ICT Project Management Practices
1. Overview
Ensure effective management of ICT projects related to acquisition, maintenance, and, where applicable, development of ICT systems, through a project management policy. The ICT project plan shall include: clear project objectives, project governance structure, roles and responsibilities, defined timeframe and steps, key project milestones, and change management requirements. Specify requirements for project team members, ensuring the inclusion of staff from business activities or functions impacted by the project. Team members must possess the knowledge to ensure the secure and successful project implementation. Establish reporting requirements, including periodic reporting on the establishment and progress of projects impacting critical or important functions, along with their associated risks. Reporting shall be done periodically and, where necessary, on an event-driven basis, considering the importance and size of the ICT projects and the project risk assessment.
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |
|---|---|
| DORA | RTS ICT Risk Management T. II Ch. I Sec. 7 Art. 15, 1: 1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document, and implement an ICT project management policy. |
| DORA | RTS ICT Risk Management T. II Ch. I Sec. 7 Art. 15, 2: 2. The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity’s ICT systems. |
| DORA | RTS ICT Risk Management T. II Ch. I Sec. 7 Art. 15, 3: 3. The ICT project management policy referred to in paragraph 1 shall contain all of the following: (a) ICT project objectives; (b) ICT project governance, including roles and responsibilities; (c) ICT project planning, timeframe, and steps; (d) ICT project risk assessment; (e) relevant milestones; (f) change management requirements; (g) the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment. |
| DORA | RTS ICT Risk Management T. II Ch. I Sec. 7 Art. 15, 4: 4. The ICT project management policy referred to in paragraph 1 shall ensure the secure ICT project implementation through the provision of the necessary information and expertise from the business area or functions impacted by the ICT project. |
| DORA | RTS ICT Risk Management T. II Ch. I Sec. 7 Art. 15, 5: 5. In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: (a) individually or in aggregation, depending on the importance and size of the ICT projects; (b) periodically and, where necessary, on an event-driven basis. |