Article 5
ICT asset management procedure
1.
Financial entities shall develop, document, and implement a procedure for the management of ICT assets.
2.
The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account:
(a)
the ICT risk related to those business functions and their dependencies on the information assets or ICT assets;
(b)
how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities.