CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures
International guidance establishing cybersecurity and operational resilience expectations for financial market infrastructures (FMIs), including CCPs, CSDs, payment systems, and trade repositories. It organises expectations into five risk management categories (governance, identification, protection, detection, and response and recovery) and assesses each against three maturity levels (evolving, advancing, innovating). It builds on CPMI-IOSCO PFMI Principle 17 and complements national supervisory frameworks.

Reference prefixes used in the tables below follow the chapters of the guidance: GOV (governance), ID (identification), PROT (protection), DET (detection), RR (response and recovery), TEST (testing), SA (situational awareness), LE (learning and evolving); PFMI-n denotes PFMI Principle n.

Mapped controls per NIST SP 800-53 family: AC (17), AT (6), AU (14), CA (9), CM (11), CP (10), IA (8), IR (9), MA (2), MP (1), PE (16), PL (7), PM (11), PS (9), PT (2), RA (9), SA (12), SC (16), SI (14), SR (12)
AC Access Control
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | GOV-1, PROT-1 |
| AC-02 | Account Management | PROT-1 |
| AC-03 | Access Enforcement | PROT-1 |
| AC-04 | Information Flow Enforcement | PFMI-20, PROT-2 |
| AC-05 | Separation Of Duties | PROT-1 |
| AC-06 | Least Privilege | PROT-1 |
| AC-07 | Unsuccessful Login Attempts | PROT-1 |
| AC-08 | System Use Notification | PROT-1 |
| AC-09 | Previous Logon Notification | PROT-1 |
| AC-10 | Concurrent Session Control | PROT-1 |
| AC-11 | Session Lock | PROT-1 |
| AC-12 | Session Termination | PROT-1 |
| AC-16 | Automated Labeling | ID-4 |
| AC-17 | Remote Access | PROT-1 |
| AC-20 | Use Of External Information Systems | PFMI-20 |
| AC-24 | Access Control Decisions | PROT-1 |
| AC-25 | Reference Monitor | PROT-1 |
AT Awareness and Training
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | GOV-1, PROT-4 |
| AT-02 | Security Awareness | PROT-4 |
| AT-03 | Security Training | PROT-4 |
| AT-04 | Security Training Records | PROT-4 |
| AT-05 | Contacts With Security Groups And Associations | PROT-4, SA-1, SA-2 |
| AT-06 | Training Feedback | PROT-4 |
AU Audit and Accountability
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | GOV-1 |
| AU-02 | Auditable Events | DET-1 |
| AU-03 | Content Of Audit Records | DET-1 |
| AU-04 | Audit Storage Capacity | DET-1 |
| AU-05 | Response To Audit Processing Failures | DET-1 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | DET-1, DET-2, DET-4 |
| AU-07 | Audit Reduction And Report Generation | DET-1 |
| AU-08 | Time Stamps | DET-1 |
| AU-09 | Protection Of Audit Information | DET-1 |
| AU-10 | Non-Repudiation | DET-1 |
| AU-11 | Audit Record Retention | DET-1 |
| AU-12 | Audit Record Generation | DET-1, DET-4 |
| AU-13 | Monitoring for Information Disclosure | DET-1 |
| AU-14 | Session Audit | DET-1 |
CA Security Assessment and Authorization
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | GOV-1 |
| CA-02 | Security Assessments | LE-2, SA-3, TEST-1, TEST-3, TEST-4 |
| CA-03 | Information System Connections | GOV-5, ID-2, PFMI-20, PROT-2 |
| CA-04 | Security Certification | TEST-1 |
| CA-05 | Plan Of Action And Milestones | LE-1, LE-2 |
| CA-06 | Security Accreditation | GOV-2 |
| CA-07 | Continuous Monitoring | DET-1, DET-2, LE-1, LE-2, SA-3, TEST-1 |
| CA-08 | Penetration Testing | SA-3, TEST-1, TEST-2, TEST-4 |
| CA-09 | Internal System Connections | ID-2, PFMI-20 |
CM Configuration Management
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | GOV-1 |
| CM-02 | Baseline Configuration | ID-4 |
| CM-03 | Configuration Change Control | PROT-6 |
| CM-04 | Monitoring Configuration Changes | PROT-6, TEST-3 |
| CM-05 | Access Restrictions For Change | PROT-6 |
| CM-06 | Configuration Settings | PROT-6 |
| CM-08 | Information System Component Inventory | ID-1, ID-2, ID-4 |
| CM-09 | Configuration Management Plan | PROT-6 |
| CM-12 | Information Location | ID-1, ID-2, ID-4 |
