← Frameworks / Financial Regulation

DNB Good Practice Information Security 2023

De Nederlandsche Bank's mandatory information security framework for Dutch financial institutions including banks, insurers, pension funds, and payment institutions. 58 controls across 7 elements (governance, organisation, people, processes, technology, facilities, testing) with COBIT 4.1 maturity model assessment. DORA supersedes for in-scope entities from January 2025, but continues for pension funds. Self-assessment tool available.

Clauses: 58

Avg Coverage: 82.5%

Publisher: De Nederlandsche Bank (DNB) Version: 2023

DNB Good Practice → SP 800-53 SP 800-53 → DNB Good Practice Coverage Analysis

Clause	Title	SP 800-53 Controls
DNB.1.1	Information security plan	PL-01 PL-02 PM-01 PM-09 PM-11 RA-01 SA-02
DNB.1.2	IT policies management	PL-01 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01
DNB.2.1	Enterprise Information architecture model	PL-08 PM-07 SA-08 SA-17
DNB.2.2	Data classification scheme	RA-02 AC-16 MP-04 SC-16
DNB.3.1	Monitor future trends and regulations	PM-15 PM-16 SI-05 RA-03
DNB.3.2	Technology standards	CM-02 CM-06 CM-07 SA-04 SA-08 PL-08
DNB.4.1	IT risk management framework	PM-09 PM-28 RA-01 RA-02 RA-03 PM-08 PM-11
DNB.4.2	Risk assessment	RA-03 RA-05 RA-07 RA-09 PM-09 PM-28
DNB.4.3	Maintenance and monitoring of a risk action plan	PM-04 PM-09 RA-07 CA-05 PM-03
DNB.5.1	Responsibility for risk, security and compliance	PM-02 PM-01 PM-29 PS-01 PS-07 PL-01
DNB.5.2	Management of information security	PM-01 PM-02 PM-03 PM-05 PM-06 PL-01 PM-14
DNB.6.1	Data and system ownership	PM-05 AC-16 RA-02 CM-08 PL-02
DNB.7.1	Segregation of duties	AC-05 AC-06 CM-05 PS-02
DNB.8.1	Personnel recruitment and retention	PS-02 PS-03 PS-01 PM-12
DNB.8.2	Personnel competences	AT-02 AT-03 PM-13 PM-14 PM-12
DNB.8.3	Dependence upon individuals	CP-02 PM-12 PM-13 PS-02
DNB.8.4	Personnel clearance procedures	PS-03 PS-06 PS-07 PS-01
DNB.8.5	Job change and termination	PS-04 PS-05 AC-02 PE-02
DNB.9.1	Knowledge transfer to end users	AT-02 AT-06 PL-04
DNB.9.2	Knowledge transfer to operations and support staff	AT-03 AT-04 PM-13 PM-14
DNB.9.3	Employee awareness	AT-02 AT-06 PM-12 PM-14
DNB.10.1	Change standards and procedures	CM-01 CM-03 CM-04 CM-05 SA-10
DNB.10.2	Impact assessment, prioritisation and authorisation	CM-04 CM-03 RA-03 RA-07
DNB.10.3	Test environment	CM-04 SA-11 SC-32 CM-02
DNB.10.4	Testing of changes	CM-04 SA-11 CA-02 SA-15
DNB.10.5	Promotion to production	CM-03 CM-05 CM-02 SA-10
DNB.11.1	IT continuity plans	CP-01 CP-02 CP-07 CP-08 CP-10 PM-08 PM-11
DNB.11.2	Testing of the IT continuity plan	CP-03 CP-04 IR-03 PM-14
DNB.11.3	Offsite backup storage	CP-06 CP-09 MP-04 PE-17
DNB.11.4	Backup and restoration	CP-09 CP-10 CP-02 SI-13
DNB.12.1	Storage and retention arrangements	SI-12 AU-11 MP-04 MP-02
DNB.12.2	Disposal	MP-06 MP-08 MP-01 SI-12
DNB.12.3	Security requirements for data management	AC-03 AC-04 AC-16 SC-08 SC-28 MP-04 SI-12
DNB.13.1	Configuration repository and baseline	CM-02 CM-06 CM-08 CM-01
DNB.13.2	Identification and maintenance of configuration items	CM-08 CM-03 CM-02 CM-07
DNB.14.1	Monitoring and reporting of SLAs	SA-09 SA-04 PM-06 CA-07
DNB.14.2	Supplier risk management	SR-01 SR-02 SR-03 SR-05 SR-06 SA-04 SA-09
DNB.15.1	Security incident definition	IR-01 IR-02 IR-08 SI-05
DNB.15.2	Incident escalation	IR-04 IR-05 IR-06 IR-01 PM-12
DNB.16.1	Security testing, surveillance and monitoring	CA-02 CA-07 CA-08 SI-04 AU-06 RA-05
DNB.16.2	Monitoring of internal control framework	CA-02 CA-05 CA-07 PM-06 PM-14
DNB.16.3	Internal control of third parties	SA-09 SR-06 SR-03 CA-02 PS-07
DNB.16.4	Evaluation of compliance with external requirements	CA-02 CA-06 PM-06 PM-01 PM-15
DNB.16.5	Independent assurance	CA-02 CA-06 CA-08 PM-14
DNB.17.1	Identity management	IA-01 IA-02 IA-04 IA-05 IA-08 IA-12
DNB.17.2	User account management	AC-02 AC-03 AC-05 AC-06 AC-07 IA-04 IA-05
DNB.18.1	Infrastructure resource protection and availability	SC-05 SC-07 CP-07 CP-08 AU-04 PE-09 PE-10 PE-11
DNB.18.2	Infrastructure maintenance	MA-01 MA-02 MA-03 MA-04 MA-05 MA-06
DNB.18.3	Cryptographic key management	SC-12 SC-13 SC-17 IA-07
DNB.18.4	Network security	SC-07 SC-08 AC-04 AC-17 SC-20 SC-21 SC-22 SC-23
DNB.18.5	Exchange of sensitive data	SC-08 SC-12 SC-13 AC-04 AC-21 SC-16
DNB.19.1	Malicious software prevention, detection and correction	SI-03 SI-04 SI-08 SC-44 SC-18
DNB.19.2	Vulnerability management	RA-05 SI-02 SI-05 RA-07 CM-06
DNB.19.3	Life cycle management	SA-22 SA-03 CM-08 PM-05 PL-02
DNB.20.1	Protection of security technology	SC-07 CM-06 CM-07 AC-03 AU-09 SC-42
DNB.21.1	Physical security measures	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09
DNB.21.2	Physical access	PE-02 PE-03 PE-06 PE-07 PE-08
DNB.22.1	Penetration testing and ethical hacking	CA-08 CA-02 RA-05 SA-11