Pillar III (Art. 24-27)

Digital Operational Resilience Testing

Mandates that financial entities establish testing programmes proportionate to their size and risk profile to assess preparedness for ICT disruptions. Includes requirements for basic testing such as vulnerability assessments, as well as advanced threat-led penetration testing (TLPT) for systemically important institutions.

Key Themes

What this pillar covers

1. Testing programme design
2. Vulnerability assessments and scanning
3. Threat-led penetration testing (TLPT)
4. Tester qualification requirements
5. Remediation of findings


Articles in Pillar III

Explore the 4 articles that make up Digital Operational Resilience Testing, from Art. 24-27.


Art. 24: General requirements for the performance of digital operational resilience testing

Requires financial entities to establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of their ICT risk management framework. Testing must be proportionate to the entity's size, business and risk profiles.

Tags: testing, resilience-testing, testing-programme (+1 more). Applies to: Banks, Investment, Insurance (+4 more).

Art. 25: Testing of ICT tools and systems

Details the specific types of testing that financial entities must perform on their ICT tools and systems, including vulnerability assessments, network security assessments, scenario-based testing, and compatibility testing. Requires remediation of identified vulnerabilities and findings.

Tags: vulnerability-assessment, network-security, scenario-testing (+1 more). Applies to: Banks, Investment, Insurance (+4 more).

Art. 26: Advanced testing of ICT tools, systems and processes based on TLPT

Establishes requirements for threat-led penetration testing (TLPT) for systemically important financial entities. TLPT simulates real-world cyber attacks using current threat intelligence to test an entity's detection and response capabilities against sophisticated adversaries. Must be conducted at least every three years.

Tags: TLPT, penetration-testing, threat-intelligence (+2 more). Applies to: Banks, Insurance, CCPs.

Art. 27: Requirements for testers for the carrying out of TLPT

Specifies the qualification, independence and certification requirements for external testers conducting TLPT. Requires testers to demonstrate appropriate expertise, adhere to ethical standards, and maintain independence from the entity being tested. Allows internal testers under certain conditions.

Tags: TLPT-testers, qualification, independence (+2 more). Applies to: Banks, Insurance, CCPs.