DORA vs ISO 27001: How They Compare and Work Together
Financial entities often ask whether their existing ISO 27001 certification helps with DORA compliance. The short answer is yes: ISO 27001 provides a strong foundation, but it does not guarantee DORA compliance on its own.
Understanding where these frameworks overlap and differ enables efficient compliance planning, avoiding duplicate effort while addressing DORA-specific requirements.
Key Takeaways
| Point | Summary |
|---|---|
| Strong overlap | Approximately 60-70% of controls overlap |
| Different types | DORA is mandatory regulation; ISO 27001 is voluntary certification |
| Foundation value | ISO 27001 provides an excellent foundation for DORA compliance |
| Gaps to address | DORA has specific requirements beyond ISO 27001, particularly incident reporting timelines and TLPT |
| Both valuable | Many entities pursue both for comprehensive compliance |
Quick Answer: ISO 27001 certification provides substantial coverage of DORA requirements, particularly in ICT risk management, access control, and business continuity. However, DORA has specific requirements that go beyond ISO 27001, including detailed incident reporting timelines (4-hour/24-hour/72-hour/1-month), the Register of Information for third parties, mandatory threat-led penetration testing (TLPT) for designated entities, and explicit management body accountability. Organizations should leverage ISO 27001 as a foundation while addressing DORA-specific gaps.
Framework Comparison
| Aspect | DORA | ISO 27001 |
|---|---|---|
| Type | EU Regulation | International Standard |
| Sector | Financial services | Any organization |
| Legal status | Mandatory law | Voluntary certification |
| Enforcement | Regulatory penalties | Loss of certification |
| Focus | Digital operational resilience | Information security management |
| Updates | Regulatory amendments | Standard revisions |
Control Mapping Overview
High Overlap Areas
These DORA requirements map well to ISO 27001:
| DORA Requirement | ISO 27001 Coverage |
|---|---|
| ICT asset inventory | A.5.9 Inventory of information assets |
| Access control | A.5.15-5.18 Access control |
| Encryption | A.8.24 Use of cryptography |
| Network security | A.8.20-8.22 Network controls |
| Vulnerability management | A.8.8 Technical vulnerability management |
| Backup procedures | A.8.13 Information backup |
| Security awareness | A.6.3 Information security awareness |
| Supplier management | A.5.19-5.22 Supplier relationships |
| Incident management | A.5.24-5.28 Incident management |
| Business continuity | A.5.29-5.30 Business continuity |
Partial Overlap Areas
These areas require supplementation:
| DORA Requirement | ISO 27001 Coverage | Gap |
|---|---|---|
| Management body accountability | Clause 5 Leadership | DORA requires more explicit board training and approval |
| Third-party risk | A.5.19-5.22 | DORA has more detailed contractual requirements |
| Incident reporting | A.5.24-5.28 | DORA has specific regulatory reporting timelines |
| Testing | A.8.8 | DORA mandates TLPT for designated entities |
| Information sharing | Not directly covered | DORA encourages threat intelligence sharing |
DORA-Specific Requirements
These have limited or no ISO 27001 equivalents:
| DORA Requirement | ISO 27001 Status |
|---|---|
| 4-hour/24-hour/72-hour/1-month incident reporting timeline | Not specified |
| Register of Information | Not required |
| TLPT every 3 years | Not mandated |
| Client notification of incidents | Not specified |
| CTPP oversight compliance | Not applicable |
| Annual regulatory reporting | Not required |
Detailed Mapping
ICT Risk Management Framework
| DORA Article | ISO 27001 Mapping |
|---|---|
| Art. 5 - Governance | Clause 5.1 Leadership, A.5.1 Policies |
| Art. 6 - Framework | Clause 6 Planning, 8 Operation |
| Art. 7 - Systems and tools | A.8 Technological controls |
| Art. 8 - Identification | A.5.9-5.13 Asset management |
| Art. 9 - Protection | A.5-8 Various controls |
| Art. 10 - Detection | A.8.15-8.16 Logging and monitoring |
| Art. 11 - Response | A.5.24-5.28 Incident management |
| Art. 12 - Recovery | A.5.29-5.30 Business continuity |
Gap analysis: ISO 27001 covers most ICT risk management requirements. Key gaps include DORA's explicit management body accountability language and its specific focus on digital operational resilience.
Incident Reporting
| DORA Article | ISO 27001 Mapping |
|---|---|
| Art. 17 - Incident process | A.5.24 Incident response planning |
| Art. 18 - Classification | A.5.25 Assessment of incidents |
| Art. 19 - Reporting | A.5.26 Response to incidents |
| Art. 20 - Centralization | Not directly covered |
| Art. 23 - Significant threats | Not directly covered |
Gap analysis: ISO 27001 requires incident management but does not specify regulatory reporting timelines. DORA's 4-hour/24-hour/72-hour/1-month framework must be implemented separately.
