ISO 27001 and DORA: Cross-Mapping

Map DORA articles to ISO 27001 controls. Delta analysis and dual compliance strategy.

ISO 27001 and DORA: Understanding the Overlap

Many financial entities already maintain an Information Security Management System (ISMS) certified to ISO 27001:2022. Given that DORA (EU Regulation 2022/2554) also focuses on ICT risk management, a natural question arises: how much of DORA is already covered by ISO 27001, and what additional work is needed?

The short answer: ISO 27001 provides a strong foundation that covers approximately 60-70% of DORA requirements. However, significant gaps remain in areas that are specific to financial sector regulation, including incident reporting timelines, the information register, management body accountability, and TLPT. A dual compliance strategy can leverage existing ISO 27001 controls while efficiently closing the DORA delta.

Cross-Mapping: DORA Articles to ISO 27001 Controls

The following table maps the key DORA requirements to the corresponding ISO 27001:2022 main-body clauses and Annex A controls. Coverage is rated as high (directly addressed), medium (partially addressed), low (minimal coverage), or none (no equivalent).

DORA Requirement                     | DORA Articles | ISO 27001 Controls                  | Coverage
-------------------------------------|---------------|-------------------------------------|---------
ICT risk framework                   | Art. 6        | 4.1-4.4, 6.1, A.5.1                 | High
Management body responsibility       | Art. 5        | 5.1-5.3                             | Medium
Management body ICT training         | Art. 5(4)     | A.6.3                               | Low
ICT asset identification             | Art. 8        | A.5.9, A.5.10, A.5.12               | High
Protection and prevention            | Art. 9        | A.5.15-5.18, A.8.1-8.12             | High
Detection                            | Art. 10       | A.8.15, A.8.16                      | Medium
Business continuity                  | Art. 11-12    | A.5.29, A.5.30, A.8.13, A.8.14      | High
Incident management                  | Art. 17       | A.5.24-5.28                         | Medium
Incident classification & reporting  | Art. 18-19    | A.5.26                              | Low
Resilience testing programme         | Art. 24-25    | A.8.8, A.5.35-5.36                  | Medium
TLPT                                 | Art. 26-27    | (No equivalent)                     | None
Third-party risk management          | Art. 28-30    | A.5.19-5.23                         | Medium
Information register                 | Art. 28(3)    | (No equivalent)                     | None
CTPP oversight                       | Art. 31-44    | (No equivalent)                     | None
Information sharing                  | Art. 45       | A.5.6                               | Low

Key Gaps: What ISO 27001 Does Not Cover

While the overlap is substantial, several DORA requirements have no or minimal equivalent in ISO 27001. These represent the delta that ISO 27001-certified entities must close:

1. Mandatory Incident Reporting (Art. 18-23)

ISO 27001 requires incident management processes (A.5.24-5.28) but does not prescribe specific reporting timelines to regulators. DORA introduces the 4h/72h/30d three-stage reporting regime with standardised templates and classification criteria. This is a significant additional obligation that requires new processes, templates, and rehearsals. See our Incident Reporting page.

2. Information Register (Art. 28(3))

ISO 27001 controls A.5.19-5.23 cover supplier relationships but do not require a structured register of all ICT third-party arrangements with the granularity demanded by the DORA Implementing Technical Standard (ITS). The information register is a standalone deliverable with no direct ISO 27001 equivalent. See our Information Register guide.

3. Threat-Led Penetration Testing (Art. 26-27)

ISO 27001 references penetration testing (A.8.8) but at a general level. DORA TLPT requires intelligence-led red teaming against live production systems under the TIBER-EU framework, with authority involvement and mandatory external testers. This has no ISO 27001 equivalent. See our Resilience Testing page.

4. Management Body Personal Accountability (Art. 5)

ISO 27001 Clause 5 (Leadership) requires top management commitment but does not impose the personal accountability, mandatory ICT training, and risk tolerance-setting obligations that DORA Art. 5 does. The training requirement is explicit and enforceable.

5. Concentration Risk and Exit Strategies (Art. 29-30)

ISO 27001 supplier controls address supplier risk at a general level. DORA specifically requires assessment of ICT concentration risk, mandatory contractual clauses (including data location, audit rights, exit provisions), and documented exit strategies. These go significantly beyond standard ISO 27001 supplier management. See our Third-Party Risk page.

Dual Compliance Strategy

For entities pursuing both ISO 27001 certification and DORA compliance, an integrated approach delivers the most value:

If You Already Have ISO 27001

  • Use your SoA as a starting point: Take your Statement of Applicability and compare it against the DORA mapping table above. This immediately reveals your coverage and gaps.
  • Extend existing controls: For areas rated "Medium," your existing controls likely need enhancement rather than replacement. Add DORA-specific requirements as extensions to your existing control documentation.
  • Build new controls for gaps: For areas rated "Low" or "None," you need new controls. Focus on: incident reporting processes, the information register, management body training, TLPT readiness, and concentration risk assessment.
  • Align audit cycles: Coordinate your ISO 27001 surveillance audits with DORA supervisory expectations to reduce duplication.
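The SoA comparison described in the first bullet above can be automated once the mapping table is held as data. The following is an added example, not code from this page or from any GRC product: it reproduces the page's mapping table, expands control ranges such as A.5.15-5.18 into individual identifiers, and classifies each DORA requirement against a Statement of Applicability. The sample SoA and the action rules (reuse, extend, close ISO gap first, build new control) are this example's own assumptions.

```python
"""Delta analysis of an ISO 27001:2022 Statement of Applicability (SoA)
against the DORA-to-ISO cross-mapping table on this page.

Added example; not code from the original page or from any GRC product.
The MAPPING rows reproduce the page's table. The SoA below and the action
rules are constructed assumptions for illustration.
"""
import re

# (DORA requirement, DORA article(s), ISO 27001 references, page coverage)
MAPPING = [
    ("ICT risk framework", "Art. 6", "4.1-4.4, 6.1, A.5.1", "High"),
    ("Management body responsibility", "Art. 5", "5.1-5.3", "Medium"),
    ("Management body ICT training", "Art. 5(4)", "A.6.3", "Low"),
    ("ICT asset identification", "Art. 8", "A.5.9, A.5.10, A.5.12", "High"),
    ("Protection and prevention", "Art. 9", "A.5.15-5.18, A.8.1-8.12", "High"),
    ("Detection", "Art. 10", "A.8.15, A.8.16", "Medium"),
    ("Business continuity", "Art. 11-12", "A.5.29, A.5.30, A.8.13, A.8.14", "High"),
    ("Incident management", "Art. 17", "A.5.24-5.28", "Medium"),
    ("Incident classification & reporting", "Art. 18-19", "A.5.26", "Low"),
    ("Resilience testing programme", "Art. 24-25", "A.8.8, A.5.35-5.36", "Medium"),
    ("TLPT", "Art. 26-27", "(No equivalent)", "None"),
    ("Third-party risk management", "Art. 28-30", "A.5.19-5.23", "Medium"),
    ("Information register", "Art. 28(3)", "(No equivalent)", "None"),
    ("CTPP oversight", "Art. 31-44", "(No equivalent)", "None"),
    ("Information sharing", "Art. 45", "A.5.6", "Low"),
]

# Matches a single reference ("6.1", "A.5.1") or a range ("4.1-4.4", "A.8.1-8.12")
REF_RE = re.compile(r"(A\.)?(\d+)\.(\d+)(?:-(\d+)\.(\d+))?")


def expand_refs(refs: str) -> list[str]:
    """Expand a reference list such as '4.1-4.4, 6.1, A.5.15-5.18' into
    individual clause/control identifiers. '(No equivalent)' yields []."""
    out = []
    for part in (p.strip() for p in refs.split(",")):
        if not part or part.startswith("("):
            continue
        m = REF_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unrecognised ISO reference: {part!r}")
        prefix, sec, start, end_sec, end = m.groups()
        prefix = prefix or ""
        if end is None:
            out.append(f"{prefix}{sec}.{start}")
        elif end_sec != sec:
            raise ValueError(f"range crosses sections: {part!r}")
        else:
            out.extend(f"{prefix}{sec}.{n}" for n in range(int(start), int(end) + 1))
    return out


def delta_analysis(soa: dict[str, str]) -> dict[str, dict]:
    """Classify each DORA requirement against the SoA.

    soa maps clause/control id -> 'implemented', 'planned' or 'not applicable'.
    Action rules (this example's assumption, following the page's guidance):
      - no ISO equivalent                    -> 'build new control'
      - some mapped controls not implemented -> 'close ISO gap first'
      - all implemented, coverage High       -> 'reuse as-is'
      - all implemented, Medium/Low          -> 'extend existing control'
    Controls excluded as 'not applicable' count as missing: a DORA mapping
    is a reason to re-examine that exclusion.
    """
    result = {}
    for requirement, article, refs, coverage in MAPPING:
        mapped = expand_refs(refs)
        missing = [r for r in mapped if soa.get(r) != "implemented"]
        if not mapped:
            action = "build new control"
        elif missing:
            action = "close ISO gap first"
        elif coverage == "High":
            action = "reuse as-is"
        else:
            action = "extend existing control"
        result[requirement] = {
            "article": article, "coverage": coverage,
            "mapped": mapped, "missing": missing, "action": action,
        }
    return result


def build_sample_soa() -> dict[str, str]:
    """Constructed SoA for a certified entity: all mapped clauses and controls
    implemented except A.8.11 (excluded) and A.8.16 (still planned)."""
    soa = {ref: "implemented" for _, _, refs, _ in MAPPING for ref in expand_refs(refs)}
    soa["A.8.11"] = "not applicable"   # data masking excluded in the SoA
    soa["A.8.16"] = "planned"          # monitoring activities not yet in place
    return soa


if __name__ == "__main__":
    for req, row in delta_analysis(build_sample_soa()).items():
        gap = f" missing {row['missing']}" if row["missing"] else ""
        print(f"{req:36} {row['article']:12} {row['coverage']:6} {row['action']}{gap}")
```

Running the module prints one line per DORA requirement with its action; in the constructed SoA the excluded A.8.11 and the planned A.8.16 surface as ISO-side gaps under "Protection and prevention" and "Detection", while TLPT, the information register and CTPP oversight fall out as new controls regardless of SoA content.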

If You Are Starting Fresh

  • Build once, comply twice: If you need both ISO 27001 and DORA, build your ISMS with both frameworks in mind from the start. This avoids retroactive adjustments and saves 30-40% of implementation effort compared to sequential implementation.
  • Use a GRC tool with multi-framework support: A tool like Kopexa lets you map a single control to multiple framework requirements, ensuring that evidence collected for ISO 27001 is automatically linked to the corresponding DORA obligation.
  • Consider ISO 27001 as a stepping stone: ISO 27001 certification provides independent validation of your security management system and can strengthen your position in supervisory reviews.

ROI of Dual Compliance

Entities that pursue both ISO 27001 and DORA compliance benefit from:

  • Reduced total effort: 60-70% of controls serve both frameworks. The marginal effort for dual compliance is significantly less than two separate implementations.
  • Stronger audit posture: ISO 27001 certification provides third-party validation that supervisors may consider favourably during DORA reviews.
  • Client confidence: ISO 27001 certification is widely recognised and can differentiate your entity in the market.
  • Future-proofing: As EU regulations (NIS2, DORA, AI Act) converge on common security principles, a well-structured ISMS provides a reusable foundation.

Map your ISO 27001 controls to DORA requirements

Kopexa provides built-in cross-mapping between ISO 27001:2022 and DORA, so you can instantly see which controls serve both frameworks and where your delta lies. Start with a free gap assessment.
