Use and maintain ICT systems, protocols, and tools that are up to date and:

• Tailored to the magnitude of ICT operations
• Reliable
• Equipped with sufficient capacity to accurately process data and to deal with peak orders, message or transaction volumes as needed
• Technologically resilient to deal with additional processing needs under stressed market conditions or other adverse market conditions

Keep an inventory of (ICT) assets, monitor their life-cycle and update it periodically and upon every major change in the network, the IT infrastructure, and processes and procedures supporting business functions. Keep records of the following for each ICT asset: unique identifier, location (physical or logical), asset classification, identity of asset owner, information for specific risk assessment on legacy systems, business functions or services supported, business continuity requirements (e.g., RTO, RPO), exposure to external networks, including the internet, links and interdependencies among assets and business functions using each asset, and the end dates of the ICT third-party service provider’s regular, extended and custom support services after which it is no longer supported by its supplier or by an ICT third-party service provider.

Ideally, inventory management is perfomed in an automated and continuous fashion.

Identify, classify and document all ICT-supported business functions, including the assets supporting them, and detail the roles and dependencies of these assets in relation to ICT risk. Additionally, identify and document all ICT-supported business functions dependent on ICT third-party service providers, and identify the services provided by third-party providers that support critical or important business functions. Make a mapping of critical (ICT) assets based on a criticality assessment, which must include network resources, hardware equipment, and resources on remote sites. This mapping should also incorporate the configuration of assets and their links and interdependencies with other assets. The criticality assessment should follow clear criteria to evaluate the ICT risk related to business functions, taking into account the potential impact of confidentiality, integrity, and availability losses. Review the adequacy of this classification and documentation at least on a yearly basis, ensuring it meets the requirements for maintaining accurate and up-to-date asset records.