The Digital Operational Resilience Act (DORA) compliance deadline has passed, yet many organizations continue to struggle with meeting its requirements—leaving them vulnerable to fines and increased scrutiny from EU regulators. This webinar explored how ISO/IEC 27034 can support DORA compliance and enhance regulatory readiness. It also addressed why ISO/IEC 27034 remains underutilized, how organizations can unlock its full potential, and the role of certification in strengthening security postures.
In the article below, the speaker, Bevan Lane, addressed some questions regarding the topic.
Q: Related to ISO/IEC 27034, during the webinar, you mentioned the fact that we should “Do it properly once and re-use.” Isn’t this statement a “threat” to continual improvement?
A: Yes, it’s what I said during the webinar, as I knew that would need to be addressed. It’s about creating the most secure/efficient version and then only having to tweak it when you do your regular reviews, rather than creating new code each time, which could carry more risk of new issues being found in the code.
Q: Will DORA be extended beyond the financial sector in the near future? Is there any capital worth threshold for what can be considered “critical”?
A: No, there are no plans to extend it beyond the financial sector and key ICT providers (it is sometimes forgotten that it includes them). A critical system is defined as a system whose disruption could significantly impact a financial institution’s financial performance, stability, or the continuity of its services and operations. This means values can be different, but their importance is aligned with this.
Q: Is DORA legally binding? Are there deadlines? What are the penalties for non-compliance?
A: Yes, it’s legally binding across the EU. The deadline was January 17th, 2025. Non-compliance with the EU’s Digital Operational Resilience Act (DORA) can result in significant penalties, including fines of up to 2% of total annual worldwide turnover, or 1% of average daily turnover, and in some cases, fines up to €5 million for critical third-party ICT providers.
Q: Is Incident Identification part of Risk Management or Incident Reporting in the context of being proactive?
A: Yes, both aspects are a critical part of DORA and incident response in general. Risk Management is the umbrella for all areas of how you achieve these goals, and incident identification is part of incident management, which includes incident reporting as an area.
Q: When a bank asks for a DORA assessment, should the bank do it as one organization or ask all the suppliers who developed the system to provide an audit of each system they deployed?
A: The bank needs to do it as one organization, but it must identify all the critical ICT providers and ensure that they are part of the review and assessment.
Q: We have developed a Blockchain platform for the seafood supply chain between Tunisia and Sicily within a cross-border program. Given that we are diagnosed as a vulnerable entity to cyber-attacks, how can we apply DORA (Digital Operational Resilience Act) or at least ISO/IEC 27034 to ensure the credibility and transparency of seafood auctions while enhancing cybersecurity resilience?
A: Applying the pillars of DORA will make your operations more resilient and less vulnerable to attacks. Using ISO/IEC 27034 to develop and maintain secure applications will help you be more secure and, therefore, resilient so that the seafood auctions can withstand attacks and operate more efficiently as well as recover quicker.
Q: With this explanation in mind, how does information sharing differ from incident reporting?
A: Information sharing can be in many forms; you can share information across industries about unsuccessful and successful attacks in a wider context than incident reporting, and generally, the information is shared in a limited manner, excluding specific confidential details but giving enough information to help the other parties.
Q: What recommendations would you give to an organization that is a non-critical ICT provider but wants to prove compliance with DORA in Europe?
A: IT and cyber resilience are growing in importance, and there is always value in using the pillars no matter what type of company/industry, as you can protect yourself and improve identification and recovery processes. First, look at the pillars and work out how to apply them and then how to improve them to make you more resilient.
Q: What are the comparative advantages of DORA over other ISO standards?
A: The advantages of DORA are like many other laws and regulations: they are more specific than most ISO standards, and the specific tests relate to proving how you have applied the controls and how resilient to attacks you are. However, DORA is not as wide-ranging as ISO/IEC 27001, so you may miss critical security areas that are not referred to in DORA.
Q: ICT Risk Management is tightly related to third-party risk management; why are they separate?
A: Because many companies focus strongly on internal risk management and not as well on third parties. The strong reliance on third parties, together with the number of significant breaches due to third parties over the last 5 years, shows that this area is often not managed effectively.
Q: If a financial company is PCI DSS certified in addition to ISO/IEC 27001, how much more effort is required to be certified with DORA?
A: If a financial company is already certified under PCI DSS and ISO/IEC 27001, much of the groundwork for DORA compliance is already in place. The mapping suggests that you are close, and PCI DSS adds further alignment. However, achieving full compliance will require a thorough review of your controls to ensure they meet DORA’s specific requirements.
