DORA and ISO 27001: Paving the way for regulatory compliance


Simplifying DORA compliance with ISO 27001: Executive summary

ISO 27001 provides a sound foundation for complying with DORA. Achieving full DORA compliance, however, requires several additional and more rigid measures beyond what the flexible ISO 27001 standard covers, including a comprehensive analysis within the specific organization of whether there are DORA-specific requirements not directly addressed by ISO 27001.

This could include:

  • Requirements for incident reporting, for third-party subcontractors’ handling of their risk management procedures, or for operational recovery tests.

  • A process for regular checks, gap analyses and assessments to evaluate the current situation in relation to DORA.

  • Analyzing and incorporating DORA-specific controls and processes into the company’s ISMS (Information Security Management System).

  • Developing and implementing the additional documentation prescribed by DORA, such as procedures for incident reporting and recovery testing.

What is ISO 27001?

ISO 27001 is an international standard that sets requirements for an Information Security Management System (ISMS). The standard does not, however, prescribe specific security measures. Companies vary, and an ISMS is always constructed individually to address the specific IT security needs of the organization.

Content of ISO 27001: Each section explained

In short, the content of ISO 27001 follows the usual ISO practice, where sections 0 (!), 1, 2 and 3 are respectively introduction, scope, references and terms.

Section 4: Describes the scope of the ISMS based on the organization’s and stakeholders’ requirements.

Section 5: Describes “Leadership,” outlining the tasks that leadership holds within the ISMS.

Section 6: Focuses on setting objectives for information security, risk appetite, risk analysis, and risk treatment/handling. The concept of a “risk owner” is introduced as a novelty. There is no requirement for an actual “system ownership,” which is a common role description (RACI) in many organizations.

Section 7: Outlines the need for relevant competencies in information security within companies, as well as requirements for awareness and for internal and external communication about information security.

Section 8: Describes the ongoing operation of the ISMS, including executing agreed-upon action plans. Action plans are based on a risk treatment process, which stems from regular assessments.

Section 9: Deals with evaluating and measuring the performance of ISMS processes and IT controls, internal audits, and management reviews.

Section 10: Discusses deviation management and continuous improvement of the ISMS. Although a Plan-Do-Check-Act (PDCA) process has not been required since 2013, it is still a way to implement a process for continuous improvement.

Appendix A: The sections explained above occupy only 9 pages out of the standard’s 23 pages. Appendix A reproduces the security measures detailed in the 2022 edition of ISO 27002.

What is DORA? (the EU Digital Operational Resilience Act)

The purpose of DORA is to harmonize the requirements for the financial sector’s ability to build, enhance, and monitor the digital operational resilience that supports its delivery of financial services. DORA aims to establish consistent requirements across all EU member states.

DORA encourages financial services firms to test their systems based on the associated risks, and it introduces threat-led penetration testing (TLPT) for critical actors. DORA’s focus on knowledge sharing will help the entire sector become more aware of and more proactive in preparing against the growing number of cyberattacks.

DORA is like a rulebook for cybersecurity in the financial world, especially for companies handling banking, financial services, and insurance in the EU. Its main goals are to stop cyber-attacks, reduce risks in day-to-day operations, and prevent chaos in financial systems. To that end it puts a spotlight on Information and Communications Technology (ICT) providers within the financial sector, making sure their security measures are up to scratch.

And DORA isn’t just a suggestion. It is the law. Businesses that do not meet its standards might face fines, penalties, or even damage to their reputation if they get hit by an attack.

What companies are covered by DORA regulation?

In short: all companies in what is commonly referred to as the “Financial Services Industry,” together with IT service providers delivering critical services to or on behalf of financial services companies (IT operations, managed services, cloud vendors, etc.).

The 5 pillars of DORA: ISO 27001 vs DORA mapping

In this section, we map DORA requirements to ISO 27001 controls.

According to analysts*, DORA compliance can definitely be achieved by adhering to the ISO 27001 standard, because the standard is flexible and pragmatic thanks to its risk-based approach. It provides the structure and culture that pave the way for DORA compliance.

Organizations, however, need to see DORA as a somewhat more rigid extension of the flexibility of ISO 27001, not least when it comes to requirements for standard procedures and processes on resilience/penetration testing, documentation, business continuity planning, and cyber incident response planning and execution.

Key challenges using ISO 27001 to comply with DORA regulations

  • Scope of your ISMS. You may have to expand the scope of your ISMS to be able to comply.

  • Top leadership attention. It will be increasingly important that the support from top stakeholders in the organization is transparent and visible in all parts of the organization. Culture and daily operational security behaviors are key elements in implementing a resilient solution.

  • Resources and funding. The business must understand that the organization has to dedicate resources and funding to continuous, in-depth cyber-resilience and penetration testing activities.

  • Rigidity of requirements. The organization has to deal with the fact that DORA has more precise and rigid requirements, whereas ISO 27001 is much more flexible.

If you already have an ISO 27001 certified ISMS, and the system is regularly audited by a third-party auditor, you are 85% of the way to becoming DORA compliant. Covering the last 15% requires running a diligent gap analysis to identify the gaps and find suitable solutions for your organization to close them.

*ref. Allan Calder, IT Governance, Ltd, Febr. 21. 2024
