0003977
Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
European Union
Regulations
Free
Regulations specifying criteria (policy) for the critical ICT third-party service providers in the financial sector
2024-03-13
The document as a whole was last reviewed and released on 2024-09-06T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the quality of the mapping is of the highest degree. More information on the process used to map Authority Documents, and on how to become involved in that process, is available from the UCF Mapping Team.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, tagged with their primary and secondary nouns and primary and secondary verbs, in a four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers are based on terms found within the Authority Document's defined-terms section (which most legal documents have), its glossary, and, for the most part, the terms tagged within each mandate. Terms shown with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.
Common Control (with tagged Citations) | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Establish Roles | Preventive | |
Manage supply chain audits. CC ID 01203 [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7. {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a)] | Audits and Risk Management | Preventive | |
Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and Risk Management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive | |
Review the external auditor's qualifications. CC ID 01197 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied with the aptitude of the certifying or auditing party; Article 8: Contractual clauses 3. (e)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied with the audit plan of the ICT third-party service provider for the relevant contractual arrangements; Article 8: Contractual clauses 3. (a)] | Communicate | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
Audit information systems, as necessary. CC ID 13010 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, pooled audits and pooled ICT testing, including threat-led penetration testing, that are organised jointly with other contracting financial entities or firms that use ICT services of the same ICT third-party service provider and that are performed by those contracting financial entities or firms or by a third party appointed by them; Article 8: Contractual clauses 2. (b)] | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Testing | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.] | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Establish/Maintain Documentation | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: unforeseen and persistent service interruptions; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 | Testing | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.] | Establish/Maintain Documentation | Detective | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that key systems and controls are covered in future versions of the certification or audit report; Article 8: Contractual clauses 3. (d) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b)] | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Common Control (with tagged Citations) | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{supply chain management policy} The policy shall specify the appropriate measures to identify, prevent and manage actual or potential conflicts of interest arising from the use of ICT third-party service providers that are to be taken before entering relevant contractual arrangements and shall provide for an ongoing monitoring of such conflicts of interest. Article 7: Conflicts of interest 1.] | Establish/Maintain Documentation | Preventive | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Establish/Maintain Documentation | Preventive | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 [{supply chain management policy} The policy shall specify the appropriate measures to identify, prevent and manage actual or potential conflicts of interest arising from the use of ICT third-party service providers that are to be taken before entering relevant contractual arrangements and shall provide for an ongoing monitoring of such conflicts of interest. Article 7: Conflicts of interest 1.] | Monitor and Evaluate Occurrences | Preventive | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Communicate | Preventive | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Establish/Maintain Documentation | Preventive | |
Common Control (with tagged Citations) | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Behavior | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.] | Behavior | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Establish/Maintain Documentation | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 [{supply chain management policy} {be objective} Where ICT services supporting critical or important functions are provided by ICT intra-group service providers, the policy shall specify that decisions on the conditions, including the financial conditions, for the ICT services are to be taken objectively. Article 7: Conflicts of interest 2.] | Process or Activity | Preventive | |
Common Control (with tagged Citations) | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Establish/Maintain Documentation | Detective | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Process or Activity | Detective | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitor and Evaluate Occurrences | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitor and Evaluate Occurrences | Detective | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitor and Evaluate Occurrences | Detective | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitor and Evaluate Occurrences | Detective | |
Implement file integrity monitoring. CC ID 01205 | Monitor and Evaluate Occurrences | Detective | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Technical Security | Detective | |
Monitor for software configurations updates absent authorization. CC ID 10676 | Monitor and Evaluate Occurrences | Preventive | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Technical Security | Preventive | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitor and Evaluate Occurrences | Preventive | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Establish/Maintain Documentation | Preventive | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Process or Activity | Preventive | |
Monitor and evaluate user account activity. CC ID 07066 | Monitor and Evaluate Occurrences | Detective | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Technical Security | Preventive | |
Log account usage to determine dormant accounts. CC ID 12118 | Log Management | Detective | |
Log account usage times. CC ID 07099 | Log Management | Detective | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitor and Evaluate Occurrences | Detective | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitor and Evaluate Occurrences | Detective | |
Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Communicate | Detective | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Log Management | Detective | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitor and Evaluate Occurrences | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Communicate | Detective | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [{supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Actionable Reports or Measurements | Preventive | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | | | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT business continuity policy referred to in Article 11 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Behavior | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | | | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the information security policy referred to in Article 9(4) of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (b)] | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Establish/Maintain Documentation | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
Implement changes according to the change control program. CC ID 11776 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.] | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | | | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (d) {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b) {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.] | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the exit strategies and termination processes as set out in Article 10. Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (f) {supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: Article 10: Exit from and termination of the contractual arrangements ¶ 1 {be feasible} The exit plan shall be realistic, feasible, based on plausible scenarios and reasonable assumptions and shall have a planned implementation schedule compatible with the exit and termination terms established in the contractual arrangements. Article 10: Exit from and termination of the contractual arrangements ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Establish/Maintain Documentation | Preventive | |
Test the exit plan, as necessary. CC ID 15495 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: Article 10: Exit from and termination of the contractual arrangements ¶ 1] | Testing | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangement are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1.] | Process or Activity | Detective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangement are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1. {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.] | Acquisition/Sale of Assets or Services | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions. Article 3: Governance arrangements 8. (d) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.] | Business Processes | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.] | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the involvement of business units, internal controls and other relevant units in respect of contractual arrangements; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (c) {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)] | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the ICT third party service providers cooperate with the competent authorities; Article 3: Governance arrangements 8. (c)] | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b) {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)] | Establish/Maintain Documentation | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the ICT third-party service providers provide appropriate reports on their activities and services to the financial entity, including periodic reports, incidents reports, service delivery reports, reports on ICT security and reports on business continuity measures and testing; Article 9: Monitoring of the contractual arrangements 2. (a) {supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity receives other relevant information from the ICT third-party service providers; Article 9: Monitoring of the contractual arrangements 2. (c)] | Establish/Maintain Documentation | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d)] | Establish/Maintain Documentation | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b) {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: consents to contractual arrangements that ensure that it is effectively possible to conduct audits at the ICT third-party service provider, including onsite, by the financial entity itself, appointed third parties, and competent authorities; Article 6: Due diligence 1. (e) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2. {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls; Article 8: Contractual clauses 3. (g) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency. Article 8: Contractual clauses 3. (h)] | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Establish/Maintain Documentation | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Establish/Maintain Documentation | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Acquisition/Sale of Assets or Services | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Establish/Maintain Documentation | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the exit strategies and termination processes as set out in Article 10. Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (f)] | Establish/Maintain Documentation | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: the unexpected termination of the contractual arrangement. Article 10: Exit from and termination of the contractual arrangements ¶ 1 (c)] | Establish/Maintain Documentation | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the requirements on incident reporting set out in Article 19 of Regulation (EU) 2022/2554. Article 3: Governance arrangements 6. (d)] | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (e)] | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d) {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the provision of ICT services supporting critical or important functions are concentrated to a single ICT third-party service provider or a small number of such service providers; Article 1: Overall risk profile and complexity ¶ 1 (h) {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)] | Establish/Maintain Documentation | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the nature of the data shared with the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (d)] | Establish/Maintain Documentation | Preventive | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)] | Establish/Maintain Documentation | Preventive | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)] | Establish/Maintain Documentation | Preventive | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the transferability of the ICT services supporting critical or important functions to another ICT third-party service provider, including as a result of technology specificities; Article 1: Overall risk profile and complexity ¶ 1 (i)] | Establish/Maintain Documentation | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Establish/Maintain Documentation | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the type of ICT services included in the contractual arrangement on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'contractual arrangement') between the financial entity and the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (a)] | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the location of the ICT third-party service provider or the location of its parent company; Article 1: Overall risk profile and complexity ¶ 1 (b) {supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c) {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: is located, or processes or stores the data in a third country and, if this is the case, whether this practice affects the level of operational or reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services; Article 6: Due diligence 1. (d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Process or Activity | Preventive | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Business Processes | Corrective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT third-party service provider is part of the same group as the financial entity to which the services are provided; Article 1: Overall risk profile and complexity ¶ 1 (e)] | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT risk management framework referred to in Article 6 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (a) {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4. {supply chain management policy} The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded Article 5: Ex-ante risk assessment 2. ¶ 1] | Testing | Detective | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1] | Business Processes | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Establish/Maintain Documentation | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Establish/Maintain Documentation | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Business Processes | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Establish/Maintain Documentation | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1 The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT concentration risks at entity level. Article 5: Ex-ante risk assessment 2. ¶ 2 (i) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2 The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (c) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: reputational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (d) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location of the ICT third-party service provider; Article 5: Ex-ante risk assessment 2. ¶ 2 (h) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location where the data is processed and stored; Article 5: Ex-ante risk assessment 2. ¶ 2 (g) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the availability of data; Article 5: Ex-ante risk assessment 2. ¶ 2 (f) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the protection of confidential or personal data; Article 5: Ex-ante risk assessment 2. ¶ 2 (e) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: legal risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (b) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: operational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (a)] | Establish/Maintain Documentation | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1. {supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2. {supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.] | Establish/Maintain Documentation | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Business Processes | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.] | Establish/Maintain Documentation | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: Article 6: Due diligence 1. {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: Article 6: Due diligence 3.] | Establish/Maintain Documentation | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a competent authority in a Member State or subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (f) {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)] | Establish/Maintain Documentation | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Establish/Maintain Documentation | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (a) {supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3. {supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Establish/Maintain Documentation | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 [{supply chain management policy} The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 1.] | Establish/Maintain Documentation | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Business Processes | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Business Processes | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Business Processes | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Business Processes | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Establish/Maintain Documentation | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Establish/Maintain Documentation | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Establish/Maintain Documentation | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Establish/Maintain Documentation | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Establish/Maintain Documentation | Preventive | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Data and Information Management | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Establish/Maintain Documentation | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Business Processes | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Business Processes | Preventive | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 | Business Processes | Preventive | |
Commit to the supply chain due diligence process. CC ID 08849 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Business Processes | Preventive | |
Structure the organization to support supply chain due diligence. CC ID 08850 | Business Processes | Preventive | |
Schedule supply chain audits, as necessary. CC ID 10015 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Business Processes | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Business Processes | Preventive | |
Identify all service providers in the supply chain. CC ID 12213 | Business Processes | Preventive | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Business Processes | Detective | |
Assess third parties' relevant experience during due diligence. CC ID 12070 [{supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3. {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Business Processes | Detective | |
Assess third parties' legal risks to the organization during due diligence. CC ID 12078 | Business Processes | Detective | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the potential impact of disruptions in the provision of the ICT services supporting critical or important functions on the continuity of the financial entity's activities and on the availability of its services. Article 1: Overall risk profile and complexity ¶ 1 (j) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Business Processes | Detective | |
Review third parties' backup policies. CC ID 13043 | Systems Continuity | Detective | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Business Processes | Detective | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2. {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Business Processes | Detective | |
Assess third parties' financial stability during due diligence. CC ID 12066 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Business Processes | Detective | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: uses or intends to use ICT sub-contractors to perform the ICT services supporting critical or important functions or material parts thereof; Article 6: Due diligence 1. (c)] | Business Processes | Detective | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Business Processes | Detective | |
Assess the third parties' reputation during due diligence. CC ID 12068 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Business Processes | Detective | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Business Processes | Detective | |
Assess complaints against third parties during due diligence. CC ID 12069 | Business Processes | Detective | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Business Processes | Preventive | |
Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Business Processes | Preventive | |
Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Business Processes | Preventive | |
Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Business Processes | Preventive | |
Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Business Processes | Preventive | |
Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Business Processes | Preventive | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 | Testing | Detective | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Establish/Maintain Documentation | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: audits or independent assessments performed by the financial entity itself or on its behalf; Article 6: Due diligence 3. (a) {supply chain management policy} {independent audit} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that an independent review and audits verifying compliance with legal and regulatory requirements and policies are performed. Article 9: Monitoring of the contractual arrangements 2. (e) {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Process or Activity | Detective | |
Document that supply chain members investigate security events. CC ID 13348 | Investigate | Detective | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Process or Activity | Detective | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
Request attestation of compliance from third parties. CC ID 12067 [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1 {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of audit reports made by the internal audit function of the ICT third-party service provider; Article 6: Due diligence 3. (c) {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of appropriate third-party certifications; Article 6: Due diligence 3. (d) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, third-party certifications; Article 8: Contractual clauses 2. (c) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Establish/Maintain Documentation | Detective | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of independent audit reports made on request by the ICT third-party service provider; Article 6: Due diligence 3. (b)] | Business Processes | Detective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Business Processes | Preventive | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Business Processes | Detective | |
Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 | Technical Security | Detective | |
Validate the third parties' compliance with organizationally mandated compliance requirements. CC ID 08819 [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4. {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of other relevant information available to the financial entity or other information provided by the ICT third-party service provider. Article 6: Due diligence 3. (e) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: Article 8: Contractual clauses 3. {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. 
