DORA Financial Resilience

security + integrated continuity — preparation for ISO/IEC 27001 & ISO 22301

Methodology – PECB IMS2

(Integrated Implementation Methodology for Management Systems and Standards)

Objective

Build comprehensive resilience for financial institutions by integrating an ISMS (ISO/IEC 27001) and a BCMS (ISO 22301) to meet DORA requirements (ICT risk, incidents/notification, third-party ICT, resilience testing) through operational, proven, and tested measures, and structured preparation for audits and inspections.

1) Expected results (deliverable commitment)

At the end of the assignment, you will have :

An operational ISMS (ISO/IEC 27001) : governance, risks, controls, evidence, internal audits, continuous improvement.
An operational BCMS (ISO 22301) : BIA, continuity strategy, DRP/BCP, crisis management organization, drills.
A demonstrable DORA framework : ICT risk governance, incidents & notification, third-party ICT providers, resilience testing program.
Integrated governance of security + continuity + DORA : roles, committees, RACI, KPIs, reporting, and decision-making.
Mapping of critical services and dependencies (IT systems, business units, ICT service providers), including criticality, DRP/BCP, and priorities.
Unified risk management : IS risks (27001) + continuity risks (22301) + ICT risks (DORA), with response plans.
Incident and crisis playbooks : classification, response, escalation, communication, coordination, traceability.
A third-party ICT reference framework : inventory, criticality, due diligence, minimum clauses, monitoring of critical service providers.
A resilience testing program : strategy, scenarios, execution, reports, tracking of remediation.
A single evidence plan and a consolidated evidence pack (procedures + records + audit reports + exercise reports).
A readiness assessment : DORA controls/assessments + preparation for ISO/IEC 27001 and ISO 22301 audits, with a corrective action plan.

2) Scope (what the offer covers)

2.1 Scope of “ISMS ISO/IEC 27001”

Governance : leadership, roles, policies, objectives, KPIs.
ICT risk management : methodology, registers, processes, acceptance.
Statement of Applicability (SoA) : selected controls/justification.
Key measures : IAM, logging, vulnerabilities, backups, hardening, operational security.
Third-party/supply chain management : requirements, assessment, clauses, monitoring.
Incident management : response, escalation, post-mortem.
Internal audit, management review, continuous improvement.

2.2 Scope of “BCMS ISO 22301”

Definition of the continuity scope (services, sites, teams, service providers).
BIA : impacts, priorities, RTO/RPO, critical dependencies.
Continuity strategy : options, target organization, recovery capabilities.
Plans : DRP/BCP, crisis management, communication, recovery procedures.
Exercises : DRP tests, simulations, LL, improvement.
Steering and continuous improvement (reviews, KPIs, updates).

2.3 Scope of “DORA Compliance” (integrated)

ICT Risk Governance : policies, responsibilities, reporting, KPIs.
ICT Incident management & notification : classification, playbooks, traceability, reporting capabilities.
ICT third-party management : mapping, criticality, due diligence, contracting, monitoring.
Resilience testing program : strategy, scenarios, execution, remediation, lessons learned.
Evidence & audit readiness : records, reports, metrics.

The approach : DORA defines financial requirements, ISO 27001 structures cybersecurity, and ISO 22301 structures business continuity. Together, these produce evidence and tested controls.

3) Implementation Process (PECB IMS2 aligned with DORA + ISO/IEC 27001 + ISO 22301)

Phase 1 — Define & establish

Objective : define the scope of finance, implement integrated governance, and establish the foundation for risk, business continuity, and evidence.

Activities :

Leadership & approval : sponsor, project governance, objectives, milestones.
DORA Scope : critical services, entities, systems, ICT service providers, dependencies.
Roles & responsibilities : RACI (ICT Risk, CISO, BCM, IT ops, procurement, legal, business units).
Initial mapping : critical services, assets, workflows, third parties, criticality.
Evidence strategy : Evidence Pack Structure (DORA + 27001 + 22301).
Risk methods : ISO 27001 + continuity (22301) + IT risk framework (DORA).
BIA launch : methodology, interview schedule, data to be collected.
ISO/IEC 27001 SoA (v1) and initial documentation base (policies, standards).

Phase 1 Deliverables

Project charter + governance + RACI
DORA scope + initial mapping (v1)
Risk methodology + registers (v1)
BIA work plan (framework + schedule)
ISO/IEC 27001 SoA (v1)
Project plan + evidence plan (structure)

Phase 2 — Implement & operate

Objective : deploy DORA processes, establish business continuity, and launch security operations with evidence collection.

