DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) applies from 17 January 2025. As an EU regulation, it applies directly in every member state, without needing national transposition.
Though the Regulation is primarily concerned with the operational resilience of the critical or important functions of EU financial entities, UK organisations may also be in scope – particularly if they supply ICT services to EU financial institutions, which must flow DORA's requirements down to their ICT third-party providers by contract.
As we conduct DORA gap analyses, we’ve noticed that organisations with an ISO 27001 ISMS (information security management system) tend to have a higher degree of DORA compliance.
In this blog
- How ISO 27001 helps with DORA compliance
- What if we already have an ISMS that didn’t account for DORA?
- Pay attention to scope
- DORA roles and responsibilities
How ISO 27001 helps with DORA compliance
ISO 27001 provides the ‘building blocks’ to help organisations manage their information security risks.
The Standard’s structure also helps organisations comply with DORA (and similar laws), since the Regulation revolves around risk management.
But ISO 27001 certification isn’t a ‘free pass’ to DORA compliance. It comes down to how you’ve implemented the Standard.
When you establish your ISMS context and scope (ISO 27001 Clauses 4.1 to 4.3), include, for example:
- DORA among your relevant legal, regulatory and contractual requirements (in ISO 27001:2022, Annex A control 5.31 also expects these to be identified and kept up to date).
- Your competent authority – the financial regulator that supervises you under DORA – among your interested parties (Clause 4.2).
What if we already have an ISMS that didn’t account for DORA?
If you implemented ISO 27001 without taking DORA into account, you’ll still have a head start because of the Standard’s formalised structure.
Again, ISO 27001 provides a framework for managing risk. Indeed, DORA specifically speaks of a management system in Article 6(1):
Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience. [Emphasis added.]
On top of that, DORA requires activities or actions like:
- Identifying your critical or important functions – i.e. defining your scope;
- Senior management taking responsibility; and
- Setting roles and responsibilities.
These are all things typical of an ISO 27001 ISMS (and GRC – governance, risk and compliance – in general).
Pay attention to scope
Remember that DORA focuses on the critical or important functions of EU financial entities (the Regulation’s own term is ‘critical or important function’).
So, make sure these functions, or the ICT services supporting them, are covered within your ISMS scope.
When assessing supply chain security, financial entities (and other organisations!) will value external validation like ISO 27001 certification – provided that it covers the service(s) they’re seeking assurance for. Check the scope statement on the certificate: an ISMS whose scope excludes the service in question gives the customer no assurance about that service.
DORA roles and responsibilities
Coming back to the required roles and responsibilities under DORA, these largely overlap with the responsibilities required in an ISO 27001 ISMS (or an ISO 22301 BCMS – business continuity management system), with one exception: accountability for DORA compliance.
DORA Article 5 places ultimate responsibility for managing ICT risk with the financial entity’s management body. Accountability for DORA compliance should therefore lie with a senior individual in the organisation, at the executive level – potentially even at the C-level. This person is then accountable for making sure the organisation meets its regulatory obligations under DORA.
As to other required competences around achieving and maintaining DORA compliance, these may include:
- Knowing how to manage ICT risk (DORA Chapter II);
- Incident response – knowing what action to take if an automated detection tool alerts you to potentially suspicious activity, and how to classify and report a major ICT-related incident (DORA Chapter III); and
- Overseeing DORA’s digital operational resilience testing, including threat-led penetration testing (TLPT) where it applies (DORA Chapter IV).
These can all fold into your ISO 27001 ISMS, for instance through the competence requirements of Clause 7.2.
Need a deeper understanding of DORA?
Our one-day Certified DORA Foundation Training Course provides an essential understanding of DORA for those involved in implementing practices to achieve and maintain DORA compliance:
- Get an overview of DORA, and where it fits with other relevant regulations and standards.
- Get a firm grasp of the Regulation’s principles, and the practices you need to implement to achieve and maintain DORA compliance.
Financial institutions and their IT service suppliers need employees to support their governance, risk management and compliance framework, and use their awareness of DORA in their day-to-day work.
The post How ISO 27001 Helps You Comply With DORA appeared first on IT Governance UK Blog.