DORA emphasizes continuous security testing and ongoing risk management, which may exceed the practices implemented for PCI DSS and ISO/IEC 27001. The key is to assess and adjust your existing frameworks to ensure they align with DORA’s regulatory expectations.
Q: Supposing a financial service company in the EU has a branch in Latin America; for example, if my company provides services to that branch in Latin America, is my company reached by DORA?
A: In most cases, your company would be outside of the direct brief of DORA, but it may be classified as a critical service provider, and then you would fall under it. We have received requests from companies across the globe who are looking at whether their relationships could be identified as critical.
Q: DORA is focusing on the financial sector. What is done with respect to other sectors being critical for our society?
A: Other standards such as PCI-DSS, GDPR, NIS2, and a multitude of standards in various industries (shipping, automotive, etc.) exist, and ISO/IEC 27001:2022 has focused more on ICT resilience.
Q: What is your opinion on DORA – Implementing and delegating acts?
A: Yes, these are additional documents with more information on specific areas and seem to be more developed, so this will give additional details to align with what the standard wants. On the whole, they seem to make sense and are positive, but there may be areas where they may be asking for things that are more than you are currently doing, so they will need to be reviewed carefully.
Q: How do the incident notification rules of DORA interconnect with NIS2?
A: Most of the key standards have similar processes around the rules, with differences about where to report and timelines. As soon as an NIS2 entity is reasonably aware that it is facing a significant incident, it must notify the national CSIRT (the CCB). An online search summarises the differences as follows: NIS2 has stricter timelines for reporting cybersecurity incidents, emphasizing timely and efficient communication across sectors. In contrast, DORA focuses more on standardizing how incidents affecting financial systems are responded to and reported.
Q: Will DORA supersede the ISO/IEC 27001 series in the future?
A: No, being a law that is only for a part of the industries (financial sector), it’s very specific, and ISO is a framework with a much wider range. So this is very unlikely and doesn’t make sense to do. They can work together.
Q: Any key advice for compliance managers who would like to create genuine interest in ISO/IEC 27034 in their already overworked development teams? What’s the right entry point?
A: My advice is to find aspects of the standards that can help the developers/application people and sell the concepts aligned with other standards like OWASP to create a clear, practical approach and then see how you can add these areas into your development program and ISO/IEC 27001 framework if it’s being followed.
Q: DORA requires a digital resilience strategy. Could we build a document explaining how business activity, incident management, ICT third party, and ICT risk are managed by referencing related policies?
A: Yes, that’s a great idea. For other compliance services, we have often created one document with links to a few key policies that cover most of the requirements.
Q: Is DORA to finance what HIPAA is to the health sector?
A: Finance has so many requirements and regulatory requirements, so I think DORA is partially that as GDPR and many other similar regulations cover other parts of what HIPAA has as well.
Q: Concerning the third DORA pillar. I have worked with companies that test to tick a box and not to test if they are resilient. What are the financial implications should all go wrong and the company cannot recover its system or processes as stipulated on its test reports?
A: As above. Non-compliance with the EU’s Digital Operational Resilience Act (DORA) can result in significant penalties, including fines of up to 2% of total annual worldwide turnover, or 1% of average daily turnover, and in some cases, fines up to €5 million for critical third-party ICT providers.
Q: What is the difference between information sharing and information reporting?
A: Information sharing can be in many forms; you can share information across industries about unsuccessful and successful attacks in a wider context than incident reporting, and generally, the information is shared in a limited manner, excluding specific confidential details but giving enough information to help the other parties.
Q: From a data privacy perspective, what should we focus on when performing a third-party risk assessment?
A: There is a lot of guidance from GDPR controller/processor requirements, and ISO/IEC 27701 has a list of controls related to this, but basically, they have privacy policies/frameworks in place and meet those requirements in a secure manner.
Q: Is part 2 not about the application security governance and management of all of an organization’s applications, to make sure that all of them have their own targeted level of trust and reach it with their actual level of trust?
A: Yes, it’s summarized similarly to this, and that’s correct in terms of it
Q: Does DORA apply if a South American bank has a correspondent banking relationship with a European bank?
A: Not in general, but they might expect aspects of this to be applied and, in many cases, more requirements.
Q: As a Central Bank in Africa, should we be concerned about DORA? If yes, what can we start doing? Where do we start?
