DORA Compliance

ICT resilience supported by ISO/IEC 27001 compliance

Methodology – PECB IMS2

(Integrated Implementation Methodology for Management Systems and Standards)

Objective

Build an operational and demonstrable DORA framework (ICT risk governance, incident management/reporting, ICT vendor management, resilience testing program) structured around the ISO/IEC 27001 ISMS framework (steering, risks, controls, evidence, continuous improvement), in order to be prepared for audits and assessments.
1) Expected results (deliverable commitment)
At the end of the assignment, you will have:
  • An ICT risk governance framework: responsibilities, committees, policies, objectives, KPIs, and reporting.
  • A mapping of the ICT scope (critical services, assets, dependencies, suppliers) and associated criticality levels.
  • A comprehensive ICT incident management system: classification, response playbooks, escalation, traceability, and notification capabilities.
  • An ICT third-party reference framework: inventory, criticality, due diligence, minimum clauses, monitoring, and action plans for critical suppliers.
  • An ICT resilience testing program: strategy, scenarios, planning, execution, and tracking of remediation.
  • An evidence pack to demonstrate DORA operationality: procedures, records, reports, and KPIs.
  • An ISO/IEC 27001 roadmap: ISMS governance, risk analysis, SoA, internal audits, and continuous improvement, used as a framework for management and evidence.
  • A readiness assessment with a list of gaps, a remediation plan, and prioritization.
2) Scope (what the offer covers)
2.1 Scope of “DORA Compliance” (ICT Resilience)
  • ICT risk governance and management: policy, responsibilities, reporting, KPIs.
  • ICT risk management: identification, analysis, mitigation, monitoring.
  • ICT incident management & notification: classification, response, escalation, communication, reporting.
  • ICT vendor management: mapping, criticality, due diligence, contracting, monitoring.
  • Resilience testing: strategy, scenarios, testing, tracking of remediation, lessons learned.
  • Evidence & audit preparation: records, reports, dashboards.
2.2 Scope of the “ISO/IEC 27001 Roadmap” (management framework)
  • ISMS governance: scope, objectives, KPIs, oversight.
  • ISO 27001 risk analysis: methodology, register, treatment plan.
  • Statement of Applicability (SoA): selected controls and justification.
  • Document management: policies/procedures/records.
  • Internal audit and management review: verification, decisions, continuous improvement.

The approach: DORA establishes ICT resilience requirements, and ISO 27001 provides the management and evidence framework (risks, controls, audit, improvement) to make the system sustainable and verifiable.

3) Implementation Process (PECB IMS2 aligned with ISO/IEC 42001)
Phase 1 — Define & establish

Objective: define the scope of DORA, establish ICT risk governance, and build the risk and evidence framework in accordance with ISO 27001.

Activities:
  1. Leadership & approval: sponsor, project governance, objectives, milestones.
  2. DORA scope: ICT services covered, dependencies, subsidiaries, suppliers.
  3. Roles & responsibilities: RACI (ICT risk, IT ops, security, procurement, legal, business units).
  4. Initial ICT mapping: critical assets/services, dependencies, third parties, criticality.
  5. Risk methodology: integration of ICT risks (DORA) + ISO 27001.
  6. Core policies: ICT risk policy, incident and third-party principles.
  7. Evidence strategy: DORA evidence pack structure + document repository.
  8. ISO 27001 SoA (v1): initial structural controls aligned with DORA requirements.

Phase 1 Deliverables
  • Project charter + governance + RACI
  • DORA scope + ICT mapping (v1)
  • Risk methodology + risk register (v1)
  • Policies (v1): ICT risk / incidents / third parties
  • ISO 27001 SoA (v1)
  • Project plan + evidence plan (structure)

Phase 2 — Implement & operate

Objective: deploy DORA processes (incidents, third parties, testing) and begin collecting evidence.

