How does DORA differ to ISO 27001?

Thursday, 5 September, 2024

DORA’s backpack

Gain an understanding of your DORA compliance by taking our DORA Readiness Quiz.

The EU Digital Operational Resilience Act, commonly known as DORA, will come into force in just a few short months, so organisations within scope will have to be prepared before January 2025.

As we discussed last week, this new act will require compliance from organisations operating in or supplying critical services to the financial services sector in the EU.

But what’s all the fuss about, “isn’t DORA just another ISO?"

In short, no.

DORA vs ISO 27001

DORA is more detailed in content and more stringent in requirement, and also demands a more collaborative approach between entities in the financial sector. The new act calls for enhanced cyber risk management beyond the standards set out in ISO 27001.

ISO 27001 focuses on establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

DORA goes above and beyond this, introducing a particular focus on operational resilience and adding specific requirements tailored to the financial sector’s needs.

These include detailed risk assessments, mandatory incident reporting, comprehensive resilience testing, rigorous third-party management, active information sharing, and heightened regulatory engagement.

While DORA expects additional cyber maturity from organisations within its scope, we believe the requirements are realistic and achievable. It’s a logical evolution of operational resilience, which is necessary to protect a sector that has been transformed by technology in recent years.

Where may DORA need you to make changes to your security programme?

Here are the parts of DORA that specifically require more detail or go beyond the requirements of ISO 27001.

Detailed Risk Assessment and Management

ISO 27001: Requires risk assessment and treatment.
DORA: Mandates detailed and continuous cyber risk assessments, including the specific impact on critical functions and services.

Risk Management Governance Frameworks

ISO 27001: Requires risk management.
DORA: Requires financial entities to establish robust governance frameworks dedicated to cyber risk management, directly involving the board and senior management.

Mandatory Incident Reporting

ISO 27001: Does not prescribe detailed reporting requirements to authorities.
DORA: Has specific requirements for reporting significant cyber-related incidents to regulatory authorities within a tight timeframe.

Incident Classification and Reporting Details

ISO 27001: General incident management processes.
DORA: Specifies detailed requirements on the classification of incidents, the content of reports, and the processes for notifying authorities are specified.

Comprehensive Testing Programmes

ISO 27001: Periodic testing recommended.
DORA: Requires continuous and rigorous testing of technology systems, including vulnerability assessments, penetration testing, and scenario-based testing, which must be comprehensive and frequent.

Independent Assessment

ISO 27001: Audit requirements and independent reviews.
DORA: A greater level of scrutiny, requires third-party assessments in some cases to ensure objectivity.

Third-Party Due Diligence and Monitoring

ISO 27001: Covers supplier relationships but does not prescribe the same level of scrutiny.
DORA: Demands detailed due diligence processes when selecting and monitoring third-party technology service providers, requiring financial entities to ensure that third parties adhere to high standards of cyber risk management.

Third-Party Contractual Requirements

ISO 27001: General guidance on supplier agreements.
DORA: Requires specific contractual provisions to manage cyber risks and ensure service continuity must be included.

ISO 27001: Discretionary based on the expectations of interested parties and own communication decisions.
DORA: Encourages financial entities to actively share information on cyber threats and vulnerabilities within their sector, fostering a collaborative approach to cybersecurity.

ISO 27001: Covers general information transfer procedures and rules.
DORA: Emphasises the need for measures to ensure the confidentiality of shared information, promoting a structured approach to information sharing that goes beyond the ISO 27001 framework.

Regulatory Engagement

ISO 27001: Individual determination of supervisory authority requirements.
DORA: Introduces specific requirements for ongoing engagement with regulatory authorities, including detailed reporting, periodic reviews, and regulatory audits.

The new, more demanding standards set out by the new DORA act will require additional actions for businesses connected to the financial sector. If you’re up to date with your ISO 27001 certification or compliance, it’s possible you could satisfy a DORA auditor with just a few simple adjustments. We can help you understand what level of maturity is required from your organisation, where the gaps are, and how to get to where you need to be.