← Frameworks / Global Financial Standard

CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures

International guidance establishing cybersecurity and operational resilience expectations for financial market infrastructures (FMIs) including CCPs, CSDs, payment systems, and trade repositories. 5 risk categories covering governance, identification, protection, detection, and response/recovery with 3 maturity levels (evolving, advancing, innovating). Builds on CPMI-IOSCO PFMI Principle 17 and complements national supervisory frameworks.

Clauses: 41

Avg Coverage: 72.7%

Publisher: CPMI-IOSCO (BIS / IOSCO) Version: 2016

IOSCO Cyber Resilience → SP 800-53 SP 800-53 → IOSCO Cyber Resilience Coverage Analysis

Clause	Title	SP 800-53 Controls
DET-1	Detection — Comprehensive monitoring and logging	AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 AU-13 AU-14 CA-07 SI-04
DET-2	Detection — Anomaly detection and baseline profiling	AU-06 CA-07 SC-05 SI-04 SI-06 SI-16 SI-20
DET-3	Detection — Indicators of compromise and threat intelligence integration	PM-16 RA-05 RA-10 SI-03 SI-04 SI-05 SI-08
DET-4	Detection — Monitoring controls implemented to assist containment and analysis	AU-06 AU-12 IR-04 SC-07 SI-04 SI-06
GOV-1	Governance — Cyber resilience framework establishment	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PL-02 PL-09 PM-01 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01
GOV-2	Governance — Board and senior management oversight	PM-01 PM-02 PM-09 PM-13 PM-14 PL-01 PL-09 CA-06
GOV-3	Governance — Cyber risk appetite and tolerance	PM-09 RA-01 RA-03 RA-07 PL-10 PL-11
GOV-4	Governance — Roles, responsibilities, and cyber workforce	PM-02 PM-13 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09
GOV-5	Governance — Engagement with participants, linked FMIs, and service providers	CA-03 PM-15 PS-07 SA-09 SR-01 SR-02 SR-03 SR-06
ID-1	Identification — Critical business functions, processes, and information assets	CM-08 CM-12 CM-13 PM-11 RA-02 RA-09 SA-05
ID-2	Identification — Interconnections and dependencies mapping	CA-03 CA-09 CM-08 CM-12 PM-11 RA-09 SA-09
ID-3	Identification — Cyber threat landscape and risk assessment	PM-16 RA-01 RA-02 RA-03 RA-05 RA-07 RA-10 SI-05
ID-4	Identification — Asset inventory and classification using automated tools	AC-16 CM-02 CM-08 CM-12 CM-13 RA-02
LE-1	Learning and Evolving — Post-incident review and lessons learned	CA-05 CA-07 CP-04 IR-04 IR-05 IR-06
LE-2	Learning and Evolving — Continuous improvement of the cyber resilience framework	CA-02 CA-05 CA-07 PL-03 PM-04 RA-04
LE-3	Learning and Evolving — Adoption of emerging standards and international best practices	PM-15 PM-16 SA-08 SI-21
PFMI-2	PFMI Principle 2 — Governance arrangements for cyber resilience	PM-01 PM-02 PM-09 PL-01 PL-09
PFMI-3	PFMI Principle 3 — Comprehensive risk management framework for cyber risk	PM-01 PM-09 PL-02 PL-09 PL-10 PL-11 RA-01 RA-03 RA-07
PFMI-17	PFMI Principle 17 — Operational risk management and 2hRTO for cyber scenarios	CP-01 CP-02 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13 IR-01 IR-04 IR-08 MA-01 MA-02 SC-24
PFMI-20	PFMI Principle 20 — FMI links and interconnection cyber risk	AC-04 AC-20 CA-03 CA-09 SA-09 SC-07
PROT-1	Protection — Access control and privileged user management	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-17 AC-24 AC-25 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-08 IA-12
PROT-2	Protection — Network segmentation and boundary protection	AC-04 CA-03 SC-02 SC-03 SC-07 SC-32 SC-39 SC-46
PROT-3	Protection — Data integrity and confidentiality controls	PT-02 PT-03 SC-04 SC-08 SC-12 SC-13 SC-16 SC-28 SI-07 SI-10 SI-12 SI-19
PROT-4	Protection — Security awareness and staff training	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PL-04
PROT-5	Protection — Physical security and environmental controls	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18
PROT-6	Protection — Change management and secure development	CM-03 CM-04 CM-05 CM-06 CM-09 CM-14 SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17 SI-02 SI-07
PROT-7	Protection — Supply chain and third-party risk management	SA-04 SA-09 SA-21 SA-22 SR-01 SR-02 SR-03 SR-04 SR-05 SR-06 SR-07 SR-08 SR-09 SR-10 SR-11 SR-12
REG-1	Regulatory coordination — Engagement with overseers and regulators	PM-15 PM-25 PM-26
RR-1	Response and Recovery — Incident response plan and procedures	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09
RR-2	Response and Recovery — 2-hour recovery time objective (2hRTO)	CP-02 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13 RA-09 SC-24
RR-3	Response and Recovery — Settlement finality and transaction integrity preservation	CP-09 CP-10 SC-08 SC-24 SI-07 SI-10
RR-4	Response and Recovery — Communication and coordination during incidents	IR-06 IR-07 PM-15 SC-47
RR-5	Response and Recovery — Recovery plans based on current threat intelligence and plausible scenarios	CP-02 CP-04 IR-03 IR-08 PM-16 RA-03
SA-1	Situational Awareness — Proactive threat monitoring and intelligence	AT-05 PM-15 PM-16 RA-03 RA-05 RA-10 SI-05 SI-21
SA-2	Situational Awareness — Threat intelligence sharing with the financial sector	AT-05 PM-15 PM-16 IR-06
SA-3	Situational Awareness — Vulnerability management and assessment	CA-02 CA-07 CA-08 RA-05 SA-11 SI-02 SI-05
TEST-1	Testing — Comprehensive cyber resilience testing programme	CA-02 CA-04 CA-07 CA-08 CP-04 IR-03 RA-05 SA-11
TEST-2	Testing — Threat-led penetration testing and red team exercises	CA-08 RA-06
TEST-3	Testing — Testing after significant system changes	CA-02 CM-04 SA-11 SI-06
TEST-4	Testing — Involvement of participants, linked FMIs, and critical service providers	CA-02 CA-08 CP-04 IR-03 SR-06
TEST-5	Testing — Backup data integrity verification	CP-04 CP-09 SI-07