Activities :

Comprehensive BIA : impacts, priorities, RTO/RPO, dependencies.
Continuity strategy : scenarios, options, target organization.
DRP/BCP plans : recovery procedures, success criteria, testing.
ICT incidents : classification, playbooks, escalation, notification capabilities, traceability.
ICT third parties : inventory, criticality, due diligence, clauses, monitoring of critical service providers.
Resilience tests : strategy, scenarios, planning, tracking of remediation.
Support controls (ISO 27001) : access, logs, vulnerabilities, changes, backups, operational security.
Establishment of records : reports, tickets, reviews, evidence.

Phase 2 Deliverables

BIA (report) + RTO/RPO + dependencies
Continuity strategy + DRP/BCP (v1)
ICT incident playbooks + notification/reporting templates
ICT third-party repository (register, criticality, due diligence, clauses, monitoring)
Testing strategy + test plan + scenarios + success criteria
Evidence catalog + record templates

Phase 3 — Monitor & review

Objective : demonstrate effectiveness through KPIs, internal audits, and resilience testing exercises.

Activities :

Monitoring & KPIs : incidents, third parties, tests, vulnerabilities, availability, actions.
DORA-oriented ISO 27001 internal audit + consistency and continuity.
Exercises : tabletop (major incident + notification), DRP/BCP test, crisis exercise.
Executive review : decisions, trade-offs, resources, improvement plan.

Phase 3 Deliverables

KPI dashboard + review reports
Internal audit reports + action plan
Exercise reports (table-top / DRP / crisis) + LL
Update of SoA, risks, plans, evidence

Phase 4 — Maintain & improve

Objective : close gaps, consolidate evidence, and finalize preparations for inspections/audits.

Activities :

Corrective actions : non-conformities, effectiveness verification.
DORA readiness : assessment simulation, evidence pack review, last-mile checks.
ISO readiness : preparation for ISO/IEC 27001 & ISO 22301 audits, if required.
Sustainability : audit schedule, reviews, recurring tests, continuous improvement.

Phase 4 Deliverables

Non-conformity register + corrective actions + closure evidence
“DORA Readiness” package : final evidence file + assessment checklist
“ISO Readiness” package : audit walkthrough plan + checklist (27001 + 22301)

4) “Tests & evidence” component (integrated as work progresses)

4.1 Test workshops

Definition of scenarios (major incident, service provider outage, system failure, cyberattack).
Success criteria (RTO/RPO), responsibilities, communications.
Collection and consolidation of reports (evidence) and tracking of corrective actions.

4.2 Test deliverables

Test Plan (DRP/BCP + Crisis Drills/Notification)
Test Reports + Lessons Learned + Improvement Plan

5) Project organization

Workshops (typical)

Kick-off + DORA Scope definition
Workshops on mapping critical services, dependencies, and third parties
Risks workshops on + ISO/IEC 27001 SoA
BIA workshops + continuity strategy
DRP/BCP workshops + crisis management + communication
ICT workshops incidents & notification (playbooks + testing)
ICT third parties workshops (due diligence + contract clauses + monitoring)
Strategy & testing plan workshop
Internal audit + management review + readiness

Client-side roles (minimum)

Sponsor (management)
ICT Risk officer / CISO (owner)
Business Continuity officer (BCM owner)
IT Operations / Production officer
Procurement / Vendor management officer (third parties)
Legal / Compliance officer
Business unit officer (critical services)

6) Duration (to be adjusted based on the scope)

Standard : 12 to 20 weeks, depending on maturity, the number of critical vendors, and the complexity of the DRP/BCP.
Extended : 20+ weeks if there are multiple entities, a heterogeneous IT infrastructure, or significant vendor dependencies.

7) What drives value (certification + compliance)

Demonstrable resilience : security + continuity + DORA, tested and proven.
Audit readiness : evidence pack ready, structured reporting, traceability.
Sustainable management : ISO 27001/22301 provide auditing, measurement, and continuous improvement.
Reduced business impact : improved service continuity and crisis management.

8) Options

“Regulatory compliance” package : compliance simulation + major incident response + communication + lessons learned.
“Critical service provider due diligence” package : third-party audits, remediation plans.
“Penetration testing & remediation” package : penetration testing + remediation + evidence.
“Scale” package : expansion to other entities / departments / subsidiaries.