Contents
- ICT project management policy (incl. ICT project risk assessment)
- Development, Documentation and Implementation (Article 15(1) RTS RMF)
- Purpose of the Policy (Article 15(2) RTS RMF)
- Mandatory Content Elements (Article 15(3)(a)–(g) RTS RMF)
- Secure Implementation Requirements (Article 15(4) RTS RMF)
- Reporting Requirements to the Management Body (Article 15(5) RTS RMF)
- Article 15 RTS RMF
ICT project management policy (incl. ICT project risk assessment)
Development, Documentation and Implementation (Article 15(1) RTS RMF)
- Financial entities must develop, document, and implement an ICT project management policy.
- This policy forms part of the safeguards necessary to preserve the availability, authenticity, integrity, and confidentiality of data.
Purpose of the Policy (Article 15(2) RTS RMF)
- The policy must specify the elements that ensure the effective management of ICT projects relating to the financial entity’s ICT systems, covering their:
– acquisition,
– maintenance, and
– where applicable, development.
Mandatory Content Elements (Article 15(3)(a)–(g) RTS RMF)
The ICT project management policy must contain all of the following:
(a) ICT Project Objectives
- Clear objectives guiding the purpose and expected outcomes of the ICT project.
(b) ICT Project Governance
- Governance structure, including roles and responsibilities for all parties involved.
(c) ICT Project Planning
- Project planning, timeframes, and steps, covering the full project lifecycle.
(d) ICT Project Risk Assessment
- A formal ICT project risk assessment, identifying, analysing and evaluating risks associated with the ICT project.
(e) Relevant Milestones
- The definition of milestones relevant to project tracking and oversight.
(f) Change Management Requirements
- Requirements governing changes affecting the ICT project, aligned with the broader change management framework.
(g) Testing and Approval for Deployment
- Requirements for the testing of all requirements, including security requirements, and
- the respective approval process before an ICT system is deployed into the production environment.
Secure Implementation Requirements (Article 15(4) RTS RMF)
- The policy must ensure the secure implementation of ICT projects by requiring the provision of necessary information and expertise from the business areas or functions impacted by the ICT project.
Reporting Requirements to the Management Body (Article 15(5) RTS RMF)
Based on the ICT project risk assessment described in Article 15(3)(d), the policy must provide that:
(a) Reporting Scope
- The establishment and progress of ICT projects impacting critical or important functions, and their associated risks, must be reported to the management body, depending on the project’s importance and size:
– individually, or
– in aggregation.
(b) Reporting Frequency
- Reporting must occur:
– periodically, and
– where necessary, on an event-driven basis.