
Solvency II Directive (2009/138/EC) — ICT and Security Risk

EU prudential regulation for insurance and reinsurance undertakings. Its Pillar 2 system-of-governance provisions (Articles 41 to 49 of the Directive: general governance, fit and proper requirements, risk management, ORSA, internal control, internal audit and outsourcing) cover ICT risk, operational resilience, outsourcing controls and key function holder accountability. They are supplemented by the EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600), which address information security policy, logical security, cryptography, operations security, security monitoring, business continuity and third-party ICT risk management.

The tables below map NIST SP 800-53 control identifiers (left column) to Solvency II references. Reference keys as used on this page: Art.n is an article of Directive 2009/138/EC; DR.n is read here as an article of the Delegated Regulation (EU) 2015/35, with suffixes such as -DataSec and -BCP marking a topical sub-reference within that article; EIOPA-ICT-4.n is a section of EIOPA-BoS-20/600; EIOPA-Cloud-GLn is a numbered guideline of the EIOPA Guidelines on outsourcing to cloud service providers; Pillar3-Reporting denotes the Pillar 3 supervisory reporting and public disclosure requirements. A mapped reference indicates thematic coverage of the control's objective, not that the control's wording appears in the regulation; each mapping still needs to be validated against the undertaking's own written policies under Art.41(3).

AC Access Control

Control | Name | Solvency II References
AC-01 | Access Control Policies and Procedures | Art.41(1), Art.41(3), DR.258, DR.266, EIOPA-ICT-4.4
AC-02 | Account Management | EIOPA-ICT-4.4
AC-03 | Access Enforcement | DR.266-DataSec, EIOPA-ICT-4.4
AC-04 | Information Flow Enforcement | Art.49(3), DR.266-DataSec, EIOPA-Cloud-GL9, EIOPA-ICT-4.6
AC-05 | Separation Of Duties | EIOPA-ICT-4.4
AC-06 | Least Privilege | EIOPA-ICT-4.4
AC-07 | Unsuccessful Login Attempts | EIOPA-ICT-4.4
AC-11 | Session Lock | EIOPA-ICT-4.4
AC-12 | Session Termination | EIOPA-ICT-4.4
AC-16 | Automated Labeling | DR.266-DataSec, EIOPA-ICT-4.3
AC-17 | Remote Access | EIOPA-ICT-4.4, EIOPA-ICT-4.6
AC-18 | Wireless Access Restrictions | EIOPA-ICT-4.6
AC-19 | Access Control For Portable And Mobile Devices | EIOPA-ICT-4.6
AC-20 | Use Of External Information Systems | Art.49(1), DR.272, EIOPA-Cloud-GL3

AT Awareness and Training

Control | Name | Solvency II References
AT-01 | Security Awareness And Training Policy And Procedures | Art.41(3), DR.258, DR.266
AT-02 | Security Awareness | DR.266
AT-03 | Security Training | DR.266

AU Audit and Accountability

Control | Name | Solvency II References
AU-01 | Audit And Accountability Policy And Procedures | Art.41(3), Art.46
AU-02 | Auditable Events | Pillar3-Reporting
AU-03 | Content Of Audit Records | Pillar3-Reporting
AU-06 | Audit Monitoring, Analysis, And Reporting | Art.46, EIOPA-ICT-4.9
AU-09 | Protection Of Audit Information | Pillar3-Reporting
AU-10 | Non-Repudiation | Pillar3-Reporting
AU-11 | Audit Record Retention | Pillar3-Reporting

CA Security Assessment and Authorization

Control | Name | Solvency II References
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | Art.41(1), Art.41(3), DR.258, DR.266
CA-02 | Security Assessments | Art.45, Art.46, Art.47, DR.266, EIOPA-Cloud-GL7, EIOPA-ICT-4.2
CA-03 | Information System Connections | EIOPA-ICT-4.6
CA-05 | Plan Of Action And Milestones | Art.45, Art.46, Art.47
CA-07 | Continuous Monitoring | Art.45, Art.46, Art.47, EIOPA-ICT-4.2

CM Configuration Management

Control | Name | Solvency II References
CM-01 | Configuration Management Policy And Procedures | Art.41(3), DR.266
CM-02 | Baseline Configuration | DR.266, EIOPA-ICT-4.8
CM-03 | Configuration Change Control | EIOPA-ICT-4.11, EIOPA-ICT-4.8
CM-04 | Monitoring Configuration Changes | EIOPA-ICT-4.11, EIOPA-ICT-4.8
CM-05 | Access Restrictions For Change | EIOPA-ICT-4.11, EIOPA-ICT-4.8
CM-06 | Configuration Settings | DR.266, EIOPA-ICT-4.8
CM-07 | Least Functionality | EIOPA-ICT-4.8
CM-08 | Information System Component Inventory | DR.266-DataSec, EIOPA-ICT-4.3
CM-12 | Information Location | DR.266-DataSec, EIOPA-Cloud-GL9, EIOPA-ICT-4.3
CM-13 | Data Action Mapping | EIOPA-ICT-4.3
CM-14 | Signed Components | EIOPA-ICT-4.11, EIOPA-ICT-4.8

CP Contingency Planning

Control | Name | Solvency II References
CP-01 | Contingency Planning Policy And Procedures | Art.41(3), DR.266, DR.266-BCP, EIOPA-ICT-4.10
CP-02 | Contingency Plan | DR.266, DR.266-BCP, DR.274, EIOPA-Cloud-GL11, EIOPA-ICT-4.10
CP-03 | Contingency Training | DR.266-BCP, EIOPA-ICT-4.10
CP-04 | Contingency Plan Testing And Exercises | DR.266-BCP, DR.274, EIOPA-ICT-4.10
CP-06 | Alternate Storage Site | DR.266-BCP, EIOPA-ICT-4.10
CP-07 | Alternate Processing Site | DR.266-BCP, EIOPA-ICT-4.10
CP-08 | Telecommunications Services | DR.266-BCP, EIOPA-ICT-4.10
CP-09 | Information System Backup | DR.266-BCP, EIOPA-ICT-4.10
CP-10 | Information System Recovery And Reconstitution | DR.266-BCP, EIOPA-ICT-4.10
CP-12 | Safe Mode | DR.266-BCP, EIOPA-ICT-4.10
CP-13 | Alternative Security Mechanisms | DR.266-BCP, EIOPA-ICT-4.10

IA Identification and Authentication

Control | Name | Solvency II References
IA-01 | Identification And Authentication Policy And Procedures | Art.41(3), DR.266, EIOPA-ICT-4.4
IA-02 | User Identification And Authentication | EIOPA-ICT-4.4
IA-04 | Identifier Management | EIOPA-ICT-4.4
IA-05 | Authenticator Management | EIOPA-ICT-4.4
IA-07 | Cryptographic Module Authentication | EIOPA-ICT-4.7
IA-08 | Identification and Authentication (Non-Organizational Users) | EIOPA-ICT-4.4
IA-12 | Identity Proofing | EIOPA-ICT-4.4

IR Incident Response

Control | Name | Solvency II References
IR-01 | Incident Response Policy And Procedures | Art.41(3), DR.266, EIOPA-ICT-4.9
IR-02 | Incident Response Training | EIOPA-ICT-4.9
IR-03 | Incident Response Testing And Exercises | EIOPA-ICT-4.9
IR-04 | Incident Handling | DR.266, EIOPA-ICT-4.9
IR-05 | Incident Monitoring | EIOPA-ICT-4.9
IR-06 | Incident Reporting | EIOPA-ICT-4.9
IR-07 | Incident Response Assistance | EIOPA-ICT-4.9
IR-08 | Incident Response Plan | EIOPA-ICT-4.9
IR-09 | Information Spillage Response | EIOPA-ICT-4.9

MA Maintenance

Control | Name | Solvency II References
MA-01 | System Maintenance Policy And Procedures | Art.41(3), EIOPA-ICT-4.8
MA-02 | Controlled Maintenance | EIOPA-ICT-4.8
MA-03 | Maintenance Tools | EIOPA-ICT-4.8
MA-06 | Timely Maintenance | EIOPA-ICT-4.8

MP Media Protection

Control | Name | Solvency II References
MP-01 | Media Protection Policy And Procedures | Art.41(3), DR.266-DataSec
MP-02 | Media Access | DR.266-DataSec
MP-03 | Media Labeling | DR.266-DataSec
MP-04 | Media Storage | DR.266-DataSec
MP-06 | Media Sanitization And Disposal | DR.266-DataSec

