DORA Ch. II Sec. II Art. 8 5.

1. Overview
5. Financial entities shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions.
2. Identified Requirements

| Source | Requirement |
|---|---|
3. Related Standards

| Source | Requirement |
|---|---|
| NOREA | Resilient Systems: Use and maintain ICT systems, protocols, and tools that are up to date and: tailored to the magnitude of ICT operations; reliable; equipped with sufficient capacity to accurately process data and to deal with peak orders, message or transaction volumes as needed; and technologically resilient to deal with additional processing needs under stressed market conditions or other adverse market conditions. |
| NOREA | Inventory Management: Keep an inventory of (ICT) assets, monitor their life-cycle and update it periodically and upon every major change in the network, the IT infrastructure, and the processes and procedures supporting business functions. Keep records of the following for each ICT asset: unique identifier, location (physical or logical), asset classification, identity of the asset owner, information for the specific risk assessment of legacy systems, business functions or services supported, business continuity requirements (e.g., RTO, RPO), exposure to external networks including the internet, links and interdependencies among assets and the business functions using each asset, and the end dates of the ICT third-party service provider's regular, extended and custom support services, after which the asset is no longer supported by its supplier or by an ICT third-party service provider. Ideally, inventory management is performed in an automated and continuous fashion. |
| NOREA | Asset Classification and Documentation: Identify, classify and document all ICT-supported business functions, including the assets supporting them, and detail the roles and dependencies of these assets in relation to ICT risk. Additionally, identify and document all ICT-supported business functions dependent on ICT third-party service providers, and identify the services provided by third-party providers that support critical or important business functions. Make a mapping of critical (ICT) assets based on a criticality assessment, which must include network resources, hardware equipment, and resources on remote sites. This mapping should also incorporate the configuration of assets and their links and interdependencies with other assets. The criticality assessment should follow clear criteria to evaluate the ICT risk related to business functions, taking into account the potential impact of confidentiality, integrity, and availability losses. Review the adequacy of this classification and documentation at least on a yearly basis, ensuring it meets the requirements for maintaining accurate and up-to-date asset records. |
| NOREA | Third-party Risk Management: Manage third-party risks proportionate to the nature of the dependency, the service-related risks, and the impact on the entity's continuity and availability in case of disruption. Implement a policy for ICT services supporting critical functions that are provided by third-party service providers, considering the location of the service provider (or its parent company), the level of assurance regarding the service provider's risk management framework (including risk mitigation and business continuity measures), the nature of the data shared with the service provider, the location of data processing and storage, the group affiliation of the service provider, and the potential impact of risks and disruptions on the continuity and availability of the entity's activities. Test the response and recovery of critical-function-supporting services provided by third parties. |
| NOREA | Pre-Contract Risk Assessment: Perform a pre-contract risk assessment. This assessment must establish whether: the contract covers services supporting critical or important functions; the service provider is easily replaceable; the risks of sub-contracting are covered; the risks of outsourcing the service to a third country are covered; the risks of bankruptcy on the side of the service provider are covered; the supervisory conditions for contracting are met; all contractual risks are identified and assessed (e.g., to cover ICT concentration risks); the service provider is suitable; and whether there are conflicts of interest. Assess the service provider's resources for ensuring the entity's compliance with all legal and regulatory requirements. |
| NOREA | Register of Information: Maintain a comprehensive register of information related to contractual arrangements with third-party service providers, distinguishing those supporting critical/important functions. Ensure that the register is in line with all mandatory fields as defined in the ITS on the register of information. |
| NOREA | Contractual Requisites: Only contract with service providers meeting information security standards (e.g., ISO 27001, SOC, PCI-DSS, etc.) appropriate to the criticality of the services delivered. Determine the audit frequency for service providers, ensuring auditors possess the requisite skills and knowledge for complex services. |
| NOREA | Exit Strategies: Develop and periodically test exit strategies and plans, considering risks related to third-party service providers, including potential failure, service quality deterioration, business disruption, and termination of contractual arrangements. Ensure that the exit plan is realistic, feasible, based on plausible scenarios and reasonable assumptions, and has a planned implementation schedule compatible with the exit and termination terms established in the relevant contractual arrangements. Also, ensure a smooth exit and workload migration to another service provider without business disruption, compliance loss, or service quality decline. The DORA Taskforce has designed an exit plan template that could be of assistance, see: https://www.norea.nl/dora/dora-template-exit-plan |
| NOREA | Annual Reporting of New Arrangements: Report new service provider arrangements, especially those supporting critical or important functions, to the regulator on a yearly basis, with immediate notification for critical services. |
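The Art. 8(5) dependency mapping and the inventory end-of-support fields above lend themselves to an automated check. The following is an added illustration, not NOREA's or any regulator's tooling: it runs over a constructed asset register, maps each critical/important function to the third-party providers it depends on, and flags assets whose provider support has ended or is about to end, critical-function assets first. The field names, the critical-function set and the reporting date are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class IctAsset:
    asset_id: str
    location: str              # physical or logical location
    classification: str
    owner: str
    functions: List[str]       # business functions this asset supports
    provider: Optional[str]    # ICT third-party provider, None if in-house
    support_end: Optional[date]  # end of regular/extended/custom vendor support
    internet_exposed: bool = False
    rto_hours: Optional[int] = None

# Constructed criticality assessment and reporting date (assumptions, not from the page)
CRITICAL_FUNCTIONS = {"payments", "trading"}
AS_OF = date(2024, 9, 1)

INVENTORY = [  # constructed sample register
    IctAsset("srv-001", "DC1/rack4", "confidential", "payments-team", ["payments"], "CloudCo", date(2026, 3, 31), True, 4),
    IctAsset("srv-002", "eu-west-1", "internal", "hr-team", ["hr-portal"], "SaaSVendor", date(2024, 1, 1), False, 72),
    IctAsset("srv-003", "DC1/rack2", "confidential", "trading-team", ["trading"], None, None, False, 1),
    IctAsset("db-004", "eu-central-1", "restricted", "payments-team", ["payments", "reporting"], "DbHost", date(2024, 6, 30), False, 4),
]

def third_party_dependencies(inventory, critical_functions):
    """Art. 8(5): map each critical/important function to the third-party providers it relies on."""
    deps = {}
    for a in inventory:
        if a.provider is None:
            continue  # in-house asset, no third-party interconnection to record
        for fn in a.functions:
            if fn in critical_functions:
                deps.setdefault(fn, set()).add(a.provider)
    return deps

def support_findings(inventory, critical_functions, as_of, horizon_days=180):
    """Flag assets out of vendor support or within horizon_days of it; critical-function assets first."""
    findings = []
    for a in inventory:
        if a.support_end is None:
            continue  # no recorded support end date (e.g. in-house)
        days_left = (a.support_end - as_of).days
        if days_left <= horizon_days:
            critical = any(fn in critical_functions for fn in a.functions)
            state = "UNSUPPORTED" if days_left < 0 else "EXPIRING"
            findings.append((a.asset_id, state, days_left, critical))
    findings.sort(key=lambda f: (not f[3], f[2]))  # critical first, then soonest
    return findings
```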