
HKMA TM-G-1

Hong Kong
7 domains
8 controls

HKMA TM-G-1 is the foundational HKMA Supervisory Policy Manual module on Technology Risk Management + cybersecurity + IT risk for all HKMA Authorised Institutions (AIs) in Hong Kong SAR. TM-G-1 General Principles for Technology Risk Management covers the comprehensive lifecycle of IT + cyber risk management.

Key structure: 26+ subsection control areas organized in 9 sub-modules:

(1) Governance of Technology Risk (TM-G-1.2.1-3) - Board + Senior Management Oversight + Technology Risk Management Framework + Roles + Responsibilities
(2) IT Strategy + Policies (TM-G-1.3.1-3) - IT Strategy + Planning + Policies + Standards + Procedures + Technology Risk Assessment
(3) IT Development + Change (TM-G-1.4.1-3) - Project + Programme Management + System Development + Acquisition + Change Management
(4) IT Operations (TM-G-1.5.1-3) - IT Operations Management + Capacity + Performance + Problem + Incident Management
(5) Information Security (TM-G-1.6.1-8) - Information Security Programme + Access Control + Identity Management + Privileged Access Management + Network Security + Cryptographic Controls + Data Loss Prevention + Vulnerability + Patch Management + Endpoint + Mobile Security
(6) Cyber Monitoring + Response (TM-G-1.7.1-3) - Security Monitoring + SIEM + Cyber Threat Intelligence + Cyber Incident Response
(7) Independent Audit (TM-G-1.8.1) - Independent Audit of Technology Risk
(8) Outsourcing + Cloud (TM-G-1.9.1-2) - Outsourcing + 3rd Party Risk + Cloud Computing Risk Management

Adjacent TM modules included in this framework's scope:

(a) TM-G-2 Business Continuity Planning (BCG + BIA + Recovery + Backup + Testing)
(b) TM-E-1 Risk Management of e-Banking (Governance + Customer Authentication + Transaction Monitoring + Customer Protection + Application Security)
(c) OR-2 Operational Resilience (Framework + Severe but Plausible Scenario + 3rd Party Concentration)
(d) C-RAF v2.0 (IRA + Maturity Assessment + iCAST) - separately tracked sectoral cybersecurity framework

Key 2024-2025+ directions: AI + ML governance + generative AI cyber risk + quantum-resistant cryptography + cloud + ransomware + supply chain + DORA coordination + sectoral cyber evolution + recent HKMA supervisory communications + Circulars + sectoral exercises.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

TM-G-1 Coordination with HKMA SPM, C-RAF v2.0, Basel III, FSB and 2024-2025 Pipeline

2 controls
Controls in the TM-G-1 Coordination with HKMA SPM, C-RAF v2.0, Basel III, FSB and 2024-2025 Pipeline domain of HKMA TM-G-1

| Code | Title |
| --- | --- |
| HKMA-TMG1-Coord-SPM-CRAF-Basel-FSB-2024-2025-Pipeline | TM-G-1 Coordination with HKMA SPM, C-RAF v2.0, Basel III, FSB, ISO 27001, NIST CSF and 2024-2025 Pipeline |
| HKMA-TMG1-Implementation-Roles-Tooling-Status | TM-G-1 Implementation Roadmap, Roles, Tooling, Status and Future |

TM-G-1 Cyber: Security Monitoring + SIEM + Threat Intel + Cyber IR + Audit + Outsourcing + Cloud

1 control
Controls in the TM-G-1 Cyber: Security Monitoring + SIEM + Threat Intel + Cyber IR + Audit + Outsourcing + Cloud domain of HKMA TM-G-1

| Code | Title |
| --- | --- |
| HKMA-TMG1-Cyber-Monitoring-Threat-Intel-IR-Audit-Outsource-Cloud | TM-G-1 Security Monitoring + SIEM + Threat Intel + Cyber IR + Audit + Outsourcing + Cloud Computing Risk |

TM-G-1 Governance: Board + Senior Mgmt + Tech Risk Framework + Roles + Responsibilities

1 control
Controls in the TM-G-1 Governance: Board + Senior Mgmt + Tech Risk Framework + Roles + Responsibilities domain of HKMA TM-G-1

| Code | Title |
| --- | --- |
| HKMA-TMG1-Governance-Board-Framework-Roles | TM-G-1 Governance - Board + Senior Mgmt Oversight + Technology Risk Management Framework + Roles |

TM-G-1 IT Operations: Operations Mgmt + Capacity + Performance + Problem + Incident Management

1 control
Controls in the TM-G-1 IT Operations: Operations Mgmt + Capacity + Performance + Problem + Incident Management domain of HKMA TM-G-1

| Code | Title |
| --- | --- |
| HKMA-TMG1-Operations-Capacity-Problem-Incident | TM-G-1 IT Operations + Capacity + Performance + Problem + Incident Management |

TM-G-1 IT Strategy + Policies + Risk Assessment + Project + System Development + Change Management

1 control
Controls in the TM-G-1 IT Strategy + Policies + Risk Assessment + Project + System Development + Change Management domain of HKMA TM-G-1

| Code | Title |
| --- | --- |
| HKMA-TMG1-Strategy-Policies-RiskAssessment-Dev-Change | TM-G-1 IT Strategy + Policies + Risk Assessment + Project Management + System Development + Change Management |

TM-G-1 Information Security: Programme + Access + PAM + Network + Crypto + DLP + Vulnerability + Endpoint

1 control
Controls in the TM-G-1 Information Security: Programme + Access + PAM + Network + Crypto + DLP + Vulnerability + Endpoint domain of HKMA TM-G-1

| Code | Title |
| --- | --- |
| HKMA-TMG1-InfoSec-Access-PAM-Network-Crypto-DLP-Endpoint | TM-G-1 Information Security Programme + Access + PAM + Network + Crypto + DLP + Vulnerability + Endpoint |

TM-G-2 BCP + TM-E-1 e-Banking + OR-2 Operational Resilience Adjacent Modules

1 control
Controls in the TM-G-2 BCP + TM-E-1 e-Banking + OR-2 Operational Resilience Adjacent Modules domain of HKMA TM-G-1

| Code | Title |
| --- | --- |
| HKMA-TMG1-Adjacent-TMG2-TME1-OR2-BCP-eBanking-Resilience | TM-G-2 BCP + TM-E-1 e-Banking + OR-2 Operational Resilience Adjacent Modules |

Frequently Asked Questions

What is HKMA TM-G-1?

HKMA TM-G-1 is a compliance framework from Hong Kong with 7 domains and 8 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does HKMA TM-G-1 have?

HKMA TM-G-1 has 8 controls organised across 7 domains. The largest domains are TM-G-1 Coordination with HKMA SPM, C-RAF v2.0, Basel III, FSB and 2024-2025 Pipeline (2 controls), TM-G-1 Cyber: Security Monitoring + SIEM + Threat Intel + Cyber IR + Audit + Outsourcing + Cloud (1 control), and TM-G-1 Governance: Board + Senior Mgmt + Tech Risk Framework + Roles + Responsibilities (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does HKMA TM-G-1 map to?

HKMA TM-G-1 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with HKMA TM-G-1 compliance?

Start your HKMA TM-G-1 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about HKMA TM-G-1 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 8 controls and track your progress.
