HKMA C-RAF — Cyber Resilience Assessment Framework

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
The HKMA Cyber Resilience Assessment Framework (C-RAF) is a cybersecurity and risk management framework that assists authorized institutions in assessing and enhancing their cyber resilience capabilities. Its primary purpose is to strengthen organizational ability to prevent, detect, respond to, and recover from cyber threats within the Hong Kong banking sector.
Issued by the Hong Kong Monetary Authority (HKMA), the C-RAF is mandatory for banks and other authorized financial institutions operating in Hong Kong. The framework covers cybersecurity controls, risk management practices, governance structures, incident response, and operational resilience.
Organizations apply C-RAF by conducting regular cyber risk assessments, implementing controls to address identified gaps, and reviewing their incident response plans. Institutions integrate the framework into ongoing risk management, compliance programs, and regulatory reporting.
Why it Matters
HKMA C-RAF provides a structured approach for financial institutions to assess, enhance, and sustain cyber resilience in a rapidly evolving threat landscape.
Key benefits include:
Strengthen cybersecurity governance
Establish clear accountability and oversight for cybersecurity risk management through defined roles and systematic evaluation processes.
Enhance regulatory alignment
Support compliance with HKMA requirements and facilitate adherence to recognized international cybersecurity standards and frameworks.
Promote operational resilience
Improve the organization's ability to withstand, respond to, and recover from cybersecurity incidents impacting critical banking operations.
Improve threat detection and response
Bolster incident management capabilities and enable timely detection, escalation, and containment of cyber threats and breaches.
Increase audit readiness
Structure cybersecurity documentation and activities to streamline audit processes and demonstrate regulatory compliance during reviews.
How it Works
The HKMA Cyber Resilience Assessment Framework (C-RAF) structures cyber resilience into thematic control families and outcome-based assessment areas, combined with a maturity model and lifecycle processes for preparedness, response and recovery. It outlines governance requirements, risk management expectations, and measurable resilience objectives.
Organizations implement C-RAF by mapping existing security controls and operational practices to the framework, conducting risk assessments and scenario-based testing, and performing gap analyses against maturity targets. Results feed governance forums and compliance reporting, drive remediation plans and inform incident response and continuity exercises.
Key Elements
Cybersecurity Control Domains
Organizes technical and procedural controls into core areas such as access management, system security, and monitoring.
Risk Assessment Process
Details systematic evaluation steps for identifying, analyzing, and prioritizing cyber risks in institutional operations.
Governance and Oversight Mechanisms
Establishes structures for leadership responsibility, policy approval, and ongoing oversight of cyber resilience practices.
Incident Response and Recovery Planning
Describes the structure for detecting incidents, managing responses, and restoring normal operations after cyber events.
Cyber Resilience Maturity Model
Defines progressive capability levels used to assess and benchmark institutional resilience across multiple domains.
External Dependency Management
Outlines processes for evaluating and controlling cyber risks introduced by third-party vendors and service providers.
Framework Scope
HKMA Cyber Resilience Assessment Framework (C-RAF) is adopted by banks and authorized financial institutions operating in Hong Kong, covering core banking systems, risk management platforms, and supporting technology assets.
Framework Objectives
The HKMA Cyber Resilience Assessment Framework (C-RAF) sets out clear objectives to reinforce cybersecurity risk management and operational resilience within Hong Kong's banking sector.
Strengthen governance structures and oversight of cybersecurity and risk management activities
Enhance the ability to prevent, detect, and respond to cyber threats
Promote effective implementation of security controls and data protection measures
Support alignment with regulatory compliance and international security standards
Improve operational resilience and the continuity of critical banking functions
Demonstrate audit readiness through comprehensive assessment and regular reporting
Common Framework Mappings
Mapped frameworks include:
Digital Operational Resilience Act (DORA)
FFIEC Cybersecurity Assessment Tool
ISO/IEC 27001
ISO/IEC 27002
NIST Cybersecurity Framework
NIST SP 800-53
SOC 2
SWIFT Customer Security Programme (CSP)
- Classification: Category: Operational Resilience; Domain: Operational Resilience; Framework Family: Other
- Regulatory Context: Type: Assessment / Maturity Model; Legal Instrument: Framework; Sector: Financial Sector; Industry: Financial Services
- Region / Publisher: Region: Asia-Pacific; Region Detail: Hong Kong; Publisher: Hong Kong Monetary Authority (HKMA)
- Versioning: Version: HKMA Cyber Resilience Assessment Framework; Effective Date: 2017; Issue Date: March 2017
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source
License included / downloadable: Yes
The Cyber Resilience Assessment Framework is published by the Hong Kong Monetary Authority and is publicly available through official HKMA resources.
How SmartSuite Supports HKMA C-RAF
Centralize controls, evidence, and audit workflows to stay continuously SOC 2-ready.
Inherent Risk and Maturity Assessments
Run assessments, capture scoring, and attach supporting evidence.
Gap Remediation Roadmap and Ownership
Turn gaps into a prioritized roadmap with owners and milestones.
Testing and Exercise Cadence
Schedule resilience testing and record outcomes and improvement actions.
Monitoring and Incident Response Workflows
Track telemetry coverage, incident timelines, and corrective actions.
Provider Dependency and Contingency Planning
Manage provider dependencies, monitoring, and contingency planning evidence.
Leadership Reporting Dashboards
Report maturity, gaps, and progress trends for governance.
Related frameworks