The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: thoroughly assesses the content of the certifications or audit reports on an ongoing basis and verifies that the reports or certifications are not obsolete; Article 8: Contractual clauses 3. (c)] | Business Processes | Preventive | |
Determine third party compliance with third party contracts. CC ID 08866 | Business Processes | Preventive | |
Quarantine non-compliant material. CC ID 08867 | Business Processes | Preventive | |
Refrain from quarantining conflict-free materials. CC ID 08868 | Business Processes | Preventive | |
Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Business Processes | Preventive | |
Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 | Business Processes | Preventive | |
Establish and maintain a supply chain due diligence report. CC ID 08824 | Business Processes | Preventive | |
Submit the supply chain due diligence report. CC ID 08828 | Business Processes | Preventive | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [{supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Business Processes | Preventive | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 | Establish/Maintain Documentation | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [{audit} {independent assessment} {independent audit report} {audit report} Financial entities shall ensure an appropriate level of assurance on the ICT third-party service provider's performance, taking into account the elements listed in paragraph 3, points (a) to (e). Where appropriate, more than one element listed in those points shall be used. Article 6: Due diligence 4.] | Business Processes | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity's ICT risk management framework; Article 9: Monitoring of the contractual arrangements 2. (b) {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1. {supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. 
It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.] | Monitor and Evaluate Occurrences | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Monitor and Evaluate Occurrences | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: inappropriate or failed service delivery; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (b)] | Business Processes | Preventive | |
Identify red flags in the supply chain. CC ID 08873 | Business Processes | Preventive | |
Detect red flags in the supply chain. CC ID 08874 | Business Processes | Preventive | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Business Processes | Preventive | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Business Processes | Preventive | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Business Processes | Preventive | |
Collect information on red-flagged supply chains. CC ID 08877 | Business Processes | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Establish/Maintain Documentation | Preventive | |
Include performance standards in outsourcing contracts. CC ID 13140 [{supply chain management policy} {performance standard} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: Article 9: Monitoring of the contractual arrangements 2.] | Establish/Maintain Documentation | Preventive | |
Include quality standards in outsourcing contracts. CC ID 17191 [{supply chain management policy} {performance standard} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: Article 9: Monitoring of the contractual arrangements 2.] | Establish/Maintain Documentation | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Write contractual agreements in clear and conspicuous language. CC ID 16923 [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangements are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1. {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.] | Third Party and supply chain oversight | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Preventive |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Monitoring and measurement | Preventive |
Manage supply chain audits. CC ID 01203 [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7. {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a)] | Audits and risk management | Preventive | |
Review the external auditor's involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Preventive | |
Review the external auditor's qualifications. CC ID 01197 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied with the aptitude of the certifying or auditing party; Article 8: Contractual clauses 3. (e)] | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Preventive | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Assess the quality of the audit program in regard to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Detective | |
Schedule supply chain audits, as necessary. CC ID 10015 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Third Party and supply chain oversight | Preventive |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.] | Leadership and high level objectives | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Preventive | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Implement changes according to the change control program. CC ID 11776 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.] | Operational management | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions. Article 3: Governance arrangements 8. (d) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.] | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Preventive | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Third Party and supply chain oversight | Corrective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1] | Third Party and supply chain oversight | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Third Party and supply chain oversight | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 | Third Party and supply chain oversight | Preventive | |
Commit to the supply chain due diligence process. CC ID 08849 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Third Party and supply chain oversight | Preventive | |
Structure the organization to support supply chain due diligence. CC ID 08850 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Third Party and supply chain oversight | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Third Party and supply chain oversight | Preventive | |
Identify all service providers in the supply chain. CC ID 12213 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Third Party and supply chain oversight | Detective | |
Assess third parties' relevant experience during due diligence. CC ID 12070 [{supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3. {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Third Party and supply chain oversight | Detective | |
Assess third parties' legal risks to the organization during due diligence. CC ID 12078 | Third Party and supply chain oversight | Detective | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the potential impact of disruptions in the provision of the ICT services supporting critical or important functions on the continuity of the financial entity's activities and on the availability of its services. Article 1: Overall risk profile and complexity ¶ 1 (j) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Third Party and supply chain oversight | Detective | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Third Party and supply chain oversight | Detective | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2. {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Third Party and supply chain oversight | Detective | |
Assess third parties' financial stability during due diligence. CC ID 12066 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Third Party and supply chain oversight | Detective | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: uses or intends to use ICT sub-contractors to perform the ICT services supporting critical or important functions or material parts thereof; Article 6: Due diligence 1. (c)] | Third Party and supply chain oversight | Detective | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Third Party and supply chain oversight | Detective | |
Assess the third parties' reputation during due diligence. CC ID 12068 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Third Party and supply chain oversight | Detective | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Third Party and supply chain oversight | Detective | |
Assess complaints against third parties during due diligence. CC ID 12069 | Third Party and supply chain oversight | Detective | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Third Party and supply chain oversight | Preventive | |
Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Third Party and supply chain oversight | Preventive | |
Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Third Party and supply chain oversight | Preventive | |
Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Third Party and supply chain oversight | Preventive | |
Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Third Party and supply chain oversight | Preventive | |
Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Third Party and supply chain oversight | Preventive | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of independent audit reports made on request by the ICT third-party service provider; Article 6: Due diligence 3. (b)] | Third Party and supply chain oversight | Detective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Third Party and supply chain oversight | Detective | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4. {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of other relevant information available to the financial entity or other information provided by the ICT third-party service provider. Article 6: Due diligence 3. (e) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: Article 8: Contractual clauses 3. {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: thoroughly assesses the content of the certifications or audit reports on an ongoing basis and verifies that the reports or certifications are not obsolete; Article 8: Contractual clauses 3. (c)] | Third Party and supply chain oversight | Preventive | |
Determine third party compliance with third party contracts. CC ID 08866 | Third Party and supply chain oversight | Preventive | |
Quarantine non-compliant material. CC ID 08867 | Third Party and supply chain oversight | Preventive | |
