Reliance Third-Party Assurance and Certifications

1. Overview
Use, where appropriate, third-party certifications, third-party or internal audit reports made available by the ICT third-party service provider, or your own audit reports to confirm adherence to the contractual requirements on information access, inspection, audit and ICT testing agreed with the third party. Rely on third-party certifications and audit reports from ICT third-party service providers only if all of the following conditions are met:
- the audit plan is aligned with the contractual arrangements;
- the audit scope is comprehensive and covers the identified systems and key controls;
- the content of the certification or report is assessed and validated on an ongoing basis;
- key systems and controls are covered in future versions of the certification or audit report;
- there is confidence in the capabilities of the certifying or auditing party;
- certifications and audits adhere to recognized professional standards;
- the right to request an expansion of the audit scope is covered in the contract; and
- the right to perform discretionary audits is retained.
1.1 References
1.2 Identified Requirements
1.3 Related Regulations
2. Identified Requirements

Requirements

| Source | Requirement |
|---|---|
3. Related Regulations

Regulations

| Source | Regulation |
|---|---|
| DORA | DORA Ch. II Sec. II Art. 6(6): The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. |
| DORA | DORA Ch. II Sec. II Art. 11(3): As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews. |
| DORA | DORA Ch. II Sec. II Art. 13(7): Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep up-to-date with the latest ICT risk management processes, in order to effectively combat current or new forms of cyber-attacks. |
| DORA | DORA Ch. V Sec. I Art. 28(6): In exercising access, inspection and audit rights over the ICT third-party service provider, financial entities shall, on the basis of a risk-based approach, pre-determine the frequency of audits and inspections as well as the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards. Where contractual arrangements concluded with ICT third-party service providers on the use of ICT services entail high technical complexity, the financial entity shall verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge to effectively perform the relevant audits and assessments. |