DORA Compliance and ISO 27001
November 11, 2024
At a glance
- The main takeaway: A crucial step for organizations that operate in or supply critical services to financial entities in the EU is understanding how ISO 27001 can help support DORA compliance.
- Impact on your business: Pursuing ISO 27001 certification alongside DORA compliance gives organizations an opportunity to build a stronger system that protects against, adapts to, and responds effectively to digital threats while meeting evolving regulations.
- Next steps: Aprio’s Managed Compliance Services (CaaS) team can help you at any stage of your ISO 27001 and DORA compliance journey.
Schedule a consultation today.
The full story:
While it may feel like the time to comply with the European Union’s (EU) Digital Operational Resilience Act (DORA) was yesterday, all is not lost. The deadline for organizations operating in or supplying critical services to financial companies within the EU to comply with DORA regulations is January 17, 2025.
What is the Digital Operational Resilience Act (DORA)?
This new cybersecurity regulation, at its core, aims to enhance the operational resilience and security of financial institutions against information and communication technology (ICT) risks. The DORA regulations apply to approximately 21 types of financial entities ranging from FinTech companies to traditional financial institutions.
Many businesses within the financial services industry are expanding well beyond the U.S. borders, and any organization working in the EU, in any capacity, must comply with the new DORA regulations.
So, how do you get there?
Key requirements of DORA for financial entities
For financial institutions to withstand, respond to, and recover from malicious cyber threats, they must first comply with the following key DORA requirements:
- ICT risk management
- Reporting any major ICT-related incidents and notifying regulatory authorities of any significant cyber threats
- Digital operational resilience testing
- Information and intelligence sharing
- Comprehensive management of ICT third-party risk
Benefits of ISO 27001 in achieving DORA compliance
While there are fundamental differences between ISO 27001 and DORA — DORA focuses on operational resilience while ISO 27001 focuses on improving information security management systems (ISMS) — both share the same goal of ensuring that organizations, in this case financial service entities, stay resilient against cyber threats.
There is no requirement in DORA that obliges organizations to be ISO 27001 certified; however, companies that already maintain an ISO 27001 certification will have a substantial head start when implementing the DORA regulations by January 17, 2025.
Why? Because companies that implement the ISO 27001 standard will be nearly 90% of the way to achieving DORA compliance. An ISO 27001 certification offers several benefits for financial entities that must meet DORA compliance. The main benefits of an ISO 27001 certification, and how each supports DORA compliance, are:
- A focus on risk management. If your company has already implemented an ISMS based on ISO 27001, you currently have a strong foundation with processes in place to identify and address information security risks.
- Similar security controls covered. ISO 27001 directly addresses many of DORA’s requirements, such as incident response plans, user access controls and management, common security policies, and more.
- Cost and time savings. Implementing an ISMS based on ISO 27001 can help your company close gaps, ultimately reaching DORA compliance faster and at lower cost.
- Evidence of compliance and security. Maintaining ISO 27001 certification makes it easier to adopt new regulations because auditors and regulatory authorities are accustomed to reviewing ISO standards.
Required adaptations to ISO 27001 for full DORA compliance
While ISO 27001 provides a solid foundation for DORA compliance, the requirements under DORA are more detailed; thus, organizations will need to make certain adaptations to their ISO 27001-based framework to comply with DORA.
The chart below provides an overview of key requirements and coverage by DORA versus ISO 27001.
| Requirement | DORA Coverage | ISO 27001 Coverage |
|---|---|---|
| Detailed ICT Risk Assessment and Management | Requires detailed and continuous cyber risk assessments with specific impact to critical functions and services | Requires security risk assessment and treatment |
| Risk Management Governance Frameworks | Requires robust governance frameworks dedicated to cyber risk management, directly involving the board and senior management | Requires holistic security risk management involving management |
| Mandatory Incident Reporting | Requires reporting on significant cyber-related incidents to regulatory authorities | Does not require detailed reporting on significant cyber-related incidents to regulatory authorities |
| Incident Classification and Reporting Details | Requires detailed classification of incidents, the content of reports, and the processes for notifying authorities | General incident management processes |
| Comprehensive Testing Programs | Requires continuous and comprehensive testing of technology systems, including vulnerability assessments, penetration testing, and scenario-based testing | Periodic testing recommended |
| Independent Assessments | Requires a more rigorous third-party assessment to ensure objectivity | Third-party audit requirements and independent reviews |
| Third-Party Due Diligence and Monitoring | Detailed due diligence processes when selecting and monitoring third-party technology service providers to ensure that third parties adhere to high standards of cyber risk management | Covers third-party supplier relationships but not at the same level of scrutiny |
| Third-Party Contractual Requirements | Requires specific contractual provisions to manage cyber risks and ensure service continuity | General guidance on supplier agreements |
| Information Sharing and Collaboration | Encourages actively sharing information on cyber threats and vulnerabilities within the sector to foster a collaborative approach to cybersecurity | Based on the expectations of interested parties and the organization's own communication decisions |
| Information Sharing and Confidentiality Measures | Emphasizes the need for confidentiality and a structured approach to information sharing | Covers general secure information transfer procedures and rules |
Steps to prepare for DORA
Given the intricacies of DORA, organizations must follow a structured approach to successfully implement DORA by the deadline of January 17, 2025. To effectively prepare for DORA, companies should:
- Conduct a gap analysis to determine whether their existing measures meet the requirements
- Regularly test their ICT systems to identify vulnerabilities
- Report the results of their tests and plans to address weaknesses
- Undergo threat-led penetration testing (TLPT) every three years
- Ensure their critical ICT providers participate in penetration tests
The bottom line:
For organizations operating in or supplying critical services to financial entities in the EU, the time to start complying with DORA requirements is now. Whether you are well on your way to achieving DORA compliance or haven’t started, Aprio’s Managed Compliance Services (CaaS) team can help you verify, implement, and report on DORA compliance with confidence.
About the Author
Shane Peden
Shane Peden has more than 10 years of experience in information security services. He works with CEOs, CFOs and CIOs, concentrating on high-growth technology companies and startups operating in a variety of industries. Shane has extensive experience helping clients successfully scope, plan, implement and obtain their information security certifications, such as PCI, HITRUST, ISO 27001 and SOC 2.
Powell Jones
Powell Jones, CISA, CCSFP, is a partner on Aprio’s Information Assurance Services team. Powell works with clients of all sizes, from startups to multinational companies. His experience in ISO certifications, SOC reporting, HITRUST CSF and third-party risk management helps clients select the right reporting options and gain efficiencies in managing multiple compliance frameworks and requirements. He uses his technical knowledge and strong understanding of business processes, IT controls, and data security to help clients safeguard and grow their businesses.