← Frameworks / Financial Regulation

South Africa Joint Standard 2 of 2024 — Cybersecurity and Cyber Resilience

Mandatory cybersecurity and cyber resilience requirements for all South African financial institutions including banks, insurers, market infrastructure, pension funds, and fund managers. Issued jointly by FSCA and Prudential Authority. 21 requirements covering governance, strategy, asset classification, risk assessment, access control, network security, monitoring, incident response, resilience, threat intelligence, testing, MFA, data protection, cryptography, patching, personnel security, third-party management, and regulatory reporting. Effective June 2025.

Clauses: 21

Avg Coverage: 80.9%

Publisher: FSCA / Prudential Authority (SARB) Version: 2024

SA JS2 → SP 800-53 SP 800-53 → SA JS2 Coverage Analysis

Clause	Title	SP 800-53 Controls
JS2-4	Governance of Cybersecurity and Cyber Resilience	PM-01 PM-02 PM-03 PM-09 PM-13 PM-28 PM-29 PS-09 PL-01 PL-04 PL-08 PL-09
JS2-5	Cybersecurity Strategy and Framework	PM-01 PM-04 PM-06 PM-09 PM-10 PM-11 PM-28 PL-01 PL-02 PL-08 PL-09 PL-10 PL-11 RA-01 RA-03
JS2-6.1	Information Asset Classification and Inventory	RA-02 RA-09 CM-08 CM-12 CM-13 AC-16 MP-01 MP-02 PM-05 SC-16
JS2-6.2	Security Risk Assessment	RA-01 RA-02 RA-03 RA-04 RA-05 RA-06 RA-07 RA-09 PM-09 PM-28 CA-02 CA-05
JS2-7.1	Access Control and Identity Management	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-10 AC-11 AC-12 AC-17 AC-19 AC-20 AC-24 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-08 IA-11 IA-12
JS2-7.2	Network and Infrastructure Security	SC-07 SC-05 SC-08 SC-20 SC-21 SC-22 SC-39 SC-41 CM-01 CM-02 CM-03 CM-05 CM-06 CM-07 CM-08 SI-02 SI-03 SI-04 SI-07 SI-16 RA-05
JS2-7.3	Security Monitoring and Detection	SI-04 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-12 CA-07 PM-16 RA-10 SC-26 SC-44 IR-04
JS2-7.4	Incident Response and Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 PM-14
JS2-7.5	Cyber Resilience and Recovery	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13 SC-24 SI-13 SI-17 PM-08 PM-11
JS2-7.6	Threat Intelligence and External Monitoring	PM-15 PM-16 RA-03 RA-10 SI-04 SI-05 CA-07 SC-07
JS2-7.7	Testing and Assurance	CA-02 CA-07 CA-08 CA-09 RA-05 RA-06 PM-14 RA-09 SA-11
JS2-8.1	Multi-Factor Authentication	IA-02 IA-05 IA-06 IA-08 IA-11 AC-07 AC-11 AC-17
JS2-8.2	Data Protection and Loss Prevention	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 SC-08 SC-28 CM-12 AC-04 AC-23 SI-12 PT-01 PT-02 PT-03 PT-04 PT-05 PT-06
JS2-8.3	Cryptographic Controls and Key Management	SC-12 SC-13 SC-08 SC-17 SC-28 SC-40
JS2-8.4	Malware Protection and Endpoint Security	SI-03 SI-04 SI-07 SI-08 SI-16 CM-06 CM-07 CM-11 SC-41 SC-44
JS2-8.5	Patch and Vulnerability Management	SI-02 RA-05 CM-03 CM-04 SA-22 SI-07
JS2-8.6	Personnel Security and Awareness	AT-01 AT-02 AT-03 AT-04 AT-06 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PM-13
JS2-8.7	Third-Party and Outsourcing Security	SA-04 SA-09 SA-21 SA-22 SR-01 SR-02 SR-03 SR-05 SR-06 PM-30 PM-31 PM-32 PS-07
JS2-9	Notifications and Regulatory Reporting	IR-06 CA-01 CA-02 CA-05 CA-07 PM-04 PM-06 PM-10 AU-06 PL-02
JS2-PE	Physical and Environmental Security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18
JS2-SA	Secure Software Development and Application Security	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17 SA-20 CM-14 SI-10 SI-11 SI-15