Activities:
  1. ICT risk governance: KPIs, reporting, periodic reviews, committee.
  2. ICT incidents: classification, playbooks, escalation, traceability, reporting capabilities.
  3. ICT third parties: comprehensive inventory, criticality, due diligence, clauses, monitoring of critical suppliers.
  4. Resilience testing: strategy, scenarios, test plan, tracking of remediation.
  5. Support controls (ISO 27001): access, logs, vulnerabilities, changes, backups, operational security.
  6. Establishment of records: reports, tickets, reviews, proof of execution.

Phase 2 Deliverables
  • ICT risk governance framework (KPIs + reporting + review schedule)
  • Incident & notification procedures + playbooks + report templates
  • ICT third-party repository: registry, criticality, due diligence grid, minimum clauses, monitoring plan
  • Testing strategy + test plan + scenarios + success criteria
  • Evidence catalog + record templates
  • ISO 27001 roadmap (DORA-aligned)

Phase 3 — Monitor & review

Objective: demonstrate system management, test the system, and prepare for an evaluation.

Activities:
  1. Monitoring & KPIs: incidents, third parties, tests, vulnerabilities, availability, actions.
  2. ISO 27001 internal audit focused on DORA requirements: plan, checklists, findings.
  3. Executive review: decisions, trade-offs, residual risks, budgets, priorities.

Phase 3 Deliverables
  • KPI dashboard + review reports
  • Internal audit report + remediation plan
  • Executive review report + decisions + action plan
  • Update of SoA, risks, evidence

Phase 4 — Maintain & improve

Objective: close gaps, consolidate evidence, and finalize preparations for audits and assessments.

Activities:
  1. Non-conformity resolution: corrective actions, verification of effectiveness.
  2. DORA readiness: assessment simulation, evidence pack review, final preparations.
  3. Sustainability: internal audit schedule, reviews, recurring tests, continuous improvement.

Phase 4 Deliverables
  • Non-conformity log + corrective actions + closure evidence
  • “DORA Readiness” package: final evidence file + assessment checklist
  • “ISO 27001 Readiness” package (if desired): final Statement of Applicability (SoA) + audit plan + schedule
4) “Evaluations & Tests” section (integrated throughout the assignment)
4.1 Evidence & testing workshops
  • Definition of expected evidence (incidents, third parties, tests, reporting).
  • Definition of test scenarios, success criteria, and organization.
  • Collection and consolidation of reports (evidence) and tracking of corrective actions.
4.2 Deliverables, proofs, and tests
  • Evidence catalog (owner, frequency, location)
  • Test reports + lessons learned (LL) + improvement plan
5) Project organization
Workshops (typical)
  • Kick-off + scope definition for DORA
  • Workshops on ICT mapping, criticality, and dependencies
  • ICT risk governance workshop (KPIs, reporting, timeline)
  • Incident & notification workshop (playbooks + templates)
  • ICT third-party workshop (due diligence + contract clauses + monitoring)
  • Resilience testing strategy & plan workshop
  • Risks & ISO 27001 SoA workshop
  • Internal audit + management review + readiness
Client-side roles (minimum)
  • Sponsor (management)
  • ICT Risk officer / CISO (owner)
  • IT Operations / Production lead
  • Procurement / Vendor management lead (third parties)
  • Legal / Compliance lead
  • Business unit lead (critical services)
6) Duration (to be adjusted based on the scope)
  • Standard: 8 to 14 weeks, depending on maturity and the number of critical vendors.
  • Extended: 14+ weeks if the scope includes multiple subsidiaries, a heterogeneous IT estate, or significant reliance on vendors.
7) What determines value (compliance + ISO trajectory)
  • Demonstrable ICT resilience: incident management, third-party oversight, and operational testing + supporting evidence.
  • Audit readiness: evidence pack prepared, structured reporting, traceability.
  • Sustainable management: ISO 27001 provides a framework for risks, controls, audits, and continuous improvement.
  • Reduced operational risk: improved management of incidents and critical service providers.
8) Options
  • “Crisis drill & notification” package: major incident simulation + test reporting + lessons learned (LL).
  • “Critical supplier due diligence” package: third-party audits, security reviews, remediation plans.
  • “Penetration testing & remediation” package: penetration testing + fixes + evidence.
  • “Scale” package: expansion to other entities / scopes / ICT services.