
FINMA Circular 2023/1 Operational Risk and Resilience — Banks

Swiss financial market supervisory authority circular covering technology infrastructure, cyber risk, critical data management, business continuity management, and outsourcing for banks and securities dealers. References use chapter and margin number format — e.g. IV.C(65) for cyber risk management margin 65 — across 114 margin numbers in 7 sections.

AC Access Control

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| AC-01 | Access Control Policies and Procedures | IV.A(23), IV.A(24), IV.B.d(59), IV.B.d(60) |
| AC-02 | Account Management | IV.B.d(59), IV.B.d(60), IV.C(61) |
| AC-03 | Access Enforcement | IV.B.d(59), IV.B.d(60), IV.C(61) |
| AC-04 | Information Flow Enforcement | IV.B.d(59), IV.C(62), IV.C(63) |
| AC-05 | Separation Of Duties | IV.B.d(59), IV.B.d(60) |
| AC-06 | Least Privilege | IV.B.d(59), IV.B.d(60), IV.C(61) |
| AC-07 | Unsuccessful Login Attempts | IV.B.d(59), IV.C(61) |
| AC-08 | System Use Notification | IV.B.d(59) |
| AC-09 | Previous Logon Notification | IV.B.d(59) |
| AC-10 | Concurrent Session Control | IV.B.d(59), IV.C(61) |
| AC-11 | Session Lock | IV.B.d(59), IV.C(61) |
| AC-12 | Session Termination | IV.B.d(59), IV.C(61) |
| AC-13 | Supervision And Review -- Access Control | IV.B.d(59), IV.B.d(60) |
| AC-14 | Permitted Actions Without Identification Or Authentication | IV.B.d(59) |
| AC-15 | Automated Marking | IV.D(78), IV.D(79) |
| AC-16 | Automated Labeling | IV.D(78), IV.D(79), IV.D(80) |
| AC-17 | Remote Access | IV.B.d(59), IV.C(62), IV.C(63) |
| AC-18 | Wireless Access Restrictions | IV.B.d(59), IV.C(62) |
| AC-19 | Access Control For Portable And Mobile Devices | IV.B.d(59), IV.C(64) |
| AC-20 | Use Of External Information Systems | IV.B.d(59), IV.F(100), V(101) |

AT Awareness and Training

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| AT-01 | Security Awareness And Training Policy And Procedures | IV.A(23), IV.B.a(48), IV.B.a(49) |
| AT-02 | Security Awareness | IV.B.a(48), IV.B.a(49), IV.B.b(50), IV.B.b(51) |
| AT-03 | Security Training | IV.B.a(48), IV.B.a(49), IV.B.b(50) |
| AT-04 | Security Training Records | IV.B.a(48), IV.B.a(49) |
| AT-05 | Contacts With Security Groups And Associations | IV.B.a(48), IV.B.b(52), IV.B.c(53) |
| AT-06 | Training Feedback | IV.B.a(47), IV.B.a(48), IV.B.a(49), IV.B.b(50), IV.B.b(51), IV.E(92), IV.E(93), IV.F(97) |

AU Audit and Accountability

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| AU-01 | Audit And Accountability Policy And Procedures | IV.A(23), IV.C(66), IV.C(67) |
| AU-02 | Auditable Events | IV.C(66), IV.C(67), IV.C(68) |
| AU-03 | Content Of Audit Records | IV.C(66), IV.C(67) |
| AU-04 | Audit Storage Capacity | IV.A(28), IV.A(29), IV.C(66) |
| AU-05 | Response To Audit Processing Failures | IV.A(41), IV.C(66), IV.C(67) |
| AU-06 | Audit Monitoring, Analysis, And Reporting | IV.C(66), IV.C(67), IV.C(68), IV.C(69) |
| AU-07 | Audit Reduction And Report Generation | IV.C(66), IV.C(67) |
| AU-08 | Time Stamps | IV.A(28), IV.C(66) |
| AU-09 | Protection Of Audit Information | IV.B.d(59), IV.C(66), IV.C(67) |
| AU-10 | Non-Repudiation | IV.C(66), IV.C(67) |
| AU-11 | Audit Record Retention | IV.C(66), IV.D(82), IV.E(83) |

