← Frameworks / Financial Regulation

Bank of Mauritius Guideline on Cyber and Technology Risk Management

Comprehensive technology risk management guideline for all banks and non-bank deposit-taking institutions licensed by the Bank of Mauritius. 5 parts (governance, identification, protection, detection, response and recovery) across 26 sections covering board oversight, CISO, technology strategy, risk framework, control functions, network and infrastructure security, logical security, encryption, physical security, change management, technology refresh, people, third-party management, data hosting, secure coding, threat intelligence, monitoring, vulnerability testing, incident management, BCP/DRP, and technology audit. Structured around NIST CSF five-function model.

Clauses: 26

Avg Coverage: 77.7%

Publisher: Bank of Mauritius (BoM) Version: 2023

BoM CTRM → SP 800-53 SP 800-53 → BoM CTRM Coverage Analysis

Clause	Title	SP 800-53 Controls
1.1	Board and Senior Management Oversight	PM-01 PM-02 PM-03 PM-09 PM-13 PM-28 PM-29 PS-09 PL-09
1.2	Roles and Responsibilities of the CISO	PM-02 PM-13 PS-01 PS-02 PS-06 PS-07 PS-09 PM-29
1.3	Technology Strategy	PM-01 PM-07 PM-11 PL-01 PL-02 PL-08 SA-02 SA-03
1.4	Cyber and Technology Risk Management Strategy and Framework	PM-01 PM-09 PM-28 RA-01 RA-02 RA-03 RA-04 RA-07 RA-09 PL-09 PL-10 PL-11 CA-05
1.5	Control Functions (Three Lines of Defence)	PM-14 CA-01 CA-02 CA-06 CA-07 CA-09 PM-04 PM-06 AU-01 AU-06 PM-30
2.1	Identification of Cyber and Technology Risks	RA-01 RA-02 RA-03 RA-04 RA-05 RA-06 RA-07 RA-08 RA-09 PM-09 PM-11 PM-16 CM-08 CM-12 PM-05
3.1	Control Implementation and Design	PL-01 PL-02 PL-08 PL-10 PL-11 SA-04 SA-08 SA-17 CM-01 CM-02 CM-06 CA-02 CA-07
3.2	Network and Infrastructure Management	SC-07 SC-08 SC-20 SC-21 SC-22 SC-32 SC-39 SC-46 CM-02 CM-06 CM-07 CM-08 AC-04 AC-17 AC-18 AC-20 SI-04
3.3	Logical Security Management	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-24 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 IA-08 IA-09 IA-10 IA-11 IA-12
3.4	Encryption and Cryptographic Materials	SC-12 SC-13 SC-08 SC-28 SC-17 SC-40
3.5	Physical Security Management	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18
3.6	Change and Patch Management	CM-03 CM-04 CM-05 CM-09 CM-11 SI-02 SI-07 SA-10 CM-14
3.7	Technology Refresh Management	SA-22 CM-08 PM-07 RA-09 PL-08 SA-02 SA-03
3.8	People Management	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PM-13 PM-15
3.9	Third-Party Service Providers	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06 SR-08 SA-21 PM-30 PS-07 CA-03
3.10	Hosting of Customer Information Outside Mauritius	SA-09 PM-09 PT-01 PT-02 PT-03 PT-05 SC-08 SC-28 AC-04
3.11	Secure Coding in Application Development	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-16 SA-17 SA-20 SA-21 CM-14
3.12	End-User Computing	CM-11 CM-07 AC-19 SC-42 SC-43 MP-07 SC-28
3.13	Online Financial Services Security	SC-07 SC-08 SC-13 SC-23 SC-45 IA-02 IA-08 AC-17 AU-02 AU-03 SI-10
4.1	Cyber and Technology Threat Intelligence	PM-16 RA-03 RA-05 RA-10 SI-04 SI-05 PM-15 SR-08
4.2	Detection of Cyber Events and Monitoring	SI-04 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-12 AU-13 AU-14 CA-07 SC-26 SC-44 IR-04
4.3	Vulnerability Assessment and Penetration Testing	CA-02 CA-08 RA-05 RA-06 RA-09 PM-14 CA-05
5.1	Cyber Incident Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 AU-06 SI-04 SI-05 PM-31
5.2	Business Continuity and Response and Recovery Planning	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13 SC-24 SI-17
5.3	Situational Awareness, Learning and Evolving	PM-15 PM-16 IR-05 CA-07 PM-14 AT-02 AT-05 RA-07 SI-05
5.4	Technology Audit	AU-01 CA-01 CA-02 CA-06 CA-07 CA-09 PM-04 PM-06 PM-14