Transition from
ISO27001 to DORA

ISO 27001 is a widely recognized standard for information security management systems (ISMS), and its adoption is significant among ICT companies in Europe. As of the most recent updates, a substantial number of organizations across various sectors have achieved ISO 27001 certification. This trend reflects the increasing prioritization of information security amidst rising cyber threats and regulatory demands. Reports indicate that thousands of organizations in Europe are certified to ISO 27001, contributing to a robust framework for managing and mitigating cyber risks.

The adoption of ISO 27001 among European ICT companies has been driven by the need to protect sensitive information, ensure regulatory compliance, and meet client expectations for data security. The certification helps organizations avoid penalties associated with data breaches, enhance their reputation, and demonstrate a commitment to best practices in information security. Furthermore, the structured approach of ISO 27001 aligns well with other regulatory requirements such as the General Data Protection Regulation (GDPR) and the upcoming Digital Operational Resilience Act (DORA), making it a foundational element in an organization's cybersecurity strategy.

To transition from ISO 27001:2002 compliance to fulfilling the requirements of the Digital Operational Resilience Act (DORA), the company will need to address several significant differences and enhancements.

Here are the main areas of focus with corresponding DORA article references:

ICT Risk Management and Governance (Article 5, 6, 9)

Enhanced ICT Risk Management: DORA requires a comprehensive ICT risk management framework that includes continuous risk assessments, detailed mapping of ICT systems, identification of critical assets and dependencies, and documentation of these dependencies
Board Accountability: Unlike ISO 27001, DORA mandates that the management body (e.g., board members and senior managers) must be actively involved in defining and executing ICT risk management strategies. They are also required to stay updated on the ICT risk landscape and can be held personally accountable for compliance failures.
How Spirity can help: Our Cynomi Virtual CISO Platform offers continuous assessment of your client's cybersecurity and compliance posture. This includes automated security assessments, vulnerability and exploit gap analysis, and the creation of tailored security policies. Our dashboard provides real-time gap analysis and prioritized remediation plans, ensuring that your clients stay ahead of potential risks.

Incident Response and Reporting (Article 15, 16)

Structured Incident Management: DORA imposes specific requirements for logging, classifying, and reporting ICT-related incidents. Entities must submit initial, intermediate, and final reports for major incidents. The criteria for classifying and reporting incidents are clearly defined to ensure uniformity across the financial sector.

Centralized Reporting: The establishment of a central hub and common templates for incident reporting is encouraged to streamline processes and improve efficiency.

How Spirity can help: Our Incident Response Retainer services include forensic examination, log review, and email analysis to identify and mitigate threats quickly. We also support clients with real-time alerts and notifications for any critical incidents.

Digital Operational Resilience Testing (Article 22, 23)

Regular and Advanced Testing: DORA requires entities to conduct regular testing of their ICT systems. This includes basic annual vulnerability assessments and advanced threat-led penetration tests every three years for critical systems.

Regulatory Validation: The results of these tests, along with plans to address identified vulnerabilities, must be reported to and validated by competent authorities.

How Spirity can help: Spirity provides regular testing of ICT systems through vulnerability assessments, scenario-based testing, and advanced threat-led penetration tests (TLPT). Our tests are designed to uncover vulnerabilities and validate the strength of security measures.

Third-Party Risk Management (Article 28, 30)

Detailed Oversight: Financial entities must actively manage ICT third-party risks. This involves ensuring that contracts with third-party providers include specific provisions for exit strategies, audits, and performance targets related to security and availability. An updated register of third-party service providers must be maintained.

Direct Supervision of Critical Providers: Critical ICT providers will be supervised directly by lead overseers from the European Supervisory Authorities (ESAs). These overseers can enforce compliance and impose penalties for non-compliance.

How Spirity can help: Our Supply Chain Defense Platform enables comprehensive third-party risk management by providing detailed oversight of third-party service providers. We help your clients manage third-party risks by providing continuous assessments, maintaining updated registers, and ensuring all third-party relationships comply with DORA requirements. Our platform integrates seamlessly with other systems to provide a holistic view of third-party risks.

Information Sharing (Article 40)

Encouraged Information Sharing: While DORA encourages the sharing of information and intelligence on cyber threats among entities, it is not a mandatory requirement. This is intended to foster a collaborative approach to managing ICT risks across the financial sector.

How Spirity can help: While information sharing is encouraged, under our Incident Response Retainer service, we provide tools that facilitate secure and effective sharing of intelligence on cyber threats among entities. Our platform supports collaboration and secure data exchange.

Compliance and Enforcement (Article 34, 35, 36)

Regulatory Oversight and Penalties: Enforcement of DORA will be handled by designated regulators in each EU member state. These regulators have the authority to impose administrative and criminal penalties for non-compliance. The ESAs will supervise critical ICT providers and can levy fines based on their turnover.

How Spirity can help: (Spirity cannot help you at this stage, this is already too late… :)