DORA-Art8-P1

ICT Risk Assessment Report COMMON

Periodic risk assessment report identifying ICT risk sources, threat landscape, vulnerability analysis, and risk exposure levels as required by DORA Article 8.

Formats

PDF

Evidence Class

ict-risk-assessment

Availability

COMMON

Update Frequency

annual

Typical Author

Risk Manager

Approval Chain

Risk Manager → CISO → CRO

Content Sections

• Executive Summary
• Scope and Methodology
• Threat Landscape
• Vulnerability Analysis
• Risk Exposure Assessment
• Risk Heat Map
• Recommended Mitigations
• Appendices

Expected Fields

• assessment_id
• assessment_date
• scope
• methodology
• risk_count_by_severity
• top_risks
• next_assessment_date

Common Quality Issues

• Risk assessment scope excludes third-party dependencies
• Qualitative-only assessment without quantitative risk scoring
• Threat landscape section based on generic industry data rather than institution-specific intelligence
• Missing linkage between identified risks and existing controls

ICT Dependency Mapping Document PARTIAL

XML-structured mapping of dependencies between ICT systems, business functions, and third-party services, identifying critical paths and single points of failure.

Formats

XML JSON

Evidence Class

ict-dependency-mapping

Availability

PARTIAL

Update Frequency

quarterly

Typical Author

Enterprise Architect

Approval Chain

Enterprise Architect → CIO

Content Sections

• System Dependencies
• Business Function Mappings
• Third-Party Dependencies
• Critical Path Analysis

Expected Fields

• mapping_version
• last_updated
• systems
• dependencies
• critical_paths
• single_points_of_failure

Common Quality Issues

• Dependency mapping incomplete for recently deployed systems
• Missing third-party service dependencies
• No automated discovery — relies on manual documentation
• Critical path analysis not updated after infrastructure changes

ict_risk_assessment_status

Schema ID

fs-ict-risk-assessment

Control

DORA-Art8-P1

Valid Ranges

assessment_date

within last 12 months

next_assessment_date

within 12 months of assessment_date

Related Schemas

• fs-ict-dependency-mapping

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "high_risks_count": {
      "minimum": 0,
      "type": "integer"
    },
    "includes_third_party_risks": {
      "type": "boolean"
    },
    "low_risks_count": {
      "minimum": 0,
      "type": "integer"
    },
    "medium_risks_count": {
      "minimum": 0,
      "type": "integer"
    },
    "methodology": {
      "minLength": 1,
      "type": "string"
    },
    "next_assessment_date": {
      "format": "date",
      "type": "string"
    },
    "scope_complete": {
      "type": "boolean"
    },
    "total_risks_identified": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "assessment_date",
    "scope_complete",
    "methodology",
    "total_risks_identified",
    "high_risks_count"
  ],
  "type": "object"
}

ict_dependency_mapping_status

Schema ID

fs-ict-dependency-mapping

Control

DORA-Art8-P1

Valid Ranges

mapping_date

within last 6 months

systems_mapped

should cover all critical and important ICT systems

Related Schemas

• fs-ict-asset-inventory
• fs-ict-risk-assessment

JSON Schema

{
  "properties": {
    "dependencies_documented": {
      "minimum": 0,
      "type": "integer"
    },
    "has_critical_path_analysis": {
      "type": "boolean"
    },
    "mapping_date": {
      "format": "date",
      "type": "string"
    },
    "single_points_of_failure_identified": {
      "minimum": 0,
      "type": "integer"
    },
    "systems_mapped": {
      "minimum": 0,
      "type": "integer"
    },
    "third_party_dependencies_mapped": {
      "type": "boolean"
    }
  },
  "required": [
    "mapping_date",
    "systems_mapped",
    "has_critical_path_analysis",
    "single_points_of_failure_identified"
  ],
  "type": "object"
}