| CM-13 | Data Action Mapping | ID-1, ID-4 |
| CM-14 | Signed Components | PROT-6 |
CP Contingency Planning
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | GOV-1, PFMI-17 |
| CP-02 | Contingency Plan | PFMI-17, RR-2, RR-5 |
| CP-04 | Contingency Plan Testing And Exercises | LE-1, PFMI-17, RR-5, TEST-1, TEST-4, TEST-5 |
| CP-06 | Alternate Storage Site | PFMI-17, RR-2 |
| CP-07 | Alternate Processing Site | PFMI-17, RR-2 |
| CP-08 | Telecommunications Services | PFMI-17, RR-2 |
| CP-09 | Information System Backup | PFMI-17, RR-2, RR-3, TEST-5 |
| CP-10 | Information System Recovery And Reconstitution | PFMI-17, RR-2, RR-3 |
| CP-12 | Safe Mode | PFMI-17, RR-2 |
| CP-13 | Alternative Security Mechanisms | PFMI-17, RR-2 |
IA Identification and Authentication
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | GOV-1, PROT-1 |
| IA-02 | User Identification And Authentication | PROT-1 |
| IA-03 | Device Identification And Authentication | PROT-1 |
| IA-04 | Identifier Management | PROT-1 |
| IA-05 | Authenticator Management | PROT-1 |
| IA-06 | Authenticator Feedback | PROT-1 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | PROT-1 |
| IA-12 | Identity Proofing | PROT-1 |
IR Incident Response
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | GOV-1, PFMI-17, RR-1 |
| IR-02 | Incident Response Training | RR-1 |
| IR-03 | Incident Response Testing And Exercises | RR-1, RR-5, TEST-1, TEST-4 |
| IR-04 | Incident Handling | DET-4, LE-1, PFMI-17, RR-1 |
| IR-05 | Incident Monitoring | LE-1, RR-1 |
| IR-06 | Incident Reporting | LE-1, RR-1, RR-4, SA-2 |
| IR-07 | Incident Response Assistance | RR-1, RR-4 |
| IR-08 | Incident Response Plan | PFMI-17, RR-1, RR-5 |
| IR-09 | Information Spillage Response | RR-1 |
MA Maintenance
MP Media Protection
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| MP-01 | Media Protection Policy And Procedures | GOV-1 |
PE Physical and Environmental Protection
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | GOV-1, PROT-5 |
| PE-02 | Physical Access Authorizations | PROT-5 |
| PE-03 | Physical Access Control | PROT-5 |
| PE-04 | Access Control For Transmission Medium | PROT-5 |
| PE-05 | Access Control For Display Medium | PROT-5 |
| PE-06 | Monitoring Physical Access | PROT-5 |
| PE-08 | Access Records | PROT-5 |
| PE-09 | Power Equipment And Power Cabling | PROT-5 |
| PE-10 | Emergency Shutoff | PROT-5 |
| PE-11 | Emergency Power | PROT-5 |
| PE-12 | Emergency Lighting | PROT-5 |
| PE-13 | Fire Protection | PROT-5 |
| PE-14 | Temperature And Humidity Controls | PROT-5 |
| PE-15 | Water Damage Protection | PROT-5 |
| PE-17 | Alternate Work Site | PROT-5 |
| PE-18 | Location Of Information System Components | PROT-5 |
PL Planning
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | GOV-1, GOV-2, PFMI-2 |
| PL-02 | System Security Plan | GOV-1, PFMI-3 |
| PL-03 | System Security Plan Update | LE-2 |
| PL-04 | Rules Of Behavior | PROT-4 |
| PL-09 | Central Management | GOV-1, GOV-2, PFMI-2, PFMI-3 |
| PL-10 | Baseline Selection | GOV-3, PFMI-3 |
| PL-11 | Baseline Tailoring | GOV-3, PFMI-3 |
PM Program Management
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| PM-01 | Information Security Program Plan | GOV-1, GOV-2, PFMI-2, PFMI-3 |
| PM-02 | Information Security Program Leadership Role | GOV-2, GOV-4, PFMI-2 |
| PM-04 | Plan of Action and Milestones Process | LE-2 |
| PM-09 | Risk Management Strategy | GOV-2, GOV-3, PFMI-2, PFMI-3 |
| PM-11 | Mission and Business Process Definition | ID-1, ID-2 |
| PM-13 | Security and Privacy Workforce | GOV-2, GOV-4 |
| PM-14 | Testing, Training, and Monitoring | GOV-2 |
| PM-15 | Security and Privacy Groups and Associations | GOV-5, LE-3, REG-1, RR-4, SA-1, SA-2 |
| PM-16 | Threat Awareness Program | DET-3, ID-3, LE-3, RR-5, SA-1, SA-2 |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | REG-1 |
| PM-26 | Complaint Management | REG-1 |
PS Personnel Security
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | GOV-1, GOV-4 |
