Policies for ICT change management
Integration into the ICT Risk Management Framework (Article 9(4)(e) DORA)
- The policies for ICT change management form part of the ICT risk management framework referred to in Article 6(1) DORA.
- Financial entities must implement documented policies, procedures and controls governing ICT change management.
Scope of ICT Changes Covered (Article 9(4)(e) DORA)
The policies must cover changes to:
- software,
- hardware,
- firmware components,
- systems, and
- security parameters.
Risk-Based Approach (Article 9(4)(e) DORA)
- The policies, procedures and controls must be based on a risk assessment approach.
- ICT change management must form an integral part of the financial entity’s overall change management process.
Mandatory Process Requirements (Article 9(4)(e) DORA)
The policies must ensure that all changes to ICT systems are handled in a controlled manner; in the wording of Article 9(4)(e), that qualifier attaches to the whole sequence below, not only to the implementation step. Each change must be:
Recorded
- Every change must be documented and logged.
Tested
- Changes must undergo testing before implementation.
Assessed
- Changes must be assessed, including their risks and impacts.
Approved
- Implementation must only occur after formal approval.
Implemented
- Changes must be implemented in a controlled manner, as approved, and only through the entity's documented change procedure.
Verified
- After implementation, each change must be verified to confirm that it operates correctly and matches what was assessed and approved.