Expert insight from Andrew Pattison
Andrew Pattison has 30 years’ experience in information security and risk management, having worked in GRC (governance, risk and compliance) since 1994. He also holds an MSc in Information Systems Management, as well as CISM® and CRISC® certifications.
Now, he’s the head of GRC consultancy at IT Governance Europe, where, among other responsibilities, he leads product development relating to DORA (Digital Operational Resilience Act), as well as the organisation’s ISO 27001 training courses.
We sat down to chat to him.
What are the key principles that underpin the DORA Regulation?
Technically, DORA has five pillars:
- Risk management
- Incident response and reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information and intelligence sharing
Each of these pillars has a dedicated chapter in my new book, DORA – A Guide to the EU Digital Operational Resilience Act. You could, however, argue that there’s only one pillar: risk management. Though it’s important to consider this pillar alongside the proportionality principle.
What is the proportionality principle of DORA?
The proportionality principle is so short that it’s easy to gloss over, but it’s fundamental to DORA. It basically says that organisations need to implement reasonable measures only – measures that are proportionate to the organisation’s size, business activities, and so on.
How can organisations determine whether what they’re doing is ‘reasonable’ or ‘proportionate’ under the law?
Good question – and one that is difficult to answer right now. The key is that the organisation’s measures mitigate its risks, but the details are down to the competent authority’s interpretation of this principle. And since there are 27 authorities – 1 for each jurisdiction – there’s every chance that we’re going to see 27 different interpretations.
Furthermore, we won’t really know how this principle is going to be interpreted by any authority until organisations start getting things wrong. Even if authorities publish guidance on this before they start taking enforcement action, it’s that enforcement action that’ll really tell us how they’re interpreting the proportionality principle.
Whether or not you like it, it’s simply the way these things work. So, for the time being, the best thing organisations can do is document their decisions and decision-making processes so that they can justify them later, should they be subject to an audit or investigation.
ISO 27001, the international standard for information security management, also has risk management and proportionality at its core. Can this standard be used to comply with DORA, and if so, how?
Definitely! ISO 27001 gives organisations the structure and the building blocks to enable them to comply with DORA, while taking that risk-based approach so fundamental to the Regulation.
However, ISO 27001 certification isn’t a ‘free pass’ to DORA compliance – it comes down to how you implement the Standard.
It’s vital that the organisation accounts for DORA as it establishes the context and scope of its ISMS [information security management system]. So, for example, as you identify your relevant legal and contractual requirements, be sure to include DORA. And when you identify interested parties, include the competent authority. And so on.
DORA compliance can definitely be achieved through ISO 27001, because the Standard is so flexible and pragmatic thanks to its risk-based approach. However, you must plan and implement your ISMS with DORA in mind.
Of course, DORA doesn’t map perfectly against ISO 27001 – the Standard lacks, for example, a penetration testing requirement, which is a DORA pillar. How can organisations address such shortcomings, without overcomplicating things?
That’s true – although ISO 27001 contains controls around threat intelligence and vulnerability management, there’s no explicit requirement for penetration testing. However, organisations could simply add their own controls where those in Annex A fall short of their needs.
I can’t emphasise enough that the real value of ISO 27001 lies in the structure it provides. It gives the building blocks that organisations can shape to fit their specific requirements.
To give you a real-life example, one of my clients – a medium-sized organisation, but with a relatively complex structure – conducts an annual management review, as required by the Standard. But this client’s ISMS team also holds monthly reviews, with agenda items like change control and security of new projects. This is not an ISO 27001 requirement, but this client determined that it needed those extra reviews to be able to maintain its ISMS effectively and make sure that the management system is meeting its objectives.
For the purposes of DORA compliance, organisations can take a similar approach. They can use the structure that ISO 27001 provides as their starting point, then make changes to it such that the ISMS enables them to achieve their objectives. The point that you raised – introducing penetration testing to the ISMS – is a good example of that.