A: Not in general, but it would be great to apply aspects or all of this, if possible, to improve how you do things.
Q: Can a bank in Europe get certified in ISO/IEC 27001 and DORA at the same time?
A: Yes, you can do it together, and the current best practices of compliance suggest we have a framework that links to all our critical compliance requirements.
Q: If we are a Business Unit of a Consultancy Company and we are an ICT Supplier, does DORA apply only to the Business Unit or to all organizations? The Business Unit, legally, is an independent company.
A: Generally, the focus is on the business unit, especially if it’s an independent company. However, there may be linked components you should consider.
Q: I see Article 15 in DORA is not mapped to any of the ISO/IEC 27000 family of standards’ controls. What is this article about?
A: Article 15 refers to the further harmonization of ICT risk management tools, methods, processes, and policies and mandates that the regulators must further define details on this. It’s something that the companies must then abide by.
Specifically, the ESAs shall, through the Joint Committee, in consultation with the European Union Agency for Cybersecurity (ENISA), develop common draft regulatory technical standards (further detail in DORA).
Q: Does ISO/IEC 27034 address the use and impact of AI in application security?
A: The new versions of ISO/IEC 27034 mention it briefly but are linked to ISO/IEC 42001 and other AI frameworks, EU AI Act, NIST, etc.
Q: What examples of good practices have you seen in the industry that could be applicable to our organization?
A: That’s a very wide question. The answers above refer to a wide variety of good practices: OWASP, NIST, ISO/IEC 42001, and the ISO/IEC 27000 family.
Q: Regarding Information Sharing: Some incidents or events may be small or irrelevant. Different organizations may also have different drivers. Is there further detail in DORA on what should be shared and what is not relevant to share?
A: No, but they generally ask you to consider best-practice frameworks like the NIST Cybersecurity Framework and ISO/IEC 27001 and give small details in the regulations to get you started.
Q: Is there a difference between the trust pyramid on DORA and other ISO/IEC 27034 versions?
A: Yes, they are specific to different areas but have similarities too.
Q: How does ISO/IEC 27034 relate to ISA/IEC 62443? Could ISO/IEC 27034 be applied to achieve ISA/IEC 62443 objectives?
A: Yes, OT requirements would be a component of this. They are very important in terms of resilience, and if financial services use them, they should understand how to apply resilience to them.
Q: ISO/IEC 27034 Application Security Control requires controls that include its own unit-test (verification-measurement) activity. Is it not a best security practice to include a unit test for each control to verify them and make sure it was correctly implemented and is working as expected?
A: Where possible, it can help, but some of the controls might not align with unit testing. Apply where practical.
Q: Can we relate the CIA requirements of ICT assets used to define their criticality according to DORA to the levels of trust referred to in this ISO?
A: Yes, you can merge the two approaches and come up with a trust rating that uses the CIA.
Q: How can the impact of a programmer’s inexperience in implementing ISO/IEC 27034 be mitigated without significantly increasing costs and going over budget?
A: Through practical training and by having champions who understand the standard, who give advice, review the work, and manage the inexperienced programmer.
Q: What factors influence the identification of critical or important nodes in the DORA framework?
A: Start with functions that have been identified under existing regulatory frameworks, as applicable.
Consider (other) functions that meet the broad DORA definition, i.e., functions that, if disrupted, would materially affect:
- The financial performance of the financial institution
- The quality of its services and activities
- Its ability to comply with regulatory obligations
Identify the ICT services that support those critical or important functions.
Consider the application of proportionality: the proportionality principle prescribes the implementation of DORA by taking into account the institution’s size, risk profile, and the complexity of its services, activities, and operations. This gives a proportionality-based categorization of ICT services supporting a critical or important function.
Q: How does DORA compare with other regulations like NIS2 or GDPR?
A: DORA has similarities with NIS2 and some overlap with privacy controls with GDPR. There are mapping tools showing the overlap and differences between the standards. NIS2 is more product-related and GDPR has many additional areas wider than resilience and security.
Q: What are the key challenges organizations face when implementing DORA’s ICT risk management framework?
A: Organizations implementing DORA’s ICT risk management framework face challenges including understanding the regulatory approach, adapting governance, raising management awareness, and ensuring proper information sharing and testing of resilience capabilities.
Q: What are the next steps organizations should take to prepare for full DORA implementation?
A: Undertake a gap analysis against the requirements, understand the gaps and what this means in terms of a practical approach, and understand how best to integrate this into the existing approach to compliance.