iZettle AB

a. I suggest that section 4.6.1 ICT project management is erased as it is too high level and the main risks and requirements are already covered elsewhere.
The Guidelines already require institutions to assess risks in major ICT changes (see sections 4.6.3 IT change management, 4.3.1 item 15: identify and assess ICT risks resulting from major change, 4.3.3 item 21: ICT risk assessment to be performed annually or on any major changes).
Section 4.6.1 is to a large extent a repetition of those more specific and concrete requirements.

b. I suggest that item 91 in section 4.7.3, response and recovery plans, is deleted as it is unnecessary.
To require a Plan B with alternative options undermines the requirement to have solid response and recovery plans in the first place.
Item 90 already requires short- and long-term recovery options, which in my opinion covers alternative options.
Lisa Edström