DORA Within the Nest of ISO 27001:
A Complementary Relationship

The Digital Operational Resilience Act (DORA) marks a significant step forward in safeguarding the financial sector against cyber threats. Its comprehensive requirements, ranging from incident management to third-party risk assessment, aim to ensure that financial entities can withstand disruptions and maintain their important business services. However, demonstrating compliance with DORA can be complex, requiring a robust and systematic approach to cybersecurity. This short guide explores how ISO 27001, a globally recognized standard for information security management, can provide a solid foundation for financial entities to meet DORA’s requirements and effectively demonstrate their commitment to operational resilience. By aligning their information security practices with ISO 27001, financial institutions can establish a strong framework for identifying, assessing, and mitigating risks, ensuring the continuity of their business services, and building trust with regulators, customers, and stakeholders.

Key Considerations
While many financial entities have, over the years, developed their own internal cybersecurity and operational resilience frameworks based on EBA or other bodies’ guidelines, pursuing ISO 27001 certification offers several distinct advantages, especially in the context of DORA compliance.

Global Recognition and Credibility
Third-party assurance: ISO 27001 certification is a globally recognized standard that provides independent assurance of an organization’s information security practices. It can enhance the credibility and trust of the financial entity among customers, investors, and regulators, which is particularly valuable in demonstrating compliance with DORA’s stringent requirements.

Furthermore, in today’s competitive landscape, demonstrating a commitment to information security through ISO 27001 certification can differentiate financial entities and provide a competitive edge.

Proportionality
Both DORA and ISO 27001 emphasize proportionality in implementation. The level of detail and complexity should align with the organisation’s size, risk profile, and the criticality of the services and information assets.

Enhanced focus on information security
DORA emphasises the security and resilience of network and information systems used by financial entities. ISO 27001, as an internationally recognised standard for information security management, directly addresses this need. Implementing ISO 27001 demonstrates a commitment to information security best practices, which are foundational to achieving digital operational resilience.

Establishment of a comprehensive ICT risk management framework
DORA mandates a robust ICT risk management framework as part of a financial entity’s overall risk management system. ISO 27001 requires a systematic approach to risk assessment and management, which is essential for identifying and addressing potential vulnerabilities in line with DORA’s requirements. It also provides a robust approach to developing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS), which addresses DORA’s requirement for a documented, reviewed, and auditable ICT risk management framework.

Regulatory Compliance
While DORA does not explicitly require ISO 27001 certification, demonstrating compliance with this globally recognized standard can serve as strong evidence of an organization’s commitment to operational resilience and regulatory requirements. DORA requires financial entities to demonstrate compliance through various reporting mechanisms, including internal audits. ISO 27001, with its emphasis on documentation, monitoring, and internal audits, provides a structure for generating the evidence and reports required by DORA. This structured approach can simplify the process of demonstrating compliance and reduce uncertainty around DORA’s reporting obligations.

Supplier and Partner Relationships
ISO 27001 certification can help build trust and confidence with suppliers and partners, ensuring that they meet the same high standards of information security, which is crucial for DORA compliance. Having in place a common framework like ISO 27001 can facilitate collaboration and information sharing between organizations, improving their ability to manage risks and comply with DORA.

Continuous improvement in digital operational resilience
Both DORA and ISO 27001 advocate for continuous improvement. The Plan-Do-Check-Act (PDCA) cycle of ISO 27001 promotes ongoing review, adaptation, and enhancement of the ISMS. This aligns perfectly with DORA’s objective of fostering a proactive and evolving approach to managing ICT risk, ensuring that financial entities continually adapt their digital operational resilience capabilities to address emerging threats and evolving regulatory expectations.

Alignment with core DORA principles and requirements
The following matrix maps key DORA requirements to corresponding clauses in ISO 27001:2022. Keep in mind that this is not an exhaustive list, and the specific controls and implementation details may vary depending on the nature and size of the financial entity. The matrix shows how ISO 27001:2022 provides a foundational framework that can be leveraged to meet many of the requirements outlined in DORA. By adhering to ISO 27001 principles and implementing its controls, financial entities can significantly strengthen their digital operational resilience and better align with the regulatory expectations of DORA.

