HKMA TM-G-1

Hong Kong

5 domains

42 controls

HKMA Supervisory Policy Manual TM-G-1 General Principles for Technology Risk Management plus TM-E-1, TM-G-2, OR-2, C-RAF 2.0.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (5)

C-RAF 2.0

3 controls

Controls in the C-RAF 2.0 domain of HKMA TM-G-1 — 3 controls
Code	Title	Description
CRAF-2.0.1	Inherent Risk Assessment under C-RAF 2.0	Authorized institution completes an inherent risk assessment to determine cyber risk tier under the Cyber Resilience Ass...
CRAF-2.0.2	Maturity Assessment under C-RAF 2.0	Institution conducts a maturity assessment across seven domains and uplifts capabilities to the maturity level commensur...
CRAF-2.0.3	Intelligence-led Cyber Attack Simulation Testing (iCAST)	Institutions in higher risk tiers undertake intelligence-led red team testing using threat intelligence-derived scenario...

OR-2

3 controls

Controls in the OR-2 domain of HKMA TM-G-1 — 3 controls
Code	Title	Description
OR-2.2.1	Operational Resilience Framework	Authorized institution establishes an operational resilience framework that identifies important business services, sets...
OR-2.3.1	Severe but Plausible Scenario Testing	Institution tests its ability to remain within impact tolerances under severe but plausible scenarios including cyber, t...
OR-2.4.1	Third Party and Concentration Risk for Resilience	Concentration and substitutability risks for material third parties supporting important business services are assessed...

TM-E-1

5 controls

Controls in the TM-E-1 domain of HKMA TM-G-1 — 5 controls
Code	Title	Description
TM-E-1.2.1	Governance of E-banking	Board and senior management approve the e-banking strategy and risk management framework, including digital channels and...
TM-E-1.3.1	Customer Authentication for E-banking	Strong customer authentication is applied to login and high-risk transactions including two-factor authentication and tr...
TM-E-1.3.2	Transaction Monitoring and Fraud Detection	Real-time and near real-time monitoring detects suspicious or fraudulent transactions with rule-based and behavioural an...
TM-E-1.3.3	Customer Protection and Awareness	Customers receive guidance on safe use of e-banking, scam awareness, and channels to report incidents, supported by liab...
TM-E-1.4.1	Application Security for E-banking	E-banking applications are developed under secure SDLC with threat modelling, code review, penetration testing, and runt...