Refrain from quarantining conflict-free materials. CC ID 08868 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Third Party and supply chain oversight | Preventive | |
Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 | Third Party and supply chain oversight | Preventive | |
Establish and maintain a supply chain due diligence report. CC ID 08824 | Third Party and supply chain oversight | Preventive | |
Submit the supply chain due diligence report. CC ID 08828 | Third Party and supply chain oversight | Preventive | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [{supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Third Party and supply chain oversight | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [{audit} {independent assessment} {independent audit report} {audit report} Financial entities shall ensure an appropriate level of assurance on the ICT third-party service provider's performance, taking into account the elements listed in paragraph 3, points (a) to (e). Where appropriate, more than one element listed in those points shall be used. Article 6: Due diligence 4.] | Third Party and supply chain oversight | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: inappropriate or failed service delivery; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (b)] | Third Party and supply chain oversight | Preventive | |
Identify red flags in the supply chain. CC ID 08873 | Third Party and supply chain oversight | Preventive | |
Detect red flags in the supply chain. CC ID 08874 | Third Party and supply chain oversight | Preventive | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Third Party and supply chain oversight | Preventive | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Third Party and supply chain oversight | Preventive | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Third Party and supply chain oversight | Preventive | |
Collect information on red-flagged supply chains. CC ID 08877 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Detective | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Monitoring and measurement | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied with the audit plan of the ICT third-party service provider for the relevant contractual arrangements; Article 8: Contractual clauses 3. (a)] | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Human Resources management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Share incident information with interested personnel and affected parties. CC ID 01212 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Audits and risk management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Monitoring and measurement | Detective | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Monitoring and measurement | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Monitoring and measurement | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Audits and risk management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: unforeseen and persistent service interruptions; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (a)] | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.] | Audits and risk management | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that key systems and controls are covered in future versions of the certification or audit report; Article 8: Contractual clauses 3. (d) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b)] | Audits and risk management | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT business continuity policy referred to in Article 11 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (c)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Operational and Systems Continuity | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{supply chain management policy} The policy shall specify the appropriate measures to identify, prevent and manage actual or potential conflicts of interest arising from the use of ICT third-party service providers that are to be taken before entering relevant contractual arrangements and shall provide for an ongoing monitoring of such conflicts of interest. Article 7: Conflicts of interest 1.] | Human Resources management | Preventive | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Preventive | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the information security policy referred to in Article 9(4) of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (b)] | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Operational management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (d) {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b) {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.] | Third Party and supply chain oversight | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the exit strategies and termination processes as set out in Article 10. Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (f) {supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: Article 10: Exit from and termination of the contractual arrangements ¶ 1 {be feasible} The exit plan shall be realistic, feasible, based on plausible scenarios and reasonable assumptions and shall have a planned implementation schedule compatible with the exit and termination terms established in the contractual arrangements. Article 10: Exit from and termination of the contractual arrangements ¶ 2] | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.] | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the involvement of business units, internal controls and other relevant units in respect of contractual arrangements; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (c) {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)] | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the ICT third party service providers cooperate with the competent authorities; Article 3: Governance arrangements 8. (c)] | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b) {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)] | Third Party and supply chain oversight | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the ICT third-party service providers provide appropriate reports on their activities and services to the financial entity, including periodic reports, incidents reports, service delivery reports, reports on ICT security and reports on business continuity measures and testing; Article 9: Monitoring of the contractual arrangements 2. (a) {supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity receives other relevant information from the ICT third-party service providers; Article 9: Monitoring of the contractual arrangements 2. (c)] | Third Party and supply chain oversight | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d)] | Third Party and supply chain oversight | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b) {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: consents to contractual arrangements that ensure that it is effectively possible to conduct audits at the ICT third-party service provider, including onsite, by the financial entity itself, appointed third parties, and competent authorities; Article 6: Due diligence 1. (e) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2. {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls; Article 8: Contractual clauses 3. (g) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency. Article 8: Contractual clauses 3. (h)] | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Third Party and supply chain oversight | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the exit strategies and termination processes as set out in Article 10. Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (f)] | Third Party and supply chain oversight | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: the unexpected termination of the contractual arrangement. Article 10: Exit from and termination of the contractual arrangements ¶ 1 (c)] | Third Party and supply chain oversight | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the requirements on incident reporting set out in Article 19 of Regulation (EU) 2022/2554. Article 3: Governance arrangements 6. (d)] | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the provision of ICT services supporting critical or important functions are concentrated to a single ICT third-party service provider or a small number of such service providers; Article 1: Overall risk profile and complexity ¶ 1 (h) {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)] | Third Party and supply chain oversight | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the nature of the data shared with the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (d)] | Third Party and supply chain oversight | Preventive | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)] | Third Party and supply chain oversight | Preventive | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)] | Third Party and supply chain oversight | Preventive | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the transferability of the ICT services supporting critical or important functions to another ICT third-party service provider, including as a result of technology specificities; Article 1: Overall risk profile and complexity ¶ 1 (i)] | Third Party and supply chain oversight | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the type of ICT services included in the contractual arrangement on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'contractual arrangement') between the financial entity and the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (a)] | Third Party and supply chain oversight | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the location of the ICT third-party service provider or the location of its parent company; Article 1: Overall risk profile and complexity ¶ 1 (b) {supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c) {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: is located, or processes or stores the data in a third country and, if this is the case, whether this practice affects the level of operational or reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services; Article 6: Due diligence 1. (d)] | Third Party and supply chain oversight | Preventive | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT third-party service provider is part of the same group as the financial entity to which the services are provided; Article 1: Overall risk profile and complexity ¶ 1 (e)] | Third Party and supply chain oversight | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT risk management framework referred to in Article 6 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (a) {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Third Party and supply chain oversight | Preventive | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2] | Third Party and supply chain oversight | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1 The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2 The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: operational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (a) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: legal risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (b) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (c) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: reputational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (d) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the protection of confidential or personal data; Article 5: Ex-ante risk assessment 2. ¶ 2 (e) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the availability of data; Article 5: Ex-ante risk assessment 2. ¶ 2 (f) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location where the data is processed and stored; Article 5: Ex-ante risk assessment 2. ¶ 2 (g) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location of the ICT third-party service provider; Article 5: Ex-ante risk assessment 2. ¶ 2 (h) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT concentration risks at entity level. Article 5: Ex-ante risk assessment 2. ¶ 2 (i)] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1. {supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2. {supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.] | Third Party and supply chain oversight | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.] | Third Party and supply chain oversight | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: Article 6: Due diligence 1. {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: Article 6: Due diligence 3.] | Third Party and supply chain oversight | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a competent authority in a Member State or subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (f) {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)] | Third Party and supply chain oversight | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (a) {supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3. {supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Third Party and supply chain oversight | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 [{supply chain management policy} The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 1.] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Preventive | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Third Party and supply chain oversight | Preventive | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Detective | |
Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective | |
Request attestation of compliance from third parties. CC ID 12067 [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1 {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of audit reports made by the internal audit function of the ICT third-party service provider; Article 6: Due diligence 3. (c) {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of appropriate third-party certifications; Article 6: Due diligence 3. (d) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, third-party certifications; Article 8: Contractual clauses 2. (c) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 | Third Party and supply chain oversight | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Preventive | |
Include performance standards in outsourcing contracts. CC ID 13140 [{supply chain management policy} {performance standard} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: Article 9: Monitoring of the contractual arrangements 2.] | Third Party and supply chain oversight | Preventive | |
Include quality standards in outsourcing contracts. CC ID 17191 [{supply chain management policy} {performance standard} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: Article 9: Monitoring of the contractual arrangements 2.] | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Audit information systems, as necessary. CC ID 13010 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, pooled audits and pooled ICT testing, including threat-led penetration testing, that are organised jointly with other contracting financial entities or firms that use ICT services of the same ICT third-party service provider and that are performed by those contracting financial entities or firms or by a third party appointed by them; Article 8: Contractual clauses 2. (b)] | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Detective | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Detective | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Detective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Detective | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Detective | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Detective | |
Implement file integrity monitoring. CC ID 01205 | Monitoring and measurement | Detective | |
Monitor for software configurations updates absent authorization. CC ID 10676 | Monitoring and measurement | Preventive | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Preventive | |
Monitor and evaluate user account activity. CC ID 07066 | Monitoring and measurement | Detective | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Detective | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Detective | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Detective | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [{supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Detective | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 [{supply chain management policy} The policy shall specify the appropriate measures to identify, prevent and manage actual or potential conflicts of interest arising from the use of ICT third-party service providers that are to be taken before entering relevant contractual arrangements and shall provide for an ongoing monitoring of such conflicts of interest. Article 7: Conflicts of interest 1.] | Human Resources management | Preventive | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity's ICT risk management framework; Article 9: Monitoring of the contractual arrangements 2. (b) {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1. {supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.] | Third Party and supply chain oversight | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take actions in accordance with the decision-making criteria. CC ID 12909 [{supply chain management policy} {be objective} Where ICT services supporting critical or important functions are provided by ICT intra-group service providers, the policy shall specify that decisions on the conditions, including the financial conditions, for the ICT services are to be taken objectively. Article 7: Conflicts of interest 2.] | Leadership and high level objectives | Preventive | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Detective | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Preventive | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangements are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1.] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: audits or independent assessments performed by the financial entity itself or on its behalf; Article 6: Due diligence 3. (a) {supply chain management policy} {independent audit} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that an independent review and audits verifying compliance with legal and regulatory requirements and policies are performed. Article 9: Monitoring of the contractual arrangements 2. (e) {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Third Party and supply chain oversight | Detective | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Preventive | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Detective | |
Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Detective | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Preventive | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Preventive | |
Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.] | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 | Audits and risk management | Preventive | |
Test the exit plan, as necessary. CC ID 15495 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: Article 10: Exit from and termination of the contractual arrangements ¶ 1] | Third Party and supply chain oversight | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (e)] | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d) {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4. {supply chain management policy} The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 2. ¶ 1] | Third Party and supply chain oversight | Detective | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 | Third Party and supply chain oversight | Detective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Share incident information with interested personnel and affected parties. CC ID 01212 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)] | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Third Party and supply chain oversight | Business Processes |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Implement file integrity monitoring. CC ID 01205 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Technical Security | |
Monitor and evaluate user account activity. CC ID 07066 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Log Management | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Log Management | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Communicate | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Log Management | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [{supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Audit information systems, as necessary. CC ID 13010 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, pooled audits and pooled ICT testing, including threat-led penetration testing, that are organised jointly with other contracting financial entities or firms that use ICT services of the same ICT third-party service provider and that are performed by those contracting financial entities or firms or by a third party appointed by them; Article 8: Contractual clauses 2. (b)] | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Audits and risk management | Testing | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7.] | Audits and risk management | Testing | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.] | Audits and risk management | Establish/Maintain Documentation | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangements are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1.] | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the exit strategies and termination processes as set out in Article 10. Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (f)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (e)] | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d) {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Systems Continuity | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4. {supply chain management policy} The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 2. ¶ 1] | Third Party and supply chain oversight | Testing | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Audits and Risk Management | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' relevant experience during due diligence. CC ID 12070 [{supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3. {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' legal risks to the organization during due diligence. CC ID 12078 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the potential impact of disruptions in the provision of the ICT services supporting critical or important functions on the continuity of the financial entity's activities and on the availability of its services. Article 1: Overall risk profile and complexity ¶ 1 (j) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Third Party and supply chain oversight | Business Processes | |
Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Systems Continuity | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2. {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' financial stability during due diligence. CC ID 12066 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: uses or intends to use ICT sub-contractors to perform the ICT services supporting critical or important functions or material parts thereof; Article 6: Due diligence 1. (c)] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Third Party and supply chain oversight | Business Processes | |
Assess the third parties' reputation during due diligence. CC ID 12068 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Third Party and supply chain oversight | Business Processes | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Third Party and supply chain oversight | Business Processes | |
Assess complaints against third parties during due diligence. CC ID 12069 | Third Party and supply chain oversight | Business Processes | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 | Third Party and supply chain oversight | Testing | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: audits or independent assessments performed by the financial entity itself or on its behalf; Article 6: Due diligence 3. (a) {supply chain management policy} {independent audit} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that an independent review and audits verifying compliance with legal and regulatory requirements and policies are performed. Article 9: Monitoring of the contractual arrangements 2. (e) {supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Third Party and supply chain oversight | Process or Activity | |
Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Investigate | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Third Party and supply chain oversight | Process or Activity | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Request attestation of compliance from third parties. CC ID 12067 [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1 {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of audit reports made by the internal audit function of the ICT third-party service provider; Article 6: Due diligence 3. (c) {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of appropriate third-party certifications; Article 6: Due diligence 3. (d) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, third-party certifications; Article 8: Contractual clauses 2. (c) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 [{supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of independent audit reports made on request by the ICT third-party service provider; Article 6: Due diligence 3. (b)] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [{supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Third Party and supply chain oversight | Business Processes | |
Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 | Third Party and supply chain oversight | Technical Security | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [{audit} {independent assessment} {independent audit report} {audit report} Financial entities shall ensure an appropriate level of assurance on the ICT third-party service provider's performance, taking into account the elements listed in paragraph 3, points (a) to (e). Where appropriate, more than one element listed in those points shall be used. Article 6: Due diligence 4.] | Third Party and supply chain oversight | Business Processes | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity's ICT risk management framework; Article 9: Monitoring of the contractual arrangements 2. (b) {supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1. {supply chain management policy} The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings. Article 9: Monitoring of the contractual arrangements 4.] | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Behavior | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.] | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take actions in accordance with the decision-making criteria. CC ID 12909 [{supply chain management policy} {be objective} Where ICT services supporting critical or important functions are provided by ICT intra-group service providers, the policy shall specify that decisions on the conditions, including the financial conditions, for the ICT services are to be taken objectively. Article 7: Conflicts of interest 2.] | Leadership and high level objectives | Process or Activity | |
Monitor for software configurations updates absent authorization. CC ID 10676 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Technical Security | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Establish/Maintain Documentation | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Process or Activity | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Technical Security | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Monitoring and measurement | Actionable Reports or Measurements | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Monitoring and measurement | Establish/Maintain Documentation | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Monitoring and measurement | Communicate | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Audits and risk management | Establish Roles | |
Manage supply chain audits. CC ID 01203 [{supply chain management policy} The policy shall require that ICT services supporting critical or important functions provided by ICT third party service providers are subject to independent review and are included in the audit plan. Article 3: Governance arrangements 7. {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a)] | Audits and risk management | Audits and Risk Management | |
Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Audits and Risk Management | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Establish Roles | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Establish/Maintain Documentation | |
Review the external auditor's qualifications. CC ID 01197 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied with the aptitude of the certifying or auditing party; Article 8: Contractual clauses 3. (e)] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied with the audit plan of the ICT third-party service provider for the relevant contractual arrangements; Article 8: Contractual clauses 3. (a)] | Audits and risk management | Communicate | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Audits and Risk Management | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Audits and risk management | Establish/Maintain Documentation | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: unforeseen and persistent service interruptions; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (a)] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 | Audits and risk management | Testing | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the supply chain risk management policy. CC ID 14707 [{supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that key systems and controls are covered in future versions of the certification or audit report; Article 8: Contractual clauses 3. (d) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b)] | Audits and risk management | Establish/Maintain Documentation | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT business continuity policy referred to in Article 11 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (c)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Behavior | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{supply chain management policy} The policy shall specify the appropriate measures to identify, prevent and manage actual or potential conflicts of interest arising from the use of ICT third-party service providers that are to be taken before entering relevant contractual arrangements and shall provide for an ongoing monitoring of such conflicts of interest. Article 7: Conflicts of interest 1.] | Human Resources management | Establish/Maintain Documentation | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Establish/Maintain Documentation | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 [{supply chain management policy} The policy shall specify the appropriate measures to identify, prevent and manage actual or potential conflicts of interest arising from the use of ICT third-party service providers that are to be taken before entering relevant contractual arrangements and shall provide for an ongoing monitoring of such conflicts of interest. Article 7: Conflicts of interest 1.] | Human Resources management | Monitor and Evaluate Occurrences | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Human Resources management | Communicate | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the information security policy referred to in Article 9(4) of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (b)] | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{supply chain management policy} Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group. Article 2: Group application ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
