B_07.01 — Assessments
Purpose
This template captures risk assessments for ICT services that support critical or important functions. It is required only for functions classified as CI_1 (Critical) or CI_2 (Important) in B_06.01.
Each row records the assessment results for a specific combination of arrangement, function, and service type. Key assessment dimensions include substitutability of the provider, reintegration feasibility, discontinuation impact, availability of alternatives, and recovery objectives (RTO/RPO).
The ICT risk management team performs these assessments periodically (at least annually) and updates this template with the latest findings.
Fields Reference
| Code | Field Name | Type | Req. | Description |
|---|---|---|---|---|
| c0010 | Contractual arrangement reference number* | text | Yes | Reference to the contractual arrangement. Max length: 255 |
| c0020 | Function identifier* | text | Yes | Identifier of the critical or important function. Max length: 255 |
| c0030 | Type of ICT services* | select | Yes | Type of ICT services being assessed (13 allowed values) |
| c0040 | Date of the last audit | date | No | Date of the most recent audit or assessment |
| c0050 | Substitutability of the ICT third-party service provider | select | No | Assessment of how easily the provider can be substituted (3 allowed values) |
| c0060 | Possibility of reintegration of the contracted ICT service | select | No | Assessment of whether the ICT service could be reintegrated in-house (3 allowed values) |
| c0070 | Impact of discontinuing the ICT services | select | No | Assessment of the impact if the service is discontinued (4 allowed values) |
| c0080 | Are there alternative ICT third-party service providers identified? | select | No | Whether alternative providers have been identified (2 allowed values) |
| c0090 | Recovery time objective (RTO) of the ICT service | number | No | Maximum tolerable downtime (in hours) |
| c0100 | Recovery point objective (RPO) of the ICT service | number | No | Maximum tolerable data loss period (in hours) |
Relationships
Validation Rules
- Arrangement reference must exist in B_02.01. The assessed arrangement must be registered in the general contractual arrangements template.
- Function must exist in B_06.01. The function being assessed must be defined in the functions identification template.
- Function must be critical or important. Assessments are only required (and valid) for functions with criticality CI_1 or CI_2.
- RTO and RPO must be positive numbers. Recovery Time Objective and Recovery Point Objective values must be greater than zero and expressed in hours.
- Last audit date must be in the past. The date of the most recent audit or assessment cannot be in the future.
Example
| Field | Value |
|---|---|
| Arrangement Reference | CA-2025-001 |
| Function ID | FN-001 |
| Service Type | IS_1 |
| Last Audit Date | 2025-06-15 |
| Substitutability | SB_2 |
| Reintegration | RE_2 |
| Discontinuation Impact | DI_3 |
| Alternatives Available | Y |
| RTO (hours) | 4 |
| RPO (hours) | 1 |
Common Mistakes
- Forgetting assessments for critical functions. Every function classified as CI_1 or CI_2 in B_06.01 that is supported by an ICT service must have a corresponding assessment. Missing assessments are a significant compliance gap.
- Unrealistic RTO/RPO values. Setting extremely low values (e.g., RTO=0) without actual technical capability to achieve them, or setting excessively high values that do not align with business requirements.
- Stale audit dates. Not updating the last audit date after performing a new assessment. The date should reflect the most recent review.
- Assessing non-critical functions. Creating assessment rows for CI_3 (neither critical nor important) functions, which is unnecessary and may confuse the register structure.
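The validation rules above and the first item under Common Mistakes are both mechanical checks, and a register maintainer will want to run them before submission rather than by eye. The following is an added example in Python; it is not part of this template documentation or of any register tooling. The allowed-value sets are deliberately truncated to the codes that appear in the worked example above (the full lists are the 13, 3, 3, 4 and 2 ITS values noted in the field table and must be substituted in), the B_02.01 and B_06.01 contents are constructed, and the set of "functions supported by an ICT service" is assumed to be derived from the rest of the register.

```python
"""Row-level and register-level checks for B_07.01 assessment rows.

Added example, not part of the template documentation. Code lists and
sample register content are constructed here; replace them with the full
ITS enumerations and the real B_02.01 / B_06.01 contents before use.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CRITICAL_OR_IMPORTANT = {"CI_1", "CI_2"}

# Constructed, truncated code lists: only the codes used in the page's
# worked example are listed. Assumption: the complete sets are the
# 13 / 3 / 3 / 4 / 2 allowed values named in the field table.
ALLOWED = {
    "c0030": {"IS_1"},
    "c0050": {"SB_2"},
    "c0060": {"RE_2"},
    "c0070": {"DI_3"},
    "c0080": {"Y", "N"},
}


@dataclass(frozen=True)
class AssessmentRow:
    c0010: str                      # contractual arrangement reference (B_02.01)
    c0020: str                      # function identifier (B_06.01)
    c0030: str                      # type of ICT services
    c0040: Optional[date] = None    # date of last audit
    c0050: Optional[str] = None     # substitutability of the provider
    c0060: Optional[str] = None     # possibility of reintegration
    c0070: Optional[str] = None     # impact of discontinuing the service
    c0080: Optional[str] = None     # alternative providers identified?
    c0090: Optional[float] = None   # RTO, hours
    c0100: Optional[float] = None   # RPO, hours


def validate_row(row, arrangements, function_criticality, as_of):
    """Return a list of (field code, message) for every rule the row breaks.

    arrangements: reference numbers registered in B_02.01.
    function_criticality: function id -> CI_1 / CI_2 / CI_3, from B_06.01.
    as_of: the reporting date used for the "audit date in the past" rule.
    """
    errors = []
    for code, value in (("c0010", row.c0010), ("c0020", row.c0020)):
        if not value or len(value) > 255:
            errors.append((code, "required, max length 255"))
    if row.c0010 not in arrangements:
        errors.append(("c0010", f"{row.c0010} is not registered in B_02.01"))
    crit = function_criticality.get(row.c0020)
    if crit is None:
        errors.append(("c0020", f"{row.c0020} is not defined in B_06.01"))
    elif crit not in CRITICAL_OR_IMPORTANT:
        errors.append(("c0020", f"{row.c0020} is {crit}; only CI_1/CI_2 are assessed"))
    for code, allowed in ALLOWED.items():
        value = getattr(row, code)
        if value is not None and value not in allowed:
            errors.append((code, f"{value!r} is not an allowed value"))
    for code in ("c0090", "c0100"):
        value = getattr(row, code)
        if value is not None and not value > 0:   # also rejects NaN
            errors.append((code, f"{value} must be greater than zero (hours)"))
    if row.c0040 is not None and row.c0040 > as_of:
        errors.append(("c0040", f"{row.c0040} is after the reporting date {as_of}"))
    return errors


def missing_assessments(function_criticality, ict_supported_functions, rows):
    """Functions that need a B_07.01 row but have none.

    Assumption: ict_supported_functions is the set of function identifiers
    that the rest of the register links to at least one ICT service.
    """
    required = {f for f, c in function_criticality.items()
                if c in CRITICAL_OR_IMPORTANT and f in ict_supported_functions}
    return sorted(required - {r.c0020 for r in rows})


# Constructed sample register content.
ARRANGEMENTS = {"CA-2025-001", "CA-2025-002"}
FUNCTIONS = {"FN-001": "CI_1", "FN-002": "CI_2", "FN-003": "CI_3"}
ICT_SUPPORTED = {"FN-001", "FN-002", "FN-003"}
AS_OF = date(2025, 9, 30)

# The row from the Example section above: expected to pass every rule.
EXAMPLE_ROW = AssessmentRow("CA-2025-001", "FN-001", "IS_1", date(2025, 6, 15),
                            "SB_2", "RE_2", "DI_3", "Y", 4, 1)
# A constructed row that breaks the referential, criticality, code-list,
# RTO/RPO and audit-date rules at once.
BAD_ROW = AssessmentRow("CA-2025-009", "FN-003", "IS_99", date(2026, 1, 1),
                        c0080="Y", c0090=0, c0100=-1)


def run_checks():
    rows = [EXAMPLE_ROW, BAD_ROW]
    return {
        "example_errors": validate_row(EXAMPLE_ROW, ARRANGEMENTS, FUNCTIONS, AS_OF),
        "bad_errors": validate_row(BAD_ROW, ARRANGEMENTS, FUNCTIONS, AS_OF),
        "missing": missing_assessments(FUNCTIONS, ICT_SUPPORTED, rows),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Run as a script it reports no errors for the example row, one error per broken rule for the constructed bad row, and `FN-002` as a CI_2 function that is supported by an ICT service but has no assessment row. Passing `as_of` explicitly rather than reading `date.today()` keeps the audit-date check reproducible against a fixed reporting date.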