Source: OJ L, 2024/1774, 25.6.2024
Recital 17: ICT change management policies and procedures
Changes, regardless of their scale, carry inherent risks and may pose significant risks of loss of confidentiality, integrity, and availability of data, and could thus lead to severe business disruptions. To safeguard financial entities from potential ICT vulnerabilities and weaknesses that could expose them to significant risks, a rigorous verification process is necessary to confirm that all changes meet the necessary ICT security requirements. Financial entities referred to in Title II of this Regulation should therefore, as an essential element of their ICT security policies and procedures, have in place sound ICT change management policies and procedures. To uphold the objectivity and effectiveness of the ICT change management process, to prevent conflicts of interest, and to ensure that ICT changes are evaluated objectively, it is necessary to separate the functions responsible for approving those changes from the functions that request and implement those changes.
To achieve effective transitions, controlled ICT change implementation, and minimal disruptions to the operation of the ICT systems, financial entities should assign clear roles and responsibilities that ensure that ICT changes are planned, adequately tested, and that quality is ensured. To ensure that ICT systems continue to operate effectively, and to provide a safety net for financial entities, financial entities should also develop and implement fall-back procedures. Financial entities should clearly identify those fall-back procedures and assign responsibilities to ensure a swift and effective response in the event of unsuccessful ICT changes.