Evidence pack

Check items that are available or ready to be produced.

| Domain | Check item | Evidence pack to build |
| --- | --- | --- |
| ICT governance | An owner for digital resilience or ICT governance is identified. | Appointment, RACI matrix or steering committee record. |
| ICT governance | ICT risks are regularly reviewed by management. | Dashboard, risk register or executive reporting. |
| ICT governance | Security, continuity and incident management policies are documented. | Approved, versioned and accessible policies. |
| ICT governance | Critical IT decisions are recorded and justified. | Minutes, budget decisions, supplier decisions. |
| ICT risk management | Critical assets, applications and services are inventoried. | Light CMDB, application register or service map. |
| ICT risk management | ICT risks are assessed according to business impact and likelihood. | Risk matrix, scoring and risk owner. |
| ICT risk management | Backups and restores are tested periodically. | Test report, RTO/RPO and restore evidence. |
| ICT risk management | Vulnerabilities and patches are managed with business priority. | Scan results, patching plan, documented exceptions. |
| Incidents and escalation | An ICT incident procedure exists and is known by key teams. | Procedure, roles, contacts and severity levels. |
| Incidents and escalation | Significant incidents are logged and analysed. | Incident register, timeline, root causes and corrective actions. |
| Incidents and escalation | Escalation thresholds to clients, management or authorities are defined. | Decision tree, responsibilities and communication templates. |
| Incidents and escalation | A lessons-learned review is conducted after major incidents. | Post-mortem, actions, owner and deadline. |
| Continuity and resilience | Critical processes have defined recovery objectives. | RTO/RPO by service and business validation. |
| Continuity and resilience | A continuity or recovery plan exists for essential services. | BCP/DRP, runbook, contacts and failover procedures. |
| Continuity and resilience | Crisis exercises or recovery tests are performed. | Report, scenario, results and improvements. |
| Continuity and resilience | Cloud, network and supplier dependencies are included in scenarios. | Dependency map and fallback options. |
| ICT suppliers and contracts | Critical ICT suppliers are identified and classified. | Supplier register, criticality and services provided. |
| ICT suppliers and contracts | Contracts cover SLA, security, incident, audit and exit provisions. | Contract clauses, security annexes and exit plan. |
| ICT suppliers and contracts | Subcontractors and chain dependencies are known. | Supplier declaration, location and subcontracting chain. |
| ICT suppliers and contracts | Supplier performance and risks are reviewed periodically. | Supplier committee, KPIs and action plans. |
| Evidence and 90-day roadmap | Key documents can be provided quickly to a regulated client. | Evidence pack: policies, registers, tests and contracts. |
| Evidence and 90-day roadmap | Gaps are prioritised in a 30/60/90-day roadmap. | Action plan, owner, budget and deadline. |
| Evidence and 90-day roadmap | Teams can answer a client DORA questionnaire. | Standard answers, associated evidence and internal validation. |
| Evidence and 90-day roadmap | The exact applicable DORA scope is clarified with legal or compliance advice. | Scoping note, limits and responsibilities. |