Review reporting of simplified ICT risk management framework

The organization must submit the report on the review of ICT risk management framework in searchable electronic format. It must include:

Introduction:

Description of the financial entity’s context, including:

• Nature, scale, and complexity of services, activities, and operations.
• Organization structure and identified critical functions.
• Strategy and major ongoing projects or activities.
• Relationships and dependence on in-house and outsourced ICT services.
• Implications of a total loss or severe degradation of ICT systems on critical functions and market efficiency.

Executive Level Summary:

• Summarize the current and near-term ICT risks identified.
• Discuss the threat landscape and the assessed effectiveness of controls.
• Outline the financial entity’s security posture.

Reported Area Information:

• Provide specific details about the focus of the report.

Changes in ICT Risk Management Framework:

• Summarize major changes since the previous report.
• Describe the impact of these changes on the simplified ICT risk management framework.

Approval Date:

• If applicable, mention the date the management body approved the report.

Reason for Review:

• Explain why the review was undertaken, including:
• Any supervisory instructions, with evidence attached.
• Occurrence of ICT-related incidents and list them with root-cause analysis.

Review information:

• Include the start and end date of the review period.
• Identify the person responsible for conducting the review.
• Provide a summary and self-assessment of weaknesses, deficiencies, and gaps in the ICT risk management framework.
• Include a detailed analysis of these findings.

Remedying Measures:

• List the measures identified to address weaknesses, deficiencies, and gaps.
• Include expected dates for implementing measures.
• Follow up on unresolved issues from previous reports.

Conclude the review, including further planned developments for the ICT risk managemen