Joint Standard 1 & 2
Service Description for an Independent Assessment Service of compliance with the
FINANCIAL SECTOR REGULATION ACT, 2017 (ACT NO. 9 OF 2017)
Joint Standard 1 of 2023 – IT Governance and Risk Requirements
for Financial Institutions
and
Joint Standard 2 of 2024 – Cybersecurity and Cyber Resilience
Requirements for Financial Institutions
1 Introduction
The Financial Services Conduct Authority (FSCA) and the Prudential Authority of the South African Reserve Bank have jointly published Joint Standard 1 of 2023 – Information Technology (IT) Governance and Risk Management Requirements for Financial Institutions and Joint Standard 2 of 2024 – Cybersecurity and Cyber Resilience Requirements for Financial Institutions.
Joint Standard 1 (the Joint Standard) sets out the principles and minimum requirements for information technology (IT) governance and risk management that financial institutions (as defined in the Joint Standard) must adhere to. It is the responsibility of the governing body of a financial institution falling under the FSCA to ensure that the institution meets the requirements set out in this Joint Standard by November 2024 and on an ongoing basis. Joint Standard 2 sets out the requirements for sound practices and processes relating to cybersecurity and cyber resilience for the financial institutions specified in that Joint Standard.
2 Overview of the Service
In order to assist financial institutions in addressing the requirements of the Joint Standard, PTC and associates have developed a compliance assessment service designed to provide education about Joint Standards 1 & 2 and to assess, at a high level, the extent to which affected organisations comply with the Joint Standard.
The purpose of the Joint Standard Compliance Assessment Service (JSCAS) is to provide an independent high-level assessment of the extent of compliance with the Joint Standard and to develop an action plan to address any identified compliance gaps. The service is conducted by experienced IT governance and risk management consultants in conjunction with a specially designed JSCAS Tool in partnership with representatives from the organisation being assessed.
3 Scope of the Service
The scope of the high-level assessment service includes the following:
· Establishing a project charter including identification of appropriate stakeholders and key milestones
· Development of a project plan
· Execution of the high-level assessment based on the project plan and the requirements of Joint Standards 1 & 2
· Optional one-hour executive briefing, or half-day or full-day workshop, on the contents of the Joint Standard for affected stakeholders.
4 JSCAS Tools
The JSCAS Tools (one each for JS1 and JS2) are designed to address the areas listed in the scope above and can be tailored to cater for the size and complexity of the organisation. The tool also includes rating and effectiveness scales which enable effective and appropriate reports to be provided. An overview of the JSCAS Tools is available in conjunction with this service description.
5 Deliverables
An Independent Assessment Report will be provided which will include:
· An independent and objective review of the current state of compliance with the Joint Standard;
· A list of observations and findings;
· Recommendations for addressing any compliance gaps identified during the assessment.
6 Consultancy effort and duration of a JSCAS project
The typical consultancy effort required for conducting the assessment service is from 1 to 5 billable days per Standard. The duration depends on the size and complexity of the organisation and on the availability of stakeholders and of the information required to respond to the assessment. Because the assessment is conducted at a high level (accepting evidence provided without detailed review of that evidence), it will typically take place over only 1 to 3 weeks.
A more detailed evaluation which would include validating every piece of evidence of compliance individually is available subject to negotiation.
7 Benefits of the Assessment Service
The benefits of the service and assessment tool include:
· The incorporation of subject matter knowledge relating to IT governance and risk management as covered in the Joint Standard 1 & 2 into a concise, purpose-built assessment service which enables organisations to identify their current status of alignment in a much shorter time than it would take using a non-integrated approach;
· A cost-effective approach to identifying shortfalls against the Joint Standard, thereby enabling financial institutions to implement measures for complying with JS1 by the required date of November 2024 and with JS2 by June 2025.
8 Costs
The costs for an assessment are based on the following:
· Consultancy fees based on the size and complexity of the organisation, from under 1 day to 5 days of billable services delivered;
· Optional Licence Fee for use of the Joint Standard 1 Compliance Assessment Tool on an ongoing basis.
9 Next steps
Please contact Dr Peter Tobin (peter@p-t-c.co.za) of PTC or a PTC associate to discuss your specific needs or to receive a formal service proposal.
DOCUMENT ENDS
Document correct as at 1 February 2025