CA Security Assessment and Authorization

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | IV.A(23), IV.A(24), IV.D(75) |
| CA-02 | Security Assessments | IV.D(75), IV.D(76), IV.D(77) |
| CA-03 | Information System Connections | IV.C(62), IV.F(100), V(101) |
| CA-04 | Security Certification | IV.D(75), IV.D(76) |
| CA-05 | Plan Of Action And Milestones | IV.B.c(54), IV.B.c(55), IV.D(75) |
| CA-06 | Security Accreditation | IV.A(23), IV.A(24), IV.D(75) |
| CA-07 | Continuous Monitoring | IV.C(66), IV.C(67), IV.C(68), IV.D(75), IV.D(76) |
| CA-09 | Internal System Connections | IV.B.d(59), IV.B.d(60), IV.C(62), IV.D(75), IV.D(76), IV.D(77), V(104) |

CM Configuration Management

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| CM-01 | Configuration Management Policy And Procedures | IV.A(23), IV.A(28), IV.A(36) |
| CM-02 | Baseline Configuration | IV.A(28), IV.A(29), IV.A(30), IV.A(31) |
| CM-03 | Configuration Change Control | IV.A(36), IV.A(37), IV.A(38), IV.A(39), IV.A(40) |
| CM-04 | Monitoring Configuration Changes | IV.A(36), IV.A(37), IV.A(38), IV.C(66) |
| CM-05 | Access Restrictions For Change | IV.A(36), IV.A(37), IV.B.d(59) |
| CM-06 | Configuration Settings | IV.A(28), IV.A(29), IV.C(64) |
| CM-07 | Least Functionality | IV.A(28), IV.C(64), IV.C(65) |
| CM-08 | Information System Component Inventory | IV.A(28), IV.A(29), IV.A(30), IV.B.c(54), IV.B.c(55) |
| CM-12 | Information Location | IV.A(28), IV.A(30), IV.A(31), IV.D(78), IV.D(79) |
| CM-13 | Data Action Mapping | IV.A(30), IV.A(31), IV.D(78), IV.D(79), IV.D(80) |
| CM-14 | Signed Components | IV.A(36), IV.A(37), IV.A(39), IV.C(64), V(109), V(110) |

CP Contingency Planning

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| CP-01 | Contingency Planning Policy And Procedures | IV.A(23), IV.E(87), IV.E(88) |
| CP-02 | Contingency Plan | IV.E(87), IV.E(88), IV.E(89), IV.E(90), IV.E(91) |
| CP-03 | Contingency Training | IV.E(92), IV.E(93) |
| CP-04 | Contingency Plan Testing And Exercises | IV.E(94), IV.E(95), IV.E(96), IV.F(97) |
| CP-05 | Contingency Plan Update | IV.E(87), IV.F(98), IV.F(99) |
| CP-06 | Alternate Storage Site | IV.E(89), IV.E(90), IV.E(91) |
| CP-07 | Alternate Processing Site | IV.E(89), IV.E(90), IV.E(91) |
| CP-08 | Telecommunications Services | IV.A(28), IV.E(89), IV.E(90) |
| CP-09 | Information System Backup | IV.D(82), IV.E(89), IV.E(90), IV.E(91) |
| CP-10 | Information System Recovery And Reconstitution | IV.C(70), IV.D(71), IV.D(72), IV.E(89), IV.E(90) |

IA Identification and Authentication

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| IA-01 | Identification And Authentication Policy And Procedures | IV.A(23), IV.B.d(59), IV.B.d(60) |
| IA-02 | User Identification And Authentication | IV.B.d(59), IV.B.d(60), IV.C(61) |
| IA-03 | Device Identification And Authentication | IV.B.d(59), IV.C(62) |
| IA-04 | Identifier Management | IV.B.d(59), IV.B.d(60) |
| IA-05 | Authenticator Management | IV.B.d(59), IV.B.d(60), IV.C(61) |
| IA-06 | Authenticator Feedback | IV.B.d(59) |
| IA-07 | Cryptographic Module Authentication | IV.B.d(59), IV.C(63) |

IR Incident Response

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| IR-01 | Incident Response Policy And Procedures | IV.A(23), IV.A(41), IV.C(70) |
| IR-02 | Incident Response Training | IV.A(41), IV.A(42), IV.C(70), IV.D(71) |
| IR-03 | Incident Response Testing And Exercises | IV.A(41), IV.D(75), IV.D(76), IV.D(77) |
| IR-04 | Incident Handling | IV.A(41), IV.A(42), IV.A(43), IV.C(70), IV.D(71), IV.D(72) |
| IR-05 | Incident Monitoring | IV.A(41), IV.A(44), IV.C(66), IV.C(67) |
| IR-06 | Incident Reporting | IV.A(44), IV.A(45), IV.A(46), IV.B.a(47), IV.D(73), IV.D(74) |
| IR-07 | Incident Response Assistance | IV.A(41), IV.C(70), IV.D(71) |
| IR-09 | Information Spillage Response | IV.A(41), IV.A(43), IV.A(45), IV.A(46), IV.C(70), IV.D(71), IV.D(73), IV.D(74) |

