Principles for Financial Market Infrastructures
24 international principles for the design and operation of financial market infrastructures including payment systems, CCPs, CSDs, SSSs, and trade repositories. Covers general organisation, credit and liquidity risk, settlement, default management, general business and operational risk, access, efficiency, and transparency. The foundational standard referenced by all national FMI regulators.
AC Access Control
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | PFMI.P17, PFMI.P2 |
| AC-02 | Account Management | CG.PR, PFMI.P17 |
| AC-03 | Access Enforcement | CG.PR, PFMI.P17 |
| AC-04 | Information Flow Enforcement | CG.PR, PFMI.P17, PFMI.P22 |
| AC-05 | Separation Of Duties | CG.PR |
| AC-06 | Least Privilege | CG.PR, PFMI.P17 |
| AC-07 | Unsuccessful Login Attempts | CG.PR |
| AC-11 | Session Lock | CG.PR |
| AC-17 | Remote Access | CG.PR, PFMI.P22 |
| AC-19 | Access Control For Portable And Mobile Devices | CG.PR |
| AC-20 | Use Of External Information Systems | CG.PR |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| AU-02 | Auditable Events | CG.DE, PFMI.P17 |
| AU-03 | Content Of Audit Records | CG.DE, PFMI.P17 |
| AU-04 | Audit Storage Capacity | CG.DE |
| AU-05 | Response To Audit Processing Failures | CG.DE |
| AU-06 | Audit Monitoring, Analysis, And Reporting | CG.DE, PFMI.P17 |
| AU-07 | Audit Reduction And Report Generation | CG.DE |
| AU-09 | Protection Of Audit Information | CG.DE |
| AU-12 | Audit Record Generation | CG.DE, PFMI.P17 |
| AU-13 | Monitoring for Information Disclosure | CG.DE, CG.SA |
| AU-14 | Session Audit | CG.DE |
CA Security Assessment and Authorization
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | PFMI.P2 |
| CA-02 | Security Assessments | CG.LE, CG.TE, PFMI.P17, PFMI.P3 |
| CA-03 | Information System Connections | PFMI.P22 |
| CA-04 | Security Certification | CG.TE |
| CA-05 | Plan Of Action And Milestones | CG.LE, PFMI.P3 |
| CA-06 | Security Accreditation | PFMI.P3 |
| CA-07 | Continuous Monitoring | CG.DE, CG.LE, PFMI.P17, PFMI.P3 |
| CA-08 | Penetration Testing | CG.TE |
CM Configuration Management
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | PFMI.P17 |
| CM-02 | Baseline Configuration | CG.PR, PFMI.P17 |
| CM-03 | Configuration Change Control | CG.PR, PFMI.P17 |
| CM-05 | Access Restrictions For Change | CG.PR |
| CM-06 | Configuration Settings | CG.PR, PFMI.P17, PFMI.P22 |
| CM-07 | Least Functionality | CG.PR |
| CM-08 | Information System Component Inventory | CG.ID, PFMI.P17 |
| CM-12 | Information Location | CG.ID |
| CM-13 | Data Action Mapping | CG.ID |
CP Contingency Planning
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | CG.RR, PFMI.P17 |
| CP-02 | Contingency Plan | CG.RR, PFMI.P15, PFMI.P17 |
| CP-03 | Contingency Training | CG.RR, PFMI.P17 |
| CP-04 | Contingency Plan Testing And Exercises | CG.RR, CG.TE, PFMI.P17 |
| CP-06 | Alternate Storage Site | CG.RR, PFMI.P17 |
| CP-07 | Alternate Processing Site | CG.RR, PFMI.P17 |
| CP-08 | Telecommunications Services | CG.RR, PFMI.P17 |
| CP-09 | Information System Backup | CG.RR, PFMI.P17 |
| CP-10 | Information System Recovery And Reconstitution | CG.RR, PFMI.P17 |
| CP-12 | Safe Mode | CG.RR |
| CP-13 | Alternative Security Mechanisms | CG.RR |
IA Identification and Authentication
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | PFMI.P17 |
| IA-02 | User Identification And Authentication | CG.PR, PFMI.P17 |
| IA-03 | Device Identification And Authentication | PFMI.P22 |
| IA-04 | Identifier Management | CG.PR |
| IA-05 | Authenticator Management | CG.PR, PFMI.P17 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | CG.PR |
| IA-12 | Identity Proofing | CG.PR |
IR Incident Response
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | CG.RR, PFMI.P17 |
| IR-02 | Incident Response Training | CG.RR, PFMI.P17 |
| IR-03 | Incident Response Testing And Exercises | CG.RR, CG.TE, PFMI.P17 |
| IR-04 | Incident Handling | CG.DE, CG.LE, CG.RR, PFMI.P17 |
| IR-05 | Incident Monitoring | CG.LE, CG.RR, PFMI.P17 |
| IR-06 | Incident Reporting | CG.RR, PFMI.P17 |
| IR-07 | Incident Response Assistance | CG.RR |
| IR-08 | Incident Response Plan | CG.RR, PFMI.P17 |
| IR-09 | Information Spillage Response | CG.RR |
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | PFMI.P17 |
| PE-02 | Physical Access Authorizations | CG.PR, PFMI.P17 |
| PE-03 | Physical Access Control | CG.PR |