PE Physical and Environmental Protection

Control | Name | Solvency II References
PE-01 | Physical And Environmental Protection Policy And Procedures | Art.41(3), EIOPA-ICT-4.5
PE-02 | Physical Access Authorizations | EIOPA-ICT-4.5
PE-03 | Physical Access Control | EIOPA-ICT-4.5
PE-04 | Access Control For Transmission Medium | EIOPA-ICT-4.5
PE-05 | Access Control For Display Medium | EIOPA-ICT-4.5
PE-06 | Monitoring Physical Access | EIOPA-ICT-4.5
PE-08 | Access Records | EIOPA-ICT-4.5
PE-09 | Power Equipment And Power Cabling | EIOPA-ICT-4.5
PE-10 | Emergency Shutoff | EIOPA-ICT-4.5
PE-11 | Emergency Power | EIOPA-ICT-4.5
PE-12 | Emergency Lighting | EIOPA-ICT-4.5
PE-13 | Fire Protection | EIOPA-ICT-4.5
PE-14 | Temperature And Humidity Controls | EIOPA-ICT-4.5
PE-15 | Water Damage Protection | EIOPA-ICT-4.5
PE-17 | Alternate Work Site | EIOPA-ICT-4.5
PE-18 | Location Of Information System Components | EIOPA-ICT-4.5

PL Planning

Control | Name | Solvency II References
PL-01 | Security Planning Policy And Procedures | Art.41(1), Art.41(3), DR.258, EIOPA-ICT-4.1
PL-02 | System Security Plan | EIOPA-ICT-4.1
PL-09 | Central Management | Art.41(1), Art.44(1), DR.258, EIOPA-ICT-4.1, EIOPA-ICT-4.2
PL-10 | Baseline Selection | Art.44(1), EIOPA-ICT-4.2
PL-11 | Baseline Tailoring | Art.44(1), EIOPA-ICT-4.2

PM Program Management

Control | Name | Solvency II References
PM-01 | Information Security Program Plan | Art.41(1), Art.44(1), DR.258, DR.260, DR.266, EIOPA-ICT-4.1, EIOPA-ICT-4.2
PM-02 | Information Security Program Leadership Role | Art.41(1), DR.258, DR.260, EIOPA-ICT-4.1
PM-03 | Information Security and Privacy Resources | EIOPA-ICT-4.1
PM-04 | Plan of Action and Milestones Process | Art.46
PM-06 | Measures of Performance | Art.46, Art.47
PM-08 | Critical Infrastructure Plan | Art.44(2), DR.266
PM-09 | Risk Management Strategy | Art.44(2), Art.45, DR.260, DR.266, DR.267, EIOPA-ICT-4.2
PM-11 | Mission and Business Process Definition | Art.44(2), DR.266
PM-14 | Testing, Training, and Monitoring | Art.46, Art.47
PM-28 | Risk Framing | Art.44(1), Art.44(2), Art.45, DR.260, EIOPA-ICT-4.2
PM-29 | Risk Management Program Leadership Roles | Art.41(1), Art.44(1), DR.258, DR.260, EIOPA-ICT-4.1

PS Personnel Security

Control | Name | Solvency II References
PS-01 | Personnel Security Policy And Procedures | Art.41(3), Art.42, DR.258
PS-02 | Position Categorization | Art.42
PS-03 | Personnel Screening | Art.42
PS-06 | Access Agreements | Art.42
PS-07 | Third-Party Personnel Security | Art.49(1), DR.272
PS-09 | Position Descriptions | Art.42, DR.258

PT Personally Identifiable Information Processing and Transparency

Control | Name | Solvency II References
PT-01 | Policy and Procedures | Art.49(3), EIOPA-Cloud-GL9
PT-02 | Authority to Process Personally Identifiable Information | Art.49(3), EIOPA-Cloud-GL9
PT-03 | Personally Identifiable Information Processing Purposes | Art.49(3)
PT-04 | Consent | Art.49(3), EIOPA-Cloud-GL9

RA Risk Assessment

Control | Name | Solvency II References
RA-01 | Risk Assessment Policy And Procedures | Art.41(3), Art.44(1), Art.44(2), DR.260, DR.266, EIOPA-ICT-4.2
RA-02 | Security Categorization | Art.44(2), DR.266-DataSec, EIOPA-ICT-4.3
RA-03 | Risk Assessment | Art.44(1), Art.44(2), Art.45, DR.260, DR.266, DR.267, EIOPA-Cloud-GL3, EIOPA-ICT-4.2
RA-05 | Vulnerability Scanning | DR.266
RA-07 | Risk Response | Art.44(1), Art.44(2), Art.45, DR.260, EIOPA-ICT-4.2
RA-09 | Criticality Analysis | Art.44(1), Art.45, Art.49(2), EIOPA-Cloud-GL3, EIOPA-ICT-4.2, EIOPA-ICT-4.3

SA System and Services Acquisition

Control | Name | Solvency II References
SA-01 | System And Services Acquisition Policy And Procedures | Art.41(3), DR.266
SA-02 | Allocation Of Resources | EIOPA-ICT-4.1
SA-03 | Life Cycle Support | EIOPA-ICT-4.11
SA-04 | Acquisitions | Art.49(1), Art.49(2), DR.272, EIOPA-Cloud-GL3
SA-05 | Information System Documentation | EIOPA-ICT-4.3
SA-08 | Security Engineering Principles | EIOPA-ICT-4.11
SA-09 | External Information System Services | Art.49(1), Art.49(2), Art.49(3), DR.272, DR.274, EIOPA-Cloud-GL11, EIOPA-Cloud-GL3
SA-10 | Developer Configuration Management | EIOPA-ICT-4.11
SA-11 | Developer Security Testing | EIOPA-ICT-4.11
SA-15 | Development Process, Standards, and Tools | EIOPA-ICT-4.11
SA-17 | Developer Security and Privacy Architecture and Design | EIOPA-ICT-4.11
SA-21 | Developer Screening | Art.49(1)

SC System and Communications Protection

Control | Name | Solvency II References
SC-01 | System And Communications Protection Policy And Procedures | Art.41(3), DR.266
SC-02 | Application Partitioning | EIOPA-ICT-4.6
SC-03 | Security Function Isolation | EIOPA-ICT-4.6
SC-05 | Denial Of Service Protection | EIOPA-ICT-4.6
SC-07 | Boundary Protection | EIOPA-ICT-4.6
SC-08 | Transmission Integrity | Art.49(3), DR.266-DataSec, EIOPA-Cloud-GL9, EIOPA-ICT-4.6, EIOPA-ICT-4.7
SC-12 | Cryptographic Key Establishment And Management | DR.266-DataSec, EIOPA-ICT-4.7
SC-13 | Use Of Cryptography | DR.266-DataSec, EIOPA-ICT-4.7
SC-17 | Public Key Infrastructure Certificates | EIOPA-ICT-4.7
SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | EIOPA-ICT-4.6
SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | EIOPA-ICT-4.6
SC-22 | Architecture And Provisioning For Name / Address Resolution Service | EIOPA-ICT-4.6
SC-24 | Fail in Known State | EIOPA-ICT-4.10
SC-28 | Protection of Information at Rest | Art.49(3), DR.266-DataSec, EIOPA-Cloud-GL9, EIOPA-ICT-4.7
SC-46 | Cross Domain Policy Enforcement | EIOPA-ICT-4.6
SC-47 | Alternate Communications Paths | EIOPA-ICT-4.6

SI System and Information Integrity

Control | Name | Solvency II References
SI-01 | System And Information Integrity Policy And Procedures | Art.41(3), DR.266
SI-02 | Flaw Remediation | DR.266, EIOPA-ICT-4.8
SI-04 | Information System Monitoring Tools And Techniques | EIOPA-ICT-4.9
SI-05 | Security Alerts And Advisories | EIOPA-ICT-4.9
SI-07 | Software And Information Integrity | EIOPA-ICT-4.8, Pillar3-Reporting
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | Pillar3-Reporting
SI-12 | Information Output Handling And Retention | Art.49(3), DR.266-DataSec, EIOPA-Cloud-GL9, Pillar3-Reporting
SI-13 | Predictable Failure Prevention | EIOPA-ICT-4.8

SR Supply Chain Risk Management

Control | Name | Solvency II References
SR-01 | Policy and Procedures | Art.41(3), Art.49(1), Art.49(2), DR.272, DR.274, EIOPA-Cloud-GL11
SR-02 | Supply Chain Risk Management Plan | Art.49(1), Art.49(2), DR.272, EIOPA-Cloud-GL3
SR-03 | Supply Chain Controls and Processes | Art.49(1), Art.49(2), DR.272, EIOPA-Cloud-GL3
SR-04 | Provenance | DR.272, EIOPA-Cloud-GL3
SR-05 | Acquisition Strategies, Tools, and Methods | Art.49(1), DR.272, EIOPA-Cloud-GL3
SR-06 | Supplier Assessments and Reviews | Art.49(1), Art.49(2), DR.272, EIOPA-Cloud-GL3, EIOPA-Cloud-GL7
SR-07 | Supply Chain Operations Security | DR.272
SR-08 | Notification Agreements | DR.272
SR-10 | Inspection of Systems or Components | Art.49(2), DR.272, EIOPA-Cloud-GL7
SR-11 | Component Authenticity | DR.272
SR-12 | Component Disposal | DR.274, EIOPA-Cloud-GL11