The Digital Operational Resilience Act (DORA) is a new regulation in the European Union that aims to strengthen the operational resilience of the financial sector against ICT-related disruptions.
The regulation came into force in January 2023. Institutions have until January 2025 to comply.
Ensuring compliance means that financial institutions will have to review their supply chains to identify risks. Suppliers seeking to win new business or retain existing contracts will need to demonstrate how they:
- Assess and manage the risks posed by their ICT services to the financial institutions they serve.
- Implement appropriate security measures to protect against ICT threats.
- Report to financial institutions on any incidents or vulnerabilities that could affect their services.
- Cooperate with financial institutions in the event of an ICT incident.
How does ISO 27001 support DORA?
Suppliers who already have an information security management system that has been independently audited against an internationally recognised standard such as ISO 27001 will be in a better position to support their clients’ DORA compliance.
ISO 27001 and DORA both emphasise the importance of:
- A risk-based approach to security
- The need to implement appropriate controls to mitigate risks
- The need to continuously monitor and improve the ISMS
In addition, both frameworks require organisations to:
- Have a documented ISMS
- Appoint a management representative for the ISMS
- Conduct regular risk assessments
- Implement appropriate security controls
- Monitor and improve the ISMS
Whilst DORA is specifically designed for the financial sector, ISO 27001 is a general standard that can be applied to any organisation of any size. This means that the standard can be implemented by any organisation in the supply chain of a financial institution.
ISO 27001:2022 is the latest version of the standard and supports the DORA requirements to:
- Communicate security risks and controls to employees
- Test and maintain security controls
- Have a plan for responding to ICT-related incidents
The table below captures the key DORA requirements and the corresponding, supporting clauses in ISO 27001.
DORA requirement:
- Risk based approach
- Implement appropriate controls to mitigate risk
- Continuous monitoring and improvement
- Documented ISMS
- Management commitment to ISMS
- Regular risk assessments
- Communication of security risks and controls to staff
- Testing and maintenance of security controls
- Plan for responding to ICT-related incidents
ISO 27001:2022 clause:
- 6.1, 8.2
- 8.1, 8.3, A.5.1, A.5.37
- 9.1, 9.2, 9.3, 10.1, A.8.16
- 4.4, 5.2
- 5.1, 5.3, 9.3
- 6.1.2, 8.2
- 7.3, 7.5.1, A.6.3
- A.5.24, A.5.29
A key requirement of ISO 27001 (and of all ISO management standards) is identification of the needs and expectations of interested parties (customers, investors, staff, regulators, etc.). Additionally, ISO 27001 requires organisations to identify and act upon their legal, regulatory, and contractual obligations.
Understanding your regulatory requirements and ensuring that your ISMS addresses these will support your achievement and retention of ISO 27001 certification. Being able to demonstrate how your organisation can support the DORA compliance regime will be essential in winning and retaining customers in the financial services sector.
Morton McCann helps organisations to achieve and retain the ISO certifications that will support their growth. If you’d like to discuss how to align your information security management to support DORA or other regulations, or would like to know more about ISO standards, just complete the contact form and we’ll call you back.