DORA is an EU regulation requiring financial firms to manage ICT risks, report incidents, test security, and oversee third-party providers.

The FFIEC Cybersecurity Assessment Tool helps U.S. financial institutions assess cybersecurity preparedness and manage cyber risk.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.

NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.
Frequently Asked Questions For HKMA C-RAF (Cyber Resilience Assessment Framework)
The HKMA C-RAF is a structured framework designed to help banks and authorized financial institutions in Hong Kong assess, strengthen, and demonstrate their cyber resilience. It is used to identify gaps in cyber risk management, improve security controls, and enhance the ability to prevent, detect, and recover from cyber threats.
Yes, implementation of the HKMA C-RAF is mandatory for all authorized institutions regulated by the Hong Kong Monetary Authority. Organizations are required to regularly conduct cyber resilience assessments and report outcomes to the HKMA as part of ongoing regulatory compliance.
All licensed banks, restricted license banks, and deposit-taking companies operating in Hong Kong fall under the scope of C-RAF. The framework applies to both local and international banking operations managed within Hong Kong’s jurisdiction.
The C-RAF requires organizations to implement and document cybersecurity controls around governance, risk management, incident response, and operational resilience. Essential artifacts include completed risk assessments, gap analyses, incident response plans, control documentation, and evidence of periodic testing and reviews.
Implementation involves mapping current security controls to C-RAF requirements, conducting risk and maturity assessments, and performing scenario-based exercises. Organizations should document gaps, create remediation plans, and routinely update governance documentation and incident response procedures to align with regulatory expectations.
HKMA C-RAF aligns with international standards such as the NIST Cybersecurity Framework, incorporating similar control families and maturity models. This alignment helps ensure that institutions maintain compliance with both local regulatory requirements and global cybersecurity best practices.
Institutions must conduct periodic cyber resilience reviews, monitor control effectiveness, and update risk assessments in line with C-RAF’s maturity model. Results and remediation actions should be documented, reviewed by governance bodies, and reported to the HKMA as required.
SmartSuite can support HKMA C-RAF compliance by enabling organizations to manage cyber risk in a centralized platform, track and maintain security controls, and store audit-ready evidence. It facilitates risk register maintenance, automates compliance workflows, and generates configurable reports for governance and regulatory reporting, ensuring audit readiness and streamlined oversight.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.