MA Maintenance

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| MA-01 | System Maintenance Policy And Procedures | IV.A(23), IV.A(28), IV.A(36) |
| MA-02 | Controlled Maintenance | IV.A(28), IV.A(29), IV.A(36) |
| MA-03 | Maintenance Tools | IV.A(28), IV.A(29) |
| MA-04 | Remote Maintenance | IV.A(28), IV.B.d(59), IV.C(62) |
| MA-05 | Maintenance Personnel | IV.A(28), IV.F(100), V(101) |
| MA-06 | Timely Maintenance | IV.A(28), IV.A(29), IV.E(89) |
| MA-07 | Field Maintenance | IV.A(28) |

MP Media Protection

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| MP-01 | Media Protection Policy And Procedures | IV.A(23), IV.D(78), IV.D(79) |
| MP-02 | Media Access | IV.B.d(59), IV.D(78), IV.D(80) |
| MP-03 | Media Labeling | IV.D(78), IV.D(79), IV.D(80) |
| MP-04 | Media Storage | IV.D(78), IV.D(81), IV.D(82) |
| MP-05 | Media Transport | IV.C(63), IV.D(78), IV.D(81) |
| MP-06 | Media Sanitization And Disposal | IV.D(78), IV.E(83), IV.E(84) |
| MP-08 | Media Downgrading | IV.D(78), IV.D(79), IV.D(82), IV.E(83) |

PE Physical and Environmental Protection

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| PE-01 | Physical And Environmental Protection Policy And Procedures | IV.A(23), IV.A(28) |
| PE-02 | Physical Access Authorizations | IV.B.d(59) |
| PE-03 | Physical Access Control | IV.B.d(59) |
| PE-04 | Access Control For Transmission Medium | IV.C(62) |
| PE-06 | Monitoring Physical Access | IV.C(66) |
| PE-08 | Access Records | IV.C(66) |
| PE-09 | Power Equipment And Power Cabling | IV.A(28), IV.E(89) |
| PE-10 | Emergency Shutoff | IV.E(89) |
| PE-11 | Emergency Power | IV.A(28), IV.E(89) |
| PE-12 | Emergency Lighting | IV.E(89) |
| PE-13 | Fire Protection | IV.E(89) |
| PE-14 | Temperature And Humidity Controls | IV.A(28), IV.E(89) |
| PE-15 | Water Damage Protection | IV.E(89) |
| PE-17 | Alternate Work Site | IV.E(89), IV.E(90) |
| PE-18 | Location Of Information System Components | IV.A(28), IV.D(81) |
| PE-19 | Information Leakage | IV.C(63), IV.D(78) |
| PE-21 | Electromagnetic Pulse Protection | IV.A(28), IV.E(89) |
| PE-22 | Component Marking | IV.A(28) |
| PE-23 | Facility Location | IV.A(28), IV.E(89), IV.E(91) |

PL Planning

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| PL-01 | Security Planning Policy And Procedures | IV.A(23), IV.A(24), IV.B.a(48) |
| PL-02 | System Security Plan | IV.A(23), IV.A(24), IV.A(25), IV.B.a(48) |
| PL-03 | System Security Plan Update | IV.A(23), IV.A(25) |
| PL-04 | Rules Of Behavior | IV.B.a(48), IV.B.a(49) |
| PL-05 | Privacy Impact Assessment | IV.D(78), IV.D(79) |
| PL-06 | Security-Related Activity Planning | IV.A(23), IV.A(24), IV.B.a(48) |
| PL-09 | Central Management | IV.A(23), IV.A(24), IV.A(31) |
| PL-10 | Baseline Selection | IV.A(23), IV.A(25) |
| PL-11 | Baseline Tailoring | IV.A(23), IV.A(25) |

PS Personnel Security

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| PS-01 | Personnel Security Policy And Procedures | IV.A(23), IV.B.a(48) |
| PS-02 | Position Categorization | IV.B.a(48), IV.B.c(54) |
| PS-03 | Personnel Screening | IV.B.a(48), IV.F(100) |
| PS-04 | Personnel Termination | IV.B.d(59), IV.B.d(60) |
| PS-05 | Personnel Transfer | IV.B.d(59), IV.B.d(60) |
| PS-06 | Access Agreements | IV.B.a(48), IV.B.d(59) |
| PS-07 | Third-Party Personnel Security | IV.F(100), V(101), V(102) |
| PS-08 | Personnel Sanctions | IV.B.a(48) |
| PS-09 | Position Descriptions | IV.B.a(48), IV.B.d(60) |