TM-G-1

26 controls

Controls in the TM-G-1 domain of HKMA TM-G-1 — 26 controls
Code	Title	Description
TM-G-1.2.1	Board and Senior Management Oversight of Technology Risk	Board and senior management are accountable for setting the strategy, risk appetite, and oversight structure for technol...
TM-G-1.2.2	Technology Risk Management Framework	Institution maintains an enterprise-wide framework that identifies, assesses, measures, monitors, and controls technolog...
TM-G-1.2.3	Roles and Responsibilities	Roles for technology risk management are clearly defined across IT, risk, audit, and business units with segregation of...
TM-G-1.3.1	IT Strategy and Planning	IT strategy aligns with business strategy and is supported by multi-year plans covering architecture, sourcing, capacity...
TM-G-1.3.2	IT Policies, Standards and Procedures	A documented suite of IT policies, standards, and procedures is approved, communicated, and reviewed regularly to ensure...
TM-G-1.3.3	Technology Risk Assessment	Technology risk assessments are performed on new systems, material changes, third party arrangements, and at periodic in...
TM-G-1.4.1	Project and Programme Management	IT projects follow a defined lifecycle covering initiation, business case, design, build, testing, deployment, and post-...
TM-G-1.4.2	System Development and Acquisition	Systems are developed or acquired under controls that address requirements, design, secure coding, testing, vendor due d...
TM-G-1.4.3	Change Management	All changes to production systems follow documented change management with assessment of risk, authorization, testing, s...
TM-G-1.5.1	IT Operations Management	Day-to-day IT operations include job scheduling, batch monitoring, problem management, and operational metrics tied to s...
TM-G-1.5.2	Capacity and Performance Management	Capacity and performance are monitored, forecasted, and managed to meet current and projected business demand with thres...
TM-G-1.5.3	Problem and Incident Management	Incidents and problems are logged, classified, escalated, resolved, and analysed for root cause with reporting to senior...
TM-G-1.6.1	Information Security Programme	Authorized institution maintains a documented information security programme covering policy, governance, technical cont...
TM-G-1.6.2	Access Control and Identity Management	Access to systems and data follows least privilege with identity lifecycle, multi-factor authentication for sensitive ac...
TM-G-1.6.3	Privileged Access Management	Privileged accounts are inventoried, vaulted, monitored with session recording, and subject to elevated approval, time-b...
TM-G-1.6.4	Network Security	Network architecture applies segmentation, secure perimeter controls, intrusion detection, and continuous monitoring pro...
TM-G-1.6.5	Cryptographic Controls	Cryptographic standards govern algorithm choice, key strength, key lifecycle, and use of hardware security modules for s...
TM-G-1.6.6	Data Loss Prevention and Data Protection	Sensitive data is classified, protected at rest and in transit, and monitored for leakage with DLP controls and incident...
TM-G-1.6.7	Vulnerability and Patch Management	Vulnerabilities are identified through scanning and threat intelligence, prioritized by risk, and remediated within docu...
TM-G-1.6.8	Endpoint and Mobile Security	Endpoints and mobile devices are hardened, monitored with EDR, managed via MDM, and protected against malware and unauth...
TM-G-1.7.1	Security Monitoring and SIEM	Centralised security monitoring collects, correlates, and analyses logs across systems with 24x7 coverage and tuned dete...
TM-G-1.7.2	Cyber Threat Intelligence	Institution consumes cyber threat intelligence from sector and government sources to inform detection, response, and ris...
TM-G-1.7.3	Cyber Incident Response	Cyber incident response programme defines roles, playbooks, communication, and regulatory notification including reporti...
TM-G-1.8.1	Independent Audit of Technology Risk	Internal and external audit independently assess technology risk and information security controls with findings reporte...
TM-G-1.9.1	Outsourcing and Third Party Risk	Outsourced technology arrangements are subject to due diligence, contractual controls, ongoing monitoring, and exit plan...
TM-G-1.9.2	Cloud Computing Risk Management	Use of cloud services is governed with attention to data residency, shared responsibility, regulator access, and concent...

TM-G-2

5 controls

Controls in the TM-G-2 domain of HKMA TM-G-1 — 5 controls
Code	Title	Description
TM-G-2.2.1	Business Continuity Governance	Board and senior management oversee business continuity planning including approval of BCP policy, RTO and RPO appetite,...
TM-G-2.3.1	Business Impact Analysis	Business impact analysis identifies critical business functions, supporting IT services, dependencies, and quantifies im...
TM-G-2.3.2	Recovery Strategy and Plans	Recovery strategies cover IT disaster recovery, alternate sites, workforce, suppliers, and communications, documented in...
TM-G-2.3.3	Backup and Restoration	Backups are protected, geographically separated, regularly tested for restorability, and resistant to corruption or rans...
TM-G-2.4.1	BCP Testing and Exercising	BCP and DRP are tested at least annually using tabletop, simulation, and full failover scenarios with lessons learned tr...

Frequently Asked Questions

What is HKMA TM-G-1?

HKMA TM-G-1 is a compliance framework from Hong Kong with 5 domains and 42 controls. HKMA Supervisory Policy Manual TM-G-1 General Principles for Technology Risk Management plus TM-E-1, TM-G-2, OR-2, C-RAF 2.0. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does HKMA TM-G-1 have?

HKMA TM-G-1 has 42 controls organised across 5 domains. The largest domains are TM-G-1 (26 controls), TM-E-1 (5 controls), TM-G-2 (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does HKMA TM-G-1 map to?

HKMA TM-G-1 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with HKMA TM-G-1 compliance?

Start your HKMA TM-G-1 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about HKMA TM-G-1 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 42 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required