Source: OJ L, 2024/1774, 25.6.2024

Current language: EN

Article 5 ICT asset management procedure

Summary What does Article 5 of the RTS on ICT risk management framework say?

Article 5 sits closely alongside Article 4, which establishes the policy on ICT asset management.

Where Article 4 sets out the policy framework and record-keeping requirements, Article 5 focuses on the operational procedure that financial entities must put in place to actually manage those assets.

The core of the article is a requirement to define the criteria for assessing how critical information assets and ICT assets are, anchored in two considerations: the ICT risk associated with the business functions that depend on those assets, and the potential business impact if the confidentiality, integrity, or availability of those assets were to be lost.

Important points:

  • Develop, document, and implement a procedure for the management of ICT assets.
  • The procedure must set out the criteria for conducting a criticality assessment of both information assets and ICT assets that support business functions.
  • That criticality assessment must account for both the ICT risk tied to dependent business functions and the potential business impact of losing confidentiality, integrity, or availability of those assets.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Financial entities shall develop, document, and implement a procedure for the management of ICT assets.

    1. The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account:

      1. the ICT risk related to those business functions and their dependencies on the information assets or ICT assets;

      2. how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod