From 17 January 2025, the Digital Operational Resilience Act (DORA) will apply across the EU, impacting financial entities and potentially UK organisations supplying ICT services to them.
As we conduct DORA gap analyses, we have noticed that organisations with an ISO 27001 ISMS (information security management system) usually start from a higher degree of DORA compliance.
ISO 27001 & DORA Compliance
Organisations with an ISO 27001 ISMS align well with DORA because of its risk management structure. However, certification alone is not enough; what matters is how the ISMS has actually been implemented.
Key Considerations for an ISO 27001 ISMS
Add DORA to your register of legal, regulatory and contractual requirements, and identify the relevant competent authority (your financial supervisor) as an interested party under Clause 4.2.
If you implemented ISO 27001 without DORA in mind, you are still in a good position, because the standard already imposes a structured, risk-based approach.
ISO 27001 requires a risk assessment and risk treatment process, and DORA likewise requires a formal ICT risk management framework.
DORA & Risk Management
DORA requires, among other things:
Defining critical or important functions (scope definition)
Senior management accountability
Clear, defined roles and responsibilities
Scope
DORA centres on the critical or important functions of financial entities in the EU and the ICT services that support them. Make sure those functions, or the services supporting them, are included in your ISMS scope; a scope that covers only a corporate IT function will leave DORA gaps.
Roles and Responsibilities with DORA
ISO 27001 roles map well onto DORA, but DORA places ultimate responsibility for ICT risk management on the management body, so compliance accountability must sit at senior executive level. Key competences include:
Risk management
Incident response and reporting
Penetration testing oversight (DORA's digital operational resilience testing, including threat-led penetration testing where it applies)
By integrating these elements into an existing ISMS, organisations can streamline DORA compliance using ISO 27001 as the foundation.