Matrix of DORA Requirements and Matching ISO 27001 Clauses

| DORA Requirement | ISO 27001:2022 Clause | Explanation |
|---|---|---|
| ICT Risk Management Framework | 4. Context of the organisation; 6. Planning; 7. Support; 8. Operation; 9. Performance evaluation; 10. Improvement | DORA mandates a comprehensive ICT risk management framework. ISO 27001 provides the structure and processes to establish, implement, maintain, and continually improve an ISMS, encompassing risk assessment, treatment, monitoring, and review, all essential for robust ICT risk management. |
| ICT Governance and Organisation | 5. Leadership; 6.1 Actions to address risks and opportunities; 7.1 Resources; 7.2 Competence | DORA emphasizes strong governance for ICT risk, aligning with ISO 27001’s requirements for leadership commitment, resource allocation, competence management, and planning actions to address risks and opportunities. |
| ICT Systems, Protocols, and Tools | 6.1.3 Information security risk treatment; 8.1 Operational planning and control; Annex A controls | DORA stipulates the use of updated and appropriate ICT systems to manage risk. ISO 27001, through its risk treatment process, operational planning and control requirements, and Annex A controls (e.g., access control, vulnerability management, configuration management), supports this objective. |
| Identification of ICT Assets and Processes | 4.3 Determining the scope of the information security management system; 6.1.2 Information security risk assessment | DORA requires the identification and documentation of ICT assets and processes. ISO 27001 aids this through scope determination and risk assessment, which necessitate identifying information assets, systems, and processes relevant to the ISMS. |
| Protection and Prevention | 6.1.2 Information security risk assessment; 6.1.3 Information security risk treatment; 8.1 Operational planning and control; Annex A controls | DORA focuses on protecting ICT systems through security tools and policies. ISO 27001 echoes this through risk assessment and treatment, operational planning and control, and various Annex A controls, addressing areas like network security, physical security, and data protection. |
| Detection of ICT-related Incidents | 9. Performance evaluation; Annex A controls (e.g., security monitoring, logging) | DORA necessitates mechanisms to detect ICT-related incidents. ISO 27001 supports this through its monitoring and measurement requirements and Annex A controls focused on security monitoring and event logging, enabling the detection and analysis of security events. |
| Response and Recovery | 6.1.3 Information security risk treatment; 8.1 Operational planning and control; Annex A controls (e.g., incident management, business continuity) | DORA mandates robust response and recovery capabilities. ISO 27001 addresses this through risk treatment (defining how to handle risks), operational planning and control, and Annex A controls related to incident management, business continuity, and disaster recovery. |
| Communication | 7.4 Communication | Both DORA and ISO 27001 recognise the importance of effective communication regarding ICT risks and incidents. ISO 27001 specifically requires establishing communication processes, ensuring information is communicated to the right people at the right time. |
| ICT Third-Party Risk Management | 4.1 Understanding the organization and its context; 6.1.2 Information security risk assessment; 8.1 Operational planning and control | DORA highlights managing risks from ICT third-party providers, aligning with ISO 27001’s focus on understanding organisational context, assessing risks related to external parties, and controlling externally provided processes relevant to the ISMS. |
| Digital Operational Resilience Testing Programme | 9.1 Monitoring, measurement, analysis and evaluation; Annex A controls (e.g., system and acceptance testing, technical vulnerability management) | DORA requires a testing programme to assess the effectiveness of ICT systems and processes. ISO 27001 supports this through its monitoring and evaluation requirements, and Annex A controls relating to testing, such as system and acceptance testing and technical vulnerability management. |
| Threat-Led Penetration Testing (TLPT) | No direct equivalent in ISO 27001:2022, but may be considered under risk assessment and control selection | DORA, for specific financial entities, mandates advanced testing through TLPT. While not specifically addressed in ISO 27001:2022, organizations can consider TLPT within their risk assessment process to identify and address potential vulnerabilities proactively. |
| Oversight Framework for Critical ICT Third-Party Service Providers | No direct equivalent in ISO 27001:2022 | DORA establishes an Oversight Framework for critical ICT third-party service providers, reflecting its focus on systemic risk management within the financial sector. This framework, with its designation mechanism, oversight activities, and potential sanctions, goes beyond the scope of ISO 27001:2022, which primarily addresses internal ISMS implementation. |
| Information Security Objectives | 6.2 Information security objectives and planning to achieve them | ISO 27001 requires organisations to define information security objectives aligned with their business needs and risk assessment results. These objectives provide a clear direction for the ISMS and contribute to achieving the desired level of information security, which is essential for digital operational resilience. |
| Documented Information | 7.5 Documented information | Both standards emphasize the importance of documenting information related to the ISMS/ICT risk management framework. ISO 27001 specifically outlines requirements for documenting policies, procedures, risk assessments, and other relevant information, contributing to transparency, accountability, and effective management of information security. |