| PE-06 | Monitoring Physical Access | CG.PR |
| PE-09 | Power Equipment And Power Cabling | PFMI.P17 |
| PE-10 | Emergency Shutoff | PFMI.P17 |
| PE-11 | Emergency Power | CG.RR, PFMI.P17 |
| PE-12 | Emergency Lighting | PFMI.P17 |
| PE-13 | Fire Protection | PFMI.P17 |
| PE-14 | Temperature And Humidity Controls | PFMI.P17 |
| PE-17 | Alternate Work Site | CG.RR, PFMI.P17 |
PL Planning
PM Program Management
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| PM-01 | Information Security Program Plan | CG.GOV, PFMI.P15, PFMI.P2, PFMI.P3 |
| PM-02 | Information Security Program Leadership Role | CG.GOV, PFMI.P2 |
| PM-03 | Information Security and Privacy Resources | CG.GOV, PFMI.P15, PFMI.P2 |
| PM-04 | Plan of Action and Milestones Process | CG.LE, PFMI.P3 |
| PM-05 | System Inventory | CG.ID, PFMI.P3 |
| PM-08 | Critical Infrastructure Plan | CG.RR, PFMI.P17, PFMI.P3 |
| PM-09 | Risk Management Strategy | PFMI.P15, PFMI.P17, PFMI.P3 |
| PM-11 | Mission and Business Process Definition | CG.ID, PFMI.P15, PFMI.P17 |
| PM-12 | Insider Threat Program | CG.SA |
| PM-13 | Security and Privacy Workforce | CG.GOV, PFMI.P2 |
| PM-14 | Testing, Training, and Monitoring | CG.DE, CG.GOV, CG.LE, CG.TE, PFMI.P2 |
| PM-15 | Security and Privacy Groups and Associations | CG.SA |
| PM-16 | Threat Awareness Program | CG.DE, CG.SA, CG.TE |
| PM-28 | Risk Framing | PFMI.P3 |
| PM-29 | Risk Management Program Leadership Roles | CG.GOV, PFMI.P2 |
| PM-31 | Continuous Monitoring Strategy | CG.LE |
PS Personnel Security
RA Risk Assessment
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | PFMI.P2, PFMI.P3 |
| RA-02 | Security Categorization | CG.ID, PFMI.P3 |
| RA-03 | Risk Assessment | CG.ID, CG.SA, PFMI.P15, PFMI.P17, PFMI.P3 |
| RA-05 | Vulnerability Scanning | CG.DE, CG.ID, CG.SA, CG.TE, PFMI.P17 |
| RA-06 | Technical Surveillance Countermeasures Survey | CG.ID, CG.TE |
| RA-07 | Risk Response | CG.LE, PFMI.P3 |
| RA-09 | Criticality Analysis | CG.ID, PFMI.P3 |
| RA-10 | Threat Hunting | CG.DE, CG.ID, CG.SA |
SA System and Services Acquisition
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | PFMI.P2 |
| SA-02 | Allocation Of Resources | PFMI.P15 |
| SA-04 | Acquisitions | PFMI.P17, PFMI.P22 |
| SA-05 | Information System Documentation | PFMI.P17 |
| SA-08 | Security Engineering Principles | PFMI.P17, PFMI.P3 |
| SA-09 | External Information System Services | CG.ID, PFMI.P17, PFMI.P22, PFMI.P3 |
| SA-11 | Developer Security Testing | CG.TE, PFMI.P17 |
| SA-15 | Development Process, Standards, and Tools | CG.ID, CG.TE |
SC System and Communications Protection
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| SC-02 | Application Partitioning | CG.PR |
| SC-03 | Security Function Isolation | CG.PR |
| SC-04 | Information Remnance | CG.PR |
| SC-05 | Denial Of Service Protection | CG.DE, PFMI.P17 |
| SC-07 | Boundary Protection | CG.DE, CG.PR, PFMI.P17, PFMI.P22 |
| SC-08 | Transmission Integrity | CG.PR, PFMI.P17, PFMI.P22 |
| SC-12 | Cryptographic Key Establishment And Management | CG.PR |
| SC-13 | Use Of Cryptography | CG.PR, PFMI.P22 |
| SC-16 | Transmission Of Security Parameters | PFMI.P22 |
| SC-23 | Session Authenticity | PFMI.P22 |
| SC-24 | Fail in Known State | CG.RR |
| SC-26 | Decoys | CG.DE, CG.TE |
| SC-28 | Protection of Information at Rest | CG.PR, PFMI.P17 |
| SC-36 | Distributed Processing and Storage | CG.RR |
| SC-39 | Process Isolation | CG.PR |
SI System and Information Integrity
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| SI-02 | Flaw Remediation | CG.LE, CG.PR, PFMI.P17 |
| SI-03 | Malicious Code Protection | CG.DE, CG.PR |
| SI-04 | Information System Monitoring Tools And Techniques | CG.DE, PFMI.P17 |
| SI-05 | Security Alerts And Advisories | CG.DE, CG.SA |
| SI-06 | Security Functionality Verification | CG.TE |
| SI-07 | Software And Information Integrity | CG.DE, CG.PR, PFMI.P17 |
| SI-16 | Memory Protection | CG.PR |
SR Supply Chain Risk Management
| Control | Name | CPMI-IOSCO PFMI References |
|---|---|---|
| SR-01 | Policy and Procedures | CG.ID, PFMI.P17 |
| SR-02 | Supply Chain Risk Management Plan | CG.ID |
| SR-03 | Supply Chain Controls and Processes | CG.PR, PFMI.P17 |
| SR-05 | Acquisition Strategies, Tools, and Methods | CG.PR, PFMI.P17 |
| SR-06 | Supplier Assessments and Reviews | CG.ID, CG.SA |
| SR-08 | Notification Agreements | CG.SA |
| SR-11 | Component Authenticity | CG.PR |