PT Personally Identifiable Information Processing and Transparency

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| PT-01 | Policy and Procedures | IV.D(78), IV.D(79) |
| PT-02 | Authority to Process Personally Identifiable Information | IV.D(78), IV.D(79) |
| PT-03 | Personally Identifiable Information Processing Purposes | IV.D(78), IV.D(79), IV.D(80) |
| PT-04 | Consent | IV.D(78) |
| PT-05 | Privacy Notice | IV.D(78) |
| PT-06 | System of Records Notice | IV.D(78), IV.D(82) |
| PT-07 | Specific Categories of Personally Identifiable Information | IV.D(78), IV.D(79), IV.D(80) |

RA Risk Assessment

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| RA-01 | Risk Assessment Policy And Procedures | IV.A(23), IV.B.a(48), IV.B.c(54) |
| RA-02 | Security Categorization | IV.B.c(54), IV.B.c(55), IV.D(78) |
| RA-03 | Risk Assessment | IV.B.c(54), IV.B.c(55), IV.B.c(56), IV.B.c(57), IV.B.d(58) |
| RA-04 | Risk Assessment Update | IV.B.c(54), IV.B.c(55) |
| RA-05 | Vulnerability Scanning | IV.B.c(54), IV.B.c(56), IV.B.c(57), IV.D(75), IV.D(76) |
| RA-06 | Technical Surveillance Countermeasures Survey | IV.B.c(54), IV.B.c(56), IV.B.c(57), IV.D(75), IV.D(76) |
| RA-07 | Risk Response | IV.A(38), IV.A(40), IV.A(42), IV.B.b(52), IV.B.c(53), IV.B.c(54), IV.B.c(55), IV.B.c(56), IV.B.d(58), V(101), V(107) |
| RA-08 | Privacy Impact Assessments | IV.B.c(54), IV.D(78) |
| RA-09 | Criticality Analysis | IV.A(42), IV.B.c(54), IV.B.c(55), IV.B.d(58), IV.E(88), IV.E(94), IV.E(95), IV.E(96), V(101) |

SA System and Services Acquisition

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| SA-01 | System And Services Acquisition Policy And Procedures | IV.A(23), IV.A(36), IV.F(100) |
| SA-02 | Allocation Of Resources | IV.A(23), IV.A(24), IV.A(25) |
| SA-03 | Life Cycle Support | IV.A(28), IV.A(36), IV.A(37) |
| SA-04 | Acquisitions | IV.F(100), V(101), V(102), V(103) |
| SA-05 | Information System Documentation | IV.A(28), IV.A(36) |
| SA-06 | Software Usage Restrictions | IV.A(28), IV.A(36) |
| SA-07 | User Installed Software | IV.A(36), IV.C(64) |
| SA-08 | Security Engineering Principles | IV.A(28), IV.A(29), IV.B.d(59) |
| SA-09 | External Information System Services | IV.F(100), V(101), V(102), V(103), V(104) |
| SA-10 | Developer Configuration Management | IV.A(36), IV.A(37), IV.A(38), IV.A(39) |
| SA-11 | Developer Security Testing | IV.A(36), IV.A(37), IV.D(75), IV.D(76) |
| SA-20 | Customized Development of Critical Components | V(111), VI(112) |
| SA-21 | Developer Screening | IV.F(100), V(101), V(103), VII.A(113) |
| SA-23 | Specialization | IV.F(100), V(102), V(103) |