Remember that an auditor isn’t just checking your ISMS against ISO 27001’s requirements, but also against the organisation’s requirements for the ISMS. In other words, they’re establishing whether the ISMS is achieving its stated requirements or objectives – which can include compliance with DORA. Contrary to common belief, ISO 27001 is not prescriptive – it is pragmatic.
Nonetheless, ISO 27001 is an information security standard, whereas DORA is about operational resilience. Is ISO 27001 really enough to achieve DORA compliance?
Ideally, I’d also bring in ISO 22301, the business continuity management standard. This follows the same structure as ISO 27001 so, once again, gives you the building blocks for compliance. Together, these two standards give you a solid base.
And actually, I’ve stopped looking at business continuity in isolation. Instead, I now look at incident management, disaster recovery and business continuity as a whole. And operational resilience is bigger than the three disciplines together. I like to describe it as ‘turning up the volume’. It’s about making sure that, as a business, you can continue to operate no matter what else is going on.
DORA comes from the point of view that financial services must assume that they’re going to get attacked, because they have money and are critical to a functioning society. The incentives are simply too strong, and the statistics back this up: globally, the finance sector suffered the most incidents last December. In Europe, it was the second-most breached sector.
With that in mind, it’s important for financial institutions to be operationally resilient. They have to be able to continue to function, even when attacked.
How is operational resilience different from business continuity?
Let me explain with an analogy. Penetration testing looks at standard scenarios – so taking a standard approach, running standard scans, and so on. However, threat-based penetration testing looks at what that specific organisation does and, by extension, who would want to attack it. It gives a significantly more realistic representation of the threats and risks that organisation faces by first looking at the bigger picture.
Business continuity and operational resilience have a similar relationship. Operational resilience takes the principles of business continuity – risk assessment, business impact analysis, and so on – but with a much broader and proactive approach.
Where business continuity tends to be reactive and looking at individual risks, operational resilience looks at the bigger picture – what space the organisation operates in, that sort of thing – and proactively implements operational capabilities that allow the organisation to be unaffected by disruptions.
So, as an example, if organisation A, having implemented business continuity measures, suffered incident X, it’d move to a reduced service to keep its critical functions going while it remediated the situation. Whereas organisation B, having implemented operational resilience, would carry on as normal if it suffered that same incident X.
So, to sum things up, you’d recommend achieving DORA compliance – and, by extension, operational resilience – by implementing ISO 27001 and ISO 22301?
I would, yes. I’d certainly say that implementing these standards is a really sensible thing to do if you need to comply with DORA. Because, again, they give you that structure, that framework to approaching DORA, with identifying the context, bringing in management reviews, focusing on risk management, and so on.
Better still, these standards can help you comply – via that same structure – with a host of other security-related requirements, legal and otherwise.
Considering my profession, I can’t deny some self-interest here, but I’m genuinely a big fan of ISO 27001 and ISO 22301. The Standards are so sensible – while they give you that structure, they’re also flexible, only telling you where you need to go and not how you must get there. What’s more, they concentrate on risk, on taking proportionate action.
I honestly believe that organisations would see a good return on investment if they implemented ISO 27001 and ISO 22301.
Here at IT Governance, we want to make compliance easy for our customers, so you can stay focused on your core business while meeting your security and privacy requirements.
CyberComply, our Cloud-based solution, makes compliance simple and affordable.
Covering an impressive range of requirements – including ISO 27001, ISO 22301, DORA, NIS 2, the GDPR, and more – with this end-to-end solution, you can manage all your cyber security and data privacy obligations in one place.
Start your free trial today to find out how CyberComply*:
- Gives you immediate visibility of critical data and key performance indicators;
- Helps you identify and treat data security risks before they become critical concerns;
- Reduces errors in, and improves the completeness of, your risk management processes;
- Accelerates certification and supercharges project effectiveness; and
- Helps you stay ahead of regulatory changes.
We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. We’ll be back next week, chatting to another expert within the Group.
In the meantime, if you missed it, check out our special edition of Expert Insight from earlier this week, where senior penetration tester Leon Teale gave us his expert insight into a historic data breach of 26 billion records.
*To start your free trial, contact our sales team at email@example.com.