Article 15
ICT project management
The ICT project management policy referred to in paragraph 1 shall contain all of the following:
ICT project objectives;
ICT project governance, including roles and responsibilities;
ICT project planning, timeframe, and steps;
ICT project risk assessment;
relevant milestones;
change management requirements;
the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment.
In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows:
individually or in aggregation, depending on the importance and size of the ICT projects;
periodically and, where necessary, on an event-driven basis.