SC System and Communications Protection

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| SC-01 | System And Communications Protection Policy And Procedures | IV.A(23), IV.B.d(59), IV.D(78) |
| SC-02 | Application Partitioning | IV.C(62), IV.C(63) |
| SC-03 | Security Function Isolation | IV.C(62), IV.C(63) |
| SC-04 | Information Remnance | IV.D(78), IV.E(83) |
| SC-05 | Denial Of Service Protection | IV.B.d(59), IV.C(62), IV.C(65) |
| SC-06 | Resource Priority | IV.A(28), IV.A(29) |
| SC-07 | Boundary Protection | IV.B.d(59), IV.C(62), IV.C(63) |
| SC-08 | Transmission Integrity | IV.C(63), IV.D(78), IV.D(81) |
| SC-09 | Transmission Confidentiality | IV.C(63), IV.D(78), IV.D(81) |
| SC-10 | Network Disconnect | IV.B.d(59), IV.C(61) |
| SC-11 | Trusted Path | IV.B.d(59), IV.C(63) |
| SC-12 | Cryptographic Key Establishment And Management | IV.C(63), IV.C(64) |
| SC-13 | Use Of Cryptography | IV.C(63), IV.C(64) |
| SC-14 | Public Access Protections | IV.B.d(59), IV.C(62) |
| SC-15 | Collaborative Computing | IV.B.d(59), IV.C(62) |
| SC-16 | Transmission Of Security Parameters | IV.C(63) |
| SC-17 | Public Key Infrastructure Certificates | IV.C(63), IV.C(64) |
| SC-18 | Mobile Code | IV.B.d(59), IV.C(64) |
| SC-19 | Voice Over Internet Protocol | IV.C(62), IV.C(63) |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | IV.A(28), IV.C(62) |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | IV.A(28), IV.C(62) |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | IV.A(28), IV.C(62) |
| SC-23 | Session Authenticity | IV.B.d(59), IV.C(63) |
| SC-24 | Fail in Known State | IV.B.d(59), IV.C(61), IV.C(70), IV.D(71), IV.E(87), IV.E(89), IV.E(90) |
| SC-25 | Thin Nodes | IV.D(81) |
| SC-34 | Non-modifiable Executable Programs | IV.C(64), IV.D(72) |
| SC-37 | Out-of-band Channels | IV.C(63) |
| SC-38 | Operations Security | IV.D(81) |
| SC-40 | Wireless Link Protection | IV.C(63) |
| SC-42 | Sensor Capability and Data | IV.D(78) |
| SC-44 | Detonation Chambers | IV.C(64), IV.C(65) |
| SC-46 | Cross Domain Policy Enforcement | IV.B.d(59), IV.C(62) |
| SC-47 | Alternate Communications Paths | IV.C(62), IV.E(90) |
| SC-48 | Sensor Relocation | IV.B.d(59), IV.C(62), IV.C(66), IV.C(67), IV.C(68), IV.C(69) |

SI System and Information Integrity

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| SI-01 | System And Information Integrity Policy And Procedures | IV.A(23), IV.B.d(59), IV.C(66) |
| SI-02 | Flaw Remediation | IV.A(36), IV.B.c(56), IV.B.d(59), IV.C(64) |
| SI-03 | Malicious Code Protection | IV.B.d(59), IV.C(64), IV.C(65) |
| SI-04 | Information System Monitoring Tools And Techniques | IV.C(66), IV.C(67), IV.C(68), IV.C(69) |
| SI-05 | Security Alerts And Advisories | IV.B.b(52), IV.B.c(53), IV.B.c(56) |
| SI-06 | Security Functionality Verification | IV.D(75), IV.D(76) |
| SI-07 | Software And Information Integrity | IV.B.d(59), IV.C(64), IV.D(78) |
| SI-08 | Spam Protection | IV.B.d(59), IV.C(64) |
| SI-09 | Information Input Restrictions | IV.D(78), IV.D(80) |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | IV.D(78), IV.D(80), IV.E(84) |
| SI-11 | Error Handling | IV.A(41), IV.C(66) |
| SI-12 | Information Output Handling And Retention | IV.D(78), IV.D(82), IV.E(83) |
| SI-13 | Predictable Failure Prevention | IV.A(28), IV.A(29), IV.E(89) |
| SI-14 | Non-persistence | IV.D(71), IV.D(72) |
| SI-16 | Memory Protection | IV.C(64), IV.C(65) |
| SI-18 | Personally Identifiable Information Quality Operations | IV.E(84) |
| SI-20 | Tainting | IV.D(80) |
| SI-21 | Information Refresh | IV.E(84) |

SR Supply Chain Risk Management

| Control | Name | FINMA Circular 2023/1 References |
| --- | --- | --- |
| SR-01 | Policy and Procedures | IV.A(23), IV.F(100), V(101) |
| SR-02 | Supply Chain Risk Management Plan | IV.F(100), V(101), V(102), V(103) |
| SR-03 | Supply Chain Controls and Processes | V(104), V(105), V(106), V(107), V(108) |
| SR-04 | Provenance | V(109), V(110) |
| SR-05 | Acquisition Strategies, Tools, and Methods | IV.F(100), V(101), V(111), VI(112) |
| SR-06 | Supplier Assessments and Reviews | VII.A(113), VII.B(114) |
| SR-10 | Inspection of Systems or Components | VII.A(113), VII.B(114) |
| SR-12 | Component Disposal | IV.E(83) |