Implement changes according to the change control program. CC ID 11776 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1.] | Operational management | Business Processes | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (d) {supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b) {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain an exit plan. CC ID 15492 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the exit strategies and termination processes as set out in Article 10. Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (f) {supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: Article 10: Exit from and termination of the contractual arrangements ¶ 1 {be feasible} The exit plan shall be realistic, feasible, based on plausible scenarios and reasonable assumptions and shall have a planned implementation schedule compatible with the exit and termination terms established in the contractual arrangements. Article 10: Exit from and termination of the contractual arrangements ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Test the exit plan, as necessary. CC ID 15495 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: Article 10: Exit from and termination of the contractual arrangements ¶ 1] | Third Party and supply chain oversight | Testing | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 [{supply chain management policy} {external requirement} {Digital Operational Resilience Act} The policy shall specify that the relevant contractual arrangement are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. Article 8: Contractual clauses 1. {supply chain management policy} The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. Article 8: Contractual clauses 4.] | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions. Article 3: Governance arrangements 8. (d) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.] | Third Party and supply chain oversight | Business Processes | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the involvement of business units, internal controls and other relevant units in respect of contractual arrangements; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (c) {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are to require that the ICT third party service providers cooperate with the competent authorities; Article 3: Governance arrangements 8. (c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b) {supply chain management policy} The policy shall explicitly specify that the contractual arrangements: do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients; Article 3: Governance arrangements 8. (a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [{supply chain management policy} The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity's relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. Article 9: Monitoring of the contractual arrangements 1.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents; Article 9: Monitoring of the contractual arrangements 2. (d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a reporting structure in third party contracts. CC ID 06532 [{supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the ICT third-party service providers provide appropriate reports on their activities and services to the financial entity, including periodic reports, incidents reports, service delivery reports, reports on ICT security and reports on business continuity measures and testing; Article 9: Monitoring of the contractual arrangements 2. (a) {supply chain management policy} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: that the financial entity receives other relevant information from the ICT third-party service providers; Article 9: Monitoring of the contractual arrangements 2. (c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [{supply chain management policy} {internal audit report} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. Article 8: Contractual clauses 2. (d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [{supply chain management policy} The policy shall explicitly specify that the contractual arrangements: are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities; Article 3: Governance arrangements 8. (b) {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: consents to contractual arrangements that ensure that it is effectively possible to conduct audits at the ICT third-party service provider, including onsite, by the financial entity itself, appointed third parties, and competent authorities; Article 6: Due diligence 1. (e) {supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: Article 8: Contractual clauses 2. {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls; Article 8: Contractual clauses 3. (g) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency. Article 8: Contractual clauses 3. (h)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include early termination contingency plans in the third party contracts. CC ID 06526 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: the unexpected termination of the contractual arrangement. Article 10: Exit from and termination of the contractual arrangements ¶ 1 (c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the requirements on incident reporting set out in Article 19 of Regulation (EU) 2022/2554. Article 3: Governance arrangements 6. (d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Systems Continuity | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Business Processes | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the provision of ICT services supporting critical or important functions are concentrated to a single ICT third-party service provider or a small number of such service providers; Article 1: Overall risk profile and complexity ¶ 1 (h) {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the nature of the data shared with the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the transferability of the ICT services supporting critical or important functions to another ICT third-party service provider, including as a result of technology specificities; Article 1: Overall risk profile and complexity ¶ 1 (i)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the type of ICT services included in the contractual arrangement on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'contractual arrangement') between the financial entity and the ICT third-party service provider; Article 1: Overall risk profile and complexity ¶ 1 (a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the location of the ICT third-party service provider or the location of its parent company; Article 1: Overall risk profile and complexity ¶ 1 (b) {supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored; Article 1: Overall risk profile and complexity ¶ 1 (c) {supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: is located, or processes or stores the data in a third country and, if this is the case, whether this practice affects the level of operational or reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services; Article 6: Due diligence 1. (d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Process or Activity | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: whether the ICT third-party service provider is part of the same group as the financial entity to which the services are provided; Article 1: Overall risk profile and complexity ¶ 1 (e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [{supply chain management policy} The policy shall ensure that the contractual arrangements are consistent with the following: the ICT risk management framework referred to in Article 6 of Regulation (EU) 2022/2554; Article 3: Governance arrangements 6. (a) {supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1] | Third Party and supply chain oversight | Business Processes | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Business Processes | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: Article 1: Overall risk profile and complexity ¶ 1 The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT concentration risks at entity level. Article 5: Ex-ante risk assessment 2. ¶ 2 (i) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: Article 5: Ex-ante risk assessment 2. ¶ 2 The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: ICT risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (c) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: reputational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (d) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location of the ICT third-party service provider; Article 5: Ex-ante risk assessment 2. ¶ 2 (h) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the location where the data is processed and stored; Article 5: Ex-ante risk assessment 2. ¶ 2 (g) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the availability of data; Article 5: Ex-ante risk assessment 2. ¶ 2 (f) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: risks linked to the protection of confidential or personal data; Article 5: Ex-ante risk assessment 2. ¶ 2 (e) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: legal risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (b) The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following: operational risks; Article 5: Ex-ante risk assessment 2. ¶ 2 (a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [{supply chain management policy} The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation. Article 3: Governance arrangements 1. {supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2. {supply chain management policy} The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity's risk assessment referred to in Article 6. Article 9: Monitoring of the contractual arrangements 3.