EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04)
European Banking Authority guidelines on ICT and security risk management for credit institutions, investment firms, and payment service providers across the EU. The 33 guidelines are grouped under ICT governance and strategy, the ICT and security risk management framework, information security, ICT operations management, ICT project and change management, business continuity management, and payment service user relationship management. For entities in scope of DORA (Regulation (EU) 2022/2554) they are superseded from 17 January 2025.
Controls: 178
Total Mappings: 283
Publisher: European Banking Authority (EBA)
Version: 2019 (GL/2019/04)
Controls per family: AC (13), AT (6), AU (13), CA (7), CM (13), CP (13), IA (9), IR (9), MA (4), MP (1), PE (16), PL (7), PM (15), PS (2), PT (1), RA (7), SA (15), SC (12), SI (10), SR (5)
References in the tables below give the section of the Guidelines (e.g. 3.4.2); a letter such as 3.5(a) identifies a sub-point within that section.
AC Access Control
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 3.2.1, 3.3.1, 3.4.1, 3.4.2 |
| AC-02 | Account Management | 3.4.2 |
| AC-03 | Access Enforcement | 3.4.2 |
| AC-04 | Information Flow Enforcement | 3.4.2 |
| AC-05 | Separation Of Duties | 3.4.2 |
| AC-06 | Least Privilege | 3.4.2 |
| AC-07 | Unsuccessful Login Attempts | 3.4.2 |
| AC-10 | Concurrent Session Control | 3.4.2 |
| AC-11 | Session Lock | 3.4.2 |
| AC-12 | Session Termination | 3.4.2 |
| AC-17 | Remote Access | 3.4.2 |
| AC-20 | Use Of External Information Systems | 3.2.3 |
| AC-24 | Access Control Decisions | 3.4.2 |
AT Awareness and Training
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | 3.4.1, 3.4.7 |
| AT-02 | Security Awareness | 3.4.7, 3.8(a) |
| AT-03 | Security Training | 3.4.7 |
| AT-04 | Security Training Records | 3.4.7 |
| AT-05 | Contacts With Security Groups And Associations | 3.4.7 |
| AT-06 | Training Feedback | 3.4.7 |
AU Audit and Accountability
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 3.3.5, 3.4.1 |
| AU-02 | Auditable Events | 3.4.5, 3.5(c) |
| AU-03 | Content Of Audit Records | 3.4.5, 3.5(c) |
| AU-04 | Audit Storage Capacity | 3.4.5 |
| AU-05 | Response To Audit Processing Failures | 3.4.5 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 3.4.5, 3.5(c), 3.8(c) |
| AU-07 | Audit Reduction And Report Generation | 3.4.5 |
| AU-08 | Time Stamps | 3.4.5, 3.5(c) |
| AU-09 | Protection Of Audit Information | 3.4.5, 3.5(c) |
| AU-11 | Audit Record Retention | 3.4.5, 3.5(c) |
| AU-12 | Audit Record Generation | 3.4.5, 3.5(c) |
| AU-13 | Monitoring for Information Disclosure | 3.4.5 |
| AU-14 | Session Audit | 3.4.5 |
CA Security Assessment and Authorization
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | 3.2.1, 3.3.1, 3.4.1 |
| CA-02 | Security Assessments | 3.3.6, 3.4.6 |
| CA-04 | Security Certification | 3.4.6 |
| CA-05 | Plan Of Action And Milestones | 3.3.4, 3.3.6 |
| CA-07 | Continuous Monitoring | 3.3.5, 3.3.6, 3.4.5, 3.4.6 |
| CA-08 | Penetration Testing | 3.4.6 |
| CA-09 | Internal System Connections | 3.3.6 |
CM Configuration Management
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | 3.4.1, 3.6.3 |
| CM-02 | Baseline Configuration | 3.4.4, 3.5(a) |
| CM-03 | Configuration Change Control | 3.4.4, 3.5(b), 3.6.3 |
| CM-04 | Monitoring Configuration Changes | 3.4.6, 3.5(b), 3.6.3 |
| CM-05 | Access Restrictions For Change | 3.4.4, 3.6.3 |
| CM-06 | Configuration Settings | 3.4.4, 3.5(a) |
