The Digital Operational Resilience Act (DORA) sets out requirements for the digital operational resilience of EU financial entities. Utilising the ISO 27001 standard can simplify achieving DORA compliance.
ISO 27001, an internationally recognised standard for Information Security Management Systems (ISMS), focuses on creating and maintaining policies and procedures for information, cloud, and cyber security, with a core emphasis on risk management. This standard provides organisations with the necessary structure and tools to comply with DORA, emphasising a fundamental risk-based approach.
Your current operational resilience and cyber security strategies likely already align with some of the requirements of DORA, as the regulation complements established governance and operational frameworks such as ISO 27001. Achieving compliance may necessitate only minor adjustments to existing policies, procedures, and risk management strategies, coupled with targeted resilience testing procedures.
Here’s how ISO 27001 can help meet DORA requirements:
DORA is structured around five main pillars centred on IT risk management, reporting, and testing. Each pillar is designed to ensure that financial entities have the ability to withstand, respond to, and recover from IT incidents. Below you can see where these pillars overlap with current ISO 27001 criteria.
1. IT Risk Management
DORA Requirement:
- Implement measures to identify and manage risks related to information and communication technology
ISO 27001 Contribution:
- Risk Assessment and Treatment: ISO 27001 requires organisations to conduct regular risk assessments and apply appropriate risk treatment plans
- Risk Management Framework: ISO 27001 provides a systematic approach to managing information security risks, ensuring that risks are identified, assessed, and mitigated effectively
2. Incident Reporting
DORA Requirement:
- Develop protocols to report IT-related incidents promptly and accurately to regulatory authorities
ISO 27001 Contribution:
- Incident Management: ISO 27001 mandates the establishment of incident management procedures, including identification, reporting, and response to security incidents
- Documentation and Reporting: The standard emphasises thorough documentation of incidents and corrective actions, which supports compliance with DORA’s reporting requirements
3. Operational Resilience Testing
DORA Requirement:
- Regularly test systems and processes to ensure they can withstand and recover from disruptions
ISO 27001 Contribution:
- Testing and Evaluation: ISO 27001 requires organisations to test and evaluate their information security controls regularly, including conducting business continuity and disaster recovery exercises
- Penetration Testing and Drills: Adopting ISO 27001 involves performing penetration tests and security drills to assess the resilience of IT systems, directly supporting DORA’s testing requirements
4. Third-Party Risk Management
DORA Requirement:
- Manage and monitor risks associated with third-party service providers
ISO 27001 Contribution:
- Supplier Relationships: ISO 27001 incorporates controls for managing third-party relationships, ensuring that suppliers and partners comply with security requirements
- Contractual Safeguards: The standard advocates for the inclusion of information security clauses in contracts with third-party providers, aligning with DORA’s third-party risk management mandates
5. Information Sharing
DORA Requirement:
- Share information regarding threats and incidents with other financial entities and regulatory bodies
ISO 27001 Contribution:
- Communication and Reporting Protocols: ISO 27001 promotes establishing clear communication channels and reporting protocols for sharing security information effectively with relevant stakeholders
- Collaboration and Coordination: The standard promotes collaboration with external entities to bolster overall information security posture, facilitating the necessary information sharing required by DORA
How Can We Help?
We have more than 20 years of experience delivering ISO 27001 consulting, and, in that time, we have never had a customer fail an ISO audit/certification.
All our qualified ISO consultants are experienced in the successful implementation of security management systems and can help organisations to navigate their way through the standard to full certification.
We can also assist with all documentation needs to achieve compliance and provide technical solutions mandated under DORA, such as penetration testing and incident response.