| PS-02 | Position Categorization | GOV-4 |
| PS-03 | Personnel Screening | GOV-4 |
| PS-04 | Personnel Termination | GOV-4 |
| PS-05 | Personnel Transfer | GOV-4 |
| PS-06 | Access Agreements | GOV-4 |
| PS-07 | Third-Party Personnel Security | GOV-4, GOV-5 |
| PS-08 | Personnel Sanctions | GOV-4 |
| PS-09 | Position Descriptions | GOV-4 |
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | GOV-1, GOV-3, ID-3, PFMI-3 |
| RA-02 | Security Categorization | ID-1, ID-3, ID-4 |
| RA-03 | Risk Assessment | GOV-3, ID-3, PFMI-3, RR-5, SA-1 |
| RA-04 | Risk Assessment Update | LE-2 |
| RA-05 | Vulnerability Scanning | DET-3, ID-3, SA-1, SA-3, TEST-1 |
| RA-06 | Technical Surveillance Countermeasures Survey | TEST-2 |
| RA-07 | Risk Response | GOV-3, ID-3, PFMI-3 |
| RA-09 | Criticality Analysis | ID-1, ID-2, RR-2 |
| RA-10 | Threat Hunting | DET-3, ID-3, SA-1 |
SA System and Services Acquisition
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | GOV-1 |
| SA-03 | Life Cycle Support | PROT-6 |
| SA-04 | Acquisitions | PROT-6, PROT-7 |
| SA-05 | Information System Documentation | ID-1 |
| SA-08 | Security Engineering Principles | LE-3, PROT-6 |
| SA-09 | External Information System Services | GOV-5, ID-2, PFMI-20, PROT-7 |
| SA-10 | Developer Configuration Management | PROT-6 |
| SA-11 | Developer Security Testing | PROT-6, SA-3, TEST-1, TEST-3 |
| SA-15 | Development Process, Standards, and Tools | PROT-6 |
| SA-17 | Developer Security and Privacy Architecture and Design | PROT-6 |
| SA-21 | Developer Screening | PROT-7 |
| SA-22 | Unsupported System Components | PROT-7 |
SC System and Communications Protection
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | GOV-1 |
| SC-02 | Application Partitioning | PROT-2 |
| SC-03 | Security Function Isolation | PROT-2 |
| SC-04 | Information Remanence | PROT-3 |
| SC-05 | Denial Of Service Protection | DET-2 |
| SC-07 | Boundary Protection | DET-4, PFMI-20, PROT-2 |
| SC-08 | Transmission Integrity | PROT-3, RR-3 |
| SC-12 | Cryptographic Key Establishment And Management | PROT-3 |
| SC-13 | Use Of Cryptography | PROT-3 |
| SC-16 | Transmission Of Security Parameters | PROT-3 |
| SC-24 | Fail in Known State | PFMI-17, RR-2, RR-3 |
| SC-28 | Protection of Information at Rest | PROT-3 |
| SC-32 | System Partitioning | PROT-2 |
| SC-39 | Process Isolation | PROT-2 |
| SC-46 | Cross Domain Policy Enforcement | PROT-2 |
| SC-47 | Alternate Communications Paths | RR-4 |
SI System and Information Integrity
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | GOV-1 |
| SI-02 | Flaw Remediation | PROT-6, SA-3 |
| SI-03 | Malicious Code Protection | DET-3 |
| SI-04 | Information System Monitoring Tools And Techniques | DET-1, DET-2, DET-3, DET-4 |
| SI-05 | Security Alerts And Advisories | DET-3, ID-3, SA-1, SA-3 |
| SI-06 | Security Functionality Verification | DET-2, DET-4, TEST-3 |
| SI-07 | Software And Information Integrity | PROT-3, PROT-6, RR-3, TEST-5 |
| SI-08 | Spam Protection | DET-3 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | PROT-3, RR-3 |
| SI-12 | Information Output Handling And Retention | PROT-3 |
| SI-16 | Memory Protection | DET-2 |
| SI-19 | De-identification | PROT-3 |
| SI-20 | Tainting | DET-2 |
| SI-21 | Information Refresh | LE-3, SA-1 |
SR Supply Chain Risk Management
| Control | Name | IOSCO Cyber Resilience References |
|---|---|---|
| SR-01 | Policy and Procedures | GOV-1, GOV-5, PROT-7 |
| SR-02 | Supply Chain Risk Management Plan | GOV-5, PROT-7 |
| SR-03 | Supply Chain Controls and Processes | GOV-5, PROT-7 |
| SR-04 | Provenance | PROT-7 |
| SR-05 | Acquisition Strategies, Tools, and Methods | PROT-7 |
| SR-06 | Supplier Assessments and Reviews | GOV-5, PROT-7, TEST-4 |
| SR-07 | Supply Chain Operations Security | PROT-7 |
| SR-08 | Notification Agreements | PROT-7 |
| SR-09 | Tamper Resistance and Detection | PROT-7 |
| SR-10 | Inspection of Systems or Components | PROT-7 |
| SR-11 | Component Authenticity | PROT-7 |
| SR-12 | Component Disposal | PROT-7 |