| CM-07 | Least Functionality | 3.4.4 |
| CM-08 | Information System Component Inventory | 3.3.2, 3.4.4, 3.5(a), 3.5(b) |
| CM-09 | Configuration Management Plan | 3.6.3 |
| CM-11 | User-Installed Software | 3.4.4 |
| CM-12 | Information Location | 3.3.2 |
| CM-13 | Data Action Mapping | 3.3.2 |
| CM-14 | Signed Components | 3.6.3 |
CP Contingency Planning
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 3.7.2 |
| CP-02 | Contingency Plan | 3.5(a), 3.7.1, 3.7.2, 3.7.3, 3.7.5 |
| CP-03 | Contingency Training | 3.7.4 |
| CP-04 | Contingency Plan Testing And Exercises | 3.7.4 |
| CP-05 | Contingency Plan Update | 3.7.4 |
| CP-06 | Alternate Storage Site | 3.7.2 |
| CP-07 | Alternate Processing Site | 3.7.2 |
| CP-08 | Telecommunications Services | 3.7.2 |
| CP-09 | Information System Backup | 3.7.2 |
| CP-10 | Information System Recovery And Reconstitution | 3.7.2, 3.7.3 |
| CP-11 | Alternate Communications Protocols | 3.7.2 |
| CP-12 | Safe Mode | 3.7.2 |
| CP-13 | Alternative Security Mechanisms | 3.7.2 |
IA Identification and Authentication
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | 3.4.1, 3.4.2 |
| IA-02 | User Identification And Authentication | 3.4.2, 3.8(b) |
| IA-03 | Device Identification And Authentication | 3.4.2 |
| IA-04 | Identifier Management | 3.4.2 |
| IA-05 | Authenticator Management | 3.4.2, 3.8(b) |
| IA-06 | Authenticator Feedback | 3.4.2 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | 3.4.2, 3.8(b) |
| IA-11 | Re-authentication | 3.8(b) |
| IA-12 | Identity Proofing | 3.4.2 |
IR Incident Response
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | 3.4.1, 3.5(d), 3.7.3 |
| IR-02 | Incident Response Training | 3.5(d) |
| IR-03 | Incident Response Testing And Exercises | 3.5(d), 3.7.4 |
| IR-04 | Incident Handling | 3.5(d), 3.7.3 |
| IR-05 | Incident Monitoring | 3.5(d) |
| IR-06 | Incident Reporting | 3.5(d), 3.7.5, 3.8(d) |
| IR-07 | Incident Response Assistance | 3.5(d), 3.7.5, 3.8(d) |
| IR-08 | Incident Response Plan | 3.5(d), 3.7.3 |
| IR-09 | Information Spillage Response | 3.5(d) |
MA Maintenance
MP Media Protection
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| MP-01 | Media Protection Policy And Procedures | 3.4.1 |
PE Physical and Environmental Protection
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 3.4.1, 3.4.3 |
| PE-02 | Physical Access Authorizations | 3.4.3 |
| PE-03 | Physical Access Control | 3.4.3 |
| PE-04 | Access Control For Transmission Medium | 3.4.3 |
| PE-05 | Access Control For Display Medium | 3.4.3 |
| PE-06 | Monitoring Physical Access | 3.4.3 |
| PE-08 | Access Records | 3.4.3 |
| PE-09 | Power Equipment And Power Cabling | 3.4.3 |
| PE-10 | Emergency Shutoff | 3.4.3 |
| PE-11 | Emergency Power | 3.4.3 |
| PE-12 | Emergency Lighting | 3.4.3 |
| PE-13 | Fire Protection | 3.4.3 |
| PE-14 | Temperature And Humidity Controls | 3.4.3 |
| PE-15 | Water Damage Protection | 3.4.3 |
| PE-17 | Alternate Work Site | 3.4.3 |
| PE-18 | Location Of Information System Components | 3.4.3 |
PL Planning
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | 3.2.1, 3.2.2, 3.3.1, 3.4.1, 3.6.1 |
| PL-02 | System Security Plan | 3.2.2, 3.6.1 |
| PL-04 | Rules Of Behavior | 3.4.7 |
| PL-07 | Concept of Operations | 3.6.1 |
| PL-09 | Central Management | 3.2.1, 3.2.2, 3.3.1 |
| PL-10 | Baseline Selection | 3.1, 3.3.1, 3.3.4 |
| PL-11 | Baseline Tailoring | 3.1, 3.3.1, 3.3.4 |
PM Program Management