Third-Party Risk
| DORA Article | ISO 27001 Mapping |
|---|---|
| Art. 28 - General principles | A.5.19-5.22 Supplier relationships |
| Art. 29 - Preliminary assessment | A.5.19 Supplier policy |
| Art. 30 - Contractual provisions | A.5.20 Addressing security in agreements |
| Art. 31 - Register of Information | Not required |
Gap analysis: ISO 27001 addresses supplier relationships but lacks DORA's prescriptive contractual requirements and Register of Information obligation.
Resilience Testing
| DORA Article | ISO 27001 Mapping |
|---|---|
| Art. 24 - General testing | A.8.8 Technical vulnerability management |
| Art. 25 - Testing ICT tools | A.8.29 Security testing |
| Art. 26 - TLPT | Not mandated |
| Art. 27 - TLPT testers | Not applicable |
Gap analysis: ISO 27001 supports testing activities but does not mandate the specific TLPT requirements for designated entities.
Implementation Approaches
Approach 1: ISO 27001 First
For organizations without existing certification:
| Phase | Activity |
|---|---|
| 1 | Implement ISO 27001 ISMS |
| 2 | Map ISO controls to DORA requirements |
| 3 | Address DORA-specific gaps |
| 4 | Achieve ISO 27001 certification |
| 5 | Maintain integrated compliance |
Advantages:
- Structured approach to security
- Certification provides broad market recognition
- Foundation supports DORA and other requirements
Approach 2: DORA First
For organizations prioritizing regulatory compliance:
| Phase | Activity |
|---|---|
| 1 | Implement DORA requirements |
| 2 | Document controls comprehensively |
| 3 | Extend to ISO 27001 scope |
| 4 | Pursue ISO 27001 certification |
| 5 | Maintain integrated compliance |
Advantages:
- Directly addresses regulatory obligations
- No certification timeline pressure
- Can add ISO certification later
Approach 3: Integrated Implementation
For organizations pursuing both simultaneously:
| Phase | Activity |
|---|---|
| 1 | Map all requirements (DORA + ISO 27001) |
| 2 | Design integrated control framework |
| 3 | Implement unified controls |
| 4 | Address unique requirements separately |
| 5 | Achieve certification while meeting DORA |
Advantages:
- Efficient use of resources
- Single integrated framework
- Avoids duplicate documentation
Using ISO 27001 to Support DORA
Documentation
ISO 27001 documentation can serve DORA purposes:
| ISO 27001 Document | DORA Use |
|---|---|
| ISMS policy | Foundation for ICT risk management strategy |
| Risk assessment methodology | Supports DORA risk identification |
| Statement of Applicability | Maps to DORA control requirements |
| Business continuity plan | Meets DORA continuity requirements |
| Supplier agreements | Foundation for DORA contractual updates |
Controls
ISO 27001 Annex A controls provide operational substance for DORA requirements, reducing implementation effort.
Certification Evidence
ISO 27001 certification demonstrates:
- Systematic approach to information security
- Third-party validation of controls
- Ongoing commitment to improvement
Regulators may view certification favorably when assessing DORA compliance.
Common Questions
Does ISO 27001 certification mean we are DORA compliant?
No. ISO 27001 provides substantial coverage but does not address all DORA-specific requirements. You must still implement DORA incident reporting timelines, Register of Information, and TLPT (if designated), among other requirements.
Should we get ISO 27001 certified for DORA?
ISO 27001 certification is not required for DORA compliance but provides significant benefits: a structured approach, third-party validation, and market recognition. Many financial entities pursue both.
Which should we prioritize?
For EU financial entities, DORA compliance is legally required. ISO 27001 is valuable but voluntary. If resources are limited, ensure DORA compliance first, then consider ISO 27001 certification.
How much overlap exists in practice?
Estimates vary, but approximately 60-70% of DORA requirements can be addressed through ISO 27001 controls. The remaining 30-40% requires DORA-specific implementation, particularly in incident reporting, third-party documentation, and testing.
Can the same team manage both?
Yes. The skills and processes overlap significantly. A security team managing ISO 27001 can typically extend its scope to cover DORA-specific requirements with appropriate training and resources.
How Bastion Helps
Bastion supports organizations leveraging ISO 27001 for DORA compliance:
- Gap analysis: Map existing ISO 27001 controls to DORA requirements
- Integrated implementation: Design frameworks meeting both sets of requirements
- ISO 27001 certification: Guide organizations through certification
- DORA-specific requirements: Address gaps beyond ISO 27001
- Ongoing maintenance: Maintain integrated compliance over time
Ready to align your ISO 27001 and DORA compliance? Talk to our team
Sources
- ISO/IEC 27001:2022 - Information security management systems standard
- DORA Regulation - Digital Operational Resilience Act
- ESA DORA Technical Standards - Implementation requirements