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Business Processes | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Human Resources Management | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{supply chain management policy} The policy shall establish or refer to a methodology for determining which ICT services support critical or important functions. The policy shall also specify when this assessment is to be conducted and reviewed. Article 3: Governance arrangements 2.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the third party selection process in the supply chain management policy. CC ID 13132 [{supply chain management policy} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: Article 6: Due diligence 1. {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: Article 6: Due diligence 3.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Select suppliers based on their qualifications. CC ID 00795 [{supply chain management policy} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a competent authority in a Member State or subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (f) {supply chain management policy} {absent authorization} {absent authentication} The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the 'policy') shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not; Article 1: Overall risk profile and complexity ¶ 1 (g)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (a) {supply chain management policy} The policy shall clearly assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and shall ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under those arrangements. Article 3: Governance arrangements 3. {supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Communicate | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 [{supply chain management policy} The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded. Article 5: Ex-ante risk assessment 1.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Business Processes | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Business Processes | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Business Processes | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Data and Information Management | |
Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Business Processes | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 | Third Party and supply chain oversight | Business Processes | |
Commit to the supply chain due diligence process. CC ID 08849 [{supply chain management policy} The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4); Article 4: Main phases of the life cycle for the adoption and use of contractual arrangements ¶ 1 (b)] | Third Party and supply chain oversight | Business Processes | |
Structure the organization to support supply chain due diligence. CC ID 08850 | Third Party and supply chain oversight | Business Processes | |
Schedule supply chain audits, as necessary. CC ID 10015 [{supply chain management policy} The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: its own internal audit or an audit by an appointed third party; Article 8: Contractual clauses 2. (a) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: is satisfied that the certifications are issued, and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; Article 8: Contractual clauses 3. (f)] | Third Party and supply chain oversight | Audits and Risk Management | |
Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Third Party and supply chain oversight | Business Processes | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [{supply chain management policy} {be ethical} {be responsible} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: acts in an ethical and socially responsible manner, respects human rights and children's rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions. Article 6: Due diligence 1. (f)] | Third Party and supply chain oversight | Business Processes | |
Identify all service providers in the supply chain. CC ID 12213 | Third Party and supply chain oversight | Business Processes | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Third Party and supply chain oversight | Business Processes | |
Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Third Party and supply chain oversight | Business Processes | |
Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Third Party and supply chain oversight | Business Processes | |
Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Third Party and supply chain oversight | Business Processes | |
Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Third Party and supply chain oversight | Business Processes | |
Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Third Party and supply chain oversight | Business Processes | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{supply chain management policy} {financial resource} {human resource} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner; Article 6: Due diligence 1. (a) {supply chain management policy} {security practice} The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers taking into account whether or not the ICT third party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider: has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework; Article 6: Due diligence 1. (b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Business Processes | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [{supply chain management policy} Without prejudice to the final responsibility of the financial entity to effectively oversee relevant contractual arrangements, the policy shall require that the ICT third party service provider is assessed to have sufficient resources to ensure that the financial entity complies with all its legal and regulatory requirements regarding the ICT services supporting critical or important functions that are provided. Article 3: Governance arrangements 4. {supply chain management policy} The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider's performance: the use of other relevant information available to the financial entity or other information provided by the ICT third-party service provider. Article 6: Due diligence 3. (e) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: Article 8: Contractual clauses 3. {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: ensures that the scope of the certifications or audit reports cover the systems and key controls identified by it and ensures compliance with relevant regulatory requirements; Article 8: Contractual clauses 3. (b) {supply chain management policy} {third-party certification} {audit report} The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity: thoroughly assesses the content of the certifications or audit reports on an ongoing basis and verifies that the reports or certifications are not obsolete; Article 8: Contractual clauses 3. (c)] | Third Party and supply chain oversight | Business Processes | |
Determine third party compliance with third party contracts. CC ID 08866 | Third Party and supply chain oversight | Business Processes | |
Quarantine non-compliant material. CC ID 08867 | Third Party and supply chain oversight | Business Processes | |
Refrain from quarantining conflict-free materials. CC ID 08868 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Third Party and supply chain oversight | Business Processes | |
Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 | Third Party and supply chain oversight | Business Processes | |
Establish and maintain a supply chain due diligence report. CC ID 08824 | Third Party and supply chain oversight | Business Processes | |
Submit the supply chain due diligence report. CC ID 08828 | Third Party and supply chain oversight | Business Processes | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [{supply chain management policy} The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers' risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured. Article 6: Due diligence 2.] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define timeliness factors for third party reporting requirements. CC ID 13304 [{supply chain management policy} {be responsible} The policy shall clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. The policy shall specify how that role or member of senior management shall cooperate with the control functions, unless it is part of it, and shall set out the reporting lines to the management body, including the nature of the information to report and the documents to provide. It shall also set out the frequency of such reporting. Article 3: Governance arrangements 5.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 [{supply chain management policy} The policy shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan. When establishing the exit plan, the following shall be taken into account: inappropriate or failed service delivery; Article 10: Exit from and termination of the contractual arrangements ¶ 1 (b)] | Third Party and supply chain oversight | Business Processes | |
Identify red flags in the supply chain. CC ID 08873 | Third Party and supply chain oversight | Business Processes | |
Detect red flags in the supply chain. CC ID 08874 | Third Party and supply chain oversight | Business Processes | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Third Party and supply chain oversight | Business Processes | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Third Party and supply chain oversight | Business Processes | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Third Party and supply chain oversight | Business Processes | |
Collect information on red-flagged supply chains. CC ID 08877 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include performance standards in outsourcing contracts. CC ID 13140 [{supply chain management policy} {performance standard} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: Article 9: Monitoring of the contractual arrangements 2.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include quality standards in outsourcing contracts. CC ID 17191 [{supply chain management policy} {performance standard} The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity's own policies. The policy shall, in particular, ensure the following: Article 9: Monitoring of the contractual arrangements 2.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |