[
  {
    "category": "documentary",
    "number": 1,
    "point": "Written incident classification policy signed by management (severity matrix mapped to DORA and NIS2 reporting)",
    "priority": "Critical",
    "evidence_required": "PDF document signed by the executive committee + versioned severity/reporting matrix"
  },
  {
    "category": "documentary",
    "number": 2,
    "point": "Documented DORA 4-hour notification procedure, validated by the legal department, updated annually",
    "priority": "Critical",
    "evidence_required": "DORA runbook + legal department sign-off + annual review log"
  },
  {
    "category": "documentary",
    "number": 3,
    "point": "Documented NIS2 24-hour notification procedure, aligned with the national portal of each jurisdiction (MonEspaceNIS2, BSI, ACN)",
    "priority": "Critical",
    "evidence_required": "NIS2 runbook + portal mapping by jurisdiction + user accounts"
  },
  {
    "category": "documentary",
    "number": 4,
    "point": "Signed GDPR DPA with the status page provider, including the list of subcontractors",
    "priority": "High",
    "evidence_required": "Countersigned DPA + up-to-date subcontractors appendix"
  },
  {
    "category": "documentary",
    "number": 5,
    "point": "Up-to-date ICT provider register, compliant with DORA Article 28 paragraph 3",
    "priority": "Critical",
    "evidence_required": "Excel/SaaS register + CIFA field + last review date"
  },
  {
    "category": "documentary",
    "number": 6,
    "point": "Status page provider exit strategy tested annually and documented",
    "priority": "High",
    "evidence_required": "Exit plan + annual test report"
  },
  {
    "category": "documentary",
    "number": 7,
    "point": "Crisis communication plan validated by the executive committee (roles, message templates, channels)",
    "priority": "High",
    "evidence_required": "Document signed by executive committee + RACI + communication templates"
  },
  {
    "category": "technical",
    "number": 8,
    "point": "Status page hosted outside the application infrastructure, with proof of tested independence",
    "priority": "Critical",
    "evidence_required": "Architecture diagram + isolation test result (chaos test)"
  },
  {
    "category": "technical",
    "number": 9,
    "point": "RFC 3339 UTC timestamps everywhere, without exception (interface, API, exports)",
    "priority": "Critical",
    "evidence_required": "Interface screenshot + API payload + JSON/RSS export with UTC timestamps"
  },
  {
    "category": "technical",
    "number": 10,
    "point": "Severity coded on at least 4 levels (operational, degraded, partial outage, major outage)",
    "priority": "High",
    "evidence_required": "Product documentation + status screenshot + internal mapping table"
  },
  {
    "category": "technical",
    "number": 11,
    "point": "Structured export available in JSON, RSS and Atom, supplemented by ICS for maintenance",
    "priority": "High",
    "evidence_required": "Public URLs of feeds + archived payload examples"
  },
  {
    "category": "technical",
    "number": 12,
    "point": "Visible audit trail on each update, identifying the author (at minimum by role)",
    "priority": "Critical",
    "evidence_required": "Interface screenshot + audit log excerpt + role policy"
  },
  {
    "category": "technical",
    "number": 13,
    "point": "Incident updates are versioned; earlier entries are never overwritten retroactively",
    "priority": "Critical",
    "evidence_required": "Incident history demonstration + modification policy"
  },
  {
    "category": "technical",
    "number": 14,
    "point": "Multi-region monitoring in place across at least 4 zones (EU, US, APAC, UK)",
    "priority": "High",
    "evidence_required": "List of probes per region + monthly coverage report"
  },
  {
    "category": "technical",
    "number": 15,
    "point": "Operational cross-channel notifications: email, webhook, RSS, optional SMS",
    "priority": "Medium",
    "evidence_required": "List of active channels + quarterly send test"
  },
  {
    "category": "technical",
    "number": 16,
    "point": "Immutable WORM archiving or signed registry for at least 6 years",
    "priority": "Critical",
    "evidence_required": "Archive strategy + immutability proof (hash, S3 Object Lock, Glacier)"
  },
  {
    "category": "technical",
    "number": 17,
    "point": "Status domain security: DNSSEC enabled, strict HTTPS, HSTS, CAA, and a passed HSTS validation test",
    "priority": "High",
    "evidence_required": "DNSSEC report + HSTS preload screenshot + CAA record + TLS scan"
  },
  {
    "category": "organizational",
    "number": 18,
    "point": "DORA Incident Notifier role designated in writing, with backup (equivalent to CSSF eDesk role)",
    "priority": "Critical",
    "evidence_required": "Appointment letter + backup + org chart excerpt"
  },
  {
    "category": "organizational",
    "number": 19,
    "point": "24/7 on-call for the status page channel, with documented rotation and annual calendar",
    "priority": "Critical",
    "evidence_required": "On-call calendar + paging tool + rotation policy"
  },
  {
    "category": "organizational",
    "number": 20,
    "point": "Quarterly 4-hour tabletop drill, followed by a drill post-mortem",
    "priority": "High",
    "evidence_required": "Drill report + action plan + signed post-mortem"
  },
  {
    "category": "organizational",
    "number": 21,
    "point": "Documented mapping of national authorities by jurisdiction (ACPR / BaFin / ACN / CSSF / Banca d'Italia + NIS2 CSIRT + CNIL and GDPR equivalents)",
    "priority": "High",
    "evidence_required": "Mapping table + official URLs and contacts per country"
  },
  {
    "category": "organizational",
    "number": 22,
    "point": "Delay-to-publish KPI tracked continuously, with target below 15 minutes",
    "priority": "High",
    "evidence_required": "Internal dashboard + monthly report + alert thresholds"
  },
  {
    "category": "organizational",
    "number": 23,
    "point": "Customer communications pre-drafted by scenario, validated by DPO and legal department",
    "priority": "Medium",
    "evidence_required": "Message template library + DPO sign-off + legal sign-off"
  },
  {
    "category": "organizational",
    "number": 24,
    "point": "Annual training of SRE and communication teams on DORA and NIS2 obligations",
    "priority": "High",
    "evidence_required": "Training plan + attendance list + evaluation form"
  },
  {
    "category": "organizational",
    "number": 25,
    "point": "Annual review by executive committee and board on major incidents (DORA Article 17)",
    "priority": "Critical",
    "evidence_required": "Executive committee minutes + board resolution + incident indicators"
  }
]