Skip to main content
Promotion: Promotional Banner Image

CUNA is now America’s Credit Unions.
A stronger voice to advance the credit union industry.

Learn More

NCUA ISE Requirements

March 2023
By TraceSecurity

The NCUA has developed new procedures for their risk-based Information Security Examinations (ISE) for credit unions. Your examiner will be using these new procedures for your regulatory examination this year, and TraceSecurity is here to help you navigate the new normal. TraceSecurity has taken the official NCUA regulatory statements and broken them down into the assessments and testing that your examiners will be looking for this year.

Based on your credit union’s asset size, you will fall into one of two categories:

  • Small Credit Union Examination Program (SCUEP) – less than $50M in assets
  • CORE Examination Program (with additional CORE+ requirements) – over $50M in assets

Small Credit Union Examination Program (SCUEP)

The SCUEP applies to credit unions below $50 million in assets. This is the NCUA’s lowest threshold for “small” credit unions to date. If you fall in this category, your requirements are as follows:

  • Risk Assessment
  • IT Security Audit
  • Vulnerability Assessment
  • External Penetration Test
  • Security Awareness Training
  • Remote Social Engineering – Phishing & Vishing
  • Tabletop Testing of Disaster Recovery and/or Business Continuity Plans


The CORE Examination Program applies to credit unions with over $50 million in assets. CORE represents the minimum requirements, with CORE+ additions if applicable. Credit unions that fall under CORE are required to do the following:

  • Risk Assessment
  • T Security Audit
  • Vulnerability Assessment – Annual
  • Vulnerability Management
  • External Penetration Test
  • Internal Penetration Test
  • Security Awareness Training
  • Remote Social Engineering – Phishing & Vishing
  • Onsite Social Engineering
  • Tabletop Testing of Disaster Recovery and/or Business Continuity Plans

As we get to credit unions of higher asset sizes and more complex IT environments, your examiner may have some additional requirements under CORE+. If applicable to your credit union, CORE+ could include some or all of the following requirements:

  • Vulnerability Assessment – Quarterly, Authenticated
  • Remote Social Engineering – Smishing
  • Physical Security Control Testing
  • Web Application Testing
  • Wireless Controls Testing
  • Remote Access Control Testing
  • Password Security Testing
  • Firewall Security Testing
  • Ransomware Readiness Assessment

To provide some examples, Web Application Testing is only required if your credit union has a web application, like for online banking. Remote Access Control Testing is only necessary if you have employees that remotely access company systems, like through a VPN.

The Good News

TraceSecurity has already begun preparing credit unions for their examinations under the new ISE requirements. With this being the NCUA’s most structured examination process to date, ensure your cybersecurity requirements are properly handled. 

About TraceSecurity

TraceSecurity has provided over 30,000 examiner approved reports, helping credit unions of all sizes maintain compliance year after year. A CUNA Strategic Services provider since 2006, TraceSecurity helps credit unions with a range of cybersecurity services, including risk assessments, penetration testing and IT audits. With a combination of software and services, TraceSecurity can help credit unions manage their information security program and supplement it with third-party validation.