← Frameworks / Financial Regulation

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04)

European Banking Authority guidelines on ICT and security risk management for credit institutions, investment firms, and payment service providers across the EU. 33 guidelines across ICT governance and strategy, ICT and security risk management framework, information security, ICT operations management, ICT project and change management, business continuity management, and payment service user relationship management. Being superseded by DORA for in-scope entities from January 2025.

Clauses: 33

Avg Coverage: 75.9%

Publisher: European Banking Authority (EBA) Version: 2019 (GL/2019/04)

EBA ICT Guidelines → SP 800-53 SP 800-53 → EBA ICT Guidelines Coverage Analysis

Clause	Title	SP 800-53 Controls
3.1	Proportionality	PL-10 PL-11 PM-01 RA-01
3.2.1	Governance — management body responsibility and accountability	AC-01 CA-01 PL-01 PL-09 PM-01 PM-02 PM-29
3.2.2	Governance — ICT strategy	PL-01 PL-02 PL-09 PM-01 PM-03 SA-02
3.2.3	Governance — use of third-party providers	AC-20 PS-07 SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06
3.3.1	ICT and security risk management framework — organisation and objectives	AC-01 CA-01 PL-01 PL-09 PL-10 PL-11 PM-01 PM-02 PM-28 PM-29 RA-01
3.3.2	ICT and security risk management framework — identification of functions, processes and assets	CM-08 CM-12 CM-13 PM-05 PM-11 RA-02 RA-09 SA-05
3.3.3	ICT and security risk management framework — classification and risk assessment	PM-09 PM-28 RA-01 RA-02 RA-03 RA-07 RA-09
3.3.4	ICT and security risk management framework — risk mitigation	CA-05 PL-10 PL-11 PM-04 RA-07
3.3.5	ICT and security risk management framework — reporting	AU-01 CA-07 PM-06 RA-03 RA-04 RA-07
3.3.6	ICT and security risk management framework — audit	CA-02 CA-05 CA-07 CA-09
3.4.1	Information security — information security policy	AC-01 AT-01 AU-01 CA-01 CM-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PM-01 PM-09 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
3.4.2	Information security — logical security	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-10 AC-11 AC-12 AC-17 AC-24 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-08 IA-12 SC-10
3.4.3	Information security — physical security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18
3.4.4	Information security — ICT operations security	CM-02 CM-03 CM-05 CM-06 CM-07 CM-08 CM-11 SA-08 SC-07 SC-28 SI-02 SI-03 SI-07
3.4.5	Information security — security monitoring	AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12 AU-13 AU-14 CA-07 SI-04 SI-05
3.4.6	Information security — information security reviews, assessment and testing	CA-02 CA-04 CA-07 CA-08 CM-04 RA-05 SA-11 SA-15 SI-06
3.4.7	Information security — information security training and awareness	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PL-04 PM-13 PM-14
3.5(a)	ICT operations management — ICT operations procedures and capacity management	CM-02 CM-06 CM-08 CP-02 MA-01 MA-02 MA-05 MA-06 PM-05 SA-03 SC-05 SC-06 SI-13
3.5(b)	ICT operations management — asset lifecycle and patch management	CM-03 CM-04 CM-08 MA-02 MA-06 SA-03 SA-22 SI-02
3.5(c)	ICT operations management — logging and monitoring	AU-02 AU-03 AU-06 AU-08 AU-09 AU-11 AU-12 SI-04 SI-11
3.5(d)	ICT operations management — ICT incident and problem management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09
3.6.1	ICT project and change management — ICT project management	PL-01 PL-02 PL-07 PM-01 PM-03 PM-10 SA-01 SA-02 SA-03 SA-04 SA-08
3.6.2	ICT project and change management — ICT systems acquisition and development	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-16 SA-17 SA-20 SA-21
3.6.3	ICT project and change management — ICT change management	CM-01 CM-03 CM-04 CM-05 CM-09 CM-14 SA-10
3.7.1	Business continuity management — business impact analysis	CP-02 PM-09 PM-11 RA-03 RA-09
3.7.2	Business continuity management — business continuity planning	CP-01 CP-02 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13
3.7.3	Business continuity management — response and recovery plans	CP-02 CP-10 IR-01 IR-04 IR-08 SC-24
3.7.4	Business continuity management — testing of plans	CP-03 CP-04 CP-05 IR-03
3.7.5	Business continuity management — crisis communications	CP-02 IR-06 IR-07
3.8(a)	Payment service user relationship management — PSU awareness and communication	AT-02 PM-20 PM-21 SC-15
3.8(b)	Payment service user relationship management — secure authentication and communication channels	IA-02 IA-05 IA-08 IA-11 SC-08 SC-12 SC-13 SC-23
3.8(c)	Payment service user relationship management — transaction monitoring and fraud prevention	AU-06 SI-04 SI-20
3.8(d)	Payment service user relationship management — PSU notification and incident handling	IR-06 IR-07 SI-05