ICT resources in the Italian finance industry: the requirements set by Bank of Italy circular 285 (GRC approach and main related standards)

25 Oct 2023 07:30 AM By itSMF Staff

In its Circular 285, Bank of Italy – the Italian central bank and a member of the European System of Central Banks – defined the requirements for ICT resources in the finance industry that apply to the companies subject to its supervision.

Starting from the 42nd update to the original text of Circular 285 released by the Italian central bank, we dig deeper into Title IV «corporate governance, internal controls and risk management» to work out how to achieve compliance with a GRC approach (and the related ISO standards).

Circular 285 by Bank of Italy: focus on Title IV

First of all, these are the most relevant requirements applicable to ICT resources for all finance industry companies under supervision according to Circular 285 (Title IV, Chapter 4):

Circular 285, Chapter 4: «Information systems»

✅ section I – general provisions

✅ section II – governance, organization and controls of the information system

✅ section III – ICT and security risk management

✅ section IV – the management of information security and ICT operations

✅ section IV bis – the management of ICT projects and changes

✅ section V – the data management system

✅ section VI – the outsourcing of the information system and the use of third parties for the provision of ICT services

✅ section VII – specific provisions on the «provision of payment services»

✅ annex A – corporate documents for the management and control of the information system.

In addition to these requirements, our GRC approach also covers Chapter 5 on business continuity.

Circular 285, Chapter 5: «Business continuity»

In this case, we have to consider these requirements set by Bank of Italy:

✅ Annex A - business continuity requirements.

Is it possible to manage compliance with the Circular 285 requirements applicable to ICT resources with a modern approach?

GRC approach (and related ISO standards) for compliance with the Bank of Italy Circular 285 requirements on ICT resources

Our answer is to manage compliance through a GRC approach that brings together (combined management) the requirements applicable to ICT resources:
  • Information security
  • Business continuity
  • IT services.

We can now match each of these requirements to the related ISO standards:

  • ISO 38500, for the Governance;
  • ISO 31000, for the Risk Management;
  • ISO 37301, for the Compliance Management.

We should also remember that a modern GRC approach allows the adoption and, of course, the integration of several reference standards (e.g. ISO standards and NIST standards), as follows:

📘 ISO 27001 «information security standard», ISO 27110 «cybersecurity framework standard» and the NIST standard;

📘 ISO 22301 «business continuity standard»;

📘 ISO 20000-1 «IT services standard».

To better see the «big picture» of what we have just described, here is our usual infographic.

By Andrea Leonardi (VP @ Minerva Group Service, MP @ Alpemi Consulting & itSMF Switzerland board member).

We end our brief overview of the Bank of Italy requirements on ICT resources set by Circular 285 by inviting you to stay tuned to our blog, social media channels and newsletter, to be always updated on the latest news about this topic.

Don't forget to support our effort to bring you the best content quality and sharing value: follow us on our YouTube channel too!
