Identification

Article 8 establishes the foundational identification requirements that underpin the entire ICT risk management framework. The premise is straightforward: you cannot protect what you do not know you have. Financial entities must identify, classify, and document all ICT-related assets, functions, and dependencies.

The asset identification scope is deliberately broad. It covers not just hardware and software but also information assets, network configurations, data flows, and the business functions they support. Entities must maintain a living inventory that captures assets across all locations, including remote sites, cloud environments, and outsourced infrastructure.

Dependency mapping is a critical requirement. Financial entities must understand how their ICT assets interconnect — which applications depend on which databases, which networks carry which data flows, and how third-party services integrate with internal systems. This mapping must include both technical dependencies and business dependencies, creating a holistic view of the entity's ICT topology.

Classification must address both criticality (how important the asset is to business operations) and sensitivity (the classification of data it processes or stores). This dual classification drives the application of proportionate protection measures. Critical assets supporting important business functions receive enhanced monitoring, more frequent testing, and stricter change management controls.