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| PM-01 | Information Security Program Plan | 3.1, 3.2.1, 3.2.2, 3.3.1, 3.4.1, 3.6.1 |
| PM-02 | Information Security Program Leadership Role | 3.2.1, 3.3.1 |
| PM-03 | Information Security and Privacy Resources | 3.2.2, 3.6.1 |
| PM-04 | Plan of Action and Milestones Process | 3.3.4 |
| PM-05 | System Inventory | 3.3.2, 3.5(a) |
| PM-06 | Measures of Performance | 3.3.5 |
| PM-09 | Risk Management Strategy | 3.3.3, 3.4.1, 3.7.1 |
| PM-10 | Authorization Process | 3.6.1 |
| PM-11 | Mission and Business Process Definition | 3.3.2, 3.7.1 |
| PM-13 | Security and Privacy Workforce | 3.4.7 |
| PM-14 | Testing, Training, and Monitoring | 3.4.7 |
| PM-20 | Dissemination of Privacy Program Information | 3.8(a) |
| PM-21 | Accounting of Disclosures | 3.8(a) |
| PM-28 | Risk Framing | 3.3.1, 3.3.3 |
| PM-29 | Risk Management Program Leadership Roles | 3.2.1, 3.3.1 |
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| PT-01 | Policy and Procedures | 3.4.1 |
RA Risk Assessment
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | 3.1, 3.3.1, 3.3.3, 3.4.1 |
| RA-02 | Security Categorization | 3.3.2, 3.3.3 |
| RA-03 | Risk Assessment | 3.3.3, 3.3.5, 3.7.1 |
| RA-04 | Risk Assessment Update | 3.3.5 |
| RA-05 | Vulnerability Scanning | 3.4.6 |
| RA-07 | Risk Response | 3.3.3, 3.3.4, 3.3.5 |
| RA-09 | Criticality Analysis | 3.3.2, 3.3.3, 3.7.1 |
SA System and Services Acquisition
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | 3.4.1, 3.6.1 |
| SA-02 | Allocation Of Resources | 3.2.2, 3.6.1 |
| SA-03 | Life Cycle Support | 3.5(a), 3.5(b), 3.6.1, 3.6.2 |
| SA-04 | Acquisitions | 3.2.3, 3.6.1, 3.6.2 |
| SA-05 | Information System Documentation | 3.3.2 |
| SA-08 | Security Engineering Principles | 3.4.4, 3.6.1, 3.6.2 |
| SA-09 | External Information System Services | 3.2.3 |
| SA-10 | Developer Configuration Management | 3.6.2, 3.6.3 |
| SA-11 | Developer Security Testing | 3.4.6, 3.6.2 |
| SA-15 | Development Process, Standards, and Tools | 3.4.6, 3.6.2 |
| SA-16 | Developer-Provided Training | 3.6.2 |
| SA-17 | Developer Security and Privacy Architecture and Design | 3.6.2 |
| SA-20 | Customized Development of Critical Components | 3.6.2 |
| SA-21 | Developer Screening | 3.6.2 |
| SA-22 | Unsupported System Components | 3.5(b) |
SC System and Communications Protection
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | 3.4.1 |
| SC-05 | Denial Of Service Protection | 3.5(a) |
| SC-06 | Resource Priority | 3.5(a) |
| SC-07 | Boundary Protection | 3.4.4 |
| SC-08 | Transmission Integrity | 3.8(b) |
| SC-10 | Network Disconnect | 3.4.2 |
| SC-12 | Cryptographic Key Establishment And Management | 3.8(b) |
| SC-13 | Use Of Cryptography | 3.8(b) |
| SC-15 | Collaborative Computing | 3.8(a) |
| SC-23 | Session Authenticity | 3.8(b) |
| SC-24 | Fail in Known State | 3.7.3 |
| SC-28 | Protection of Information at Rest | 3.4.4 |
SI System and Information Integrity
| Control | Name | EBA ICT Guidelines References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | 3.4.1 |
| SI-02 | Flaw Remediation | 3.4.4, 3.5(b) |
| SI-03 | Malicious Code Protection | 3.4.4 |
| SI-04 | Information System Monitoring Tools And Techniques | 3.4.5, 3.5(c), 3.8(c) |
| SI-05 | Security Alerts And Advisories | 3.4.5, 3.8(d) |
| SI-06 | Security Functionality Verification | 3.4.6 |
| SI-07 | Software And Information Integrity | 3.4.4 |
| SI-11 | Error Handling | 3.5(c) |
| SI-13 | Predictable Failure Prevention | 3.5(a) |
| SI-20 | Tainting | 3.8(c) |