Regulation on Digital Operational Resilience (DORA): Leveraging ISO 27001
- Justin Moore
- Feb 25
- 6 min read

As cybersecurity regulations evolve to address growing threats, organizations must align their risk management practices with multiple regulatory frameworks. One key regulation in the European landscape is the Regulation on Digital Operational Resilience (DORA).
In a continuation of our look into evolving cybersecurity regulations within the EU landscape, I’m going to provide a brief overview of the European Commission’s Regulation on Digital Operational Resilience (DORA), and how the Clauses and Annex controls defined by ISO 27001 can be leveraged to enhance your organization’s risk management processes to comply with this regulation.
About DORA and ISO 27001
DORA gives the European Commission the power to adopt delegated and implementing acts to specify how EU member states and market participants need to comply with the obligations. This legal framework is designed to ensure financial institutions – including banks, insurers, and investment firms – can effectively manage and withstand digital and cyber threats.
DORA establishes requirements for ICT risk management, incident reporting, testing, and oversight of third-party ICT service providers.
ISO/IEC 27001:2022, the globally recognized standard for information security management systems (ISMS), provides a risk-based approach to information security management that can help your organization meet the requirements of DORA. By leveraging the ISO 27001 clauses to establish an effective governance function, and by applying the 93 Annex A controls specified by the standard, organizations can be confident they comply with DORA, with only a minimal additional lift to address certain prescriptive requirements of the regulation.

Enforcement Note: DORA officially entered into force on January 16, 2023. While it was legally binding from that date, financial institutions and related entities had a transitional period to fully implement and comply with provisions by January 17, 2025.
Prescriptive Enhancements to ISO 27001 from DORA: Clauses
Clause 4.1: Context of the Organization
DORA explicitly requires that organizations implement rules based on the principle of proportionality. Your organization’s size, overall risk profile, and the nature, scale, and complexity of services, activities, and operations need to be understood and documented.
Clause 4.3: Determining the Scope
DORA’s ICT Risk Management Framework requires a clear understanding of critical business processes, ICT assets, critical ICT services, and the dependencies that exist therein.
Clause 5.1: Leadership and Commitment
DORA explicitly defines board-level accountability and more detailed governance structures, meaning your organization’s top management bears the ultimate responsibility for managing ICT risk.
Clause 5.2: Policy
DORA requires that your Information Security Policy include the protection of the availability, authenticity, integrity, and confidentiality of data, information assets, and ICT assets.
Clause 5.3: Roles and Responsibilities
Roles to be defined include:
(1) A role to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services,
(2) [At least] one person tasked with implementing the communication strategy for ICT-related incidents and fulfilling the public and media function for that purpose, and
(3) Staff responsible for response and recovery.
Clause 6.1.1 – 6.1.3 & 8.1 – 8.3: Risk Management
DORA refines your Risk Management strategy to include ICT risks, including risks associated with ICT assets, ICT services, ICT third-party service providers, and ICT-related incidents.
Risk treatment strategies are further refined through prescriptive enhancements to Vendor Management (Annex A.5.19-A.5.23), Incident Response (Annex A.5.24 – A.5.28), Business Continuity (Annex A.5.29 – A.5.30), and Digital Operational Resilience Testing (Annex A.8.8).
Clause 6.2: Objectives
Specific ICT Objectives to protect the availability, authenticity, integrity, and confidentiality of data, information assets, and ICT assets.
Clauses 7.2, 7.3, and Annex A.6.3: Competence and Awareness
Compulsory ICT security awareness programs and digital operational resilience training for all employees and senior management staff (at a level commensurate with the remit of their functions).
Clause 9.1: Monitoring, Measurement, Analysis, and Evaluation
Key performance indicators and key risk metrics to address ICT risk and attain specific ICT Objectives associated with critical business processes, ICT assets, and critical ICT services.
Clause 9.2: Internal Audit Program
The entity is subject to regular independent internal audits by auditors, in line with the organization’s audit plan.
Clause 9.3: Management Review
In addition to the standard items included within your organization’s management review, top management is required to approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers.
Reporting on those arrangements must include the following, so that top management is duly informed of:
(1) Arrangements concluded with ICT third-party service providers on the use of ICT services,
(2) Any relevant planned material changes regarding the ICT third-party service providers, and
(3) The potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.
Prescriptive Enhancements to ISO 27001 from DORA: Annex A Controls
Annex A.5.19-A.5.23: Supplier Relationships
DORA requires more granular oversight, including specific contractual obligations and periodic reviews of ICT third-party service providers.
Annex A.5.24 – A.5.28: Incident Management
DORA requires defined timelines, formats, and content for incident notifications. Incidents must be reported within four hours of classification or no later than 24 hours after detection. Additionally, financial entities must inform their customers of incidents and significant cybersecurity threats.
NIS2 NOTE: While DORA prevails over the NIS2 Directive, the latter is also relevant to banks and financial market infrastructure companies and should be taken into consideration (see our article on NIS2 for more information on Incident Management requirements).
Annex A.5.29 – A.5.30 & A.8.13 – A.8.14: Business Continuity
It can be inferred that, for the purpose of restoring ICT systems and data with minimum downtime and limited disruption and loss, your organization must plan, implement, maintain, and test business continuity objectives and ICT continuity requirements, and that these activities would commonly result in the creation of a Business Impact Analysis (BIA).
The BIA is a document, noted in ISO 27002, but defined by ISO 22301 (Business Continuity Management Systems).
Your BIA is designed to clearly define and document critical business processes, ICT components, ICT services, and the dependencies that exist therein. By defining these aspects of your information security management system, your organization will be better able to articulate a proper scope and implement Digital Operational Resilience Testing where required. These activities will also enable your organization to provide sufficient and objective evidence to auditors and regulators.
Additionally, your organization must ensure backup and redundancy are sufficient to meet DORA requirements:
(1) Backup policies and procedures specifying the scope of the data subject to backup and the minimum backup frequency, based on the criticality of the information or the confidentiality level of the data,
(2) Restoration and recovery procedures and methods, and
(3) Redundant ICT capacities equipped with resources, capabilities, and functions that are adequate to ensure business needs.
Annex A.8.8: Management of Technical Vulnerabilities
Digital Operational Resilience Testing: Threat-Led Penetration Testing (TLPT) must be performed at least every 3 years, covering several or all critical or important functions, and must be carried out on live production systems supporting those functions.
As noted previously, a BIA is strongly suggested, as your organization is required to identify all relevant underlying ICT systems, processes, and technologies supporting critical or important functions and ICT services, including those supporting critical or important functions that have been outsourced or contracted to ICT third-party service providers. This is required to determine which critical or important functions need to be covered by the TLPT.
Additionally, in accordance with criteria related to the context of your organization (the proportionality principle), appropriate tests should be performed, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.
Thank you for reading our article Regulation on Digital Operational Resilience (DORA): Leveraging ISO 27001! Check us out on LinkedIn.
ARORA Solutions LLC specializes in compliance readiness and internal audits, with an emphasis on cybersecurity. We help ensure your organization is conforming to a variety of compliance frameworks, such as SOC2, ISO 27001, ISO 27701, ISO 42001, CMMC, NIS2, DORA, GDPR, EU AI Act, and more!
Subscribe to our newsletter The Cyber Ready Report to receive a weekly round-up of relevant articles!
Contact us if you have questions related to internal audits, regulatory compliance, or other management system needs!