Joint Standard 1 & 2

Service Description for an Independent Assessment Service of compliance with the FINANCIAL SECTOR REGULATION ACT, 2017 (ACT NO. 9 OF 2017)

Joint Standard 1 of 2023 – IT Governance and Risk Requirements for Financial Institutions

and

Joint Standard 2 of 2024 – Cybersecurity and Cyber Resilience Requirements for Financial Institutions

1 Introduction

The Financial Services Conduct Authority (FSCA) and South African Reserve Bank Prudential Authority have jointly published the Joint Standard 1 of 2023 for Information Technology (IT) Governance and Risk Management Requirements for Financial Institutions and Joint Standard 2 of 2024 – Cybersecurity and cyber resilience.

The Joint Standard 1 (Joint Standard) sets out the principles and minimum requirements for information technology (IT) governance and risk management that financial institutions (as defined in the Joint Standard) must adhere to in order to comply with the Joint Standard. It is the responsibility of the governing body of a financial institution falling under the FSCA to ensure that they meet the requirements set out in this Joint Standard by November 2024 and on an ongoing basis. The Joint Standard sets out the requirements for sound practices and processes relating to cybersecurity and cyber resilience for financial institutions specified in the Joint Standard.

2 Overview of the Service

In order to assist financial institutions in addressing the requirements of the Joint Standard, PTC and associates have developed a compliance assessment service designed to provide education about the Joint Standard 1 & 2 and to assess, at a high level, the extent of compliance of affected organisations with the Joint Standard.

The purpose of the Joint Standard Compliance Assessment Service (JSCAS) is to provide an independent high-level assessment of the extent of compliance with the Joint Standard and to develop an action plan to address any identified compliance gaps. The service is conducted by experienced IT governance and risk management consultants in conjunction with a specially designed JSCAS Tool in partnership with representatives from the organisation being assessed.

3 Scope of the Service

The scope of the high-level assessment service includes the following:

 


4 JSCAS Tools

The JSCAS Tools (one each for JS1 and JS2) are designed to address the areas listed in the scope above and can be tailored to cater for the size and complexity of the organisation. The tools also include rating and effectiveness scales, which enable effective and appropriate reports to be provided. An overview of the JSCAS Tools is available in conjunction with this service description.

5 Deliverables

An Independent Assessment Report will be provided which will include:

6 Consultancy effort and duration of a JSCAS project

The typical consultancy effort required for conducting the assessment service is from 1 to 5 billable days per Standard. The duration is dependent on the size and complexity of the organisation and on the availability of stakeholders and of the information required for responding to the assessment, which is conducted at a high level (accepting evidence provided without detailed review of the evidence), but will typically only take place over 1 to 3 weeks.

A more detailed evaluation which would include validating every piece of evidence of compliance individually is available subject to negotiation.

7 Benefits of the Assessment Service

The benefits of the service and assessment tool include:

8 Costs

The costs for an assessment are based on the following:

9 Next steps

Please contact Dr Peter Tobin (peter@p-t-c.co.za) of PTC or a PTC associate to discuss your specific needs or to receive a formal service proposal. 

 


Document correct as at 1 February 2025