Article 31: ICT risk management

Oh no! No description found. But not to worry. Read from Tasks below how to advance this topic.

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following:

(a) a determination of the risk tolerance levels for ICT risk, in accordance with the risk appetite of the financial entity;

(b) the identification and assessment of the ICT risks to which the financial entity is exposed;

(c) the specification of mitigation strategies at least for the ICT risks that are not within the risk tolerance levels of the financial entity;

(d) the monitoring of the effectiveness of the mitigation strategies referred to in point (c);

(e) the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident.

2. The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities’ ICT risk profile.

3. The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions.

4. The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes.

This requirement is part of the framework:  
DORA simplified RMF
Best practices
How to implement:
Article 31: ICT risk management

Oh no! No description found. But not to worry. Read from Tasks below how to advance this topic.

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following:

(a) a determination of the risk tolerance levels for ICT risk, in accordance with the risk appetite of the financial entity;

(b) the identification and assessment of the ICT risks to which the financial entity is exposed;

(c) the specification of mitigation strategies at least for the ICT risks that are not within the risk tolerance levels of the financial entity;

(d) the monitoring of the effectiveness of the mitigation strategies referred to in point (c);

(e) the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident.

2. The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities’ ICT risk profile.

3. The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions.

4. The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes.

Read below what concrete actions you can take to improve this ->
Frameworks that include requirements for this topic:
No items found.

How to improve security around this topic

In Cyberday, requirements and controls are mapped to universal tasks. A set of tasks in the same topic create a Policy, such as this one.

Here's a list of tasks that help you improve your information and cyber security related to
Article 31: ICT risk management
Task name
Priority
Task completes
Complete these tasks to increase your compliance in this policy.
Critical
No other tasks found.

How to comply with this requirement

In Cyberday, requirements and controls are mapped to universal tasks. Each requirement is fulfilled with one or multiple tasks.

Here's a list of tasks that help you comply with the requirement
Article 31: ICT risk management
of the framework  
DORA simplified RMF
Task name
Priority
Task completes
Complete these tasks to increase your compliance in this policy.
Critical
Identification and documentation of cyber security risks
Critical
High
Normal
Low
Risk management procedure -report publishing and maintenance
Critical
High
Normal
Low
Treatment process and documentation of occurred security incidents
Critical
High
Normal
Low
Process for managing technical vulnerabilities
Critical
High
Normal
Low
41
requirements
Development and cloud
Technical vulnerability management

Process for managing technical vulnerabilities

This task helps you comply with the following requirements

The goals of threat intelligence and the collection of information related to information security threats
Critical
High
Normal
Low
Creating and maintaining incident response plans
Critical
High
Normal
Low
Defining security events and incidents
Critical
High
Normal
Low
6
requirements
Incident management
Incident management and response

Defining security events and incidents

This task helps you comply with the following requirements

Enabling asset-based risk management in the ISMS
Critical
High
Normal
Low
Change management procedure for significant changes to data processing services
Critical
High
Normal
Low
Assessment of the impact and likelihood of the risks and the scales used
Critical
High
Normal
Low
12
requirements
Risk management and leadership
Risk management

Assessment of the impact and likelihood of the risks and the scales used

This task helps you comply with the following requirements

Evaluation of the information security measures defined in the risk management phase
Critical
High
Normal
Low
5
requirements
Risk management and leadership
Risk management

Evaluation of the information security measures defined in the risk management phase

This task helps you comply with the following requirements

Monitoring the status of risk management
Critical
High
Normal
Low
Consideration of threat intelligence findings in the information security risk management process
Critical
High
Normal
Low

The ISMS component hierachy

When building an ISMS, it's important to understand the different levels of information hierarchy. Here's how Cyberday is structured.

Framework

Sets the overall compliance standard or regulation your organization needs to follow.

Requirements

Break down the framework into specific obligations that must be met.

Tasks

Concrete actions and activities your team carries out to satisfy each requirement.

Policies

Documented rules and practices that are created and maintained as a result of completing tasks.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.