DORA Requirements Not Covered by ISO 27001
While ISO 27001 provides a solid foundation for ICT risk management, DORA introduces several additional requirements not fully addressed by the standard, the Oversight Framework among them. These include:

  • Oversight Framework and contractual provisions: The Oversight Framework for critical ICT third-party service providers, a key aspect of DORA, does not have a direct equivalent in ISO 27001:2022. Furthermore, DORA outlines specific contractual provisions for managing ICT third-party risk, particularly for critical or important functions. These provisions include detailed requirements for service level descriptions, access and audit rights, exit strategies, and cooperation with competent authorities. While ISO 27001 addresses supplier relationships, it does not dictate the level of detail and specific provisions mandated by DORA.

  • Specific incident reporting requirements: DORA mandates detailed reporting procedures for major ICT-related incidents, including reporting thresholds, timelines, and specific data sets. ISO 27001 provides a general framework for incident management, but does not prescribe the detailed reporting requirements outlined in DORA.

  • Threat-led penetration testing (TLPT): DORA requires financial entities to conduct advanced testing of their ICT systems using TLPT. This framework simulates real-world cyberattacks to assess resilience. ISO 27001 requires testing but does not mandate or specify the use of TLPT, which is a distinct and sophisticated testing methodology.

  • Focus on ICT concentration risk: DORA highlights the systemic risk posed by financial entities’ dependence on a limited number of critical ICT third-party service providers. It requires financial entities to assess and manage ICT concentration risk throughout their ICT third-party risk management processes. ISO 27001 does not explicitly address concentration risk in the context of ICT third-party dependencies.

  • Reporting on costs and losses from major ICT incidents: DORA requires certain financial entities to report estimated annual costs and losses caused by major ICT incidents to competent authorities upon request. This specific financial reporting element is not directly covered by ISO 27001.

Conclusion
In conclusion, ISO 27001 offers a valuable framework and a set of globally recognised best practices that significantly contribute to achieving compliance with DORA. By leveraging ISO 27001, financial entities can streamline their efforts, demonstrate their commitment to information security and strengthen their overall digital operational resilience posture. However, they should also recognise that DORA’s sector-specific requirements, such as oversight for critical ICT third-party service providers, specific incident reporting requirements and threat-led penetration testing, necessitate additional controls and processes beyond those addressed in ISO 27001; financial institutions must implement additional measures and controls to address these specific DORA requirements and ensure full compliance.

Seeking certification to ISO 27001?
Quadprime has been at the forefront of information security certifications for many years. Partnering with QuadPrime means leveraging our extensive experience and expertise in ISO management system standards, in particular ISO 27001 and other highly sought-after standards. Furthermore, as a member of the MAP S.Platis Group, we offer bespoke information security services that help you address your cybersecurity challenges and protect your value end-to-end.

For more details on our ISO 27001 services, visit our webpage: ISO 27001 Information Security Management Systems.

Contact us today to discuss your DORA compliance needs.
