HKMA Cyber Resilience Assessment Framework (C-RAF)
HKMA Cyber Resilience Assessment Framework (C-RAF) is the Hong Kong Monetary Authority (HKMA) mandatory cybersecurity assessment and supervisory framework for all Authorised Institutions (AIs) in Hong Kong, and part of the broader HKMA Cybersecurity Fortification Initiative (CFI) launched in 2016.

Key history:
- (a) CFI announced May 2016.
- (b) C-RAF v1.0 issued December 2016.
- (c) C-RAF v2.0 issued 6 May 2020 (Circular 20200506e1a1): a major revision incorporating lessons learned, international best practice and the iCAST framework.
- (d) Ongoing 2024-2025 enhancements, supervisory communications and threat-landscape evolution.

CFI 3 pillars:
1. Cyber Resilience Assessment Framework (C-RAF): tiered, risk-based self-assessment of cybersecurity maturity against the inherent risk profile; mandatory for all AIs (~150+ banks, RLBs and DTCs); 7 domains; produces a Cyber Maturity Profile, a Target Maturity Level and a remediation roadmap.
2. Professional Development Programme (PDP): industry workforce capability building, Certified Cyber Security Officer (CCSO) and Cyber Risk Management certifications, and ongoing professional development; supports the Hong Kong banking sector cyber talent pipeline.
3. Cyber Intelligence Sharing Platform (CISP): HKMA-operated intelligence-sharing platform for sectoral threat-sharing and indicator-of-compromise (IOC) distribution, covering tactical, operational and strategic intel, with integration with HKCERT and commercial threat-intel feeds.

C-RAF assessment model: a 2-axis maturity model, Inherent Risk Assessment (IRA) x Cyber Maturity Assessment (CMA).

IRA scores an AI's inherent cyber risk based on: (a) technology footprint, online services and customer-facing channels; (b) data and transaction volumes and sensitivity; (c) third-party and service-provider dependence and interconnectedness; (d) deposits and scale; (e) cybersecurity threat environment and history of incidents. Result: a LOW, MEDIUM or HIGH inherent risk tier.

CMA assesses AI cybersecurity maturity across 7 domains, each scored on a 5-level scale (Baseline, Evolving, Intermediate, Advanced, Innovative). The 7 domains:
1. Governance: cyber strategy, risk management, reporting, culture.
2. Identification: asset management, risk and threat assessment.
3. Protection: access control, data security, infrastructure and application security, training, 3rd-party risk.
4. Detection: monitoring, threat intelligence, testing, anomaly detection.
5. Response and Recovery: incident response planning and execution, recovery, resilience.
6. Situational Awareness: threat landscape, information sharing.
7. iCAST: intelligence-led cyber attack simulation testing (mandatory for HIGH inherent risk AIs).

Target maturity level: each AI must achieve a target maturity matched to its inherent risk tier (HIGH tier requires Intermediate-to-Advanced plus iCAST; MEDIUM requires Intermediate; LOW requires Evolving-to-Intermediate). Gaps trigger a remediation roadmap submitted to HKMA.

iCAST (Intelligence-led Cyber Attack Simulation Testing): mandatory for HIGH inherent risk AIs and optional for MEDIUM. Consists of red team, threat intelligence, scoping, threat scenarios, execution, purple team replay, findings and remediation; modeled on UK CBEST, EU TIBER-EU (separately verified) and intelligence-led red team testing.

Assessment cycle: annual self-assessment, 3-year independent assessment, supervisory dialogue, remediation and ongoing monitoring.

Supervisory dialogue: HKMA reviews submissions, may impose remediation requirements, escalates findings and monitors through ongoing supervision.

Coordination: HKMA Supervisory Policy Manual (SPM) Module TM-G-1 (General Principles for Technology Risk Management, verified separately if tracked), GS-1, TM-G-3 and others; Singapore MAS TRMG; UK FCA Operational Resilience; ECB TIBER-EU (verified separately); various banking sectoral cybersecurity frameworks.

