligence 3. (b)]
    Third Party and supply chain oversight Business Processes
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075
    [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)]
    Third Party and supply chain oversight Business Processes
    Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 Third Party and supply chain oversight Technical Security
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [{audit} {independent assessment} {independent audit report} {audit report} Financial entities shall ensure an appropriate level of assurance on the ICT third-party service provider's performance, taking into account the elements listed in paragraph 3, points (a) to (e). Where appropriate, more than one element listed in those points shall be used. Article 6: Due diligence 4.]
    Third Party and supply chain oversight Business Processes
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity's ICT risk management framework; Article 9: Monitoring of the contractual arrangements 2. (b)
    {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.
    {supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.]
    Third Party and supply chain oversight Monitor and Evaluate Occurrences
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Monitor and Evaluate Occurrences
  • IT Impact Zone
    6
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    124
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Behavior
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.]
    Leadership and high level objectives Behavior
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Establish Roles
    Manage supply chain audits. CC ID 01203
    [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a)]
    Audits and risk management Audits and Risk Management
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Establish/Maintain Documentation
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Establish/Maintain Documentation
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Establish/Maintain Documentation
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Establish/Maintain Documentation
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Establish/Maintain Documentation
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Establish/Maintain Documentation
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Establish/Maintain Documentation
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Establish/Maintain Documentation
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Establish/Maintain Documentation
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Establish/Maintain Documentation
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Establish/Maintain Documentation
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Establish/Maintain Documentation
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Communicate
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT business continuity policy referred to in Article 11 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (c)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Human Resources management Establish Roles
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Human Resources Management
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Establish/Maintain Documentation
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Human Resources Management
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Establish/Maintain Documentation
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Establish/Maintain Documentation
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Human Resources Management
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Human Resources Management
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Establish Roles
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Human Resources Management
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Human Resources Management
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Human Resources Management
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Include risk management in the information security program. CC ID 12378 Operational management Establish/Maintain Documentation
    Include mitigating supply chain risks in the information security program. CC ID 13352
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the information security policy referred to in Article 9(4) of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (b)]
    Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Establish/Maintain Documentation
    Implement changes according to the change control program. CC ID 11776
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.]
    Operational management Business Processes
    Provide audit trails for all approved changes. CC ID 13120 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1
    {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (d)
    {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)
    {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions. Article 3: Governance arrangements 8. (d)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.]
    Third Party and supply chain oversight Business Processes
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the involvement of business units, internal controls and other relevant units in respect of contractual arrangements; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (c)
    {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b)
    {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513
    [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third-party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515
    [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b)
    {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: consents to contractual arrangements that ensure that it is effectively possible to conduct audits at the ICT third-party service provider, including onsite, by the financial entity itself, appointed third parties, and competent authorities; Article 6: Due diligence 1. (e)
    {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls; Article 8: Contractual clauses 3. (g)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency. Article 8: Contractual clauses 3. (h)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the requirements on incident reporting set out in Article 19 of Regulation (EU) 2022/2554. Article 3: Governance arrangements 6. (d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Establish/Maintain Documentation
    Approve or deny third party recovery plans, as necessary. CC ID 17124 Third Party and supply chain oversight Systems Continuity
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the provision of ICT services supporting critical or important functions are concentrated to a single ICT third-party service provider or a small number of such service providers; Article 1: Overall risk profile and complexity ¶ 1 (h)
    {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Establish/Maintain Documentation
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Establish/Maintain Documentation
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Communicate
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the type of ICT services included in the contractual arrangement on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'contractual arrangement') between the financial entity and the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the location of the ICT third-party service provider or the location of its parent company; Article 1: Overall risk profile and complexity ¶ 1 (b)
    {supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)
    {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: is located, or processes or stores the data in a third country and, if this is the case, whether this practice affects the level of operational or reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services; Article 6: Due diligence 1. (d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Categorize all suppliers in the supply chain management program. CC ID 00792
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT third-party service provider is part of the same group as the financial entity to which the services are provided; Article 1: Overall risk profile and complexity ¶ 1 (e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include risk management procedures in the supply chain management policy. CC ID 08811
    [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT risk management framework referred to in Article 6 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (a)
    {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)
    {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024
    [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1]
    Third Party and supply chain oversight Business Processes
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Business Processes
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT concentration risks at entity level. Article 5: Ex-ante risk assessment 2. ¶ 2 (i)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (c)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: reputational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (d)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location of the ICT third-party service provider; Article 5: Ex-ante risk assessment 2. ¶ 2 (h)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location where the data is processed and stored; Article 5: Ex-ante risk assessment 2. ¶ 2 (g)
The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the availability of data; Article 5: Ex-ante risk assessment 2. ¶ 2 (f)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the protection of confidential or personal data; Article 5: Ex-ante risk assessment 2. ¶ 2 (e)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: legal risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (b)
    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: operational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management policy. CC ID 08808
    [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.
    {supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.
    {supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Third Party and supply chain oversight Business Processes
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Third Party and supply chain oversight Human Resources Management
    Include supplier assessment principles in the supply chain management policy. CC ID 08809
    [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the third party selection process in the supply chain management policy. CC ID 13132
    [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: Article 6: Due diligence 1.
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: Article 6: Due diligence 3.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Select suppliers based on their qualifications. CC ID 00795
    [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a competent authority in a Member State or subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (f)
    {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a clear management process in the supply chain management policy. CC ID 08810 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain management policy. CC ID 15499
    [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (a)
    {supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3.
    {supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Third Party and supply chain oversight Communicate
    Require suppliers to commit to the supply chain management policy. CC ID 08813
    [{supply chain management policy} The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 1.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Business Processes
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Business Processes
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Business Processes
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Third Party and supply chain oversight Establish/Maintain Documentation
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Third Party and supply chain oversight Establish/Maintain Documentation
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Data and Information Management
    Establish and maintain a conflict materials report. CC ID 08823 Third Party and supply chain oversight Establish/Maintain Documentation
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Third Party and supply chain oversight Establish/Maintain Documentation
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Third Party and supply chain oversight Establish/Maintain Documentation
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Business Processes
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Business Processes
    Conduct all parts of the supply chain due diligence process. CC ID 08854
    [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)]
    Third Party and supply chain oversight Business Processes
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Third Party and supply chain oversight Business Processes
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4.
    {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of other relevant information available to the financial entity or other information provided by the ICT third-party service provider. Article 6: Due diligence 3. (e)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: Article 8: Contractual clauses 3.
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b)
    {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: thoroughly assesses the content of the certifications or audit reports on an ongoing basis and verifies that the reports or certifications are not obsolete; Article 8: Contractual clauses 3. (c)
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain third party reporting requirements. CC ID 13289 Third Party and supply chain oversight Establish/Maintain Documentation
    Define timeliness factors for third party reporting requirements. CC ID 13304
    [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: inappropriate or failed service delivery; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (b)]
    Third Party and supply chain oversight Business Processes