Final Report on EBA Guidelines on outsourcing arrangements



AD ID

0003192

AD STATUS

Final Report on EBA Guidelines on outsourcing arrangements

ORIGINATOR

European Banking Authority

TYPE

Regulation or Statute

AVAILABILITY

Free

SYNONYMS

EBA/GL/2019/02

Final Report on EBA Guidelines on outsourcing arrangements

EFFECTIVE

2019-02-25

ADDED

The document as a whole was last reviewed and released on 2020-08-03T00:00:00-0700.

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the mapping is of the highest quality.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of every Citation we found within Final Report on EBA Guidelines on outsourcing arrangements, tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for Final Report on EBA Guidelines on outsourcing arrangements are based on terms found in the Authority Document's defined-terms section (which most legal documents have) or its glossary and, for the most part, on terms tagged within each mandate. Terms shown with links are the standardized versions of those terms.



Common Controls and mandates by Impact Zone

Legend: 203 Mandated Controls (bold), 70 Implied Controls (italic), 1482 Implementation Controls (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 1755 Total
  • Acquisition or sale of facilities, technology, and services (45 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular
    Each entry lists the control text, its CC ID, any bracketed Citations from the Authority Document, then TYPE and CLASS.
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Business Processes Preventive
        [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised; 4.4 31(a)
        {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority, as referred to in Section 12.1. 4.4 29(c)
        {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)
        Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is authorised or registered by a competent authority to perform such banking activities or payment services; or 4.12.1 62(a)]
    Establish, implement, and maintain expedited recredit procedures. CC ID 13574 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain payment systems. CC ID 13539 Business Processes Preventive
    Document the business need justification for payment page scripts. CC ID 15480 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 Business Processes Preventive
    Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 Business Processes Preventive
    Employ Remote Deposit Capture systems, as necessary. CC ID 13570 Configuration Preventive
    Include liquidity plans in the payment and settlement functions. CC ID 16722 Process or Activity Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Business Processes Preventive
    Determine whether the financial institution uses positive pay for electronic check presentment. CC ID 13562 Investigate Detective
    Define risk levels for Automated Clearing House activities, as necessary. CC ID 13542 Business Processes Preventive
    Determine Automated Clearing House exposure limits, as necessary. CC ID 13549 Business Processes Preventive
    Adjust the originator's activity levels to match Automated Clearing House exposure limits, as necessary. CC ID 13565 Business Processes Corrective
    Adjust the originator's credit rating to match Automated Clearing House exposure limits, as necessary. CC ID 13564 Business Processes Corrective
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Technical Security Preventive
    Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 Business Processes Preventive
    Restrict transaction activities, as necessary. CC ID 16334 Business Processes Preventive
    Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 Communicate Preventive
    Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 Business Processes Preventive
    Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 Business Processes Preventive
    Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 Business Processes Preventive
    Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 Establish/Maintain Documentation Preventive
    Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 Business Processes Preventive
    Encrypt electronic commerce transactions and messages. CC ID 08621 Configuration Preventive
    Protect the integrity of application service transactions. CC ID 12017 Business Processes Preventive
    Include required information in electronic commerce transactions and messages. CC ID 15318 Data and Information Management Preventive
    Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 Business Processes Preventive
    Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 Communicate Preventive
    Bill and settle electronic commerce transactions. CC ID 08622 Business Processes Preventive
    Notify affected parties after successful card-not-present transactions. CC ID 13668 Communicate Preventive
    Deliver incoming and outgoing electronic commerce transactions and messages to the correct Internet Protocol address. CC ID 08620 Business Processes Preventive
    Use a risk-based approach to following up situations where customer notifications regarding electronic commerce transactions cannot be delivered. CC ID 13663 Business Processes Corrective
    Disseminate and communicate transaction exceptions to consumers. CC ID 08619 Business Processes Preventive
    Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 Data and Information Management Preventive
    Correct billing and settlement errors. CC ID 08623 Business Processes Corrective
    Withhold payment and settlement functions, as necessary. CC ID 15460 Business Processes Preventive
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 Behavior Preventive
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Establish/Maintain Documentation Preventive
    Include security requirements in system acquisition contracts. CC ID 01124 Establish/Maintain Documentation Preventive
    Include operational requirements in system acquisition contracts. CC ID 00825 Establish/Maintain Documentation Preventive
        [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; 4.4 29(b)]
    Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 Establish/Maintain Documentation Preventive
    Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 Establish/Maintain Documentation Preventive
        [{not authorized} The outsourcing policy should differentiate between the following: outsourcing to service providers that are authorised by a competent authority and those that are not; 4.7 43(b)]
    Install software that originates from approved third parties. CC ID 12184 Technical Security Preventive
  • Audits and risk management (573 controls)
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and Risk Management Preventive
        [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97]
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Establish/Maintain Documentation Preventive
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Testing Detective
        [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)]
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197 Audits and Risk Management Preventive
        [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, reperformance/verification of the evidence in the underlying audit file); 4.13.3 93(e)]
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Establish/Maintain Documentation Preventive
        [{third-party audit report} {are sufficient} For the outsourcing of critical or important functions, institutions and payment institutions should assess whether third-party certifications and reports as referred to in paragraph 91(b) are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. 4.13.3 92]
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
        [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50]
    Establish, implement, and maintain audit policies. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118 Establish Roles Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and Risk Management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and Risk Management Detective
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Behavior Preventive
        [When performing audits in multi-client environments, care should be taken to ensure that risks to another client's environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated. 4.13.3 96]
    Include resource requirements in the audit program. CC ID 15237 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Establish/Maintain Documentation Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
        [{third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)]
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
        [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Establish/Maintain Documentation Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and Risk Management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and Risk Management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and Risk Management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and Risk Management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and Risk Management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and Risk Management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and Risk Management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Establish/Maintain Documentation Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Establish/Maintain Documentation Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Establish/Maintain Documentation Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and Risk Management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Establish/Maintain Documentation Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Establish/Maintain Documentation Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Establish/Maintain Documentation Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Establish/Maintain Documentation Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Establish/Maintain Documentation Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Establish/Maintain Documentation Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Establish/Maintain Documentation Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Establish/Maintain Documentation Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Establish/Maintain Documentation Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Establish/Maintain Documentation Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Establish/Maintain Documentation Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Establish/Maintain Documentation Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Establish/Maintain Documentation Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Establish/Maintain Documentation Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Establish/Maintain Documentation Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Establish/Maintain Documentation Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Establish/Maintain Documentation Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Establish/Maintain Documentation Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Establish/Maintain Documentation Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Establish/Maintain Documentation Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Establish/Maintain Documentation Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and Risk Management Detective
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Establish/Maintain Documentation Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Establish/Maintain Documentation Preventive
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and Risk Management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Business Processes Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and Risk Management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and Risk Management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Establish/Maintain Documentation Preventive
        [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that key systems and controls are covered in future versions of the certification or audit report; 4.13.3 93(d)
        {access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Establish/Maintain Documentation Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records is provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and Risk Management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Communicate Preventive
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Business Processes Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Business Processes Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and Risk Management Preventive
    [With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Actionable Reports or Measurements Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Testing Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and Risk Management Preventive
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions; 4.10 51(b)]
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010 Investigate Detective
    [Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider; 4.13.3 91(a)]
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and Risk Management Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)]
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Testing Preventive
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Communicate Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Human Resources Management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Process or Activity Preventive
    Create a schedule for the interviews. CC ID 16292 Process or Activity Preventive
    Identify interviewees. CC ID 16290 Process or Activity Preventive
    Conduct interviews, as necessary. CC ID 07188 Testing Detective
    Verify statements made by interviewees are correct. CC ID 16299 Behavior Detective
    Discuss unsolved questions with the interviewee. CC ID 16298 Process or Activity Detective
    Allow interviewee to respond to explanations. CC ID 16296 Process or Activity Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Process or Activity Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Behavior Detective
    Explain the testing results to the interviewee. CC ID 16291 Process or Activity Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Establish/Maintain Documentation Preventive
    Include audit irregularities in the work papers. CC ID 16774 Establish/Maintain Documentation Preventive
    Include corrective actions in the work papers. CC ID 16771 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Establish/Maintain Documentation Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and Risk Management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and Risk Management Detective
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and Risk Management Preventive
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88]
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Investigate Detective
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Establish/Maintain Documentation Detective
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and Risk Management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and Risk Management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Establish/Maintain Documentation Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Establish/Maintain Documentation Preventive
    Identify the audit team members in the audit report. CC ID 15259 Human Resources Management Detective
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and Risk Management Preventive
    Refrain from referencing other auditors' work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and Risk Management Detective
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Establish/Maintain Documentation Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Establish/Maintain Documentation Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Establish/Maintain Documentation Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Establish/Maintain Documentation Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Establish/Maintain Documentation Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Establish/Maintain Documentation Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Establish/Maintain Documentation Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and Risk Management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Establish/Maintain Documentation Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Establish/Maintain Documentation Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155 Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Establish/Maintain Documentation Corrective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Investigate Detective
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Human Resources Management Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Establish/Maintain Documentation Detective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Actionable Reports or Measurements Corrective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate involvement of governance bodies; and 4.10 51(d)]
    Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Testing Detective
    Evaluate the competency of auditors. CC ID 15253 Human Resources Management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156
    [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the audit plan for the outsourced function; 4.13.3 93(a)]
    Testing Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Establish/Maintain Documentation Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Business Processes Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659 Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and Risk Management Preventive
    Include regular updating in the risk management system. CC ID 14990 Business Processes Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include data quality in the risk management strategies. CC ID 15308 Data and Information Management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217
    [{be difficult} {substitute} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: outsourcing to a dominant service provider that is not easily substitutable; and 4.12.2 66(a)(i)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable; 4.4 31(i)
    {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: transfer the function to alternative service providers; 4.6 40(f)(i)]
    Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)
    With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Audits and Risk Management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [{be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Establish/Maintain Documentation Preventive
    Address past incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Human Resources Management Detective
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Audits and Risk Management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Establish/Maintain Documentation Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Communicate Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Communicate Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Acquisition/Sale of Assets or Services Corrective
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903
    [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the measures implemented by the institution or payment institution and by the service provider to manage and mitigate the risks. 4.12.2 66(d)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Process or Activity Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)]
    Audits and Risk Management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program as necessary. CC ID 06459 Audits and Risk Management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452 Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147
    [{outsourced services} {outsourced activities} When developing exit strategies, institutions and payment institutions should: perform a business impact analysis that is commensurate with the risk of the outsourced processes, services or activities, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take; 4.15 108(b)]
    Audits and Risk Management Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Establish/Maintain Documentation Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Communicate Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Establish/Maintain Documentation Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the aggregated risks resulting from outsourcing several functions across the institution or payment institution and, in the case of groups of institutions or institutional protection schemes, the aggregated risks on a consolidated basis or on the basis of the institutional protection scheme; 4.12.2 66(b)]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the consequences of where the service provider is located (within or outside the EU); 4.12.2 68(c)]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: 4.12.2 66(a)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the size and complexity of any business area affected; 4.4 31(f)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: 4.12.2 68(d)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Establish/Maintain Documentation Detective
    Document the results of the gap analysis. CC ID 16271 Establish/Maintain Documentation Preventive
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Establish/Maintain Documentation Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Establish/Maintain Documentation Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and Risk Management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Communicate Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485 Establish/Maintain Documentation Preventive
    Include risk responses in the risk management program. CC ID 13195 Establish/Maintain Documentation Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Business Processes Preventive
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Establish/Maintain Documentation Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Establish/Maintain Documentation Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Business Processes Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and Risk Management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and Risk Management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and Risk Management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Communicate Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Communicate Preventive
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Establish/Maintain Documentation Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Communicate Preventive
    Evaluate the cyber insurance market. CC ID 12695 Business Processes Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Business Processes Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Establish/Maintain Documentation Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Establish/Maintain Documentation Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Establish/Maintain Documentation Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Establish/Maintain Documentation Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)]
    Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
  • Human Resources management
    82
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)]
    Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Establish Roles Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources Management Preventive
    Define the scope for the security operations center. CC ID 15713 Establish/Maintain Documentation Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources Management Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Behavior Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources Management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Establish Roles Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources Management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Establish/Maintain Documentation Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources Management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Establish/Maintain Documentation Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Establish/Maintain Documentation Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources Management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources Management Corrective
    Define and assign board committees, as necessary. CC ID 14787 Human Resources Management Preventive
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources Management Preventive
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Establish/Maintain Documentation Preventive
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources Management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources Management Preventive
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources Management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Establish Roles Preventive
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources Management Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Establish Roles Preventive
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources Management Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Establish Roles Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Establish Roles Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources Management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources Management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Establish Roles Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750 Establish/Maintain Documentation Preventive
    Define and assign the authorized representatives roles and responsibilities. CC ID 15033 Human Resources Management Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Establish Roles Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Establish Roles Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Establish Roles Preventive
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Establish Roles Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)]
    Establish/Maintain Documentation Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Establish Roles Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources Management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources Management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources Management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources Management Preventive
    Assign a contact person to all business units. CC ID 07144 Establish Roles Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Business Processes Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources Management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources Management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources Management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97
    Outsourcing should not lower the suitability requirements applied to the members of an institution's management body, directors and persons responsible for the management of the payment institution and key function holders. Institutions and payment institutions should have adequate competence and sufficient and appropriately skilled resources to ensure appropriate management and oversight of outsourcing arrangements. 4.6 37]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
  • Leadership and high level objectives
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
    With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Monitor and Evaluate Occurrences Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Establish/Maintain Documentation Preventive
    Analyze the business environment in which the organization operates. CC ID 12798 Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942 Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Monitor and Evaluate Occurrences Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Business Processes Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Monitor and Evaluate Occurrences Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Business Processes Preventive
    Include society in the analysis of the external environment. CC ID 12963 Business Processes Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Business Processes Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Business Processes Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Business Processes Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Business Processes Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Business Processes Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Business Processes Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Business Processes Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [When developing exit strategies, institutions and payment institutions should: define the objectives of the exit strategy; 4.15 108(a)]
    Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814
    [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106
    With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958
    [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45]
    Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960 Business Processes Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603 Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600 Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Establish/Maintain Documentation Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Establish/Maintain Documentation Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Establish/Maintain Documentation Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Communicate Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)]
    Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
    [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)]
    Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Identify all interested personnel and affected parties. CC ID 12845 Process or Activity Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Process or Activity Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 Business Processes Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Establish/Maintain Documentation Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Establish/Maintain Documentation Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Establish/Maintain Documentation Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Establish/Maintain Documentation Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Establish/Maintain Documentation Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Establish/Maintain Documentation Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Establish/Maintain Documentation Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Establish/Maintain Documentation Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Establish/Maintain Documentation Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Establish/Maintain Documentation Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Data and Information Management Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Establish/Maintain Documentation Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Data and Information Management Preventive
    Approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Communicate Preventive
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Establish/Maintain Documentation Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Establish/Maintain Documentation Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Establish/Maintain Documentation Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Establish/Maintain Documentation Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Investigate Detective
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Establish/Maintain Documentation Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Establish/Maintain Documentation Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Establish/Maintain Documentation Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Establish/Maintain Documentation Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Establish/Maintain Documentation Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519 Establish/Maintain Documentation Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Establish/Maintain Documentation Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Communicate Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Establish/Maintain Documentation Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701
    [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Establish/Maintain Documentation Preventive
    Enforce a continuous Quality Control system. CC ID 01005
    [{performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104]
    Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Testing Detective
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Establish/Maintain Documentation Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Communicate Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Communicate Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501 Business Processes Corrective
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include records management in the quality management system. CC ID 15055 Establish/Maintain Documentation Preventive
    Include risk management in the quality management system. CC ID 15054 Establish/Maintain Documentation Preventive
    Include data management procedures in the quality management system. CC ID 15052 Establish/Maintain Documentation Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Establish/Maintain Documentation Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Systems Design, Build, and Implementation Preventive
    Include resource management in the quality management system. CC ID 15026 Establish/Maintain Documentation Preventive
    Include communication protocols in the quality management system. CC ID 15025 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Establish/Maintain Documentation Preventive
    Include technical specifications in the quality management system. CC ID 15021 Establish/Maintain Documentation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017 Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824 Systems Design, Build, and Implementation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [Institutions and payment institutions should maintain at all times sufficient substance and not become 'empty shells' or 'letter-box entities'. To this end, they should: 4.6 39]
    Establish/Maintain Documentation Preventive
    Define the scope of the security policy. CC ID 07145 Data and Information Management Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
    Correlate Information Systems with applicable controls. CC ID 01621 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the setting of the institution's or payment institution's strategies and policies (e.g. the business model, the risk appetite, the risk management framework); 4.6 36(d)]
    Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41]
    Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820 Establish/Maintain Documentation Preventive
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Business Processes Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Establish/Maintain Documentation Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)
    allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)
    clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Align the Authority Document list with external requirements. CC ID 06288 Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Behavior Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Business Processes Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765
    [meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Establish Roles Detective
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 Establish/Maintain Documentation Detective
    Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 Establish/Maintain Documentation Preventive
    Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 Establish/Maintain Documentation Detective
    Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 Establish Roles Preventive
    Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 Establish Roles Preventive
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 Establish Roles Preventive
    Involve the Board of Directors or senior management in Information Governance. CC ID 00609 Establish Roles Preventive
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Human Resources Management Preventive
    Address Information Security during the business planning processes. CC ID 06495 Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Establish/Maintain Documentation Preventive
    Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 Establish Roles Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: 4.7 42(c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Establish/Maintain Documentation Preventive
    Align the reporting methodology with the decision management strategy. CC ID 15659 Business Processes Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Establish/Maintain Documentation Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951
    [{Authority Document} When applying the principle of proportionality, institutions, payment institutions and competent authorities should take into account the criteria specified in Title I of the EBA Guidelines on internal governance in line with Article 74(2) of Directive 2013/36/EU. 4.1 20]
    Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)]
    Establish/Maintain Documentation Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Establish/Maintain Documentation Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938 Establish/Maintain Documentation Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Process or Activity Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Process or Activity Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Process or Activity Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Establish/Maintain Documentation Detective
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Process or Activity Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Behavior Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Process or Activity Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Establish/Maintain Documentation Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Communicate Preventive
  • Monitoring and measurement
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660 Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922 Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a testing program. CC ID 00654 Behavior Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Perform penetration tests, as necessary. CC ID 00655
    [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94]
    Testing Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Technical Security Detective
    Perform external penetration tests, as necessary. CC ID 12470 Technical Security Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Testing Detective
    Test the system for broken access controls. CC ID 01319 Testing Detective
    Test the system for broken authentication and session management. CC ID 01320 Testing Detective
    Test the system for insecure communications. CC ID 00535 Testing Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Testing Detective
    Test the system for buffer overflows. CC ID 01322 Testing Detective
    Test the system for injection flaws. CC ID 01323 Testing Detective
    Ensure protocols are free from injection flaws. CC ID 16401 Process or Activity Preventive
    Test the system for Denial of Service. CC ID 01326 Testing Detective
    Test the system for insecure configuration management. CC ID 01327 Testing Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Testing Detective
    Test the system for cross-site request forgery. CC ID 06296 Testing Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Technical Security Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Technical Security Detective
    Verify segmentation controls are operational and effective. CC ID 12545 Audits and Risk Management Detective
    Repeat penetration testing, as necessary. CC ID 06860 Testing Detective
    Test the system for covert channels. CC ID 10652 Testing Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Technical Security Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Technical Security Corrective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Testing Detective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499 Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401 Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Investigate Detective
    Correct compliance violations. CC ID 13515
    [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105]
    Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Human Resources Management Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Establish/Maintain Documentation Preventive
    Convert data into standard units before reporting metrics. CC ID 15507 Process or Activity Corrective
    Monitor compliance with the Quality Control system. CC ID 01023 Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Establish/Maintain Documentation Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Actionable Reports or Measurements Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Actionable Reports or Measurements Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Establish/Maintain Documentation Preventive
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Actionable Reports or Measurements Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Establish/Maintain Documentation Preventive
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Actionable Reports or Measurements Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Actionable Reports or Measurements Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Actionable Reports or Measurements Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Actionable Reports or Measurements Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Actionable Reports or Measurements Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Actionable Reports or Measurements Detective
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Establish/Maintain Documentation Preventive
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Actionable Reports or Measurements Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Business Processes Preventive
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Actionable Reports or Measurements Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Actionable Reports or Measurements Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Business Processes Preventive
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Actionable Reports or Measurements Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Actionable Reports or Measurements Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain waste management metrics. CC ID 16152 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain financial management metrics. CC ID 16749 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Business Processes Preventive
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Communicate Preventive
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Establish/Maintain Documentation Preventive
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Actionable Reports or Measurements Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Actionable Reports or Measurements Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Actionable Reports or Measurements Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Actionable Reports or Measurements Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Actionable Reports or Measurements Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Actionable Reports or Measurements Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to authorized individuals. CC ID 01342 Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345 Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193 Business Processes Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645 Monitor and Evaluate Occurrences Detective
  • Operational and Systems Continuity
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106]
    Establish/Maintain Documentation Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: material risks arising for the appropriate and continuous application of the function. 4.15 106(d)
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Establish/Maintain Documentation Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48
    {business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)]
    Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057
    [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)
    The outsourcing policy should differentiate between the following: outsourcing of critical or important functions and other outsourcing arrangements; 4.7 43(a)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the outsourcing arrangement concerns a critical or important function, as set out in Title II; 4.12 61(a)
    If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77
    Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88]
    Establish/Maintain Documentation Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Systems Continuity Preventive
    Review and prioritize the importance of each business process. CC ID 11689 Establish/Maintain Documentation Preventive
    Document the mean time to failure for system components. CC ID 10684 Systems Continuity Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Audits and Risk Management Preventive
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 Behavior Preventive
    Validate information security continuity controls regularly. CC ID 12008
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)]
    Systems Continuity Preventive
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Testing Preventive
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [When developing exit strategies, institutions and payment institutions should: define success criteria for the transition of outsourced functions and data; and 4.15 108(d)]
    Establish/Maintain Documentation Preventive
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuity test plan. CC ID 14876 Establish/Maintain Documentation Preventive
    Include test scripts in the continuity test plan. CC ID 14875 Establish/Maintain Documentation Preventive
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Establish/Maintain Documentation Preventive
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Establish/Maintain Documentation Preventive
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Establish/Maintain Documentation Preventive
    Include contact information in the continuity test plan. CC ID 14399 Establish/Maintain Documentation Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Establish/Maintain Documentation Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Establish/Maintain Documentation Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Establish/Maintain Documentation Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)]
    Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48]
    Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365
    [{business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)]
    Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [{be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Actionable Reports or Measurements Preventive
    Approve the continuity plan test results. CC ID 15718 Systems Continuity Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Testing Detective
  • Operational management
    85
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)
    have sufficient resources and capacities to ensure compliance with points (a) to (c). 4.6 39(d)]
    Acquisition/Sale of Assets or Services Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the internal organisation of the institution or the payment institution; 4.6 36(b)]
    Human Resources Management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94]
    Establish/Maintain Documentation Preventive
    Define the scope for the internal control framework. CC ID 16325 Business Processes Preventive
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Actionable Reports or Measurements Corrective
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816 Business Processes Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Communicate Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [{be adequate} In accordance with Article 109(2) of Directive 2013/36/EU, these guidelines should also apply on a sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation. For this purpose, the EU parent undertakings or the parent undertaking in a Member State should ensure that internal governance arrangements, processes and mechanisms in their subsidiaries, including payment institutions, are consistent, well integrated and adequate for the effective application of these guidelines at all relevant levels. 4.2 21]
    Business Processes Preventive
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Process or Activity Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Business Processes Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Business Processes Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Business Processes Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Business Processes Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Institutions and payment institutions that are subsidiaries of an EU parent undertaking or of a parent undertaking in a Member State to which no waivers have been granted on the basis of Article 21 of Directive 2013/36/EU or Article 109(1) of Directive 2013/36/EU in conjunction with Article 7 of Regulation (EU) No 575/2013 should ensure that they comply with these Guidelines on an individual basis. 4.2 25
    Institutions, payment institutions and competent authorities should, when complying or supervising compliance with these guidelines, have regard to the principle of proportionality. The proportionality principle aims to ensure that governance arrangements, including those related to outsourcing, are consistent with the individual risk profile, the nature and business model of the institution or payment institution, and the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved. 4.1 18
    {third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    The management body is at all times fully responsible and accountable for at least: ensuring that the institution or payment institution meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority; 4.6 36(a)
    {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35
    meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)]
    Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Behavior Preventive
    Establish, implement, and maintain a Service Management System. CC ID 13889 Business Processes Preventive
    Establish, implement, and maintain a service management program. CC ID 11388 Establish/Maintain Documentation Preventive
    Include the change management policy in the service management program. CC ID 13923
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)]
    Establish/Maintain Documentation Preventive
    Assign roles and responsibilities in the service management program. CC ID 11393
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)
    When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)
    clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)]
    Establish/Maintain Documentation Preventive
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394
    [When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)]
    Establish/Maintain Documentation Preventive
    Include service management procedures in the service management program. CC ID 11396
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)]
    Establish/Maintain Documentation Preventive
    Include continuity plans in the Service Management program. CC ID 13919
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839
    [When outsourcing, institutions and payment institutions should at least ensure that: they maintain the orderliness of the conduct of their business and the banking and payment services they provide; 4.6 40(b)]
    Establish/Maintain Documentation Preventive
    Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 Establish/Maintain Documentation Preventive
    Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 Establish/Maintain Documentation Detective
    Include the organizational structure for service level management in the Service Level Agreement framework. CC ID 13633
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)
    {organizational structure} retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements; 4.6 39(b)]
    Establish/Maintain Documentation Preventive
    Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 Establish/Maintain Documentation Preventive
    Include capacity planning in Service Level Agreements. CC ID 13096 Establish/Maintain Documentation Preventive
    Include Operational Level Agreements within Service Level Agreements, as necessary. CC ID 13631 Establish/Maintain Documentation Preventive
    Include funding sources in Service Level Agreements, as necessary. CC ID 13632 Establish/Maintain Documentation Preventive
    Include business requirements of delivered services in the Service Level Agreement. CC ID 00840
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the definition of business requirements regarding outsourcing arrangements; 4.7 42(c)(i)]
    Establish/Maintain Documentation Preventive
    Include the management requirements for network services in the Service Level Agreement. CC ID 12025 Establish/Maintain Documentation Preventive
    Include notification requirements in the service level agreement. CC ID 16675 Establish/Maintain Documentation Preventive
    Include performance requirements in the Service Level Agreement. CC ID 00841 Establish/Maintain Documentation Preventive
    Include the service levels for network services in the Service Level Agreement. CC ID 12024 Establish/Maintain Documentation Preventive
    Include the consequences for failure to meet service levels in Service Level Agreements. CC ID 15698 Establish/Maintain Documentation Preventive
    Include availability requirements in Service Level Agreements. CC ID 13095 Establish/Maintain Documentation Preventive
    Establish and maintain a service catalog. CC ID 13634 Establish/Maintain Documentation Preventive
    Include a service description in the service catalog. CC ID 13917 Establish/Maintain Documentation Preventive
    Assign unique reference numbers to all services in the service catalog. CC ID 14424
    [The register should include at least the following information for all existing outsourcing arrangements: a reference number for each outsourcing arrangement; 4.11 54(a)]
    Establish/Maintain Documentation Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [{outsourcing arrangements} {time sensitive operation} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether the outsourced critical or important function supports business operations that are time-critical; 4.11 55(j)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: an outcome of the assessment of the service provider's substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function; 4.11 55(h)]
    Establish/Maintain Documentation Preventive
    Categorize services in the service catalog. CC ID 14419 Establish/Maintain Documentation Preventive
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426
    [As a general principle, institutions and payment institutions should not consider the following as outsourcing: a function that is legally required to be performed by a service provider, e.g. statutory audit; 4.3 28(a)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: global network infrastructures (e.g. Visa, MasterCard); 4.3 28(c)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: correspondent banking services; and 4.3 28(f)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution's or payment institution's premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line). 4.3 28(g)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; 4.3 28(d)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: market information services (e.g. provision of data by Bloomberg, Moody's, Standard & Poor's, Fitch); 4.3 28(b)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: global financial messaging infrastructures that are subject to oversight by relevant authorities; 4.3 28(e)]
    Establish/Maintain Documentation Preventive
  • Privacy protection for information and data
    104
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Notify the supervisory authority. CC ID 00472
    [Institutions, without prejudice to Article 19(6) of Directive (EU) 2015/2366, and payment institutions should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important and provide at least the information specified in paragraph 54. 4.11 58
    Institutions and payment institutions should inform competent authorities in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the institutions' or payment institutions' business activities. 4.11 59]
    Behavior Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Establish/Maintain Documentation Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Business Processes Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Communicate Preventive
    Include required information in the approval application. CC ID 16628 Establish/Maintain Documentation Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Business Processes Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Process or Activity Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [Institutions and payment institutions should, upon request, make available to the competent authority all information necessary to enable the competent authority to execute the effective supervision of the institution or the payment institution, including, where required, a copy of the outsourcing agreement. 4.11 57]
    Process or Activity Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Communicate Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Communicate Corrective
    Establish, implement, and maintain a data handling program. CC ID 13427
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022 Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606 Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355 Testing Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Process or Activity Preventive
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Take appropriate action when a data leakage is discovered. CC ID 14716 Process or Activity Corrective
    Include text about data ownership in the data handling policy. CC ID 15720 Data and Information Management Preventive
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535 Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Communicate Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Communicate Preventive
  • Records management
    57
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Determine how long to keep records and logs before disposing them. CC ID 11661 Process or Activity Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [{outsourcing arrangements} Taking into account Title I of these guidelines, and under the conditions set out in paragraph 23(d), for institutions and payment institutions within a group, institutions permanently affiliated to a central body or institutions that are members of the same institutional protection scheme, the register may be kept centrally. 4.11 53]
    Records Management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)]
    Records Management Detective
    Establish, implement, and maintain authorization records. CC ID 14367 Establish/Maintain Documentation Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Establish/Maintain Documentation Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Establish/Maintain Documentation Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369
    [For the outsourcing of critical or important functions, the register should include at least the following additional information: the individual or decision-making body (e.g. the management body) in the institution or the payment institution that approved the outsourcing arrangement; 4.11 55(d)]
    Establish/Maintain Documentation Preventive
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Data and Information Management Detective
    Establish, implement, and maintain electronic health records. CC ID 14436 Data and Information Management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Data and Information Management Preventive
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records Management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Process or Activity Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Establish/Maintain Documentation Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Actionable Reports or Measurements Preventive
    Create export summaries, as necessary. CC ID 14446 Process or Activity Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Data and Information Management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Data and Information Management Preventive
    Identify patient-specific education resources. CC ID 14439 Process or Activity Detective
    Establish and maintain an implantable device list. CC ID 14444 Records Management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Data and Information Management Preventive
    Establish, implement, and maintain decision support interventions. CC ID 14443 Business Processes Preventive
    Include attributes in the decision support intervention. CC ID 16766 Data and Information Management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records Management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records Management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records Management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records Management Preventive
    Log records as being received into the recordkeeping system. CC ID 11696 Records Management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Log Management Preventive
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Log Management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Establish/Maintain Documentation Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Log Management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Log Management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Log Management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Log Management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Log Management Preventive
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Log Management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Log Management Preventive
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Log Management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Log Management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Log Management Preventive
    Log performance monitoring into the recordkeeping system. CC ID 11724 Log Management Preventive
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Log Management Preventive
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Log Management Preventive
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records Management Preventive
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Log Management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Log Management Preventive
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Log Management Preventive
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Log Management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records Management Preventive
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Log Management Preventive
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Log Management Preventive
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Log Management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Data and Information Management Detective
  • Third Party and supply chain oversight
    235
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e)
    When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the approval process of new outsourcing arrangements; 4.7 42(c)(vii)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the renewal processes; 4.7 42(d)(iv)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f)
    Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80
    {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42
    {substitutability} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so ('substitutability'); 4.4 31(h)
    The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)]
    Establish/Maintain Documentation Preventive
    Review and update all contracts, as necessary. CC ID 11612 Establish/Maintain Documentation Preventive
    Terminate supplier relationships, as necessary. CC ID 13489
    [{be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: discontinue the business activities that are depending on the function. 4.6 40(f)(iii)]
    Business Processes Corrective
    Document and maintain supply chain processes. CC ID 08816
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an exit plan. CC ID 15492 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the exit plan. CC ID 15497 Establish/Maintain Documentation Preventive
    Test the exit plan, as necessary. CC ID 15495 Testing Preventive
    Include contingency plans in the third party management plan. CC ID 10030
    [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: business continuity planning in accordance with Section 9; 4.7 42(c)(vi)
    develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106
    {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: reintegrate the function; or 4.6 40(f)(ii)]
    Establish/Maintain Documentation Preventive
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Systems Continuity Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Process or Activity Detective
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Establish/Maintain Documentation Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509
    [The outsourcing agreement for critical or important functions should set out at least: a clear description of the outsourced function to be provided; 4.13 75(a)]
    Establish/Maintain Documentation Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Establish/Maintain Documentation Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543
    [Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
    When outsourcing, institutions and payment institutions should at least ensure that: an appropriate flow of relevant information with service providers is maintained; 4.6 40(e)]
    Establish/Maintain Documentation Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Establish/Maintain Documentation Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Establish/Maintain Documentation Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Establish/Maintain Documentation Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528
    [Where an arrangement with a service provider covers multiple functions, institutions and payment institutions should consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together. 4.3 27]
    Establish/Maintain Documentation Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Establish/Maintain Documentation Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Establish/Maintain Documentation Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f)
    The outsourcing agreement for critical or important functions should set out at least: provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider; 4.13 75(m)
    With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)
    When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)
    {be able} {be necessary} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain, upon request, the information necessary to carry out their supervisory tasks pursuant to Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; 4.12.1 63(c)(i)
    {be able} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain appropriate access to any data, documents, premises or personnel in the third country that are relevant for the performance of their supervisory powers; 4.12.1 63(c)(ii)]
    Business Processes Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Establish/Maintain Documentation Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Establish/Maintain Documentation Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Establish/Maintain Documentation Preventive
    Include the contract duration in third party contracts. CC ID 16221 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a)
    {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institutions' internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)]
    Establish/Maintain Documentation Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Establish/Maintain Documentation Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Establish/Maintain Documentation Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Establish/Maintain Documentation Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    The outsourcing agreement for critical or important functions should set out at least: the parties' financial obligations; 4.13 75(d)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507
    [{access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89
    {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b)
    With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508
    [Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: receive, as soon as possible, information from the supervisory authority in the third country for investigating apparent breaches of the requirements of Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; and 4.12.1 63(c)(iii)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513
    [The outsourcing agreement for critical or important functions should set out at least: the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them; 4.13 75(n)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [When outsourcing, institutions and payment institutions should at least ensure that: appropriate confidentiality arrangements are in place regarding data and other information; 4.6 40(d)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878
    [With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)]
    Establish/Maintain Documentation Preventive
    Include a reporting structure in third party contracts. CC ID 06532
    [The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)]
    Establish/Maintain Documentation Preventive
    Include points of contact in third party contracts. CC ID 12355 Establish/Maintain Documentation Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Establish/Maintain Documentation Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512
    [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
    The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)
    The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)
    {third party audit report} Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: third-party certifications and third-party or internal audit reports, made available by the service provider. 4.13.3 91(b)]
    Establish/Maintain Documentation Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [The outsourcing agreement for critical or important functions should set out at least: the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function, as specified in Section 13.3; 4.13 75(p)
    The outsourcing agreement for critical or important functions should set out at least: the right of the institution or payment institution to monitor the service provider's performance on an ongoing basis; 4.13 75(h)
    Institutions and payment institutions should ensure within the written outsourcing arrangement that the internal audit function is able to review the outsourced function using a risk-based approach. 4.13.3 85
    {access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89
    {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: conduct appropriate audits regarding the outsourced function; 4.4 31(c)(iii)]
    Establish/Maintain Documentation Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)]
    Establish/Maintain Documentation Preventive
    Include training requirements in third party contracts. CC ID 16367 Acquisition/Sale of Assets or Services Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Establish/Maintain Documentation Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521
    [The outsourcing agreement should specify whether or not sub-outsourcing of critical or important functions, or material parts thereof, is permitted. 4.13.1 76
    The outsourcing agreement for critical or important functions should set out at least: whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to; 4.13 75(e)]
    Establish/Maintain Documentation Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify the conditions to be complied with in the case of sub-outsourcing; 4.13.1 78(b)
    Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: comply with all applicable laws, regulatory requirements and contractual obligations; and 4.13.1 79(a)
    Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: grant the institution, payment institution and competent authority the same contractual rights of access and audit as those granted by the service provider. 4.13.1 79(b)]
    Establish/Maintain Documentation Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722
    [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    The outsourcing agreement for critical or important functions should set out at least: the governing law of the agreement; 4.13 75(c)
    Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86]
    Establish/Maintain Documentation Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors); 4.13.4 98(c)
    {refrain from replacing} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement; 4.4 31(g)]
    Establish/Maintain Documentation Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)
    The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)
    The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)]
    Establish/Maintain Documentation Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Establish/Maintain Documentation Preventive
    Include change control notification processes in third party contracts. CC ID 06524
    [institutions and payment institutions should ensure that their management body will be duly informed of relevant planned changes regarding service providers that are monitored centrally and the potential impact of these changes on the critical or important functions provided, including a summary of the risk analysis, including legal risks, compliance with regulatory requirements and the impact on service levels, in order for them to assess the impact of these changes; 4.2 23(b)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)]
    Establish/Maintain Documentation Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Establish/Maintain Documentation Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Establish/Maintain Documentation Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45
    Where outsourcing creates material conflicts of interest, including between entities within the same group or institutional protection scheme, institutions and payment institutions need to take appropriate measures to manage those conflicts of interest. 4.8 46
{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)]
    Establish/Maintain Documentation Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813
    [The outsourcing agreement for critical or important functions should set out at least: for institutions, a clear reference to the national resolution authority's powers, especially to Articles 68 and 71 of Directive 2014/59/EU (BRRD), and in particular a description of the 'substantive obligations' of the contract in the sense of Article 68 of that Directive; 4.13 75(o)]
    Establish/Maintain Documentation Preventive
    Include a termination provision clause in third party contracts. CC ID 01367
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure that the institution or payment institution has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. where the sub-outsourcing materially increases the risks for the institution or payment institution or where the service provider sub-outsources without notifying the institution or payment institution. 4.13.1 78(g)
    The outsourcing agreement for critical or important functions should set out at least: termination rights, as specified in Section 13.4. 4.13 75(q)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: 4.13.4 98
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the termination of outsourcing arrangements; 4.15 106(a)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where instructions are given by the institution's or payment institution's competent authority, e.g. in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the institution or payment institution. 4.13.4 98(e)
    The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: include an obligation of the service provider to support the institution or payment institution in the orderly transfer of the function in the event of the termination of the outsourcing agreement. 4.13.4 99(c)
{ability} {refrain from disrupting} {refrain from limiting} {avoiding} Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of its provision of services to clients. To achieve this, they should: 4.15 107]
    Establish/Maintain Documentation Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526
    [{re-incorporate} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: 4.13.4 99
    identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)
    The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: set an appropriate transition period, during which the service provider, after the termination of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions; and 4.13.4 99(b)]
    Establish/Maintain Documentation Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817
    [The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where the provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions; 4.13.4 98(a)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the failure of the service provider; 4.15 106(b)]
    Establish/Maintain Documentation Preventive
    Include termination costs in third party contracts. CC ID 10023 Establish/Maintain Documentation Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880
    [The outsourcing agreement for critical or important functions should set out at least: whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested; 4.13 75(k)]
    Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{be able} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: cooperate with the relevant supervisory authorities in the third country on enforcement in the case of a breach of the applicable regulatory requirements and national law in the Member State. Cooperation should include, but not necessarily be limited to, receiving information on potential breaches of the applicable regulatory requirements from the supervisory authorities in the third country as soon as is practicable. 4.12.1 63(c)(iv)]
    Establish/Maintain Documentation Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Establish/Maintain Documentation Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Establish/Maintain Documentation Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Testing Detective
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    {data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a)
    When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)]
    Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366
    [Institutions and payment institutions should ensure that service providers, where relevant, comply with appropriate IT security standards. 4.13.2 81
{ensure} {technical measure} Where outsourcing involves the processing of personal or confidential data, institutions and payment institutions should be satisfied that the service provider implements appropriate technical and organisational measures to protect the data. 4.12.3 72
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions. 4.13.3 93(h)]
    Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797
    [{outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)]
    Testing Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Include disclosure requirements in third party contracts. CC ID 08825
    [Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86]
    Business Processes Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059
    [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83]
    Establish/Maintain Documentation Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Establish/Maintain Documentation Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900
    [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: the soundness or continuity of their banking and payment services and activities; 4.4 29(a)(iii)
    In the case of institutions, particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions as defined in Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU and identified by institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778. Functions that are necessary to perform activities of core business lines or critical functions should be considered as critical or important functions for the purpose of these guidelines, unless the institution's assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function. 4.4 30]
    Establish/Maintain Documentation Detective
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d)
    As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52]
    Establish/Maintain Documentation Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429
    [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)
    The register should include at least the following information for all existing outsourcing arrangements: the date of the most recent assessment of the criticality or importance of the outsourced function. 4.11 54(i)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the estimated annual budget cost. 4.11 55(k)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)]
    Establish/Maintain Documentation Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425
    [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)]
    Establish/Maintain Documentation Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420
    [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: identification of alternative service providers in line with point (h); 4.11 55(i)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422
[{electronic format} Institutions and payment institutions should, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof, such as information on all outsourcing arrangements falling under one of the categories referred to in point (d) of paragraph 54 of these guidelines (e.g. all IT outsourcing arrangements). Institutions and payment institutions should provide this information in a processable electronic form (e.g. a commonly used database format, comma separated values). 4.11 56]
    Communicate Preventive
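The register paragraphs 54 to 56 describe are in practice a data structure with a minimum field set, extra fields that become mandatory once a function is flagged critical or important, and an export in a processable form such as CSV. The following is an added example, not part of the EBA text or of this mapping, that encodes those rules: a dataclass per arrangement, a validator that reports which paragraph 54/55 items are missing, and a CSV export of the full register or of one category as paragraph 56 asks. The field names, the category values, the treatment of "where applicable" items as required for critical functions, and the two sample entries (including their identifiers and LEI) are assumptions constructed for the example.

```python
"""Outsourcing register per EBA/GL/2019/02 paragraphs 54-56 (added example; all
field names, category values and sample data are assumptions, not from the text)."""
import csv
import io
from dataclasses import dataclass, field, fields
from datetime import date
from typing import Optional


@dataclass
class Subcontractor:                      # 55(g): name, countries, data location
    name: str
    registered_country: str
    service_country: str
    data_location: Optional[str] = None


@dataclass
class Arrangement:
    # Paragraph 54: minimum content for every arrangement
    reference: str                        # internal reference (assumed field)
    category: str                         # 54(d) category, e.g. "IT" (values assumed)
    service_provider: str                 # 54(e)
    registration_number: str              # 54(e)
    registered_address: str               # 54(e)
    function_description: str             # 54(c)
    personal_data: bool                   # 54(c) yes/no in a separate field
    service_countries: list[str]          # 54(f)
    data_locations: list[str]             # 54(f)
    start_date: date                      # 54(b)
    critical_or_important: bool           # 54(g)
    criticality_assessed_on: date         # 54(i)
    lei: Optional[str] = None             # 54(e), where available
    parent_company: Optional[str] = None  # 54(e)
    end_date: Optional[date] = None       # 54(b)
    notice_period_days: Optional[int] = None      # 54(b)
    criticality_reason: Optional[str] = None      # 54(g)
    cloud_service_model: Optional[str] = None     # 54(h) e.g. IaaS/SaaS
    cloud_deployment_model: Optional[str] = None  # 54(h) public/private/hybrid/community
    # Paragraph 55: additional content for critical or important functions
    risk_assessed_on: Optional[date] = None       # 55(c)
    risk_summary: Optional[str] = None            # 55(c)
    governing_law: Optional[str] = None           # 55(e)
    subcontractors: list[Subcontractor] = field(default_factory=list)  # 55(g)
    alternative_providers: list[str] = field(default_factory=list)     # 55(i)
    annual_budget_cost: Optional[float] = None    # 55(k)


def validate(a: Arrangement) -> list[str]:
    """Return the paragraph 54/55 items that are missing for one entry."""
    findings = []
    if a.end_date is None and a.notice_period_days is None:
        findings.append("54(b): end date or notice period required")
    if not a.service_countries or not a.data_locations:
        findings.append("54(f): service country and data location required")
    if (a.cloud_service_model or a.cloud_deployment_model) and not (
            a.cloud_service_model and a.cloud_deployment_model):
        findings.append("54(h): cloud service and deployment model both required")
    if a.critical_or_important:           # paragraph 55 applies only here
        if not a.criticality_reason:
            findings.append("54(g): reason for criticality required")
        for attr, item in (("risk_assessed_on", "55(c)"), ("governing_law", "55(e)"),
                           ("annual_budget_cost", "55(k)")):
            if getattr(a, attr) is None:
                findings.append(f"{item}: {attr} required for critical or important function")
        for s in a.subcontractors:
            if not (s.name and s.registered_country and s.service_country):
                findings.append(f"55(g): incomplete sub-contractor entry {s.name!r}")
    return findings


def _cell(v) -> str:
    """Flatten a field value into one CSV cell (lists joined with ';')."""
    if isinstance(v, list):
        return ";".join(_cell(x) for x in v)
    if isinstance(v, Subcontractor):
        return f"{v.name}/{v.registered_country}/{v.service_country}/{v.data_location or ''}"
    if isinstance(v, bool):
        return "yes" if v else "no"
    return "" if v is None else str(v)


def to_csv(register: list[Arrangement], category: Optional[str] = None) -> str:
    """Paragraph 56: the full register, or one 54(d) category, as CSV text."""
    rows = [a for a in register if category is None or a.category == category]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(Arrangement)])
    writer.writeheader()
    for a in rows:
        writer.writerow({k: _cell(v) for k, v in vars(a).items()})
    return buf.getvalue()


def sample_register() -> list[Arrangement]:
    """Two constructed entries (not real arrangements): one critical cloud IT
    outsourcing with a sub-contractor, one non-critical print service."""
    core = Arrangement(
        reference="OUT-0001", category="IT", service_provider="Example Cloud Ltd",
        registration_number="12345678", registered_address="Dublin, IE",
        function_description="hosting of core banking ledger, incl. customer data",
        personal_data=True, service_countries=["IE"], data_locations=["IE", "DE"],
        start_date=date(2020, 1, 1), notice_period_days=180,
        critical_or_important=True, criticality_assessed_on=date(2024, 3, 1),
        lei="5299000EXAMPLE000000", criticality_reason="failure would halt payment processing",
        cloud_service_model="IaaS", cloud_deployment_model="public",
        risk_assessed_on=date(2024, 3, 1), risk_summary="residual risk medium",
        governing_law="IE", annual_budget_cost=1_200_000.0,
        subcontractors=[Subcontractor("DC Ops GmbH", "DE", "DE", "DE")],
        alternative_providers=["Other Cloud SA"])
    printing = Arrangement(
        reference="OUT-0002", category="other", service_provider="Print Co",
        registration_number="87654321", registered_address="Lyon, FR",
        function_description="printing of marketing material", personal_data=False,
        service_countries=["FR"], data_locations=["FR"], start_date=date(2023, 6, 1),
        end_date=date(2025, 5, 31), critical_or_important=False,
        criticality_assessed_on=date(2023, 5, 15))
    return [core, printing]
```

Running `validate` over every entry before each review of the register, and again before `to_csv` is used to answer a competent authority's request, catches the common gap of a function being re-flagged as critical without the paragraph 55 information being filled in; the `category` filter on `to_csv` is what lets the institution hand over "all IT outsourcing arrangements" alone, as paragraph 56 allows.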
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430
[The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)]
    Establish/Maintain Documentation Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421
    [The register should include at least the following information for all existing outsourcing arrangements: the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution; 4.11 54(b)]
    Establish/Maintain Documentation Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d)
    The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Establish/Maintain Documentation Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428
    [{be critical} The register should include at least the following information for all existing outsourcing arrangements: whether or not (yes/no) the outsourced function is considered critical or important, including, where applicable, a brief summary of the reasons why the outsourced function is considered critical or important; 4.11 54(g)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)]
    Establish/Maintain Documentation Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427
    [The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Establish/Maintain Documentation Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423
    [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)
    The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the governing law of the outsourcing agreement; 4.11 55(e)
    The register should include at least the following information for all existing outsourcing arrangements: the country or countries where the service is to be performed, including the location (i.e. country or region) of the data; 4.11 54(f)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Establish/Maintain Documentation Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Business Processes Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Establish/Maintain Documentation Preventive
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Establish/Maintain Documentation Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Physical and Environmental Protection Preventive
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Establish/Maintain Documentation Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838
    [The outsourcing agreement for critical or important functions should set out at least: the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met; 4.13 75(i)
    The rights and obligations of the institution, the payment institution and the service provider should be clearly allocated and set out in a written agreement. 4.13 74]
    Process or Activity Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842
    [When developing exit strategies, institutions and payment institutions should: define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under Section 14), including indicators based on unacceptable service levels that should trigger the exit. 4.15 108(e)
    allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)]
    Establish/Maintain Documentation Detective
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Establish Roles Preventive
    Approve all Service Level Agreements. CC ID 00843 Establish/Maintain Documentation Detective
    Track all chargeable items in Service Level Agreements. CC ID 11616 Business Processes Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Establish/Maintain Documentation Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Business Processes Corrective
    Categorize all suppliers in the supply chain management program. CC ID 00792
    [The outsourcing policy should differentiate between the following: intragroup outsourcing arrangements, outsourcing arrangements within the same institutional protection scheme (including entities fully owned individually or collectively by institutions within the institutional protection scheme) and outsourcing to entities outside the group; and 4.7 43(c)
    The outsourcing policy should differentiate between the following: outsourcing to service providers located within a Member State and third countries. 4.7 43(d)
    Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself. 4.3 26
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing; 4.11 55(a)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme; 4.11 55(b)
    The register should include at least the following information for all existing outsourcing arrangements: a category assigned by the institution or payment institution that reflects the nature of the function as described under point (c) (e.g. information technology (IT), control function), which should facilitate the identification of different types of arrangements; 4.11 54(d)]
    Establish/Maintain Documentation Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    where operational tasks of internal control functions are outsourced (e.g. in the case of intragroup outsourcing or outsourcing within institutional protection schemes), exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions; and 4.6 39(c)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: operational risk, including conduct, information and communication technology (ICT) and legal risks; 4.4 31(b)(iii)]
    Establish/Maintain Documentation Preventive
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: 4.4 31
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: all outsourcing arrangements, the institution's or payment institution's aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area; 4.4 31(e)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Testing Detective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Business Processes Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025
    [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: 4.12.2 66
    {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their financial performance; or 4.4 29(a)(ii)]
    Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Establish/Maintain Documentation Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158
    [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102]
    Audits and Risk Management Detective
    Establish, implement, and maintain a supply chain management policy. CC ID 08808
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)]
    Establish/Maintain Documentation Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397
    [Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73]
    Business Processes Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Human Resources Management Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Establish/Maintain Documentation Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132 Establish/Maintain Documentation Preventive
    Select suppliers based on their qualifications. CC ID 00795 Establish/Maintain Documentation Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133
    [When functions are provided by a service provider that is part of a group or a member of an institutional protection scheme or that is owned by the institution, payment institution, group or institutions that are members of an institutional protection scheme, the conditions, including financial conditions, for the outsourced service should be set at arm's length. However, within the pricing of services synergies resulting from providing the same or similar services to several institutions within a group or an institutional protection scheme may be factored in, as long as the service provider remains viable on a stand-alone basis; within a group this should be irrespective of the failure of any other group entity. 4.8 47]
    Establish/Maintain Documentation Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    {not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)
    {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Establish/Maintain Documentation Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812
    [Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Communicate Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Establish/Maintain Documentation Preventive
    Support third parties in building their capabilities. CC ID 08814 Business Processes Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Business Processes Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Business Processes Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818
    [{selection process} Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable. 4.12.3 69
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Business Processes Preventive
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Establish/Maintain Documentation Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Establish/Maintain Documentation Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Establish/Maintain Documentation Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Establish/Maintain Documentation Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Establish/Maintain Documentation Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Establish/Maintain Documentation Preventive
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Data and Information Management Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Establish/Maintain Documentation Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Establish/Maintain Documentation Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Establish/Maintain Documentation Preventive
    Identify supply sources for secondary materials. CC ID 08822 Business Processes Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Business Processes Preventive
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)]
    Business Processes Preventive
    Provide management support for third party due diligence. CC ID 08847 Business Processes Preventive
    Commit to the supply chain due diligence process. CC ID 08849 Business Processes Preventive
    Structure the organization to support supply chain due diligence. CC ID 08850 Business Processes Preventive
    Schedule supply chain audits, as necessary. CC ID 10015
    [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the dates of the most recent and next scheduled audits, where applicable; 4.11 55(f)]
    Audits and Risk Management Preventive
    Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851
    [where those institutions or payment institutions have outsourcing arrangements with service providers within the group or the institutional protection scheme, the management body of those institutions or payment institutions retains, also for these outsourcing arrangements, full responsibility for compliance with all regulatory requirements and the effective application of these guidelines; 4.2 22(a)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Business Processes Preventive
    Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 Business Processes Preventive
    Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 Establish/Maintain Documentation Preventive
    Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 Business Processes Preventive
    Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 Business Processes Preventive
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 Business Processes Preventive
    Develop and implement supply chain due diligence capability training program. CC ID 08862 Business Processes Preventive
    Determine if additional supply chain due diligence processes are required. CC ID 08863 Business Processes Preventive
    Review transaction files for compliance with the supply chain audit standard. CC ID 08864 Establish/Maintain Documentation Preventive
    Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 Establish/Maintain Documentation Preventive
    Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)]
    Business Processes Preventive
    Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 Business Processes Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: due diligence checks on prospective service providers, including the measures required under Section 12.3; 4.7 42(c)(iv)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: undertake appropriate due diligence on the prospective service provider in accordance with Section 12.3; 4.12 61(d)
    {financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)]
    Business Processes Preventive
    Identify all service providers in the supply chain. CC ID 12213
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)]
    Business Processes Preventive
    Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 Business Processes Detective
    Assess third parties' relevant experience during due diligence. CC ID 12070
    [{be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Business Processes Detective
    Assess third parties' legal risks to the organization during due diligence. CC ID 12078
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    {legal requirement} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: comply with all legal and regulatory requirements; 4.4 31(c)(ii)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the laws in force, including laws on data protection; 4.12.2 68(d)(i)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the law enforcement provisions in place; and 4.12.2 68(d)(ii)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)]
    Business Processes Detective
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{takeover} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: in the case of significant institutions, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and 4.12.2 66(c)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: business continuity and operational resilience; 4.4 31(b)(ii)
    {recovery planning} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation; 4.4 31(b)(v)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)]
    Business Processes Detective
    Review third parties' backup policies. CC ID 13043 Systems Continuity Detective
    Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076
    [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with Regulation (EU) 2016/679. 4.4 31(j)]
    Business Processes Detective
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [{be the same} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: multiple outsourcing arrangements with the same service provider or closely connected service providers; 4.12.2 66(a)(ii)
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact on the services provided to its clients; 4.4 31(d)
    Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is otherwise allowed to carry out those banking activities or payment services in accordance with the relevant national legal framework. 4.12.1 62(b)]
    Business Processes Detective
    Assess third parties' financial stability during due diligence. CC ID 12066
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether the service provider is a parent undertaking or subsidiary of the institution or payment institution, is part of the accounting scope of consolidation of the institution or is a member of or is owned by institutions that are members of the same institutional protection scheme to which the institution belongs; 4.12.3 71(c)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses; 4.4 31(b)(i)]
    Business Processes Detective
    Assess third parties' use of subcontractors during due diligence. CC ID 12073
    [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider; 4.12.2 67(a)
    Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73]
    Business Processes Detective
    Assess third parties' insurance coverage during due diligence. CC ID 12072 Business Processes Detective
    Assess the third parties' reputation during due diligence. CC ID 12068
    [Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: the long-term relationships with service providers that have already been assessed and perform services for the institution or payment institution; 4.12.3 71(b)
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: reputational risks; 4.4 31(b)(iv)]
    Business Processes Detective
    Assess any litigation case files against third parties during due diligence. CC ID 12071 Business Processes Detective
    Assess complaints against third parties during due diligence. CC ID 12069 Business Processes Detective
    Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 Business Processes Preventive
    Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 Business Processes Preventive
    Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 Business Processes Preventive
    Determine if suppliers can meet the organization's production requirements. CC ID 11559 Business Processes Preventive
    Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 Business Processes Preventive
    Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 Business Processes Preventive
    Include a provision in outsourcing contracts that requires that supply chain members' security requirements comply with organizational security requirements. CC ID 00359
    [{confidential information} {personal information} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and 4.13.4 98(d)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Testing Detective
    Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353
    [{data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82
    {confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    {confidentiality, integrity, security and availability} The outsourcing agreement for critical or important functions should set out at least: where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2; 4.13 75(g)]
    Establish/Maintain Documentation Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134
    [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the supervisory conditions for outsourcing set out in Section 12.1 are met; 4.12 61(b)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)
    Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether or not the service provider is supervised by competent authorities. 4.12.3 71(d)]
    Process or Activity Detective
    Document that supply chain members investigate security events. CC ID 13348 Investigate Detective
    Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064
    [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii)
    {be responsible} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: there is an appropriate cooperation agreement, e.g. in the form of a memorandum of understanding or college agreement, between the competent authorities responsible for the supervision of the institution and the supervisory authorities responsible for the supervision of the service provider; and 4.12.1 63(b)]
    Process or Activity Detective
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 Establish/Maintain Documentation Detective
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Communicate Preventive
    Include the audit scope in the third party external audit report. CC ID 13138
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)]
    Establish/Maintain Documentation Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Establish/Maintain Documentation Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065
    [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; 4.4 29(a)(i)]
    Establish/Maintain Documentation Detective
    Request attestation of compliance from third parties. CC ID 12067
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)]
    Establish/Maintain Documentation Detective
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 Business Processes Detective
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Business Processes Preventive
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 Business Processes Detective
    Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 Technical Security Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    {data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)
    {third-party certifications} {third-party audit report} {are current} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete; 4.13.3 93(c)]
    Business Processes Preventive
    Determine third party compliance with third party contracts. CC ID 08866 Business Processes Preventive
    Quarantine non-compliant material. CC ID 08867 Business Processes Preventive
    Refrain from quarantining conflict-free materials. CC ID 08868 Business Processes Preventive
    Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 Business Processes Preventive
    Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856
    [where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Business Processes Preventive
    Establish and maintain a supply chain due diligence report. CC ID 08824 Business Processes Preventive
    Submit the supply chain due diligence report. CC ID 08828 Business Processes Preventive
    Include supply chain risk assessment reports in the supply chain due diligence report. CC ID 08835
    [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102]
    Business Processes Preventive
    Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837
    [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)]
    Business Processes Preventive
    Include supplier agreement terminations in the supply chain due diligence report. CC ID 08845
    [As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52]
    Business Processes Preventive
    Establish, implement, and maintain third party reporting requirements. CC ID 13289
    [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
    ensuring that they receive appropriate reports from service providers; 4.14 104(a)]
    Establish/Maintain Documentation Preventive
    Define timeliness factors for third party reporting requirements. CC ID 13304 Establish/Maintain Documentation Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [{outsourcing policy} {ongoing basis} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the ongoing assessment of the service provider's performance in line with Section 14; 4.7 42(d)(i)
    evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and 4.14 104(b)
    {performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104
    {audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: 4.4 31(b)]
    Business Processes Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [where those institutions or payment institutions outsource the operational tasks of internal control functions to a service provider within the group or the institutional protection scheme, for the monitoring and auditing of outsourcing arrangements, institutions should ensure that, also for these outsourcing arrangements, those operational tasks are effectively performed, including through the receiving of appropriate reports. 4.2 22(b)
    where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
    Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101
    Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80
    Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)
    With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)
    {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35
    Institutions and payment institutions should appropriately document the assessments made under Title IV and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk assessment). 4.11 60]
    Monitor and Evaluate Occurrences Detective
    Monitor third parties' financial conditions. CC ID 13170 Monitor and Evaluate Occurrences Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Business Processes Preventive
    Identify red flags in the supply chain. CC ID 08873 Business Processes Preventive
    Detect red flags in the supply chain. CC ID 08874 Business Processes Preventive
    Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 Business Processes Preventive
    Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 Business Processes Preventive
    Establish and maintain an interactive map of third party red flag locations. CC ID 08876 Business Processes Preventive
    Collect information on red-flagged supply chains. CC ID 08877 Business Processes Preventive
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Establish/Maintain Documentation Preventive
    Include performance standards in outsourcing contracts. CC ID 13140
    [{be capable} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where impediments capable of altering the performance of the outsourced function are identified; 4.13.4 98(b)]
    Establish/Maintain Documentation Preventive
    Include the organization approving subcontractors in the outsourcing contract. CC ID 13131
    [{specific written authorisation} If sub-outsourcing of critical or important functions is permitted, the written agreement should: require the service provider to obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data; 4.13.1 78(d)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required; 4.13.1 78(f)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify any types of activities that are excluded from sub-outsourcing; 4.13.1 78(a)]
    Establish/Maintain Documentation Preventive
    Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify that the service provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the service provider and the institution or payment institution are continuously met; 4.13.1 78(c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Business Processes Preventive
    Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879
    [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them. 4.12.2 67(b)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Business Processes Preventive
    Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919
    [{site visit} Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective. 4.13.3 95]
    Business Processes Preventive
    Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 Behavior Preventive
    Create an on-site mine visit report. CC ID 08921 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information security controls for the supply chain. CC ID 13109
    [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83]
    Establish/Maintain Documentation Preventive
Common Controls and mandates by Type
203 Mandated Controls - bold
70 Implied Controls - italic
1482 Implementation Controls - regular

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1755 Total
  • Acquisition/Sale of Assets or Services
    6
    KEY:    Primary Verb    Primary Noun    Secondary Verb    Secondary Noun    Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular    IMPACT ZONE    CLASS
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Corrective
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)
    have sufficient resources and capacities to ensure compliance with points (a) to (c). 4.6 39(d)]
    Operational management Preventive
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition or sale of facilities, technology, and services Preventive
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Preventive
  • Actionable Reports or Measurements
    146
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Detective
    Report on the policies and controls that have been implemented by management. CC ID 01670 Monitoring and measurement Detective
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Detective
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Detective
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Detective
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Monitoring and measurement Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Monitoring and measurement Detective
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Monitoring and measurement Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Monitoring and measurement Detective
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Detective
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Monitoring and measurement Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Detective
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Detective
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Detective
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Detective
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Monitoring and measurement Preventive
    Establish, implement, and maintain waste management metrics. CC ID 16152 Monitoring and measurement Preventive
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Monitoring and measurement Preventive
    Establish, implement, and maintain financial management metrics. CC ID 16749 Monitoring and measurement Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Detective
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Detective
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Detective
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 Monitoring and measurement Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Detective
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Detective
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Detective
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Detective
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Corrective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [{be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Operational and Systems Continuity Preventive
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Corrective
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Preventive
  • Audits and Risk Management
    KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular. Columns: IMPACT ZONE, CLASS.
    Verify segmentation controls are operational and effective. CC ID 12545 Monitoring and measurement Detective
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97]
    Audits and risk management Preventive
    Review the external auditor's qualifications. CC ID 01197
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, reperformance/verification of the evidence in the underlying audit file); 4.13.3 93(e)]
    Audits and risk management Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Detective
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Detective
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Audit policies, standards, and procedures. CC ID 12927
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions; 4.10 51(b)]
    Audits and risk management Preventive
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Detective
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88]
    Audits and risk management Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Preventive
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Detective
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate involvement of governance bodies; and 4.10 51(d)]
    Audits and risk management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)
    With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Audits and risk management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Detective
    Address past incidents in the risk assessment program. CC ID 12743 Audits and risk management Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Audits and risk management Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Preventive
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)]
    Audits and risk management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147
    [{outsourced services} {outsourced activities} When developing exit strategies, institutions and payment institutions should: perform a business impact analysis that is commensurate with the risk of the outsourced processes, services or activities, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take; 4.15 108(b)]
    Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the aggregated risks resulting from outsourcing several functions across the institution or payment institution and, in the case of groups of institutions or institutional protection schemes, the aggregated risks on a consolidated basis or on the basis of the institutional protection scheme; 4.12.2 66(b)]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the consequences of where the service provider is located (within or outside the EU); 4.12.2 68(c)]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: 4.12.2 66(a)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the size and complexity of any business area affected; 4.4 31(f)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: 4.12.2 68(d)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and risk management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and risk management Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Operational and Systems Continuity Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158
    [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102]
    Third Party and supply chain oversight Detective
    Schedule supply chain audits, as necessary. CC ID 10015
    [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the dates of the most recent and next scheduled audits, where applicable; 4.11 55(f)]
    Third Party and supply chain oversight Preventive
  • Behavior
    28
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Leadership and high level objectives Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Leadership and high level objectives Preventive
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Preventive
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Monitoring and measurement Corrective
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [When performing audits in multi-client environments, care should be taken to ensure that risks to another client's environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated. 4.13.3 96]
    Audits and risk management Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Preventive
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Audits and risk management Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Preventive
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 Operational and Systems Continuity Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Preventive
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Operational management Preventive
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 Acquisition or sale of facilities, technology, and services Preventive
    Notify the supervisory authority. CC ID 00472
    [Institutions, without prejudice to Article 19(6) of Directive (EU) 2015/2366, and payment institutions should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important and provide at least the information specified in paragraph 54. 4.11 58
    Institutions and payment institutions should inform competent authorities in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the institutions' or payment institutions' business activities. 4.11 59]
    Privacy protection for information and data Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
    Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 Third Party and supply chain oversight Preventive
  • Business Processes
    188
    Analyze the business environment in which the organization operates. CC ID 12798 Leadership and high level objectives Preventive
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Leadership and high level objectives Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Leadership and high level objectives Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Leadership and high level objectives Preventive
    Include society in the analysis of the external environment. CC ID 12963 Leadership and high level objectives Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Leadership and high level objectives Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Leadership and high level objectives Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Leadership and high level objectives Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Leadership and high level objectives Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Leadership and high level objectives Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Leadership and high level objectives Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Preventive
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 Leadership and high level objectives Preventive
    Enforce a continuous Quality Control system. CC ID 01005
    [{performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104]
    Leadership and high level objectives Detective
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Corrective
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Detective
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Detective
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Leadership and high level objectives Preventive
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Leadership and high level objectives Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Leadership and high level objectives Preventive
    Align the reporting methodology with the decision management strategy. CC ID 15659 Leadership and high level objectives Preventive
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Monitoring and measurement Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Preventive
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Preventive
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Preventive
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Preventive
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Preventive
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Preventive
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Preventive
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Preventive
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Preventive
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Preventive
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Preventive
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Preventive
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Corrective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659 Audits and risk management Preventive
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903
    [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the measures implemented by the institution or payment institution and by the service provider to manage and mitigate the risks. 4.12.2 66(d)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Audits and risk management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774 Audits and risk management Preventive
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Preventive
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Preventive
    Define the scope for the internal control framework. CC ID 16325 Operational management Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Detective
    Assign resources to implement the internal control framework. CC ID 00816 Operational management Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Operational management Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [{be adequate} In accordance with Article 109(2) of Directive 2013/36/EU, these guidelines should also apply on a sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation. For this purpose, the EU parent undertakings or the parent undertaking in a Member State should ensure that internal governance arrangements, processes and mechanisms in their subsidiaries, including payment institutions, are consistent, well integrated and adequate for the effective application of these guidelines at all relevant levels. 4.2 21]
    Operational management Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Preventive
    Establish, implement, and maintain a Service Management System. CC ID 13889 Operational management Preventive
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Preventive
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538
    [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised; 4.4 31(a)
    {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority, as referred to in Section 12.1. 4.4 29(c)
    {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)
    Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is authorised or registered by a competent authority to perform such banking activities or payment services; or 4.12.1 62(a)]
    Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain payment systems. CC ID 13539 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Preventive
    Define risk levels for Automated Clearing House activities, as necessary. CC ID 13542 Acquisition or sale of facilities, technology, and services Preventive
    Determine Automated Clearing House exposure limits, as necessary. CC ID 13549 Acquisition or sale of facilities, technology, and services Preventive
    Adjust the originator's activity levels to match Automated Clearing House exposure limits, as necessary. CC ID 13565 Acquisition or sale of facilities, technology, and services Corrective
    Adjust the originator's credit rating to match Automated Clearing House exposure limits, as necessary. CC ID 13564 Acquisition or sale of facilities, technology, and services Corrective
    Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 Acquisition or sale of facilities, technology, and services Preventive
    Restrict transaction activities, as necessary. CC ID 16334 Acquisition or sale of facilities, technology, and services Preventive
    Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 Acquisition or sale of facilities, technology, and services Preventive
    Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 Acquisition or sale of facilities, technology, and services Preventive
    Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 Acquisition or sale of facilities, technology, and services Preventive
    Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 Acquisition or sale of facilities, technology, and services Preventive
    Protect the integrity of application service transactions. CC ID 12017 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 Acquisition or sale of facilities, technology, and services Preventive
    Bill and settle electronic commerce transactions. CC ID 08622 Acquisition or sale of facilities, technology, and services Preventive
    Deliver incoming and outgoing electronic commerce transactions and messages to the correct Internet Protocol address. CC ID 08620 Acquisition or sale of facilities, technology, and services Preventive
    Use a risk-based approach to following up situations where customer notifications regarding electronic commerce transactions cannot be delivered. CC ID 13663 Acquisition or sale of facilities, technology, and services Corrective
    Disseminate and communicate transaction exceptions to consumers. CC ID 08619 Acquisition or sale of facilities, technology, and services Preventive
    Correct billing and settlement errors. CC ID 08623 Acquisition or sale of facilities, technology, and services Corrective
    Withhold payment and settlement functions, as necessary. CC ID 15460 Acquisition or sale of facilities, technology, and services Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Preventive
    Terminate supplier relationships, as necessary. CC ID 13489
    [{be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: discontinue the business activities that are depending on the function. 4.6 40(f)(iii)]
    Third Party and supply chain oversight Corrective
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f)
    The outsourcing agreement for critical or important functions should set out at least: provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider; 4.13 75(m)
    With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)
    When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)
    {be able} {be necessary} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain, upon request, the information necessary to carry out their supervisory tasks pursuant to Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; 4.12.1 63(c)(i)
    {be able} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain appropriate access to any data, documents, premises or personnel in the third country that are relevant for the performance of their supervisory powers; 4.12.1 63(c)(ii)]
    Third Party and supply chain oversight Preventive
    Include disclosure requirements in third party contracts. CC ID 08825
    [Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86]
    Third Party and supply chain oversight Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Preventive
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Corrective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Third Party and supply chain oversight Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397
    [Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73]
    Third Party and supply chain oversight Preventive
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818
    [{selection process} Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable. 4.12.3 69
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Third Party and supply chain oversight Preventive
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)]
    Third Party and supply chain oversight Preventive
    Provide management support for third party due diligence. CC ID 08847 Third Party and supply chain oversight Preventive
    Commit to the supply chain due diligence process. CC ID 08849 Third Party and supply chain oversight Preventive
    Structure the organization to support supply chain due diligence. CC ID 08850 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851
[where those institutions or payment institutions have outsourcing arrangements with service providers within the group or the institutional protection scheme, the management body of those institutions or payment institutions retains, also for these outsourcing arrangements, full responsibility for compliance with all regulatory requirements and the effective application of these guidelines; 4.2 22(a)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 Third Party and supply chain oversight Preventive
    Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 Third Party and supply chain oversight Preventive
    Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 Third Party and supply chain oversight Preventive
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 Third Party and supply chain oversight Preventive
    Develop and implement supply chain due diligence capability training program. CC ID 08862 Third Party and supply chain oversight Preventive
    Determine if additional supply chain due diligence processes are required. CC ID 08863 Third Party and supply chain oversight Preventive
    Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)]
    Third Party and supply chain oversight Preventive
    Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 Third Party and supply chain oversight Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: due diligence checks on prospective service providers, including the measures required under Section 12.3; 4.7 42(c)(iv)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: undertake appropriate due diligence on the prospective service provider in accordance with Section 12.3; 4.12 61(d)
    {financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)]
    Third Party and supply chain oversight Preventive
    Identify all service providers in the supply chain. CC ID 12213
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 Third Party and supply chain oversight Detective
    Assess third parties' relevant experience during due diligence. CC ID 12070
    [{be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Third Party and supply chain oversight Detective
    Assess third parties' legal risks to the organization during due diligence. CC ID 12078
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    {legal requirement} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: comply with all legal and regulatory requirements; 4.4 31(c)(ii)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the laws in force, including laws on data protection; 4.12.2 68(d)(i)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the law enforcement provisions in place; and 4.12.2 68(d)(ii)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)]
    Third Party and supply chain oversight Detective
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{takeover} Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: in the case of significant institutions, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and 4.12.2 66(c)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: business continuity and operational resilience; 4.4 31(b)(ii)
    {recovery planning} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation; 4.4 31(b)(v)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)]
    Third Party and supply chain oversight Detective
    Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076
    [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with Regulation (EU) 2016/679. 4.4 31(j)]
    Third Party and supply chain oversight Detective
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [{be the same} Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: multiple outsourcing arrangements with the same service provider or closely connected service providers; 4.12.2 66(a)(ii)
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact on the services provided to its clients; 4.4 31(d)
    Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is otherwise allowed to carry out those banking activities or payment services in accordance with the relevant national legal framework. 4.12.1 62(b)]
    Third Party and supply chain oversight Detective
    Assess third parties' financial stability during due diligence. CC ID 12066
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether the service provider is a parent undertaking or subsidiary of the institution or payment institution, is part of the accounting scope of consolidation of the institution or is a member of or is owned by institutions that are members of the same institutional protection scheme to which the institution belongs; 4.12.3 71(c)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses; 4.4 31(b)(i)]
    Third Party and supply chain oversight Detective
    Assess third parties' use of subcontractors during due diligence. CC ID 12073
    [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider; 4.12.2 67(a)
    Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73]
    Third Party and supply chain oversight Detective
    Assess third parties' insurance coverage during due diligence. CC ID 12072 Third Party and supply chain oversight Detective
    Assess the third parties' reputation during due diligence. CC ID 12068
    [Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: the long-term relationships with service providers that have already been assessed and perform services for the institution or payment institution; 4.12.3 71(b)
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: reputational risks; 4.4 31(b)(iv)]
    Third Party and supply chain oversight Detective
    Assess any litigation case files against third parties during due diligence. CC ID 12071 Third Party and supply chain oversight Detective
    Assess complaints against third parties during due diligence. CC ID 12069 Third Party and supply chain oversight Detective
    Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 Third Party and supply chain oversight Preventive
    Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 Third Party and supply chain oversight Preventive
    Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 Third Party and supply chain oversight Preventive
    Determine if suppliers can meet the organization's production requirements. CC ID 11559 Third Party and supply chain oversight Preventive
    Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 Third Party and supply chain oversight Preventive
    Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 Third Party and supply chain oversight Preventive
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 Third Party and supply chain oversight Detective
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Third Party and supply chain oversight Preventive
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 Third Party and supply chain oversight Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    {data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)
    {third-party certifications} {third-party audit report} {are current} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete; 4.13.3 93(c)]
    Third Party and supply chain oversight Preventive
    Determine third party compliance with third party contracts. CC ID 08866 Third Party and supply chain oversight Preventive
    Quarantine non-compliant material. CC ID 08867 Third Party and supply chain oversight Preventive
    Refrain from quarantining conflict-free materials. CC ID 08868 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 Third Party and supply chain oversight Preventive
    Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856
    [where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Third Party and supply chain oversight Preventive
    Establish and maintain a supply chain due diligence report. CC ID 08824 Third Party and supply chain oversight Preventive
    Submit the supply chain due diligence report. CC ID 08828 Third Party and supply chain oversight Preventive
    Include supply chain risk assessment reports in the supply chain due diligence report. CC ID 08835
[Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102]
    Third Party and supply chain oversight Preventive
    Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837
    [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)]
    Third Party and supply chain oversight Preventive
    Include supplier agreement terminations in the supply chain due diligence report. CC ID 08845
    [As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52]
    Third Party and supply chain oversight Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [{outsourcing policy} {ongoing basis} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the ongoing assessment of the service provider's performance in line with Section 14; 4.7 42(d)(i)
    evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and 4.14 104(b)
    {performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104
    {audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: 4.4 31(b)]
    Third Party and supply chain oversight Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Third Party and supply chain oversight Preventive
    Identify red flags in the supply chain. CC ID 08873 Third Party and supply chain oversight Preventive
    Detect red flags in the supply chain. CC ID 08874 Third Party and supply chain oversight Preventive
    Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 Third Party and supply chain oversight Preventive
    Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 Third Party and supply chain oversight Preventive
    Establish and maintain an interactive map of third party red flag locations. CC ID 08876 Third Party and supply chain oversight Preventive
    Collect information on red-flagged supply chains. CC ID 08877 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879
    [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them. 4.12.2 67(b)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919
    [{site visit} Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective. 4.13.3 95]
    Third Party and supply chain oversight Preventive
  • Communicate
    53
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Preventive
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Preventive
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Corrective
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Leadership and high level objectives Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Preventive
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Preventive
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Preventive
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Preventive
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Operational management Preventive
    Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 Acquisition or sale of facilities, technology, and services Preventive
    Notify affected parties after successful card-not-present transactions. CC ID 13668 Acquisition or sale of facilities, technology, and services Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Corrective
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422
    [{electronic format} Institutions and payment institutions should, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof, such as information on all outsourcing arrangements falling under one of the categories referred to in point (d) of paragraph 54 of these guidelines (e.g. all IT outsourcing arrangements). Institutions and payment institutions should provide this information in a processable electronic form (e.g. a commonly used database format, comma separated values). 4.11 56]
    Third Party and supply chain oversight Preventive
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Third Party and supply chain oversight Preventive
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Preventive
  • Configuration
    8
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Preventive
    Automate threat assessments, as necessary. CC ID 06877 Operational management Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Preventive
    Employ Remote Deposit Capture systems, as necessary. CC ID 13570 Acquisition or sale of facilities, technology, and services Preventive
    Encrypt electronic commerce transactions and messages. CC ID 08621 Acquisition or sale of facilities, technology, and services Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
  • Data and Information Management
    73
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Preventive
    Define the scope of the security policy. CC ID 07145 Leadership and high level objectives Preventive
    Address Information Security during the business planning processes. CC ID 06495 Leadership and high level objectives Preventive
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Preventive
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Detective
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Records management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Records management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Records management Preventive
    Include attributes in the decision support intervention. CC ID 16766 Records management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Detective
    Include required information in electronic commerce transactions and messages. CC ID 15318 Acquisition or sale of facilities, technology, and services Preventive
    Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 Acquisition or sale of facilities, technology, and services Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Limit data leakage. CC ID 00356 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535 Privacy protection for information and data Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Preventive
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Detective
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Preventive
  • Establish Roles
    36
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Leadership and high level objectives Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765
    [meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Leadership and high level objectives Detective
    Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 Leadership and high level objectives Preventive
    Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 Leadership and high level objectives Preventive
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 Leadership and high level objectives Preventive
    Involve the Board of Directors or senior management in Information Governance. CC ID 00609 Leadership and high level objectives Preventive
    Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 Leadership and high level objectives Preventive
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Preventive
    Assign the audit to impartial auditors. CC ID 07118 Audits and risk management Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Preventive
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [{be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Audits and risk management Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)]
    Human Resources management Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Human Resources management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Human Resources management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Human Resources management Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Human Resources management Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Human Resources management Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Human Resources management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Human Resources management Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Human Resources management Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Human Resources management Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Human Resources management Preventive
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Human Resources management Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Human Resources management Preventive
    Assign a contact person to all business units. CC ID 07144 Human Resources management Preventive
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Preventive
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Preventive
  • Establish/Maintain Documentation
    768
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Leadership and high level objectives Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [When developing exit strategies, institutions and payment institutions should: define the objectives of the exit strategy; 4.15 108(a)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Preventive
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Preventive
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Leadership and high level objectives Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Preventive
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Detective
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Preventive
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Preventive
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Leadership and high level objectives Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Leadership and high level objectives Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701
    [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Leadership and high level objectives Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Preventive
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Preventive
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Preventive
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Preventive
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Preventive
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Preventive
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Leadership and high level objectives Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Preventive
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Preventive
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [Institutions and payment institutions should maintain at all times sufficient substance and not become 'empty shells' or 'letter-box entities'. To this end, they should: 4.6 39]
    Leadership and high level objectives Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Preventive
    Correlate Information Systems with applicable controls. CC ID 01621 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the setting of the institution's or payment institution's strategies and policies (e.g. the business model, the risk appetite, the risk management framework); 4.6 36(d)]
    Leadership and high level objectives Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41]
    Leadership and high level objectives Preventive
    Include the effective date on all organizational policies. CC ID 06820 Leadership and high level objectives Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Detective
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Leadership and high level objectives Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Leadership and high level objectives Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Leadership and high level objectives Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Leadership and high level objectives Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)
    allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)
    clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)]
    Leadership and high level objectives Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Detective
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Preventive
    Align the Authority Document list with external requirements. CC ID 06288 Leadership and high level objectives Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Leadership and high level objectives Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Leadership and high level objectives Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Preventive
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 Leadership and high level objectives Detective
    Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 Leadership and high level objectives Preventive
    Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 Leadership and high level objectives Detective
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Leadership and high level objectives Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: 4.7 42(c)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Leadership and high level objectives Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Leadership and high level objectives Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Leadership and high level objectives Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951
    [{Authority Document} When applying the principle of proportionality, institutions, payment institutions and competent authorities should take into account the criteria specified in Title I of the EBA Guidelines on internal governance in line with Article 74(2) of Directive 2013/36/EU. 4.1 20]
    Leadership and high level objectives Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)]
    Leadership and high level objectives Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Leadership and high level objectives Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938 Leadership and high level objectives Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Leadership and high level objectives Detective
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Leadership and high level objectives Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Preventive
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Preventive
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Preventive
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656 Monitoring and measurement Preventive
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499 Monitoring and measurement Preventive
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Monitoring and measurement Preventive
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Monitoring and measurement Preventive
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Monitoring and measurement Preventive
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Monitoring and measurement Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Monitoring and measurement Preventive
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Monitoring and measurement Preventive
    Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 Monitoring and measurement Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Monitoring and measurement Preventive
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Monitoring and measurement Preventive
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Monitoring and measurement Preventive
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Preventive
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Monitoring and measurement Preventive
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Monitoring and measurement Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Monitoring and measurement Preventive
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Monitoring and measurement Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Preventive
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 [{third party audit report} {are sufficient} For the outsourcing of critical or important functions, institutions and payment institutions should assess whether third-party certifications and reports as referred to in paragraph 91(b) are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. 4.13.3 92] Audits and risk management Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50] Audits and risk management Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Preventive
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Preventive
    Establish and maintain audit terms. CC ID 13880 [{third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)] Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] Audits and risk management Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Preventive
    Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 Audits and risk management Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Preventive
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that key systems and controls are covered in future versions of the certification or audit report; 4.13.3 93(d); {access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] Audits and risk management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Preventive
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Audits and risk management Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Preventive
    Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 Audits and risk management Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Corrective
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Audits and risk management Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Preventive
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Preventive
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Preventive
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Preventive
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Preventive
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Preventive
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Detective
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Preventive
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Preventive
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Preventive
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Preventive
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Detective
    Review past audit reports. CC ID 01155 Audits and risk management Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Detective
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Corrective
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Preventive
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Audits and risk management Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Corrective
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Detective
    Accept the audit report. CC ID 07025 Audits and risk management Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Corrective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Preventive
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Preventive
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Preventive
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Audits and risk management Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Audits and risk management Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Audits and risk management Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217
    [{be difficult} {substitute} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: outsourcing to a dominant service provider that is not easily substitutable; and 4.12.2 66(a)(i)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable; 4.4 31(i)
    {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: transfer the function to alternative service providers; 4.6 40(f)(i)]
    Audits and risk management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Audits and risk management Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Audits and risk management Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Audits and risk management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Audits and risk management Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Audits and risk management Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Audits and risk management Preventive
    Document cybersecurity risks. CC ID 12281 Audits and risk management Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Audits and risk management Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Audits and risk management Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Audits and risk management Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Audits and risk management Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Audits and risk management Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Audits and risk management Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Audits and risk management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Audits and risk management Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Audits and risk management Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Audits and risk management Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Preventive
    Document organizational risk criteria. CC ID 12277 Audits and risk management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Audits and risk management Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Audits and risk management Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Audits and risk management Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Audits and risk management Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Audits and risk management Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Audits and risk management Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Detective
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Preventive
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Audits and risk management Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Audits and risk management Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Detective
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Audits and risk management Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Audits and risk management Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 Audits and risk management Corrective
    Review and approve the risk assessment findings. CC ID 06485 Audits and risk management Preventive
    Include risk responses in the risk management program. CC ID 13195 Audits and risk management Preventive
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Corrective
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Audits and risk management Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Audits and risk management Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Operational and Systems Continuity Preventive
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48
    {business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)]
    Operational and Systems Continuity Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057
    [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Preventive
    Define and prioritize critical business functions. CC ID 00736
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)
    The outsourcing policy should differentiate between the following: outsourcing of critical or important functions and other outsourcing arrangements; 4.7 43(a)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the outsourcing arrangement concerns a critical or important function, as set out in Title II; 4.12 61(a)
    If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77
    Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88]
    Operational and Systems Continuity Detective
    Review and prioritize the importance of each business process. CC ID 11689 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [When developing exit strategies, institutions and payment institutions should: define success criteria for the transition of outsourced functions and data; and 4.15 108(d)]
    Operational and Systems Continuity Preventive
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Operational and Systems Continuity Preventive
    Include recovery procedures in the continuity test plan. CC ID 14876 Operational and Systems Continuity Preventive
    Include test scripts in the continuity test plan. CC ID 14875 Operational and Systems Continuity Preventive
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Operational and Systems Continuity Preventive
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Operational and Systems Continuity Preventive
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Operational and Systems Continuity Preventive
    Include contact information in the continuity test plan. CC ID 14399 Operational and Systems Continuity Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Operational and Systems Continuity Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Operational and Systems Continuity Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Operational and Systems Continuity Preventive
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Preventive
    Define the scope for the security operations center. CC ID 15713 Human Resources management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Preventive
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Human Resources management Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750 Human Resources management Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)]
    Human Resources management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Preventive
    Document the security clearance procedure results. CC ID 01635 Human Resources management Detective
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94]
    Operational management Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Institutions and payment institutions that are subsidiaries of an EU parent undertaking or of a parent undertaking in a Member State to which no waivers have been granted on the basis of Article 21 of Directive 2013/36/EU or Article 109(1) of Directive 2013/36/EU in conjunction with Article 7 of Regulation (EU) No 575/2013 should ensure that they comply with these Guidelines on an individual basis. 4.2 25
    Institutions, payment institutions and competent authorities should, when complying or supervising compliance with these guidelines, have regard to the principle of proportionality. The proportionality principle aims to ensure that governance arrangements, including those related to outsourcing, are consistent with the individual risk profile, the nature and business model of the institution or payment institution, and the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved. 4.1 18
    {third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    The management body is at all times fully responsible and accountable for at least: ensuring that the institution or payment institution meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority; 4.6 36(a)
    {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35
    meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)]
    Operational management Preventive
    Establish, implement, and maintain a service management program. CC ID 11388 Operational management Preventive
    Include the change management policy in the service management program. CC ID 13923
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)]
    Operational management Preventive
    Assign roles and responsibilities in the service management program. CC ID 11393
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)
    When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)
    clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)]
    Operational management Preventive
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394
    [When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)]
    Operational management Preventive
    Include service management procedures in the service management program. CC ID 11396
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)]
    Operational management Preventive
    Include continuity plans in the Service Management program. CC ID 13919
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Operational management Preventive
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839
    [When outsourcing, institutions and payment institutions should at least ensure that: they maintain the orderliness of the conduct of their business and the banking and payment services they provide; 4.6 40(b)]
    Operational management Preventive
    Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 Operational management Preventive
    Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 Operational management Detective
    Include the organizational structure for service level management in the Service Level Agreement framework. CC ID 13633
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)
    {organizational structure} retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements; 4.6 39(b)]
    Operational management Preventive
    Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 Operational management Preventive
    Include capacity planning in Service Level Agreements. CC ID 13096 Operational management Preventive
    Include Operational Level Agreements within Service Level Agreements, as necessary. CC ID 13631 Operational management Preventive
    Include funding sources in Service Level Agreements, as necessary. CC ID 13632 Operational management Preventive
    Include business requirements of delivered services in the Service Level Agreement. CC ID 00840
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the definition of business requirements regarding outsourcing arrangements; 4.7 42(c)(i)]
    Operational management Preventive
    Include the management requirements for network services in the Service Level Agreement. CC ID 12025 Operational management Preventive
    Include notification requirements in the service level agreement. CC ID 16675 Operational management Preventive
    Include performance requirements in the Service Level Agreement. CC ID 00841 Operational management Preventive
    Include the service levels for network services in the Service Level Agreement. CC ID 12024 Operational management Preventive
    Include the consequences for failure to meet service levels in Service Level Agreements. CC ID 15698 Operational management Preventive
    Include availability requirements in Service Level Agreements. CC ID 13095 Operational management Preventive
    Establish and maintain a service catalog. CC ID 13634 Operational management Preventive
    Include a service description in the service catalog. CC ID 13917 Operational management Preventive
    Assign unique reference numbers to all services in the service catalog. CC ID 14424
    [The register should include at least the following information for all existing outsourcing arrangements: a reference number for each outsourcing arrangement; 4.11 54(a)]
    Operational management Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [{outsourcing arrangements} {time sensitive operation} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether the outsourced critical or important function supports business operations that are time-critical; 4.11 55(j)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: an outcome of the assessment of the service provider's substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function; 4.11 55(h)]
    Operational management Preventive
    Categorize services in the service catalog. CC ID 14419 Operational management Preventive
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426
    [As a general principle, institutions and payment institutions should not consider the following as outsourcing: a function that is legally required to be performed by a service provider, e.g. statutory audit; 4.3 28(a)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: global network infrastructures (e.g. Visa, MasterCard); 4.3 28(c)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: correspondent banking services; and 4.3 28(f)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution's or payment institution's premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line). 4.3 28(g)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; 4.3 28(d)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: market information services (e.g. provision of data by Bloomberg, Moody's, Standard & Poor's, Fitch); 4.3 28(b)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: global financial messaging infrastructures that are subject to oversight by relevant authorities; 4.3 28(e)]
    Operational management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369
    [For the outsourcing of critical or important functions, the register should include at least the following additional information: the individual or decision-making body (e.g. the management body) in the institution or the payment institution that approved the outsourcing arrangement; 4.11 55(d)]
    Records management Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Records management Preventive
    Establish, implement, and maintain expedited recredit procedures. CC ID 13574 Acquisition or sale of facilities, technology, and services Preventive
    Document the business need justification for payment page scripts. CC ID 15480 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Acquisition or sale of facilities, technology, and services Preventive
    Include security requirements in system acquisition contracts. CC ID 01124 Acquisition or sale of facilities, technology, and services Preventive
    Include operational requirements in system acquisition contracts. CC ID 00825
    [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; 4.4 29(b)]
    Acquisition or sale of facilities, technology, and services Preventive
    Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 Acquisition or sale of facilities, technology, and services Preventive
    Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836
    [{not authorized} The outsourcing policy should differentiate between the following: outsourcing to service providers that are authorised by a competent authority and those that are not; 4.7 43(b)]
    Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Preventive
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Preventive
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e)
    When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the approval process of new outsourcing arrangements; 4.7 42(c)(vii)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the renewal processes; 4.7 42(d)(iv)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f)
    Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80
    {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42
    {substitutability} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so ('substitutability'); 4.4 31(h)
    The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)]
    Third Party and supply chain oversight Preventive
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Preventive
    Document and maintain supply chain processes. CC ID 08816
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain an exit plan. CC ID 15492 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in the exit plan. CC ID 15497 Third Party and supply chain oversight Preventive
    Include contingency plans in the third party management plan. CC ID 10030
    [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: business continuity planning in accordance with Section 9; 4.7 42(c)(vi)
    develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106
    {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: reintegrate the function; or 4.6 40(f)(ii)]
    Third Party and supply chain oversight Preventive
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509
    [The outsourcing agreement for critical or important functions should set out at least: a clear description of the outsourced function to be provided; 4.13 75(a)]
    Third Party and supply chain oversight Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543
    [Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
    When outsourcing, institutions and payment institutions should at least ensure that: an appropriate flow of relevant information with service providers is maintained; 4.6 40(e)]
    Third Party and supply chain oversight Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528
    [Where an arrangement with a service provider covers multiple functions, institutions and payment institutions should consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together. 4.3 27]
    Third Party and supply chain oversight Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Preventive
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a)
    {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)]
    Third Party and supply chain oversight Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    The outsourcing agreement for critical or important functions should set out at least: the parties' financial obligations; 4.13 75(d)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507
    [{access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89
    {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b)
    With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508
    [Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: receive, as soon as possible, information from the supervisory authority in the third country for investigating apparent breaches of the requirements of Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; and 4.12.1 63(c)(iii)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513
    [The outsourcing agreement for critical or important functions should set out at least: the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them; 4.13 75(n)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [When outsourcing, institutions and payment institutions should at least ensure that: appropriate confidentiality arrangements are in place regarding data and other information; 4.6 40(d)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878
    [With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)]
    Third Party and supply chain oversight Preventive
    Include a reporting structure in third party contracts. CC ID 06532
    [The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)]
    Third Party and supply chain oversight Preventive
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512
    [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
    The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)
    The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)
    {third party audit report} Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: third-party certifications and third-party or internal audit reports, made available by the service provider. 4.13.3 91(b)]
    Third Party and supply chain oversight Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [The outsourcing agreement for critical or important functions should set out at least: the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function, as specified in Section 13.3; 4.13 75(p)
    The outsourcing agreement for critical or important functions should set out at least: the right of the institution or payment institution to monitor the service provider's performance on an ongoing basis; 4.13 75(h)
    Institutions and payment institutions should ensure within the written outsourcing arrangement that the internal audit function is able to review the outsourced function using a risk-based approach. 4.13.3 85
    {access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89
    {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: conduct appropriate audits regarding the outsourced function; 4.4 31(c)(iii)]
    Third Party and supply chain oversight Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)]
    Third Party and supply chain oversight Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521
    [The outsourcing agreement should specify whether or not sub-outsourcing of critical or important functions, or material parts thereof, is permitted. 4.13.1 76
    The outsourcing agreement for critical or important functions should set out at least: whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to; 4.13 75(e)]
    Third Party and supply chain oversight Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify the conditions to be complied with in the case of sub-outsourcing; 4.13.1 78(b)
    Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: comply with all applicable laws, regulatory requirements and contractual obligations; and 4.13.1 79(a)
    Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: grant the institution, payment institution and competent authority the same contractual rights of access and audit as those granted by the service provider. 4.13.1 79(b)]
    Third Party and supply chain oversight Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722
    [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    The outsourcing agreement for critical or important functions should set out at least: the governing law of the agreement; 4.13 75(c)
    Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86]
    Third Party and supply chain oversight Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors); 4.13.4 98(c)
    {refrain from replacing} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement; 4.4 31(g)]
    Third Party and supply chain oversight Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)
    The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)
    The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)]
    Third Party and supply chain oversight Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Preventive
    Include change control notification processes in third party contracts. CC ID 06524
    [institutions and payment institutions should ensure that their management body will be duly informed of relevant planned changes regarding service providers that are monitored centrally and the potential impact of these changes on the critical or important functions provided, including a summary of the risk analysis, including legal risks, compliance with regulatory requirements and the impact on service levels, in order for them to assess the impact of these changes; 4.2 23(b)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)]
    Third Party and supply chain oversight Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45
    Where outsourcing creates material conflicts of interest, including between entities within the same group or institutional protection scheme, institutions and payment institutions need to take appropriate measures to manage those conflicts of interest. 4.8 46
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)]
    Third Party and supply chain oversight Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813
    [The outsourcing agreement for critical or important functions should set out at least: for institutions, a clear reference to the national resolution authority's powers, especially to Articles 68 and 71 of Directive 2014/59/EU (BRRD), and in particular a description of the 'substantive obligations' of the contract in the sense of Article 68 of that Directive; 4.13 75(o)]
    Third Party and supply chain oversight Preventive
    Include a termination provision clause in third party contracts. CC ID 01367
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure that the institution or payment institution has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. where the sub-outsourcing materially increases the risks for the institution or payment institution or where the service provider sub-outsources without notifying the institution or payment institution. 4.13.1 78(g)
    The outsourcing agreement for critical or important functions should set out at least: termination rights, as specified in Section 13.4. 4.13 75(q)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: 4.13.4 98
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the termination of outsourcing arrangements; 4.15 106(a)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where instructions are given by the institution's or payment institution's competent authority, e.g. in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the institution or payment institution. 4.13.4 98(e)
    The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: include an obligation of the service provider to support the institution or payment institution in the orderly transfer of the function in the event of the termination of the outsourcing agreement. 4.13.4 99(c)
    {ability} {refrain from disrupting} {refrain from limiting} {avoiding} Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of its provision of services to clients. To achieve this, they should: 4.15 107]
    Third Party and supply chain oversight Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526
    [{re-incorporate} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: 4.13.4 99
    identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)
    The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: set an appropriate transition period, during which the service provider, after the termination of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions; and 4.13.4 99(b)]
    Third Party and supply chain oversight Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817
    [The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where the provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions; 4.13.4 98(a)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the failure of the service provider; 4.15 106(b)]
    Third Party and supply chain oversight Preventive
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880
    [The outsourcing agreement for critical or important functions should set out at least: whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested; 4.13 75(k)]
    Third Party and supply chain oversight Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{be able} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: cooperate with the relevant supervisory authorities in the third country on enforcement in the case of a breach of the applicable regulatory requirements and national law in the Member State. Cooperation should include, but not necessarily be limited to, receiving information on potential breaches of the applicable regulatory requirements from the supervisory authorities in the third country as soon as is practicable. 4.12.1 63(c)(iv)]
    Third Party and supply chain oversight Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Third Party and supply chain oversight Preventive
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059
    [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83]
    Third Party and supply chain oversight Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900
    [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: the soundness or continuity of their banking and payment services and activities; 4.4 29(a)(iii)
    In the case of institutions, particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions as defined in Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU and identified by institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778. Functions that are necessary to perform activities of core business lines or critical functions should be considered as critical or important functions for the purpose of these guidelines, unless the institution's assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function. 4.4 30]
    Third Party and supply chain oversight Detective
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d)
    As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52]
    Third Party and supply chain oversight Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429
    [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)
    The register should include at least the following information for all existing outsourcing arrangements: the date of the most recent assessment of the criticality or importance of the outsourced function. 4.11 54(i)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the estimated annual budget cost. 4.11 55(k)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)]
    Third Party and supply chain oversight Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425
    [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)]
    Third Party and supply chain oversight Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420
    [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: identification of alternative service providers in line with point (h); 4.11 55(i)]
    Third Party and supply chain oversight Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430
    [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)]
    Third Party and supply chain oversight Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421
    [The register should include at least the following information for all existing outsourcing arrangements: the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution; 4.11 54(b)]
    Third Party and supply chain oversight Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d)
    The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Third Party and supply chain oversight Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428
    [{be critical} The register should include at least the following information for all existing outsourcing arrangements: whether or not (yes/no) the outsourced function is considered critical or important, including, where applicable, a brief summary of the reasons why the outsourced function is considered critical or important; 4.11 54(g)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)]
    Third Party and supply chain oversight Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427
    [The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Third Party and supply chain oversight Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423
    [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)
    The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the governing law of the outsourcing agreement; 4.11 55(e)
    The register should include at least the following information for all existing outsourcing arrangements: the country or countries where the service is to be performed, including the location (i.e. country or region) of the data; 4.11 54(f)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Third Party and supply chain oversight Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Third Party and supply chain oversight Preventive
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Third Party and supply chain oversight Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Third Party and supply chain oversight Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842
    [When developing exit strategies, institutions and payment institutions should: define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under Section 14), including indicators based on unacceptable service levels that should trigger the exit. 4.15 108(e)
    allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)]
    Third Party and supply chain oversight Detective
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Detective
    Categorize all suppliers in the supply chain management program. CC ID 00792
    [The outsourcing policy should differentiate between the following: intragroup outsourcing arrangements, outsourcing arrangements within the same institutional protection scheme (including entities fully owned individually or collectively by institutions within the institutional protection scheme) and outsourcing to entities outside the group; and 4.7 43(c)
    The outsourcing policy should differentiate between the following: outsourcing to service providers located within a Member State and third countries. 4.7 43(d)
    Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself. 4.3 26
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing; 4.11 55(a)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme; 4.11 55(b)
    The register should include at least the following information for all existing outsourcing arrangements: a category assigned by the institution or payment institution that reflects the nature of the function as described under point (c) (e.g. information technology (IT), control function), which should facilitate the identification of different types of arrangements; 4.11 54(d)]
    Third Party and supply chain oversight Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    where operational tasks of internal control functions are outsourced (e.g. in the case of intragroup outsourcing or outsourcing within institutional protection schemes), exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions; and 4.6 39(c)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: operational risk, including conduct, information and communication technology (ICT) and legal risks; 4.4 31(b)(iii)]
    Third Party and supply chain oversight Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025
[Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: 4.12.2 66
    {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their financial performance; or 4.4 29(a)(ii)]
    Third Party and supply chain oversight Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808
[The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)]
    Third Party and supply chain oversight Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Third Party and supply chain oversight Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132 Third Party and supply chain oversight Preventive
    Select suppliers based on their qualifications. CC ID 00795 Third Party and supply chain oversight Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133
    [When functions are provided by a service provider that is part of a group or a member of an institutional protection scheme or that is owned by the institution, payment institution, group or institutions that are members of an institutional protection scheme, the conditions, including financial conditions, for the outsourced service should be set at arm's length. However, within the pricing of services synergies resulting from providing the same or similar services to several institutions within a group or an institutional protection scheme may be factored in, as long as the service provider remains viable on a stand-alone basis; within a group this should be irrespective of the failure of any other group entity. 4.8 47]
    Third Party and supply chain oversight Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810
[The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    {not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)
{be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)]
    Third Party and supply chain oversight Preventive
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Third Party and supply chain oversight Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812
    [Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101]
    Third Party and supply chain oversight Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Third Party and supply chain oversight Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Third Party and supply chain oversight Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Third Party and supply chain oversight Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Third Party and supply chain oversight Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Third Party and supply chain oversight Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Third Party and supply chain oversight Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Third Party and supply chain oversight Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Third Party and supply chain oversight Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Third Party and supply chain oversight Preventive
    Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 Third Party and supply chain oversight Preventive
    Review transaction files for compliance with the supply chain audit standard. CC ID 08864 Third Party and supply chain oversight Preventive
    Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 Third Party and supply chain oversight Preventive
    Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353
    [{data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82
    {confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    {confidentiality, integrity, security and availability} The outsourcing agreement for critical or important functions should set out at least: where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2; 4.13 75(g)]
    Third Party and supply chain oversight Preventive
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 Third Party and supply chain oversight Detective
    Include the audit scope in the third party external audit report. CC ID 13138
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)]
    Third Party and supply chain oversight Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065
    [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; 4.4 29(a)(i)]
    Third Party and supply chain oversight Detective
    Request attestation of compliance from third parties. CC ID 12067
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)]
    Third Party and supply chain oversight Detective
    Establish, implement, and maintain third party reporting requirements. CC ID 13289
    [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
    ensuring that they receive appropriate reports from service providers; 4.14 104(a)]
    Third Party and supply chain oversight Preventive
    Define timeliness factors for third party reporting requirements. CC ID 13304 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Third Party and supply chain oversight Preventive
    Include performance standards in outsourcing contracts. CC ID 13140
    [{be capable} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where impediments capable of altering the performance of the outsourced function are identified; 4.13.4 98(b)]
    Third Party and supply chain oversight Preventive
    Include the organization approving subcontractors in the outsourcing contract. CC ID 13131
    [{specific written authorisation} If sub-outsourcing of critical or important functions is permitted, the written agreement should: require the service provider to obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data; 4.13.1 78(d)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required; 4.13.1 78(f)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify any types of activities that are excluded from sub-outsourcing; 4.13.1 78(a)]
    Third Party and supply chain oversight Preventive
    Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify that the service provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the service provider and the institution or payment institution are continuously met; 4.13.1 78(c)]
    Third Party and supply chain oversight Preventive
    Create an on-site mine visit report. CC ID 08921 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain information security controls for the supply chain. CC ID 13109
    [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83]
    Third Party and supply chain oversight Preventive
  • Human Resources Management
    55
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Leadership and high level objectives Preventive
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Preventive
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Monitoring and measurement Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Preventive
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Detective
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Preventive
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Preventive
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Detective
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Detective
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)]
    Audits and risk management Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources management Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources management Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources management Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Corrective
    Define and assign board committees, as necessary. CC ID 14787 Human Resources management Preventive
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources management Preventive
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources management Preventive
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources management Preventive
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources management Preventive
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources management Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources management Preventive
    Define and assign the authorized representatives roles and responsibilities. CC ID 15033 Human Resources management Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources management Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Human Resources management Preventive
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Detective
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the internal organisation of the institution or the payment institution; 4.6 36(b)]
    Operational management Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Third Party and supply chain oversight Preventive
  • IT Impact Zone
    10
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    17
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Detective
    Determine the causes of compliance violations. CC ID 12401 Monitoring and measurement Corrective
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Monitoring and measurement Detective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Monitoring and measurement Detective
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Detective
    Audit information systems, as necessary. CC ID 13010
    [Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider; 4.13.3 91(a)]
    Audits and risk management Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Detective
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Detective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Detective
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Detective
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Preventive
    Determine whether the financial institution uses positive pay for electronic check presentment. CC ID 13562 Acquisition or sale of facilities, technology, and services Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
    Document that supply chain members investigate security events. CC ID 13348 Third Party and supply chain oversight Detective
  • Log Management
    43
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Detective
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Preventive
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Preventive
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Detective
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Records management Preventive
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Records management Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Records management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Records management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Records management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Records management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Records management Preventive
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Records management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Records management Preventive
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Records management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Records management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Records management Preventive
    Log performance monitoring into the recordkeeping system. CC ID 11724 Records management Preventive
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Records management Preventive
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Records management Preventive
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Records management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Preventive
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Records management Preventive
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Records management Preventive
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Records management Preventive
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Records management Preventive
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Records management Preventive
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
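    The following is an added example and is not part of the EBA guidelines or of the UCF mapping on this page. It puts three of the Log Management controls above into working code: restricted data is redacted before a record is written (CC ID 06318), the identity of the acting individual is preserved verbatim (CC ID 10594), and each record is HMAC-chained to the previous one so that later modification, reordering or deletion is detectable (CC ID 01345). The key, the redaction patterns, the record layout and the sample events are all constructed for the example; the guidelines prescribe none of them.

```python
"""Added example: a redacting, tamper-evident audit-trail writer.
Not part of the EBA guidelines or the UCF mapping; key, patterns and
sample events are constructed for illustration."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed demo key. In production the MAC key must not be readable by the
# processes that write the log, otherwise forging a consistent chain is trivial.
CHAIN_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # link value of the first record

# Restricted data that has no business in an event log (CC ID 06318). The
# patterns are deliberately conservative; tune them to the data you handle.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")        # 13-19 digit card numbers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact(text: str) -> str:
    """Replace IBANs, card numbers and e-mail addresses with fixed tokens."""
    text = IBAN_RE.sub("[IBAN]", text)
    text = PAN_RE.sub("[PAN]", text)
    return EMAIL_RE.sub("[EMAIL]", text)


def _mac(key: bytes, rec: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the MAC itself."""
    body = json.dumps({k: v for k, v in rec.items() if k != "mac"},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only list of hash-chained audit records (CC ID 01345)."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []
        self.head = GENESIS  # MAC of the newest record; anchor it off-host

    def append(self, actor: str, action: str, detail: str,
               ts: Optional[str] = None) -> dict:
        rec = {
            "seq": len(self.records),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,            # who acted: kept verbatim (CC ID 10594)
            "action": action,
            "detail": redact(detail),  # what happened, minus restricted data
            "prev": self.head,         # link to the previous record's MAC
        }
        rec["mac"] = _mac(self._key, rec)
        self.records.append(rec)
        self.head = rec["mac"]
        return rec


def verify_chain(records: list, key: bytes, anchor: Optional[str] = None) -> tuple:
    """Walk the chain; return (ok, first_bad_seq), with -1 when intact.

    Edits, reordering and gaps inside the chain are always caught. Removal of
    the newest records is only caught when `anchor` (the last MAC, kept where
    the writer cannot reach it, e.g. on the central log infrastructure) is given.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_mac(key, rec), rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    if anchor is not None and prev != anchor:
        return False, len(records)  # records after this point are missing
    return True, -1


if __name__ == "__main__":
    trail = AuditTrail(CHAIN_KEY)
    trail.append("j.doe", "account.change", "address updated for jane@example.com")
    trail.append("svc-batch", "payment.export",
                 "exported 4111 1111 1111 1111 to DE89370400440532013000")
    for r in trail.records:
        print(json.dumps(r))
    print("chain intact:", verify_chain(trail.records, CHAIN_KEY, anchor=trail.head))
```

    The design choice worth noting is the anchor: a hash chain alone proves nothing about its tail, so the newest MAC has to be shipped to a store the log-writing host cannot modify, which is exactly what copying logs onto a separate log management infrastructure (CC ID 01346) gives you.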
  • Monitor and Evaluate Occurrences (29 controls)
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
      [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
      With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Leadership and high level objectives Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Leadership and high level objectives Detective
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Detective
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitoring and measurement Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Detective
    Monitor for new vulnerabilities. CC ID 06843 Monitoring and measurement Preventive
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitoring and measurement Detective
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Detective
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitoring and measurement Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675 Monitoring and measurement Detective
      [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105]
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Preventive
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Preventive
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 Third Party and supply chain oversight Detective
      [where those institutions or payment institutions outsource the operational tasks of internal control functions to a service provider within the group or the institutional protection scheme, for the monitoring and auditing of outsourcing arrangements, institutions should ensure that, also for these outsourcing arrangements, those operational tasks are effectively performed, including through the receiving of appropriate reports. 4.2 22(b)
      where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
      Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
      Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101
      Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80
      Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
      {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)
      With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e)
      When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)
      {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35
      Institutions and payment institutions should appropriately document the assessments made under Title IV and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk assessment). 4.11 60]
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Detective
  • Physical and Environmental Protection (1 control)
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Third Party and supply chain oversight Preventive
  • Process or Activity (71 controls)
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942 Leadership and high level objectives Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Leadership and high level objectives Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Preventive
      [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106
      With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Preventive
      [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45]
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Leadership and high level objectives Preventive
      [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45
      Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)]
    Identify all interested personnel and affected parties. CC ID 12845 Leadership and high level objectives Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Leadership and high level objectives Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Leadership and high level objectives Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Leadership and high level objectives Preventive
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Leadership and high level objectives Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Leadership and high level objectives Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Corrective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Ensure protocols are free from injection flaws. CC ID 16401 Monitoring and measurement Preventive
    Correct compliance violations. CC ID 13515 Monitoring and measurement Corrective
      [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105]
    Convert data into standard units before reporting metrics. CC ID 15507 Monitoring and measurement Corrective
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Preventive
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Preventive
    Identify interviewees. CC ID 16290 Audits and risk management Preventive
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Detective
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Detective
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Corrective
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Detective
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Detective
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Detective
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Preventive
    Analyze how the policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Operational management Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Operational management Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Operational management Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Operational management Preventive
    Analyze the organizational culture. CC ID 12899 Operational management Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Operational management Detective
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Operational management Corrective
    Determine how long to keep records and logs before disposing of them. CC ID 11661 Records management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Records management Preventive
    Create export summaries, as necessary. CC ID 14446 Records management Preventive
    Identify patient-specific education resources. CC ID 14439 Records management Detective
    Include liquidity plans in the payment and settlement functions. CC ID 16722 Acquisition or sale of facilities, technology, and services Preventive
    Approve the approval application unless the applicant has been convicted. CC ID 16603 Privacy protection for information and data Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Privacy protection for information and data Preventive
      [Institutions and payment institutions should, upon request, make available to the competent authority all information necessary to enable the competent authority to execute the effective supervision of the institution or the payment institution, including, where required, a copy of the outsourcing agreement. 4.11 57]
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Preventive
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Corrective
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Detective
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Third Party and supply chain oversight Preventive
      [The outsourcing agreement for critical or important functions should set out at least: the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met; 4.13 75(i)
      The rights and obligations of the institution, the payment institution and the service provider should be clearly allocated and set out in a written agreement. 4.13 74]
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
      [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii)
      Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the supervisory conditions for outsourcing set out in Section 12.1 are met; 4.12 61(b)
      When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)
      Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether or not the service provider is supervised by competent authorities. 4.12.3 71(d)]
    Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 Third Party and supply chain oversight Detective
      [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii)
      {be responsible} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: there is an appropriate cooperation agreement, e.g. in the form of a memorandum of understanding or college agreement, between the competent authorities responsible for the supervision of the institution and the supervisory authorities responsible for the supervision of the service provider; and 4.12.1 63(b)]
  • Records Management (12 controls)
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Preventive
    Retain records in accordance with applicable requirements. CC ID 00968 Records management Preventive
      [{outsourcing arrangements} Taking into account Title I of these guidelines, and under the conditions set out in paragraph 23(d), for institutions and payment institutions within a group, institutions permanently affiliated to a central body or institutions that are members of the same institutional protection scheme, the register may be kept centrally. 4.11 53]
    Capture the records required by organizational compliance requirements. CC ID 00912 Records management Detective
      [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)]
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Preventive
    Establish and maintain an implantable device list. CC ID 14444 Records management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Preventive
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Preventive
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records management Preventive
  • Systems Continuity (9 controls)
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: material risks arising for the appropriate and continuous application of the function. 4.15 106(d)
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Operational and Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Operational and Systems Continuity Preventive
    Review and prioritize the importance of each business unit. CC ID 01165 Operational and Systems Continuity Preventive
    Document the mean time to failure for system components. CC ID 10684 Operational and Systems Continuity Preventive
    Validate information security continuity controls regularly. CC ID 12008
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)]
    Operational and Systems Continuity Preventive
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Preventive
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Third Party and supply chain oversight Preventive
    Review third parties' backup policies. CC ID 13043 Third Party and supply chain oversight Detective
  • Systems Design, Build, and Implementation (2 controls)
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824 Leadership and high level objectives Preventive
  • Technical Security (19 controls)
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Monitoring and measurement Detective
    Perform external penetration tests, as necessary. CC ID 12470 Monitoring and measurement Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Monitoring and measurement Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Monitoring and measurement Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Monitoring and measurement Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Monitoring and measurement Corrective
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Detective
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Preventive
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Preventive
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Acquisition or sale of facilities, technology, and services Preventive
    Install software that originates from approved third parties. CC ID 12184 Acquisition or sale of facilities, technology, and services Preventive
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Preventive
    Implement security measures to protect personal data. CC ID 13606 Privacy protection for information and data Preventive
    Document the third parties compliance with the organization's system hardening framework. CC ID 04263 Third Party and supply chain oversight Detective
  • Testing (74 controls)
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Detective
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Monitoring and measurement Preventive
    Test compliance controls for proper functionality. CC ID 00660 Monitoring and measurement Detective
    Establish, implement, and maintain a system security plan. CC ID 01922 Monitoring and measurement Preventive
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Detective
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Detective
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Detective
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Monitoring and measurement Detective
    Perform penetration tests, as necessary. CC ID 00655
    [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94]
    Monitoring and measurement Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Monitoring and measurement Detective
    Test the system for broken access controls. CC ID 01319 Monitoring and measurement Detective
    Test the system for broken authentication and session management. CC ID 01320 Monitoring and measurement Detective
    Test the system for insecure communications. CC ID 00535 Monitoring and measurement Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Monitoring and measurement Detective
    Test the system for buffer overflows. CC ID 01322 Monitoring and measurement Detective
    Test the system for injection flaws. CC ID 01323 Monitoring and measurement Detective
    Test the system for Denial of Service. CC ID 01326 Monitoring and measurement Detective
    Test the system for insecure configuration management. CC ID 01327 Monitoring and measurement Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Monitoring and measurement Detective
    Test the system for cross-site request forgery. CC ID 06296 Monitoring and measurement Detective
    Repeat penetration testing, as necessary. CC ID 06860 Monitoring and measurement Detective
    Test the system for covert channels. CC ID 10652 Monitoring and measurement Detective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Monitoring and measurement Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)]
    Audits and risk management Detective
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Preventive
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Detective
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)]
    Audits and risk management Detective
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Audits and risk management Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Audits and risk management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Detective
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Audits and risk management Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Preventive
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Audits and risk management Detective
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Detective
    Submit an audit report that is complete. CC ID 01145 Audits and risk management Detective
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Audits and risk management Detective
    Establish, implement, and maintain the audit plan. CC ID 01156
    [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the audit plan for the outsourced function; 4.13.3 93(a)]
    Audits and risk management Detective
    Perform risk assessments for all target environments, as necessary. CC ID 06452 Audits and risk management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Audits and risk management Detective
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Operational and Systems Continuity Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)]
    Operational and Systems Continuity Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Operational and Systems Continuity Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Operational and Systems Continuity Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Operational and Systems Continuity Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48]
    Operational and Systems Continuity Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Operational and Systems Continuity Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Operational and Systems Continuity Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Operational and Systems Continuity Preventive
    Test the continuity plan at the alternate facility. CC ID 01174
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Operational and Systems Continuity Detective
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Operational and Systems Continuity Preventive
    Review all third party's continuity plan test results. CC ID 01365
    [{business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)]
    Operational and Systems Continuity Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Detective
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Operational and Systems Continuity Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Operational and Systems Continuity Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97
    Outsourcing should not lower the suitability requirements applied to the members of an institution's management body, directors and persons responsible for the management of the payment institution and key function holders. Institutions and payment institutions should have adequate competence and sufficient and appropriately skilled resources to ensure appropriate management and oversight of outsourcing arrangements. 4.6 37]
    Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Detective
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Preventive
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Detective
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Detective
    Test the exit plan, as necessary. CC ID 15495 Third Party and supply chain oversight Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    {data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a)
    When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)]
    Third Party and supply chain oversight Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366
    [Institutions and payment institutions should ensure that service providers, where relevant, comply with appropriate IT security standards. 4.13.2 81
    {ensure} {technical measure} Where outsourcing involves the processing of personal or confidential data, institutions and payment institutions should be satisfied that the service provider implements appropriate technical and organisational measures to protect the data. 4.12.3 72
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions. 4.13.3 93(h)]
    Third Party and supply chain oversight Detective
    Establish the third party's service continuity. CC ID 00797
    [{outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)]
    Third Party and supply chain oversight Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Detective
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: 4.4 31
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: all outsourcing arrangements, the institution's or payment institution's aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area; 4.4 31(e)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Third Party and supply chain oversight Detective
    Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359
    [{confidential information} {personal information} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and 4.13.4 98(d)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Third Party and supply chain oversight Detective
Common Controls and mandates by Classification

203 Mandated Controls - bold
70 Implied Controls - italic
1482 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls: 1755 Total
  • Corrective (34 controls)
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Communicate
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Business Processes
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Establish/Maintain Documentation
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Process or Activity
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Monitoring and measurement Technical Security
    Determine the causes of compliance violations. CC ID 12401 Monitoring and measurement Investigate
    Correct compliance violations. CC ID 13515
    [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105]
    Monitoring and measurement Process or Activity
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Monitoring and measurement Behavior
    Convert data into standard units before reporting metrics. CC ID 15507 Monitoring and measurement Process or Activity
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Establish/Maintain Documentation
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Process or Activity
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Audits and Risk Management
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Establish/Maintain Documentation
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Establish/Maintain Documentation
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Business Processes
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Establish/Maintain Documentation
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Establish/Maintain Documentation
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Actionable Reports or Measurements
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Acquisition/Sale of Assets or Services
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Establish/Maintain Documentation
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 Audits and risk management Establish/Maintain Documentation
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Establish/Maintain Documentation
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Human Resources Management
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Actionable Reports or Measurements
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Operational management Process or Activity
    Adjust the originator's activity levels to match Automated Clearing House exposure limits, as necessary. CC ID 13565 Acquisition or sale of facilities, technology, and services Business Processes
    Adjust the originator's credit rating to match Automated Clearing House exposure limits, as necessary. CC ID 13564 Acquisition or sale of facilities, technology, and services Business Processes
    Use a risk-based approach to following up situations where customer notifications regarding electronic commerce transactions cannot be delivered. CC ID 13663 Acquisition or sale of facilities, technology, and services Business Processes
    Correct billing and settlement errors. CC ID 08623 Acquisition or sale of facilities, technology, and services Business Processes
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Communicate
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Monitor and Evaluate Occurrences
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Process or Activity
    Terminate supplier relationships, as necessary. CC ID 13489
    [{be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: discontinue the business activities that are depending on the function. 4.6 40(f)(iii)]
    Third Party and supply chain oversight Business Processes
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Business Processes
  • Detective
    Identify all interested personnel and affected parties. CC ID 12845 Leadership and high level objectives Process or Activity
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Establish/Maintain Documentation
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Investigate
    Monitor regulatory trends to maintain compliance. CC ID 00604 Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Monitor and Evaluate Occurrences
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Technical Security
    Enforce a continuous Quality Control system. CC ID 01005
    [{performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104]
    Leadership and high level objectives Business Processes
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Testing
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Business Processes
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Business Processes
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Establish/Maintain Documentation
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Establish/Maintain Documentation
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Establish/Maintain Documentation
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a compliance oversight committee. CC ID 00765
    [meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Leadership and high level objectives Establish Roles
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 Leadership and high level objectives Establish/Maintain Documentation
    Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 Leadership and high level objectives Establish/Maintain Documentation
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Leadership and high level objectives Establish/Maintain Documentation
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Monitor and Evaluate Occurrences
    Test compliance controls for proper functionality. CC ID 00660 Monitoring and measurement Testing
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Testing
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Testing
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Testing
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Monitoring and measurement Testing
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitoring and measurement Monitor and Evaluate Occurrences
    Perform penetration tests, as necessary. CC ID 00655
    [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94]
    Monitoring and measurement Testing
    Perform internal penetration tests, as necessary. CC ID 12471 Monitoring and measurement Technical Security
    Perform external penetration tests, as necessary. CC ID 12470 Monitoring and measurement Technical Security
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Monitoring and measurement Testing
    Test the system for broken access controls. CC ID 01319 Monitoring and measurement Testing
    Test the system for broken authentication and session management. CC ID 01320 Monitoring and measurement Testing
    Test the system for insecure communications. CC ID 00535 Monitoring and measurement Testing
    Test the system for cross-site scripting attacks. CC ID 01321 Monitoring and measurement Testing
    Test the system for buffer overflows. CC ID 01322 Monitoring and measurement Testing
    Test the system for injection flaws. CC ID 01323 Monitoring and measurement Testing
    Test the system for Denial of Service. CC ID 01326 Monitoring and measurement Testing
    Test the system for insecure configuration management. CC ID 01327 Monitoring and measurement Testing
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Monitoring and measurement Testing
    Test the system for cross-site request forgery. CC ID 06296 Monitoring and measurement Testing
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Monitoring and measurement Technical Security
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Monitoring and measurement Technical Security
    Verify segmentation controls are operational and effective. CC ID 12545 Monitoring and measurement Audits and Risk Management
    Repeat penetration testing, as necessary. CC ID 06860 Monitoring and measurement Testing
    Test the system for covert channels. CC ID 10652 Monitoring and measurement Testing
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Monitoring and measurement Technical Security
    Test systems to determine which covert channels might be exploited. CC ID 10654 Monitoring and measurement Testing
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Actionable Reports or Measurements
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Monitor and Evaluate Occurrences
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Business Processes
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Monitoring and measurement Investigate
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Monitoring and measurement Investigate
    Report on the policies and controls that have been implemented by management. CC ID 01670 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Log Management
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Log Management
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Log Management
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Actionable Reports or Measurements
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Technical Security
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Actionable Reports or Measurements
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Actionable Reports or Measurements
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Actionable Reports or Measurements
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Monitor and Evaluate Occurrences
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)]
    Audits and risk management Testing
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Audits and Risk Management
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Audits and Risk Management
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Audits and Risk Management
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Establish/Maintain Documentation
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Audits and Risk Management
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Audits and Risk Management
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Audits and Risk Management
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Investigate
    Audit information systems, as necessary. CC ID 13010
    [Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider; 4.13.3 91(a)]
    Audits and risk management Investigate
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Investigate
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Testing
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Testing
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Audits and Risk Management
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Process or Activity
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)]
    Audits and risk management Testing
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Process or Activity
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Testing
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Audits and risk management Testing
    Determine the effectiveness of in scope controls. CC ID 06984 Audits and risk management Testing
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Audits and Risk Management
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Audits and Risk Management
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Audits and Risk Management
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Audits and Risk Management
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Audits and Risk Management
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Audits and Risk Management
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Audits and Risk Management
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Testing
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Testing
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Behavior
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Process or Activity
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Process or Activity
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Process or Activity
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Behavior
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Audits and Risk Management
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Audits and risk management Testing
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Testing
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Audits and Risk Management
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Investigate
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Establish/Maintain Documentation
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Human Resources Management
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Audits and Risk Management
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Audits and Risk Management
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Establish/Maintain Documentation
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Audits and Risk Management
    Review past audit reports. CC ID 01155 Audits and risk management Establish/Maintain Documentation
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Establish/Maintain Documentation
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Establish/Maintain Documentation
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Investigate
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Process or Activity
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Log Management
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Establish/Maintain Documentation
    Submit an audit report that is complete. CC ID 01145 Audits and risk management Testing
    Review management's response to issues raised in past audit reports. CC ID 01149
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate involvement of governance bodies; and 4.10 51(d)]
    Audits and risk management Audits and Risk Management
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Audits and risk management Testing
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Human Resources Management
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain the audit plan. CC ID 01156
    [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the audit plan for the outsourced function; 4.13.3 93(a)]
    Audits and risk management Testing
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Business Processes
    Analyze the risk management strategy for addressing requirements. CC ID 12926
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)
    With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Audits and Risk Management
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Human Resources Management
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Investigate
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Audits and Risk Management
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Establish/Maintain Documentation
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Investigate
    Conduct a Business Impact Analysis, as necessary. CC ID 01147
    [{outsourced services} {outsourced activities} When developing exit strategies, institutions and payment institutions should: perform a business impact analysis that is commensurate with the risk of the outsourced processes, services or activities, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take; 4.15 108(b)]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the consequences of where the service provider is located (within or outside the EU); 4.12.2 68(c)]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Audits and Risk Management
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Investigate
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: 4.12.2 66(a)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the size and complexity of any business area affected; 4.4 31(f)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: 4.12.2 68(d)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Actionable Reports or Measurements
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Audits and Risk Management
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Establish/Maintain Documentation
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Process or Activity
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Process or Activity
    Determine the effectiveness of risk control measures. CC ID 06601 Audits and risk management Testing
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Audits and Risk Management
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Audits and Risk Management
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Process or Activity
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: material risks arising for the appropriate and continuous application of the function. 4.15 106(d)
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Operational and Systems Continuity Systems Continuity
    Define and prioritize critical business functions. CC ID 00736
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)
    The outsourcing policy should differentiate between the following: outsourcing of critical or important functions and other outsourcing arrangements; 4.7 43(a)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the outsourcing arrangement concerns a critical or important function, as set out in Title II; 4.12 61(a)
    If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77
    Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88]
    Operational and Systems Continuity Establish/Maintain Documentation
    Test the continuity plan, as necessary. CC ID 00755
    [develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)]
    Operational and Systems Continuity Testing
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Testing
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Operational and Systems Continuity Testing
    Analyze system interdependence during continuity plan tests. CC ID 13082 Operational and Systems Continuity Testing
    Test the continuity plan at the alternate facility. CC ID 01174
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Operational and Systems Continuity Testing
    Review all third party's continuity plan test results. CC ID 01365
    [{business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)]
    Operational and Systems Continuity Testing
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Testing
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Operational and Systems Continuity Testing
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Operational and Systems Continuity Testing
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97
    Outsourcing should not lower the suitability requirements applied to the members of an institution's management body, directors and persons responsible for the management of the payment institution and key function holders. Institutions and payment institutions should have adequate competence and sufficient and appropriately skilled resources to ensure appropriate management and oversight of outsourcing arrangements. 4.6 37]
    Human Resources management Testing
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Human Resources Management
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Human Resources Management
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Establish/Maintain Documentation
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Human Resources Management
    Document the security clearance procedure results. CC ID 01635 Human Resources management Establish/Maintain Documentation
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Business Processes
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Establish/Maintain Documentation
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Process or Activity
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Process or Activity
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Operational management Process or Activity
    Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 Operational management Establish/Maintain Documentation
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Capture the records required by organizational compliance requirements. CC ID 00912
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)]
    Records management Records Management
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Data and Information Management
    Identify patient-specific education resources. CC ID 14439 Records management Process or Activity
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Data and Information Management
    Determine whether the financial institution uses positive pay for electronic check presentment. CC ID 13562 Acquisition or sale of facilities, technology, and services Investigate
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Testing
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Testing
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Data and Information Management
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Investigate
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Behavior
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Data and Information Management
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Log Management
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Log Management
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Monitor and Evaluate Occurrences
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Data and Information Management
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Process or Activity
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Monitor and Evaluate Occurrences
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Process or Activity
    Include a termination provision clause in third party contracts. CC ID 01367
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure that the institution or payment institution has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. where the sub-outsourcing materially increases the risks for the institution or payment institution or where the service provider sub-outsources without notifying the institution or payment institution. 4.13.1 78(g)
    The outsourcing agreement for critical or important functions should set out at least: termination rights, as specified in Section 13.4. 4.13 75(q)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: 4.13.4 98
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the termination of outsourcing arrangements; 4.15 106(a)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where instructions are given by the institution's or payment institution's competent authority, e.g. in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the institution or payment institution. 4.13.4 98(e)
    The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: include an obligation of the service provider to support the institution or payment institution in the orderly transfer of the function in the event of the termination of the outsourcing agreement. 4.13.4 99(c)
    {ability} {refrain from disrupting} {refrain from limiting} {avoiding} Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of its provision of services to clients. To achieve this, they should: 4.15 107
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Testing
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    {data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a)
    When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)]
    Third Party and supply chain oversight Testing
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366
    [Institutions and payment institutions should ensure that service providers, where relevant, comply with appropriate IT security standards. 4.13.2 81
    {ensure} {technical measure} Where outsourcing involves the processing of personal or confidential data, institutions and payment institutions should be satisfied that the service provider implements appropriate technical and organisational measures to protect the data. 4.12.3 72
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions. 4.13.3 93(h)]
    Third Party and supply chain oversight Testing
    Establish the third party's service continuity. CC ID 00797
    [{outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)]
    Third Party and supply chain oversight Testing
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Testing
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Data and Information Management
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Testing
    Document supply chain dependencies in the supply chain management program. CC ID 08900
    [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: the soundness or continuity of their banking and payment services and activities; 4.4 29(a)(iii)
    In the case of institutions, particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions as defined in Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU and identified by institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778. Functions that are necessary to perform activities of core business lines or critical functions should be considered as critical or important functions for the purpose of these guidelines, unless the institution's assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function. 4.4 30]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842
    [When developing exit strategies, institutions and payment institutions should: define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under Section 14), including indicators based on unacceptable service levels that should trigger the exit. 4.15 108(e)
    allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Establish/Maintain Documentation
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Business Processes
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Establish/Maintain Documentation
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: 4.4 31
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: all outsourcing arrangements, the institution's or payment institution's aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area; 4.4 31(e)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Third Party and supply chain oversight Testing
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158
    [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102]
    Third Party and supply chain oversight Audits and Risk Management
    Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 Third Party and supply chain oversight Business Processes
    Assess third parties' relevant experience during due diligence. CC ID 12070
    [{be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Third Party and supply chain oversight Business Processes
    Assess third parties' legal risks to the organization during due diligence. CC ID 12078
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    {legal requirement} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: comply with all legal and regulatory requirements; 4.4 31(c)(ii)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the laws in force, including laws on data protection; 4.12.2 68(d)(i)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the law enforcement provisions in place; and 4.12.2 68(d)(ii)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)]
    Third Party and supply chain oversight Business Processes
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{takeover} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: in the case of significant institutions, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and 4.12.2 66(c)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: business continuity and operational resilience; 4.4 31(b)(ii)
    {recovery planning} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation; 4.4 31(b)(v)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)]
    Third Party and supply chain oversight Business Processes
    Review third parties' backup policies. CC ID 13043 Third Party and supply chain oversight Systems Continuity
    Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076
    [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with Regulation (EU) 2016/679. 4.4 31(j)]
    Third Party and supply chain oversight Business Processes
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [{be the same} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: multiple outsourcing arrangements with the same service provider or closely connected service providers; 4.12.2 66(a)(ii)
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact on the services provided to its clients; 4.4 31(d)
    Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is otherwise allowed to carry out those banking activities or payment services in accordance with the relevant national legal framework. 4.12.1 62(b)]
    Third Party and supply chain oversight Business Processes
    Assess third parties' financial stability during due diligence. CC ID 12066
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether the service provider is a parent undertaking or subsidiary of the institution or payment institution, is part of the accounting scope of consolidation of the institution or is a member of or is owned by institutions that are members of the same institutional protection scheme to which the institution belongs; 4.12.3 71(c)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses; 4.4 31(b)(i)]
    Third Party and supply chain oversight Business Processes
    Assess third parties' use of subcontractors during due diligence. CC ID 12073
    [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider; 4.12.2 67(a)
    Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73]
    Third Party and supply chain oversight Business Processes
    Assess third parties' insurance coverage during due diligence. CC ID 12072 Third Party and supply chain oversight Business Processes
    Assess the third parties' reputation during due diligence. CC ID 12068
    [Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: the long-term relationships with service providers that have already been assessed and perform services for the institution or payment institution; 4.12.3 71(b)
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: reputational risks; 4.4 31(b)(iv)]
    Third Party and supply chain oversight Business Processes
    Assess any litigation case files against third parties during due diligence. CC ID 12071 Third Party and supply chain oversight Business Processes
    Assess complaints against third parties during due diligence. CC ID 12069 Third Party and supply chain oversight Business Processes
    Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359
    [{confidential information} {personal information} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and 4.13.4 98(d)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Third Party and supply chain oversight Testing
    Assess third parties' compliance environment during due diligence. CC ID 13134
    [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the supervisory conditions for outsourcing set out in Section 12.1 are met; 4.12 61(b)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)
    Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether or not the service provider is supervised by competent authorities. 4.12.3 71(d)]
    Third Party and supply chain oversight Process or Activity
    Document that supply chain members investigate security events. CC ID 13348 Third Party and supply chain oversight Investigate
    Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064
    [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii)
    {be responsible} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: there is an appropriate cooperation agreement, e.g. in the form of a memorandum of understanding or college agreement, between the competent authorities responsible for the supervision of the institution and the supervisory authorities responsible for the supervision of the service provider; and 4.12.1 63(b)]
    Third Party and supply chain oversight Process or Activity
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065
    [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; 4.4 29(a)(i)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Request attestation of compliance from third parties. CC ID 12067
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 Third Party and supply chain oversight Business Processes
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 Third Party and supply chain oversight Business Processes
Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 Third Party and supply chain oversight Technical Security
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [{outsourcing policy} {ongoing basis} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the ongoing assessment of the service provider's performance in line with Section 14; 4.7 42(d)(i)
    evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and 4.14 104(b)
    {performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104
    {audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: 4.4 31(b)]
    Third Party and supply chain oversight Business Processes
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [where those institutions or payment institutions outsource the operational tasks of internal control functions to a service provider within the group or the institutional protection scheme, for the monitoring and auditing of outsourcing arrangements, institutions should ensure that, also for these outsourcing arrangements, those operational tasks are effectively performed, including through the receiving of appropriate reports. 4.2 22(b)
    where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
    Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101
    Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80
    Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)
    With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)
    {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35
    Institutions and payment institutions should appropriately document the assessments made under Title IV and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk assessment). 4.11 60]
    Third Party and supply chain oversight Monitor and Evaluate Occurrences
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Monitor and Evaluate Occurrences
  • IT Impact Zone
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    1371
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
    With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Leadership and high level objectives Establish/Maintain Documentation
    Analyze the business environment in which the organization operates. CC ID 12798 Leadership and high level objectives Business Processes
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Process or Activity
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Process or Activity
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Process or Activity
    Include resources in the analysis of the internal business environment. CC ID 12942 Leadership and high level objectives Process or Activity
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Process or Activity
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Process or Activity
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Process or Activity
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Process or Activity
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Process or Activity
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Business Processes
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Communicate
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the external environment in which the organization operates. CC ID 12799 Leadership and high level objectives Business Processes
    Identify the external forces that may affect organizational objectives. CC ID 12960 Leadership and high level objectives Process or Activity
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Leadership and high level objectives Business Processes
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Leadership and high level objectives Business Processes
    Include society in the analysis of the external environment. CC ID 12963 Leadership and high level objectives Business Processes
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Business Processes
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Business Processes
    Include industry forces in the analysis of the external environment. CC ID 12904 Leadership and high level objectives Business Processes
    Include threats in the analysis of the external environment. CC ID 12898 Leadership and high level objectives Business Processes
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Business Processes
    Include legal requirements in the analysis of the external environment. CC ID 12896 Leadership and high level objectives Business Processes
    Include technology in the analysis of the external environment. CC ID 12837 Leadership and high level objectives Business Processes
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Leadership and high level objectives Business Processes
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Leadership and high level objectives Business Processes
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [When developing exit strategies, institutions and payment institutions should: define the objectives of the exit strategy; 4.15 108(a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814
    [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106
    With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Leadership and high level objectives Process or Activity
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Process or Activity
    Identify conditions that may affect organizational objectives. CC ID 12958
    [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45]
    Leadership and high level objectives Process or Activity
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Business Processes
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Business Processes
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Business Processes
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Communicate
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Establish/Maintain Documentation
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Establish/Maintain Documentation
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Establish/Maintain Documentation
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Establish/Maintain Documentation
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Establish/Maintain Documentation
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Establish/Maintain Documentation
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Establish/Maintain Documentation
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Establish/Maintain Documentation
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Communicate
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Communicate
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)]
    Leadership and high level objectives Establish/Maintain Documentation
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Business Processes
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Process or Activity
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
    [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)]
    Leadership and high level objectives Process or Activity
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Business Processes
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Process or Activity
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 Leadership and high level objectives Business Processes
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Leadership and high level objectives Establish/Maintain Documentation
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Establish/Maintain Documentation
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Establish/Maintain Documentation
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Establish/Maintain Documentation
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Establish/Maintain Documentation
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Establish/Maintain Documentation
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Establish/Maintain Documentation
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Establish/Maintain Documentation
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Establish/Maintain Documentation
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Establish/Maintain Documentation
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Data and Information Management
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Data and Information Management
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Data and Information Management
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Data and Information Management
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Data and Information Management
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Data and Information Management
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Data and Information Management
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Data and Information Management
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Data and Information Management
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Communicate
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Establish/Maintain Documentation
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Establish/Maintain Documentation
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Establish/Maintain Documentation
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Establish/Maintain Documentation
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Establish/Maintain Documentation
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Establish/Maintain Documentation
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Establish/Maintain Documentation
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Communicate
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Behavior
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Leadership and high level objectives Establish/Maintain Documentation
    Include supply chain management standards in the Quality Management framework. CC ID 13701
    [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Establish/Maintain Documentation
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Establish/Maintain Documentation
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Communicate
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Communicate
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Establish/Maintain Documentation
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Leadership and high level objectives Establish/Maintain Documentation
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Communicate
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Communicate
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Establish/Maintain Documentation
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Establish/Maintain Documentation
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Establish/Maintain Documentation
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Establish/Maintain Documentation
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Establish/Maintain Documentation
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Systems Design, Build, and Implementation
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Establish/Maintain Documentation
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Establish/Maintain Documentation
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Establish/Maintain Documentation
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Establish/Maintain Documentation
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Leadership and high level objectives Establish/Maintain Documentation
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Establish/Maintain Documentation
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Establish/Maintain Documentation
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Establish/Maintain Documentation
    Include an issue tracking system in the Quality Management program. CC ID 06824 Leadership and high level objectives Systems Design, Build, and Implementation
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [Institutions and payment institutions should maintain at all times sufficient substance and not become 'empty shells' or 'letter-box entities'. To this end, they should: 4.6 39]
    Leadership and high level objectives Establish/Maintain Documentation
    Define the scope of the security policy. CC ID 07145 Leadership and high level objectives Data and Information Management
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Leadership and high level objectives Business Processes
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Establish/Maintain Documentation
    Correlate Information Systems with applicable controls. CC ID 01621 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the setting of the institution's or payment institution's strategies and policies (e.g. the business model, the risk appetite, the risk management framework); 4.6 36(d)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the effective date on all organizational policies. CC ID 06820 Leadership and high level objectives Establish/Maintain Documentation
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41]
    Leadership and high level objectives Establish/Maintain Documentation
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Leadership and high level objectives Establish/Maintain Documentation
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Leadership and high level objectives Business Processes
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Authority Document list. CC ID 07113 Leadership and high level objectives Establish/Maintain Documentation
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)
    allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)
    clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Communicate
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Establish/Maintain Documentation
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Establish/Maintain Documentation
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Establish/Maintain Documentation
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Establish/Maintain Documentation
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Establish/Maintain Documentation
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Establish/Maintain Documentation
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Establish/Maintain Documentation
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Establish Roles
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Establish/Maintain Documentation
    Align the Authority Document list with external requirements. CC ID 06288 Leadership and high level objectives Establish/Maintain Documentation
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Leadership and high level objectives Establish Roles
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Leadership and high level objectives Establish/Maintain Documentation
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 Leadership and high level objectives Establish/Maintain Documentation
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Business Processes
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Establish/Maintain Documentation
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Establish Roles
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Behavior
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Leadership and high level objectives Behavior
    Estimate the costs of implementing the compliance framework. CC ID 07191 Leadership and high level objectives Business Processes
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Establish Roles
    Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 Leadership and high level objectives Establish/Maintain Documentation
    Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 Leadership and high level objectives Establish Roles
    Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 Leadership and high level objectives Establish Roles
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 Leadership and high level objectives Establish Roles
    Involve the Board of Directors or senior management in Information Governance. CC ID 00609 Leadership and high level objectives Establish Roles
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Leadership and high level objectives Human Resources Management
    Address Information Security during the business planning processes. CC ID 06495 Leadership and high level objectives Data and Information Management
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Leadership and high level objectives Establish/Maintain Documentation
    Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 Leadership and high level objectives Establish Roles
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Establish/Maintain Documentation
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: 4.7 42(c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Leadership and high level objectives Establish/Maintain Documentation
    Align the reporting methodology with the decision management strategy. CC ID 15659 Leadership and high level objectives Business Processes
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Leadership and high level objectives Establish/Maintain Documentation
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for compliance in the decision-making criteria. CC ID 12951
    [{Authority Document} When applying the principle of proportionality, institutions, payment institutions and competent authorities should take into account the criteria specified in Title I of the EBA Guidelines on internal governance in line with Article 74(2) of Directive 2013/36/EU. 4.1 20]
    Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938 Leadership and high level objectives Establish/Maintain Documentation
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Leadership and high level objectives Process or Activity
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Leadership and high level objectives Process or Activity
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Leadership and high level objectives Process or Activity
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Leadership and high level objectives Process or Activity
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Leadership and high level objectives Behavior
    Take actions in accordance with the decision-making criteria. CC ID 12909 Leadership and high level objectives Process or Activity
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Leadership and high level objectives Communicate
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103]
    Monitoring and measurement Establish/Maintain Documentation
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitoring and measurement Monitor and Evaluate Occurrences
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Business Processes
    Monitor for new vulnerabilities. CC ID 06843 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Monitoring and measurement Testing
    Establish, implement, and maintain a system security plan. CC ID 01922 Monitoring and measurement Testing
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Establish/Maintain Documentation
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Establish/Maintain Documentation
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Establish/Maintain Documentation
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Establish/Maintain Documentation
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Establish/Maintain Documentation
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Communicate
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Establish/Maintain Documentation
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Establish/Maintain Documentation
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Establish/Maintain Documentation
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Process or Activity
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Establish/Maintain Documentation
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Establish/Maintain Documentation
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Establish/Maintain Documentation
    Approve the system security plan. CC ID 14241 Monitoring and measurement Business Processes
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Establish/Maintain Documentation
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Establish/Maintain Documentation
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Establish/Maintain Documentation
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Testing
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Acquisition/Sale of Assets or Services
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Behavior
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Behavior
    Ensure protocols are free from injection flaws. CC ID 16401 Monitoring and measurement Process or Activity
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain risk management metrics. CC ID 01656 Monitoring and measurement Establish/Maintain Documentation
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Monitoring and measurement Business Processes
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Audits and Risk Management
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499 Monitoring and measurement Establish/Maintain Documentation
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Establish/Maintain Documentation
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Establish/Maintain Documentation
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Establish/Maintain Documentation
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Establish/Maintain Documentation
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Establish/Maintain Documentation
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Establish/Maintain Documentation
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Establish/Maintain Documentation
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Communicate
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Establish/Maintain Documentation
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Establish/Maintain Documentation
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Establish/Maintain Documentation
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Establish/Maintain Documentation
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Establish/Maintain Documentation
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Monitoring and measurement Establish/Maintain Documentation
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Monitoring and measurement Establish/Maintain Documentation
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Establish/Maintain Documentation
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Business Processes
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Business Processes
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Business Processes
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain waste management metrics. CC ID 16152 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain financial management metrics. CC ID 16749 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Business Processes
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Log Management
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Business Processes
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Business Processes
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Business Processes
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Business Processes
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Business Processes
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Business Processes
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Business Processes
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Communicate
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Monitoring and measurement Establish/Maintain Documentation
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Establish/Maintain Documentation
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Technical Security
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Log Management
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Technical Security
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Log Management
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Systems Continuity
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Log Management
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Log Management
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Log Management
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Log Management
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Log Management
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Log Management
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Log Management
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Configuration
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Log Management
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Establish/Maintain Documentation
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Audits and Risk Management
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Business Processes
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Establish/Maintain Documentation
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Establish/Maintain Documentation
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Establish/Maintain Documentation
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Establish Roles
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Establish Roles
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97]
    Audits and risk management Audits and Risk Management
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Establish/Maintain Documentation
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Establish/Maintain Documentation
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Establish/Maintain Documentation
    Review the external auditor's qualifications. CC ID 01197
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, reperformance/verification of the evidence in the underlying audit file); 4.13.3 93(e)]
    Audits and risk management Audits and Risk Management
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199
    [{third-party audit report} {are sufficient} For the outsourcing of critical or important functions, institutions and payment institutions should assess whether third-party certifications and reports as referred to in paragraph 91(b) are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. 4.13.3 92]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an audit program. CC ID 00684
    [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Establish/Maintain Documentation
    Assign the audit to impartial auditors. CC ID 07118 Audits and risk management Establish Roles
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Audits and Risk Management
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [When performing audits in multi-client environments, care should be taken to ensure that risks to another client's environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated. 4.13.3 96]
    Audits and risk management Behavior
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Establish/Maintain Documentation
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Audits and Risk Management
    Establish and maintain audit terms. CC ID 13880
    [{third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)]
    Audits and risk management Establish/Maintain Documentation
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Process or Activity
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Establish/Maintain Documentation
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Establish/Maintain Documentation
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Audits and Risk Management
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Audits and Risk Management
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Audits and Risk Management
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Audits and Risk Management
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Audits and Risk Management
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Audits and Risk Management
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Establish/Maintain Documentation
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Establish/Maintain Documentation
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Establish/Maintain Documentation
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Audits and Risk Management
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Establish/Maintain Documentation
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Establish/Maintain Documentation
    Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 Audits and risk management Establish/Maintain Documentation
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Establish/Maintain Documentation
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Establish/Maintain Documentation
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Establish/Maintain Documentation
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Establish/Maintain Documentation
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Establish/Maintain Documentation
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Establish/Maintain Documentation
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Establish/Maintain Documentation
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Establish/Maintain Documentation
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Establish/Maintain Documentation
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Establish/Maintain Documentation
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Establish/Maintain Documentation
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Establish/Maintain Documentation
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Establish/Maintain Documentation
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Establish/Maintain Documentation
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Establish/Maintain Documentation
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Establish/Maintain Documentation
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Establish/Maintain Documentation
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Establish/Maintain Documentation
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Establish/Maintain Documentation
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Audits and Risk Management
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Business Processes
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Audits and Risk Management
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that key systems and controls are covered in future versions of the certification or audit report; 4.13.3 93(d)
    {access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Audits and risk management Establish/Maintain Documentation
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Establish/Maintain Documentation
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Investigate
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Establish/Maintain Documentation
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Establish/Maintain Documentation
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Establish/Maintain Documentation
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Audits and Risk Management
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Establish/Maintain Documentation
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Audits and Risk Management
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Establish/Maintain Documentation
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Establish/Maintain Documentation
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Establish/Maintain Documentation
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Audits and Risk Management
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Establish/Maintain Documentation
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Establish/Maintain Documentation
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Establish/Maintain Documentation
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Establish/Maintain Documentation
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Establish/Maintain Documentation
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Establish/Maintain Documentation
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Establish/Maintain Documentation
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Establish/Maintain Documentation
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Establish/Maintain Documentation
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Establish/Maintain Documentation
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Establish/Maintain Documentation
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Establish/Maintain Documentation
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Establish/Maintain Documentation
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Establish/Maintain Documentation
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Establish/Maintain Documentation
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Establish/Maintain Documentation
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Establish/Maintain Documentation
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Establish/Maintain Documentation
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Establish/Maintain Documentation
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Establish/Maintain Documentation
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Establish/Maintain Documentation
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Establish/Maintain Documentation
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Establish/Maintain Documentation
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Establish/Maintain Documentation
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Establish/Maintain Documentation
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Establish/Maintain Documentation
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Communicate
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Establish/Maintain Documentation
    Include how access to in scope systems, personnel and in scope records is provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Establish/Maintain Documentation
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Audits and risk management Establish/Maintain Documentation
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Establish/Maintain Documentation
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Communicate
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Establish/Maintain Documentation
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Audits and risk management Establish/Maintain Documentation
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Establish/Maintain Documentation
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Behavior
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Audits and Risk Management
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730
    [With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)]
    Audits and risk management Audits and Risk Management
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Audits and risk management Actionable Reports or Measurements
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Establish/Maintain Documentation
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Establish/Maintain Documentation
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Establish/Maintain Documentation
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Records Management
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Testing
    Audit policies, standards, and procedures. CC ID 12927
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions; 4.10 51(b)]
    Audits and risk management Audits and Risk Management
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Establish/Maintain Documentation
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Establish/Maintain Documentation
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Process or Activity
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Establish/Maintain Documentation
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Audits and risk management Testing
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Audits and Risk Management
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Audits and Risk Management
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Audits and Risk Management
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Communicate
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Testing
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Human Resources Management
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Process or Activity
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Process or Activity
    Identify interviewees. CC ID 16290 Audits and risk management Process or Activity
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Process or Activity
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Establish/Maintain Documentation
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Establish/Maintain Documentation
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Establish/Maintain Documentation
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Establish/Maintain Documentation
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Establish/Maintain Documentation
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Establish/Maintain Documentation
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Audits and Risk Management
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Establish/Maintain Documentation
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Establish/Maintain Documentation
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Establish/Maintain Documentation
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Establish/Maintain Documentation
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Audits and Risk Management
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Establish/Maintain Documentation
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Establish/Maintain Documentation
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Monitor and Evaluate Occurrences
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Establish Roles
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Business Processes
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Monitor and Evaluate Occurrences
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Business Processes
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Process or Activity
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Establish/Maintain Documentation
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88]
    Audits and risk management Audits and Risk Management
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Business Processes
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Audits and Risk Management
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Establish/Maintain Documentation
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Establish/Maintain Documentation
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Establish/Maintain Documentation
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Audits and Risk Management
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Establish/Maintain Documentation
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Establish/Maintain Documentation
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Establish/Maintain Documentation
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Establish/Maintain Documentation
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Establish/Maintain Documentation
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Establish/Maintain Documentation
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Establish/Maintain Documentation
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Establish/Maintain Documentation
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Establish/Maintain Documentation
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Establish/Maintain Documentation
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Establish/Maintain Documentation
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Establish/Maintain Documentation
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Actionable Reports or Measurements
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Actionable Reports or Measurements
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Actionable Reports or Measurements
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Establish/Maintain Documentation
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Establish/Maintain Documentation
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Establish/Maintain Documentation
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Establish/Maintain Documentation
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Actionable Reports or Measurements
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Establish/Maintain Documentation
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Establish/Maintain Documentation
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Establish/Maintain Documentation
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Establish/Maintain Documentation
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Establish/Maintain Documentation
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Establish/Maintain Documentation
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Establish/Maintain Documentation
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Establish/Maintain Documentation
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Establish/Maintain Documentation
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Establish/Maintain Documentation
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Establish/Maintain Documentation
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Establish/Maintain Documentation
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Establish/Maintain Documentation
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Establish/Maintain Documentation
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Establish/Maintain Documentation
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Establish/Maintain Documentation
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Audits and Risk Management
    Refrain from referencing other auditors' work in the audit report. CC ID 13881 Audits and risk management Establish/Maintain Documentation
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Establish/Maintain Documentation
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Establish/Maintain Documentation
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Establish/Maintain Documentation
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Establish/Maintain Documentation
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Establish/Maintain Documentation
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Establish/Maintain Documentation
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Establish/Maintain Documentation
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Establish/Maintain Documentation
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Audits and Risk Management
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Establish/Maintain Documentation
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Establish/Maintain Documentation
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Actionable Reports or Measurements
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Establish/Maintain Documentation
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Establish/Maintain Documentation
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Establish/Maintain Documentation
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Establish/Maintain Documentation
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Audits and Risk Management
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Establish/Maintain Documentation
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Audits and Risk Management
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Behavior
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Establish/Maintain Documentation
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Establish/Maintain Documentation
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Establish/Maintain Documentation
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Establish/Maintain Documentation
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Establish/Maintain Documentation
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Establish/Maintain Documentation
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Establish/Maintain Documentation
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Establish/Maintain Documentation
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Establish/Maintain Documentation
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Establish/Maintain Documentation
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Establish/Maintain Documentation
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Establish/Maintain Documentation
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Audits and risk management Establish/Maintain Documentation
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Establish/Maintain Documentation
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Establish/Maintain Documentation
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Establish/Maintain Documentation
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Actionable Reports or Measurements
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Establish/Maintain Documentation
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Establish/Maintain Documentation
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Human Resources Management
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Communicate
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Communicate
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Behavior
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Establish/Maintain Documentation
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Establish/Maintain Documentation
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Business Processes
    Accept the audit report. CC ID 07025 Audits and risk management Establish/Maintain Documentation
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Human Resources Management
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Establish/Maintain Documentation
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Establish/Maintain Documentation
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Establish/Maintain Documentation
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Establish/Maintain Documentation
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Establish/Maintain Documentation
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Establish/Maintain Documentation
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Establish/Maintain Documentation
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Establish/Maintain Documentation
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Establish/Maintain Documentation
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Establish/Maintain Documentation
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Establish/Maintain Documentation
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Establish/Maintain Documentation
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Communicate
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Audits and risk management Establish/Maintain Documentation
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Establish/Maintain Documentation
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Business Processes
    Integrate the risk management program into daily business decision-making. CC ID 13659 Audits and risk management Business Processes
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Establish/Maintain Documentation
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Audits and Risk Management
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Business Processes
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Audits and risk management Establish/Maintain Documentation
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Establish/Maintain Documentation
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Data and Information Management
    Include the use of alternate service providers in the risk management strategies. CC ID 13217
    [{be difficult} {substitute} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: outsourcing to a dominant service provider that is not easily substitutable; and 4.12.2 66(a)(i)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable; 4.4 31(i)
    {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: transfer the function to alternative service providers; 4.6 40(f)(i)]
    Audits and risk management Establish/Maintain Documentation
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Establish/Maintain Documentation
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [{be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Audits and risk management Establish Roles
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Audits and risk management Establish/Maintain Documentation
    Address past incidents in the risk assessment program. CC ID 12743 Audits and risk management Audits and Risk Management
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Audits and risk management Establish/Maintain Documentation
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Audits and risk management Establish/Maintain Documentation
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Communicate
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Communicate
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Business Processes
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Business Processes
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903
    [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the measures implemented by the institution or payment institution and by the service provider to manage and mitigate the risks. 4.12.2 66(d)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d)
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Audits and risk management Business Processes
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Process or Activity
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Establish/Maintain Documentation
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Audits and risk management Establish/Maintain Documentation
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Communicate
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Establish/Maintain Documentation
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Establish/Maintain Documentation
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Audits and risk management Establish/Maintain Documentation
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Behavior
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Establish/Maintain Documentation
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Communicate
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Establish/Maintain Documentation
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Technical Security
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Audits and risk management Establish/Maintain Documentation
    Document cybersecurity risks. CC ID 12281 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Audits and risk management Establish/Maintain Documentation
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Human Resources Management
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Audits and Risk Management
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Audits and risk management Establish/Maintain Documentation
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Establish/Maintain Documentation
    Document organizational risk criteria. CC ID 12277 Audits and risk management Establish/Maintain Documentation
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Technical Security
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)]
    Audits and risk management Audits and Risk Management
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Audits and Risk Management
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Establish/Maintain Documentation
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Audits and Risk Management
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Business Processes
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Audits and Risk Management
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Audits and risk management Establish/Maintain Documentation
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Audits and risk management Establish/Maintain Documentation
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Audits and risk management Establish/Maintain Documentation
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Audits and risk management Establish/Maintain Documentation
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Audits and risk management Establish/Maintain Documentation
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Audits and risk management Establish/Maintain Documentation
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Audits and Risk Management
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Communicate
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Audits and risk management Establish/Maintain Documentation
    Perform risk assessments for all target environments, as necessary. CC ID 06452 Audits and risk management Testing
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Establish/Maintain Documentation
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Establish/Maintain Documentation
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Establish/Maintain Documentation
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Audits and Risk Management
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Audits and Risk Management
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Audits and Risk Management
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Establish/Maintain Documentation
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Communicate
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Communicate
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Business Processes
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Audits and risk management Behavior
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Audits and Risk Management
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Establish/Maintain Documentation
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Establish/Maintain Documentation
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Establish/Maintain Documentation
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Establish/Maintain Documentation
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Establish/Maintain Documentation
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Communicate
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Establish/Maintain Documentation
    Document organizational risk tolerance in a risk register. CC ID 09961 Audits and risk management Establish/Maintain Documentation
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Business Processes
    Review the Business Impact Analysis, as necessary. CC ID 12774 Audits and risk management Business Processes
    Analyze and quantify the risks to in-scope systems and information. CC ID 00701
    [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the aggregated risks resulting from outsourcing several functions across the institution or payment institution and, in the case of groups of institutions or institutional protection schemes, the aggregated risks on a consolidated basis or on the basis of the institutional protection scheme; 4.12.2 66(b)]
    Audits and risk management Audits and Risk Management
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Audits and Risk Management
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Audits and Risk Management
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Audits and risk management Establish/Maintain Documentation
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Investigate
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Behavior
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Establish/Maintain Documentation
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Audits and Risk Management
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Audits and Risk Management
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Audits and risk management Establish/Maintain Documentation
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Establish/Maintain Documentation
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Audits and Risk Management
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and risk management Audits and Risk Management
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and risk management Audits and Risk Management
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Establish/Maintain Documentation
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Establish/Maintain Documentation
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Establish/Maintain Documentation
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Establish/Maintain Documentation
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Establish/Maintain Documentation
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Establish/Maintain Documentation
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Establish/Maintain Documentation
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Establish/Maintain Documentation
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Communicate
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Audits and Risk Management
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Audits and risk management Establish/Maintain Documentation
    Review and approve the risk assessment findings. CC ID 06485 Audits and risk management Establish/Maintain Documentation
    Include risk responses in the risk management program. CC ID 13195 Audits and risk management Establish/Maintain Documentation
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Business Processes
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Establish/Maintain Documentation
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Establish/Maintain Documentation
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Audits and Risk Management
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Communicate
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Communicate
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32]
    Audits and risk management Establish/Maintain Documentation
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Establish/Maintain Documentation
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Communicate
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Business Processes
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Business Processes
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Establish/Maintain Documentation
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Communicate
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Establish/Maintain Documentation
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Establish/Maintain Documentation
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Establish/Maintain Documentation
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Establish/Maintain Documentation
    Include supply chain risk management procedures in the risk management program. CC ID 13190
    [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33
    Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103
    When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)]
    Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Communicate
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)]
    Audits and risk management Human Resources Management
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Communicate
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity framework. CC ID 00732 Operational and Systems Continuity Establish/Maintain Documentation
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106]
    Operational and Systems Continuity Establish/Maintain Documentation
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48
    {business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057
    [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49
    {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Establish/Maintain Documentation
    Review and prioritize the importance of each business unit. CC ID 01165 Operational and Systems Continuity Systems Continuity
    Review and prioritize the importance of each business process. CC ID 11689 Operational and Systems Continuity Establish/Maintain Documentation
    Document the mean time to failure for system components. CC ID 10684 Operational and Systems Continuity Systems Continuity
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Operational and Systems Continuity Audits and Risk Management
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77]
    Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 Operational and Systems Continuity Behavior
    Validate information security continuity controls regularly. CC ID 12008
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)]
    Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Operational and Systems Continuity Testing
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [When developing exit strategies, institutions and payment institutions should: define success criteria for the transition of outsourced functions and data; and 4.15 108(d)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Operational and Systems Continuity Establish/Maintain Documentation
    Include recovery procedures in the continuity test plan. CC ID 14876 Operational and Systems Continuity Establish/Maintain Documentation
    Include test scripts in the continuity test plan. CC ID 14875 Operational and Systems Continuity Establish/Maintain Documentation
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Operational and Systems Continuity Establish/Maintain Documentation
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Operational and Systems Continuity Establish/Maintain Documentation
    Include contact information in the continuity test plan. CC ID 14399 Operational and Systems Continuity Establish/Maintain Documentation
    Include testing all system components in the continuity test plan. CC ID 13508 Operational and Systems Continuity Establish/Maintain Documentation
    Include test scenarios in the continuity test plan. CC ID 13506 Operational and Systems Continuity Establish/Maintain Documentation
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Operational and Systems Continuity Establish/Maintain Documentation
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Operational and Systems Continuity Testing
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Operational and Systems Continuity Testing
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Operational and Systems Continuity Testing
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48]
    Operational and Systems Continuity Testing
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Operational and Systems Continuity Testing
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Operational and Systems Continuity Testing
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [{be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65]
    Operational and Systems Continuity Actionable Reports or Measurements
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)]
    Human Resources management Establish Roles
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Human Resources management Establish Roles
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources management Human Resources Management
    Define the scope for the security operations center. CC ID 15713 Human Resources management Establish/Maintain Documentation
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources management Human Resources Management
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Behavior
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources management Human Resources Management
    Define and assign the Board of Directors' roles and responsibilities and senior management's roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)
    {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Human Resources management Establish Roles
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Human Resources Management
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Establish/Maintain Documentation
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Human Resources Management
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Establish/Maintain Documentation
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Establish/Maintain Documentation
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Human Resources Management
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Human Resources Management
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Establish Roles
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Human Resources Management
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Human Resources Management
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Human Resources Management
    Define and assign board committees, as necessary. CC ID 14787 Human Resources management Human Resources Management
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources management Human Resources Management
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Human Resources management Establish/Maintain Documentation
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources management Human Resources Management
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources management Human Resources Management
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources management Human Resources Management
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Human Resources management Establish Roles
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources management Human Resources Management
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Human Resources management Establish Roles
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources management Human Resources Management
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Human Resources management Establish Roles
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Human Resources management Establish Roles
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources management Human Resources Management
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Human Resources management Establish Roles
    Define and assign the security staff roles and responsibilities. CC ID 11750 Human Resources management Establish/Maintain Documentation
    Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 Human Resources management Human Resources Management
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Human Resources management Establish Roles
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Human Resources management Establish Roles
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Human Resources management Establish Roles
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Human Resources management Establish Roles
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)]
    Human Resources management Establish/Maintain Documentation
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Human Resources management Establish Roles
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources management Human Resources Management
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources management Human Resources Management
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources management Human Resources Management
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources management Human Resources Management
    Assign a contact person to all business units. CC ID 07144 Human Resources management Establish Roles
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Business Processes
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources management Human Resources Management
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources management Human Resources Management
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources management Human Resources Management
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)]
    Human Resources management Human Resources Management
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Establish Roles
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Establish Roles
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Human Resources Management
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Communicate
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Human Resources Management
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Human Resources Management
    Establish and maintain security clearances. CC ID 01634 Human Resources management Human Resources Management
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)
    have sufficient resources and capacities to ensure compliance with points (a) to (c). 4.6 39(d)]
    Operational management Acquisition/Sale of Assets or Services
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523
    [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the internal organisation of the institution or the payment institution; 4.6 36(b)]
    Operational management Human Resources Management
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94]
    Operational management Establish/Maintain Documentation
    Define the scope for the internal control framework. CC ID 16325 Operational management Business Processes
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Establish Roles
    Assign resources to implement the internal control framework. CC ID 00816 Operational management Business Processes
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Establish Roles
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Operational management Business Processes
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Establish/Maintain Documentation
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Establish/Maintain Documentation
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Business Processes
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Establish/Maintain Documentation
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Establish/Maintain Documentation
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Establish/Maintain Documentation
    Automate threat assessments, as necessary. CC ID 06877 Operational management Configuration
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Establish/Maintain Documentation
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Configuration
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Establish/Maintain Documentation
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Establish/Maintain Documentation
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Establish/Maintain Documentation
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Communicate
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Process or Activity
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Establish/Maintain Documentation
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Establish/Maintain Documentation
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Establish/Maintain Documentation
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Establish/Maintain Documentation
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Communicate
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
[{be adequate} In accordance with Article 109 (2) of Directive 2013/36/EU, these guidelines should also apply on a sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation. For this purpose, the EU parent undertakings or the parent undertaking in a Member State should ensure that internal governance arrangements, processes and mechanisms in their subsidiaries, including payment institutions, are consistent, well integrated and adequate for the effective application of these guidelines at all relevant levels. 4.2 21]
    Operational management Business Processes
    Analyze how the policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Operational management Process or Activity
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Process or Activity
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Operational management Process or Activity
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Operational management Process or Activity
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Operational management Process or Activity
    Analyze the organizational culture. CC ID 12899 Operational management Process or Activity
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Behavior
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Business Processes
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Business Processes
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Business Processes
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Behavior
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Behavior
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Business Processes
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Behavior
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Behavior
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Institutions and payment institutions that are subsidiaries of an EU parent undertaking or of a parent undertaking in a Member State to which no waivers have been granted on the basis of Article 21 of Directive 2013/36/EU or Article 109(1) of Directive 2013/36/EU in conjunction with Article 7 of Regulation (EU) No 575/2013 should ensure that they comply with these Guidelines on an individual basis. 4.2 25
    Institutions, payment institutions and competent authorities should, when complying or supervising compliance with these guidelines, have regard to the principle of proportionality. The proportionality principle aims to ensure that governance arrangements, including those related to outsourcing, are consistent with the individual risk profile, the nature and business model of the institution or payment institution, and the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved. 4.1 18
    {third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    The management body is at all times fully responsible and accountable for at least: ensuring that the institution or payment institution meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority; 4.6 36(a)
    {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35
    meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)]
    Operational management Establish/Maintain Documentation
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Operational management Communicate
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Business Processes
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Operational management Behavior
    Establish, implement, and maintain a Service Management System. CC ID 13889 Operational management Business Processes
    Establish, implement, and maintain a service management program. CC ID 11388 Operational management Establish/Maintain Documentation
    Include the change management policy in the service management program. CC ID 13923
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)]
    Operational management Establish/Maintain Documentation
    Assign roles and responsibilities in the service management program. CC ID 11393
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)
    When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)
    clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)]
    Operational management Establish/Maintain Documentation
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394
    [When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)]
    Operational management Establish/Maintain Documentation
    Include service management procedures in the service management program. CC ID 11396
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)]
    Operational management Establish/Maintain Documentation
    Include continuity plans in the Service Management program. CC ID 13919
    [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839
    [When outsourcing, institutions and payment institutions should at least ensure that: they maintain the orderliness of the conduct of their business and the banking and payment services they provide; 4.6 40(b)]
    Operational management Establish/Maintain Documentation
    Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 Operational management Establish/Maintain Documentation
    Include the organizational structure for service level management in the Service Level Agreement framework. CC ID 13633
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)
    {organizational structure} retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements; 4.6 39(b)]
    Operational management Establish/Maintain Documentation
    Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 Operational management Establish/Maintain Documentation
    Include capacity planning in Service Level Agreements. CC ID 13096 Operational management Establish/Maintain Documentation
    Include Operational Level Agreements within Service Level Agreements, as necessary. CC ID 13631 Operational management Establish/Maintain Documentation
    Include funding sources in Service Level Agreements, as necessary. CC ID 13632 Operational management Establish/Maintain Documentation
    Include business requirements of delivered services in the Service Level Agreement. CC ID 00840
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the definition of business requirements regarding outsourcing arrangements; 4.7 42(c)(i)]
    Operational management Establish/Maintain Documentation
    Include the management requirements for network services in the Service Level Agreement. CC ID 12025 Operational management Establish/Maintain Documentation
    Include notification requirements in the service level agreement. CC ID 16675 Operational management Establish/Maintain Documentation
    Include performance requirements in the Service Level Agreement. CC ID 00841 Operational management Establish/Maintain Documentation
    Include the service levels for network services in the Service Level Agreement. CC ID 12024 Operational management Establish/Maintain Documentation
    Include the consequences for failure to meet service levels in Service Level Agreements. CC ID 15698 Operational management Establish/Maintain Documentation
    Include availability requirements in Service Level Agreements. CC ID 13095 Operational management Establish/Maintain Documentation
    Establish and maintain a service catalog. CC ID 13634 Operational management Establish/Maintain Documentation
    Include a service description in the service catalog. CC ID 13917 Operational management Establish/Maintain Documentation
    Assign unique reference numbers to all services in the service catalog. CC ID 14424
    [The register should include at least the following information for all existing outsourcing arrangements: a reference number for each outsourcing arrangement; 4.11 54(a)]
    Operational management Establish/Maintain Documentation
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [{outsourcing arrangements} {time sensitive operation} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether the outsourced critical or important function supports business operations that are time-critical; 4.11 55(j)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: an outcome of the assessment of the service provider's substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function; 4.11 55(h)]
    Operational management Establish/Maintain Documentation
    Categorize services in the service catalog. CC ID 14419 Operational management Establish/Maintain Documentation
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426
    [As a general principle, institutions and payment institutions should not consider the following as outsourcing: a function that is legally required to be performed by a service provider, e.g. statutory audit; 4.3 28(a)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: global network infrastructures (e.g. Visa, MasterCard); 4.3 28(c)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: correspondent banking services; and 4.3 28(f)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution's or payment institution's premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line). 4.3 28(g)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; 4.3 28(d)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: market information services (e.g. provision of data by Bloomberg, Moody's, Standard & Poor's, Fitch); 4.3 28(b)
    As a general principle, institutions and payment institutions should not consider the following as outsourcing: global financial messaging infrastructures that are subject to oversight by relevant authorities; 4.3 28(e)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Establish/Maintain Documentation
    Determine how long to keep records and logs before disposing of them. CC ID 11661 Records management Process or Activity
    Retain records in accordance with applicable requirements. CC ID 00968
    [{outsourcing arrangements} Taking into account Title I of these guidelines, and under the conditions set out in paragraph 23(d), for institutions and payment institutions within a group, institutions permanently affiliated to a central body or institutions that are members of the same institutional protection scheme, the register may be kept centrally. 4.11 53]
    Records management Records Management
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Establish/Maintain Documentation
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Establish/Maintain Documentation
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Establish/Maintain Documentation
    Include the person's name who approved the authorization in the authorization records. CC ID 14369
    [For the outsourcing of critical or important functions, the register should include at least the following additional information: the individual or decision-making body (e.g. the management body) in the institution or the payment institution that approved the outsourcing arrangement; 4.11 55(d)]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Data and Information Management
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Data and Information Management
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Records Management
    Display required information automatically in electronic health records. CC ID 14442 Records management Process or Activity
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Establish/Maintain Documentation
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Actionable Reports or Measurements
    Create export summaries, as necessary. CC ID 14446 Records management Process or Activity
    Import data files into a patient's electronic health record. CC ID 14448 Records management Data and Information Management
    Export requested sections of the electronic health record. CC ID 14447 Records management Data and Information Management
    Establish and maintain an implantable device list. CC ID 14444 Records management Records Management
    Display the implantable device list to authorized users. CC ID 14445 Records management Data and Information Management
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Business Processes
    Include attributes in the decision support intervention. CC ID 16766 Records management Data and Information Management
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Records Management
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Records Management
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Records Management
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Records Management
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Records Management
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Records management Log Management
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Records management Log Management
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Records management Establish/Maintain Documentation
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Records management Log Management
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Records management Log Management
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Records management Log Management
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Records management Log Management
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Records management Log Management
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Records management Log Management
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Records management Log Management
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Records management Log Management
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Records management Log Management
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Records management Log Management
    Log performance monitoring into the recordkeeping system. CC ID 11724 Records management Log Management
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Records management Log Management
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Records management Log Management
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records management Records Management
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Records management Log Management
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Log Management
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Records management Log Management
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Records management Log Management
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records management Records Management
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Records management Log Management
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Records management Log Management
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Records management Log Management
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538
    [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised; 4.4 31(a)
    {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority, as referred to in Section 12.1. 4.4 29(c)
    {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)
    Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is authorised or registered by a competent authority to perform such banking activities or payment services; or 4.12.1 62(a)]
    Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain expedited recredit procedures. CC ID 13574 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Establish, implement, and maintain payment systems. CC ID 13539 Acquisition or sale of facilities, technology, and services Business Processes
    Document the business need justification for payment page scripts. CC ID 15480 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 Acquisition or sale of facilities, technology, and services Business Processes
    Employ Remote Deposit Capture systems, as necessary. CC ID 13570 Acquisition or sale of facilities, technology, and services Configuration
    Include liquidity plans in the payment and settlement functions. CC ID 16722 Acquisition or sale of facilities, technology, and services Process or Activity
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Business Processes
    Define risk levels for Automated Clearing House activities, as necessary. CC ID 13542 Acquisition or sale of facilities, technology, and services Business Processes
    Determine Automated Clearing House exposure limits, as necessary. CC ID 13549 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Acquisition or sale of facilities, technology, and services Technical Security
    Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 Acquisition or sale of facilities, technology, and services Business Processes
    Restrict transaction activities, as necessary. CC ID 16334 Acquisition or sale of facilities, technology, and services Business Processes
    Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 Acquisition or sale of facilities, technology, and services Communicate
    Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 Acquisition or sale of facilities, technology, and services Business Processes
    Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 Acquisition or sale of facilities, technology, and services Business Processes
    Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 Acquisition or sale of facilities, technology, and services Business Processes
    Encrypt electronic commerce transactions and messages. CC ID 08621 Acquisition or sale of facilities, technology, and services Configuration
    Protect the integrity of application service transactions. CC ID 12017 Acquisition or sale of facilities, technology, and services Business Processes
    Include required information in electronic commerce transactions and messages. CC ID 15318 Acquisition or sale of facilities, technology, and services Data and Information Management
    Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 Acquisition or sale of facilities, technology, and services Business Processes
    Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 Acquisition or sale of facilities, technology, and services Communicate
    Bill and settle electronic commerce transactions. CC ID 08622 Acquisition or sale of facilities, technology, and services Business Processes
    Notify affected parties after successful card-not-present transactions. CC ID 13668 Acquisition or sale of facilities, technology, and services Communicate
    Deliver incoming and outgoing electronic commerce transactions and messages to the correct Internet Protocol address. CC ID 08620 Acquisition or sale of facilities, technology, and services Business Processes
    Disseminate and communicate transaction exceptions to consumers. CC ID 08619 Acquisition or sale of facilities, technology, and services Business Processes
    Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 Acquisition or sale of facilities, technology, and services Data and Information Management
    Withhold payment and settlement functions, as necessary. CC ID 15460 Acquisition or sale of facilities, technology, and services Business Processes
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 Acquisition or sale of facilities, technology, and services Behavior
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include security requirements in system acquisition contracts. CC ID 01124 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include operational requirements in system acquisition contracts. CC ID 00825
    [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; 4.4 29(b)]
    Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836
    [{not authorized} The outsourcing policy should differentiate between the following: outsourcing to service providers that are authorised by a competent authority and those that are not; 4.7 43(b)]
    Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Install software that originates from approved third parties. CC ID 12184 Acquisition or sale of facilities, technology, and services Technical Security
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Establish/Maintain Documentation
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Establish Roles
    Notify the supervisory authority. CC ID 00472
    [Institutions, without prejudice to Article 19(6) of Directive (EU) 2015/2366, and payment institutions should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important and provide at least the information specified in paragraph 54. 4.11 58
    Institutions and payment institutions should inform competent authorities in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the institutions' or payment institutions' business activities. 4.11 59]
    Privacy protection for information and data Behavior
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Establish/Maintain Documentation
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Business Processes
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Communicate
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Establish/Maintain Documentation
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Business Processes
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Process or Activity
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [Institutions and payment institutions should, upon request, make available to the competent authority all information necessary to enable the competent authority to execute the effective supervision of the institution or the payment institution, including, where required, a copy of the outsourcing agreement. 4.11 57]
    Privacy protection for information and data Process or Activity
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Communicate
    Establish, implement, and maintain a data handling program. CC ID 13427
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Establish/Maintain Documentation
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Data and Information Management
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Technical Security
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Data and Information Management
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Configuration
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Configuration
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Configuration
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Technical Security
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Data and Information Management
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Log Management
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Log Management
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Technical Security
    Implement security measures to protect personal data. CC ID 13606 Privacy protection for information and data Technical Security
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Testing
    Limit data leakage. CC ID 00356 Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Business Processes
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Acquisition/Sale of Assets or Services
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Process or Activity
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Data and Information Management
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Data and Information Management
    Store de-identifying code and re-identifying code separately. CC ID 16535 Privacy protection for information and data Data and Information Management
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Data and Information Management
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Communicate
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Establish/Maintain Documentation
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Establish/Maintain Documentation
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Data and Information Management
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Data and Information Management
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Business Processes
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Monitor and Evaluate Occurrences
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Communicate
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e)
    When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the approval process of new outsourcing arrangements; 4.7 42(c)(vii)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the renewal processes; 4.7 42(d)(iv)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f)
    Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80
    {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42
    {substitutability} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so ('substitutability'); 4.4 31(h)
    The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Establish/Maintain Documentation
    Document and maintain supply chain processes. CC ID 08816
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain an exit plan. CC ID 15492 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in the exit plan. CC ID 15497 Third Party and supply chain oversight Establish/Maintain Documentation
    Test the exit plan, as necessary. CC ID 15495 Third Party and supply chain oversight Testing
    Include contingency plans in the third party management plan. CC ID 10030
    [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: business continuity planning in accordance with Section 9; 4.7 42(c)(vi)
    develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106
    {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: reintegrate the function; or 4.6 40(f)(ii)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Third Party and supply chain oversight Systems Continuity
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the product or service to be provided in third party contracts. CC ID 06509
    [The outsourcing agreement for critical or important functions should set out at least: a clear description of the outsourced function to be provided; 4.13 75(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Establish/Maintain Documentation
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543
    [Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100
    When outsourcing, institutions and payment institutions should at least ensure that: an appropriate flow of relevant information with service providers is maintained; 4.6 40(e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528
    [Where an arrangement with a service provider covers multiple functions, institutions and payment institutions should consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together. 4.3 27]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f)
    The outsourcing agreement for critical or important functions should set out at least: provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider; 4.13 75(m)
    With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)
    When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)
    {be able} {be necessary} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain, upon request, the information necessary to carry out their supervisory tasks pursuant to Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; 4.12.1 63(c)(i)
    {be able} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain appropriate access to any data, documents, premises or personnel in the third country that are relevant for the performance of their supervisory powers; 4.12.1 63(c)(ii)]
    Third Party and supply chain oversight Business Processes
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a)
    {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Establish/Maintain Documentation
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    The outsourcing agreement for critical or important functions should set out at least: the parties' financial obligations; 4.13 75(d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507
    [{access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89
    {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b)
    With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508
    [Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: receive, as soon as possible, information from the supervisory authority in the third country for investigating apparent breaches of the requirements of Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; and 4.12.1 63(c)(iii)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513
    [The outsourcing agreement for critical or important functions should set out at least: the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them; 4.13 75(n)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [When outsourcing, institutions and payment institutions should at least ensure that: appropriate confidentiality arrangements are in place regarding data and other information; 4.6 40(d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878
    [With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a reporting structure in third party contracts. CC ID 06532
    [The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Establish/Maintain Documentation
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Establish/Maintain Documentation
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512
    [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
    The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)
    The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)
    {third party audit report} Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: third-party certifications and third-party or internal audit reports, made available by the service provider. 4.13.3 91(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [The outsourcing agreement for critical or important functions should set out at least: the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function, as specified in Section 13.3; 4.13 75(p)
    The outsourcing agreement for critical or important functions should set out at least: the right of the institution or payment institution to monitor the service provider's performance on an ongoing basis; 4.13 75(h)
    Institutions and payment institutions should ensure within the written outsourcing arrangement that the internal audit function is able to review the outsourced function using a risk-based approach. 4.13.3 85
    {access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89
    {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b)
    {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)
    {third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)
    {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: conduct appropriate audits regarding the outsourced function; 4.4 31(c)(iii)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Acquisition/Sale of Assets or Services
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521
    [The outsourcing agreement should specify whether or not sub-outsourcing of critical or important functions, or material parts thereof, is permitted. 4.13.1 76
    The outsourcing agreement for critical or important functions should set out at least: whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to; 4.13 75(e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify the conditions to be complied with in the case of sub-outsourcing; 4.13.1 78(b)
    Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: comply with all applicable laws, regulatory requirements and contractual obligations; and 4.13.1 79(a)
    Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: grant the institution, payment institution and competent authority the same contractual rights of access and audit as those granted by the service provider. 4.13.1 79(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722
    [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    The outsourcing agreement for critical or important functions should set out at least: the governing law of the agreement; 4.13 75(c)
    Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control clauses in third party contracts, as necessary. CC ID 06523
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f)
    The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors); 4.13.4 98(c)
    {refrain from replacing} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement; 4.4 31(g)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)
    The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)
    The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control notification processes in third party contracts. CC ID 06524
    [institutions and payment institutions should ensure that their management body will be duly informed of relevant planned changes regarding service providers that are monitored centrally and the potential impact of these changes on the critical or important functions provided, including a summary of the risk analysis, including legal risks, compliance with regulatory requirements and the impact on service levels, in order for them to assess the impact of these changes; 4.2 23(b)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45
    Where outsourcing creates material conflicts of interest, including between entities within the same group or institutional protection scheme, institutions and payment institutions need to take appropriate measures to manage those conflicts of interest. 4.8 46
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813
    [The outsourcing agreement for critical or important functions should set out at least: for institutions, a clear reference to the national resolution authority's powers, especially to Articles 68 and 71 of Directive 2014/59/EU (BRRD), and in particular a description of the 'substantive obligations' of the contract in the sense of Article 68 of that Directive; 4.13 75(o)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include early termination contingency plans in the third party contracts. CC ID 06526
    [{re-incorporate} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: 4.13.4 99
    identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)
    The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: set an appropriate transition period, during which the service provider, after the termination of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions; and 4.13.4 99(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817
    [The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where the provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions; 4.13.4 98(a)
    Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the failure of the service provider; 4.15 106(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880
    [The outsourcing agreement for critical or important functions should set out at least: whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested; 4.13 75(k)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{be able} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: cooperate with the relevant supervisory authorities in the third country on enforcement in the case of a breach of the applicable regulatory requirements and national law in the Member State. Cooperation should include, but not necessarily be limited to, receiving information on potential breaches of the applicable regulatory requirements from the supervisory authorities in the third country as soon as is practicable. 4.12.1 63(c)(iv)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Third Party and supply chain oversight Establish/Maintain Documentation
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Establish/Maintain Documentation
    Include disclosure requirements in third party contracts. CC ID 08825
    [Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86]
    Third Party and supply chain oversight Business Processes
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059
    [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d)
    As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include required information in the Third Party Service Provider list. CC ID 14429
    [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)
    The register should include at least the following information for all existing outsourcing arrangements: the date of the most recent assessment of the criticality or importance of the outsourced function. 4.11 54(i)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the estimated annual budget cost. 4.11 55(k)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include subcontractors in the Third Party Service Provider list. CC ID 14425
    [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420
    [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: identification of alternative service providers in line with point (h); 4.11 55(i)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422
    [{electronic format} Institutions and payment institutions should, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof, such as information on all outsourcing arrangements falling under one of the categories referred to in point (d) of paragraph 54 of these guidelines (e.g. all IT outsourcing arrangements). Institutions and payment institutions should provide this information in a processable electronic form (e.g. a commonly used database format, comma separated values). 4.11 56]
    Third Party and supply chain oversight Communicate
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430
    [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include all contract dates in the Third Party Service Provider list. CC ID 14421
    [The register should include at least the following information for all existing outsourcing arrangements: the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution; 4.11 54(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d)
    The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include criticality of services in the Third Party Service Provider list. CC ID 14428
    [{be critical} The register should include at least the following information for all existing outsourcing arrangements: whether or not (yes/no) the outsourced function is considered critical or important, including, where applicable, a brief summary of the reasons why the outsourced function is considered critical or important; 4.11 54(g)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of data used in the Third Party Service Provider list. CC ID 14427
    [The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423
    [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)
    The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the governing law of the outsourcing agreement; 4.11 55(e)
    The register should include at least the following information for all existing outsourcing arrangements: the country or countries where the service is to be performed, including the location (i.e. country or region) of the data; 4.11 54(f)
    The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Business Processes
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Third Party and supply chain oversight Establish/Maintain Documentation
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Third Party and supply chain oversight Physical and Environmental Protection
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Third Party and supply chain oversight Establish/Maintain Documentation
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838
    [The outsourcing agreement for critical or important functions should set out at least: the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met; 4.13 75(i)
    The rights and obligations of the institution, the payment institution and the service provider should be clearly allocated and set out in a written agreement. 4.13 74]
    Third Party and supply chain oversight Process or Activity
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Establish Roles
    Categorize all suppliers in the supply chain management program. CC ID 00792
    [The outsourcing policy should differentiate between the following: intragroup outsourcing arrangements, outsourcing arrangements within the same institutional protection scheme (including entities fully owned individually or collectively by institutions within the institutional protection scheme) and outsourcing to entities outside the group; and 4.7 43(c)
    The outsourcing policy should differentiate between the following: outsourcing to service providers located within a Member State and third countries. 4.7 43(d)
    Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself. 4.3 26
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing; 4.11 55(a)
    {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme; 4.11 55(b)
    The register should include at least the following information for all existing outsourcing arrangements: a category assigned by the institution or payment institution that reflects the nature of the function as described under point (c) (e.g. information technology (IT), control function), which should facilitate the identification of different types of arrangements; 4.11 54(d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include risk management procedures in the supply chain management policy. CC ID 08811
    [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32
    {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii)
    where operational tasks of internal control functions are outsourced (e.g. in the case of intragroup outsourcing or outsourcing within institutional protection schemes), exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions; and 4.6 39(c)
    When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: operational risk, including conduct, information and communication technology (ICT) and legal risks; 4.4 31(b)(iii)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024
    [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)
    where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b)
    When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Third Party and supply chain oversight Business Processes
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025
    [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: 4.12.2 66
    {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their financial performance; or 4.4 29(a)(ii)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Business Processes
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management policy. CC ID 08808
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397
    [Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73]
    Third Party and supply chain oversight Business Processes
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Third Party and supply chain oversight Human Resources Management
    Include supplier assessment principles in the supply chain management policy. CC ID 08809
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the third party selection process in the supply chain management policy. CC ID 13132 Third Party and supply chain oversight Establish/Maintain Documentation
    Select suppliers based on their qualifications. CC ID 00795 Third Party and supply chain oversight Establish/Maintain Documentation
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133
    [When functions are provided by a service provider that is part of a group or a member of an institutional protection scheme or that is owned by the institution, payment institution, group or institutions that are members of an institutional protection scheme, the conditions, including financial conditions, for the outsourced service should be set at arm's length. However, within the pricing of services synergies resulting from providing the same or similar services to several institutions within a group or an institutional protection scheme may be factored in, as long as the service provider remains viable on a stand-alone basis; within a group this should be irrespective of the failure of any other group entity. 4.8 47]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a clear management process in the supply chain management policy. CC ID 08810
    [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41
    {not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)
    {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party due diligence standards in the supply chain management policy. CC ID 08812
    [Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Third Party and supply chain oversight Communicate
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Third Party and supply chain oversight Establish/Maintain Documentation
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Business Processes
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Business Processes
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Business Processes
    Use third parties that are compliant with the applicable requirements. CC ID 08818
    [{selection process} Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable. 4.12.3 69
    {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Third Party and supply chain oversight Establish/Maintain Documentation
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Third Party and supply chain oversight Establish/Maintain Documentation
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Data and Information Management
    Establish and maintain a conflict materials report. CC ID 08823 Third Party and supply chain oversight Establish/Maintain Documentation
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Third Party and supply chain oversight Establish/Maintain Documentation
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Third Party and supply chain oversight Establish/Maintain Documentation
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Business Processes
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)]
    Third Party and supply chain oversight Business Processes
    Provide management support for third party due diligence. CC ID 08847 Third Party and supply chain oversight Business Processes
    Commit to the supply chain due diligence process. CC ID 08849 Third Party and supply chain oversight Business Processes
    Structure the organization to support supply chain due diligence. CC ID 08850 Third Party and supply chain oversight Business Processes
    Schedule supply chain audits, as necessary. CC ID 10015
    [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the dates of the most recent and next scheduled audits, where applicable; 4.11 55(f)]
    Third Party and supply chain oversight Audits and Risk Management
    Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851
    [where those institutions or payment institutions have outsourcing arrangements with service providers within the group or the institutional protection scheme, the management body of those institutions or payment institutions retains, also for these outsourcing arrangements, full responsibility for compliance with all regulatory requirements and the effective application of these guidelines; 4.2 22(a)
    {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 Third Party and supply chain oversight Business Processes
    Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 Third Party and supply chain oversight Establish/Maintain Documentation
    Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 Third Party and supply chain oversight Business Processes
    Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 Third Party and supply chain oversight Business Processes
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 Third Party and supply chain oversight Business Processes
    Develop and implement supply chain due diligence capability training program. CC ID 08862 Third Party and supply chain oversight Business Processes
    Determine if additional supply chain due diligence processes are required. CC ID 08863 Third Party and supply chain oversight Business Processes
    Review transaction files for compliance with the supply chain audit standard. CC ID 08864 Third Party and supply chain oversight Establish/Maintain Documentation
    Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 Third Party and supply chain oversight Establish/Maintain Documentation
    Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)]
    Third Party and supply chain oversight Business Processes
    Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 Third Party and supply chain oversight Business Processes
    Conduct all parts of the supply chain due diligence process. CC ID 08854
    [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: due diligence checks on prospective service providers, including the measures required under Section 12.3; 4.7 42(c)(iv)
    Before entering into any outsourcing arrangement, institutions and payment institutions should: undertake appropriate due diligence on the prospective service provider in accordance with Section 12.3; 4.12 61(d)
    {financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)]
    Third Party and supply chain oversight Business Processes
    Identify all service providers in the supply chain. CC ID 12213
    [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)]
    Third Party and supply chain oversight Business Processes
    Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 Third Party and supply chain oversight Business Processes
    Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 Third Party and supply chain oversight Business Processes
    Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 Third Party and supply chain oversight Business Processes
    Determine if suppliers can meet the organization's production requirements. CC ID 11559 Third Party and supply chain oversight Business Processes
    Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 Third Party and supply chain oversight Business Processes
    Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 Third Party and supply chain oversight Business Processes
    Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353
    [{data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82
    {confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84
    {confidentiality, integrity, security and availability} The outsourcing agreement for critical or important functions should set out at least: where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2; 4.13 75(g)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Communicate
    Include the audit scope in the third party external audit report. CC ID 13138
    [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Third Party and supply chain oversight Business Processes
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34
    {data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82
    {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)
    {third-party certifications} {third-party audit report} {are current} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete; 4.13.3 93(c)]
    Third Party and supply chain oversight Business Processes
    Determine third party compliance with third party contracts. CC ID 08866 Third Party and supply chain oversight Business Processes
    Quarantine non-compliant material. CC ID 08867 Third Party and supply chain oversight Business Processes
    Refrain from quarantining conflict-free materials. CC ID 08868 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 Third Party and supply chain oversight Business Processes
    Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856
    [where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c)
    Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64]
    Third Party and supply chain oversight Business Processes
    Establish and maintain a supply chain due diligence report. CC ID 08824 Third Party and supply chain oversight Business Processes
    Submit the supply chain due diligence report. CC ID 08828 Third Party and supply chain oversight Business Processes
    Include supply chain risk assessment reports in the supply chain due diligence report. CC ID 08835
    [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102]
    Third Party and supply chain oversight Business Processes
    Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837
    [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)]
    Third Party and supply chain oversight Business Processes
    Include supplier agreement terminations in the supply chain due diligence report. CC ID 08845
    [As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain third party reporting requirements. CC ID 13289
    [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a)
    ensuring that they receive appropriate reports from service providers; 4.14 104(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Define timeliness factors for third party reporting requirements. CC ID 13304 Third Party and supply chain oversight Establish/Maintain Documentation
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Third Party and supply chain oversight Business Processes
    Identify red flags in the supply chain. CC ID 08873 Third Party and supply chain oversight Business Processes
    Detect red flags in the supply chain. CC ID 08874 Third Party and supply chain oversight Business Processes
    Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 Third Party and supply chain oversight Business Processes
    Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 Third Party and supply chain oversight Business Processes
    Establish and maintain an interactive map of third party red flag locations. CC ID 08876 Third Party and supply chain oversight Business Processes
    Collect information on red-flagged supply chains. CC ID 08877 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Third Party and supply chain oversight Establish/Maintain Documentation
    Include performance standards in outsourcing contracts. CC ID 13140
    [{be capable} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where impediments capable of altering the performance of the outsourced function are identified; 4.13.4 98(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the organization approving subcontractors in the outsourcing contract. CC ID 13131
    [{specific written authorisation} If sub-outsourcing of critical or important functions is permitted, the written agreement should: require the service provider to obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data; 4.13.1 78(d)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required; 4.13.1 78(f)
    If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify any types of activities that are excluded from sub-outsourcing; 4.13.1 78(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130
    [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify that the service provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the service provider and the institution or payment institution are continuously met; 4.13.1 78(c)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879
    [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them. 4.12.2 67(b)
    When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919
    [{site visit} Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective. 4.13.3 95]
    Third Party and supply chain oversight Business Processes
    Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 Third Party and supply chain oversight Behavior
    Create an on-site mine visit report. CC ID 08921 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain information security controls for the supply chain. CC ID 13109
    [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83]
    Third Party and supply chain oversight Establish/Maintain Documentation