ICT asset management procedure

Requirement to Establish an ICT Asset Management Procedure (Article 5(1) RTS RMF)

Financial entities must:

  • develop,
  • document, and
  • implement

a procedure for the management of ICT assets.

This procedure forms a mandatory operational component of the ICT risk management framework under Article 6 DORA and complements the ICT asset management policy required under Article 4 RTS RMF.


Scope of the ICT Asset Management Procedure (Article 5(2) RTS RMF)

The procedure must specify the criteria for performing a criticality assessment of:

  • information assets, and
  • ICT assets,

that support business functions.

This assessment must enable the financial entity to determine the relative importance of assets for digital operational resilience.


Mandatory Components of the Criticality Assessment (Article 5(2) RTS RMF)

The assessment must take into account both of the following factors:

ICT Risk Related to Supported Business Functions

Including:

  • the ICT risks arising from dependencies of business functions on specific information assets or ICT assets;
  • the role of assets in the overall ICT risk profile.

Impact of Loss of Confidentiality, Integrity or Availability

The assessment must analyse how the loss of confidentiality, integrity, or availability of the relevant information assets or ICT assets would impact:

  • business processes, and
  • the financial entity’s operational activities.

This includes the full spectrum of operational impacts, covering service disruption, data compromise, and degradation of critical or important functions.

Article 5 RTS RMF