2024-2025 pipeline: ongoing v2.0 enhancements, threat-landscape evolution, AI cybersecurity, quantum-readiness, cloud, DORA coordination, new SPM modules, ransomware response, post-COVID hybrid working and supply chain.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
HKMA C-RAF Domain 1-2: Governance + Identification (Cyber Strategy, Risk Mgmt, Asset Mgmt, Threat Assessment)
| Code | Title |
|---|---|
| HKMA-CRAF-Domain1-2-Governance-Identification | HKMA C-RAF Domain 1 (Governance) + Domain 2 (Identification) - Cyber Strategy, Risk Management, Asset Management, Threat Assessment |
HKMA C-RAF Domain 3-4: Protection + Detection (Access, Data, Infrastructure, Application, Monitoring, Testing)
| Code | Title |
|---|---|
| HKMA-CRAF-Domain3-4-Protection-Detection | HKMA C-RAF Domain 3 (Protection) + Domain 4 (Detection) - Access, Data, Infrastructure, Application, Monitoring, Testing, Threat Intel |
HKMA C-RAF Domain 5-6: Response & Recovery + Situational Awareness (IR, Recovery, Threat Intel, Info Sharing)
| Code | Title |
|---|---|
| HKMA-CRAF-Domain5-6-Response-Recovery-SitAwareness | HKMA C-RAF Domain 5 (Response and Recovery) + Domain 6 (Situational Awareness) - Incident Response, Recovery, Threat Landscape, Information Sharing |
HKMA C-RAF: Coordination with HKMA SPM TM-G-1, Sectoral Coordination, 2024-2025 Pipeline
| Code | Title |
|---|---|
| HKMA-CRAF-2024-2025-AI-Quantum-Cloud-Ransomware-DORA | HKMA C-RAF 2024-2025 Pipeline - AI, Quantum-Resistant Cryptography, Cloud Security, Ransomware, EU DORA Coordination |
| HKMA-CRAF-Coord-SPM-TM-G-1-Singapore-UK-Sectoral | HKMA C-RAF Coordination with HKMA SPM TM-G-1, Singapore MAS TRMG, UK FCA Operational Resilience and Sectoral Cybersecurity |
| HKMA-CRAF-Implementation-Roles-Tooling-Assurance | HKMA C-RAF Implementation Roadmap, Organizational Roles, Tooling and Assurance |
| HKMA-CRAF-Status-Industry-Adoption-FutureRoadmap | HKMA C-RAF Status, Industry Adoption, Hong Kong Banking Sector and Future Roadmap |
HKMA C-RAF: Cybersecurity Fortification Initiative (CFI), 3 Pillars (C-RAF + PDP + CISP), Mandatory Scope
| Code | Title |
|---|---|
| HKMA-CRAF-CFI-3Pillars-Scope-Mandatory | HKMA CFI 3 Pillars (C-RAF + PDP + CISP), Mandatory Scope and Supervisory Framework |
HKMA C-RAF: Inherent Risk Assessment (IRA), Maturity Assessment (MA), Target Maturity Level, Assessment Cycle
| Code | Title |
|---|---|
| HKMA-CRAF-IRA-Maturity-TargetLevel-Cycle | HKMA C-RAF Inherent Risk Assessment (IRA), Cyber Maturity Assessment (MA), Target Maturity Level, Assessment Cycle |
HKMA C-RAF: iCAST (Intelligence-Led Cyber Attack Simulation Testing) for HIGH Inherent Risk AIs
| Code | Title |
|---|---|
| HKMA-CRAF-Crosswalk-NIST-CSF-ISO27001-FFIEC-CBEST-TIBER | HKMA C-RAF Crosswalk to NIST CSF, ISO 27001, FFIEC CAT, CBEST, TIBER-EU and Sectoral Frameworks |
| HKMA-CRAF-iCAST-RedTeam-PurpleTeam-IntelLed | HKMA C-RAF iCAST (Intelligence-Led Cyber Attack Simulation Testing) for HIGH Inherent Risk AIs |
Your Compliance Coverage
If you comply with HKMA Cyber Resilience Assessment Framework (C-RAF), you already cover:
- Ghana Cybersecurity Act: 27% (3 controls mapped)
- GLBA: 27% (3 controls mapped)
- ISO/IEC 27011:2024: 27% (3 controls mapped)
- 167 more, including FISMA (27%) and ISO/IEC 30111:2019 (27%)
In total, C-RAF maps to 170 other frameworks.
Frequently Asked Questions
What is HKMA Cyber Resilience Assessment Framework (C-RAF)?
HKMA Cyber Resilience Assessment Framework (C-RAF) is a compliance framework from Hong Kong with 7 domains and 11 controls; the summary at the top of this page describes its history, the CFI pillars, the IRA x CMA assessment model, the 7 domains, iCAST, the assessment cycle and coordination with other frameworks. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does HKMA Cyber Resilience Assessment Framework (C-RAF) have?
HKMA Cyber Resilience Assessment Framework (C-RAF) has 11 controls organised across 7 domains. The largest domains are HKMA C-RAF: Coordination with HKMA SPM TM-G-1, Sectoral Coordination, 2024-2025 Pipeline (4 controls), HKMA C-RAF: iCAST (Intelligence-Led Cyber Attack Simulation Testing) for HIGH Inherent Risk AIs (2 controls) and HKMA C-RAF Domain 1-2: Governance + Identification (Cyber Strategy, Risk Mgmt, Asset Mgmt, Threat Assessment) (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does HKMA Cyber Resilience Assessment Framework (C-RAF) map to?
HKMA Cyber Resilience Assessment Framework (C-RAF) maps to 170 other compliance frameworks. The top mapping partners are Ghana Cybersecurity Act (27% coverage), GLBA (27% coverage), ISO/IEC 27011:2024 (27% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with HKMA Cyber Resilience Assessment Framework (C-RAF) compliance?
Start your HKMA Cyber Resilience Assessment Framework (C-RAF) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about HKMA Cyber Resilience Assessment Framework (C-RAF) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 11 controls and track your progress.