ISO 27001 in the Financial Sector

DORA overlap, supervisory expectations, relevant controls, and realistic costs for FinTechs, banks, insurers, and payment providers.

Since 17 January 2025, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has been directly applicable to banks, insurers, payment service providers, and a growing number of FinTechs. DORA prescribes what financial firms must achieve in terms of digital operational resilience; it does not prescribe a certificate. ISO 27001 defines the management system in which those requirements are owned, documented, measured, and independently audited. DORA does not make ISO 27001 mandatory, but for a financial firm in 2026 a certified ISMS is the shortest path to demonstrating DORA compliance and to meeting the supervisory expectations of BaFin or equivalent regulators.

This guide explains why financial institutions still need a certified ISO 27001 ISMS in addition to DORA, which controls matter most in finance, how large the overlap between DORA and ISO 27001 really is, and what supervisors actually look for.

Why ISO 27001 Despite DORA

DORA is mandatory, but DORA is not a certificate. The regulation describes requirements but not how you demonstrate their fulfilment to supervisors, customers, or partners. That is exactly the role ISO 27001 plays. An ISMS certified by an accredited body is the simplest proof that your security processes are structured, documented, and independently audited. BaFin examiners know ISO 27001 and typically use its structure (scope, risk assessment, Statement of Applicability, internal audit, management review) as the reference frame for their own review.

For FinTechs and payment providers, a second reason applies. Banks as B2B customers almost always require either ISO 27001 or a SOC 2 Type 2 report during vendor onboarding. Without one of them, security questionnaires multiply, sales cycles get longer, and some deals fail altogether. Companies that want to sell to large institutions such as Deutsche Bank, Commerzbank, or major insurers will rarely get past procurement without answering the ISO 27001 question.

DORA and ISO 27001: the 80 Percent Rule

A detailed mapping of DORA obligations against ISO 27001:2022 requirements shows an overlap of around 80 percent. The ICT risk management framework in DORA Art. 6 through 16 is covered almost entirely by the risk assessment and treatment requirements in Clauses 6.1.2, 6.1.3, 8.2, and 8.3 together with the corresponding Annex A controls. The ICT third-party risk rules in DORA Art. 28 through 44 correspond at their core to controls A.5.19 through A.5.23. Incident management in DORA Art. 17 through 23 is represented by A.5.24 through A.5.27.

The remaining 20 percent are DORA-specific: notably threat-led penetration testing (TLPT, Art. 26 and 27) for financial entities designated by their competent authority, the Register of Information for all contractual arrangements with ICT third parties, and the tighter reporting windows and classification rules for major ICT-related incidents. All of these fit cleanly into an existing ISMS as additional documented processes and records. A full comparison is in our ISO 27001 vs. DORA comparison.

Relevant Controls for the Financial Sector

The following eight controls (or control groups) are particularly relevant in finance because DORA and supervisory expectations lean on them directly. Getting these right covers the bulk of what examiners look for.

A.5.7

Threat Intelligence

DORA Art. 13 requires financial entities to gather information on vulnerabilities and cyber threats and to feed it back into their ICT risk management. Inputs can come from BSI, FS-ISAC, or commercial feeds. What matters to auditors is the documented processing: who receives the intelligence, how it is assessed, and where it changes the risk register or a control.

A.5.19 to A.5.22

ICT Third Parties

The heart of DORA compliance. Register of Information (Art. 28(3)), exit strategies for ICT services supporting critical or important functions (Art. 28(8)), and the key contractual provisions of Art. 30. Supervisors probe this area particularly hard.

A.5.23

Cloud Service Security

AWS, Azure, GCP, and SaaS vendors need structured review. DORA requires you to determine for each ICT service whether it supports a critical or important function, not just a blanket approval; services that do fall under the stricter contractual, monitoring, and exit requirements of Art. 28 through 30.

A.5.24 to A.5.27

Incident Management

DORA tightens reporting windows noticeably. For a major ICT-related incident the initial notification is due within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), the intermediate report within 72 hours of the initial notification, and the final report within one month of the intermediate report. Meeting those windows demands a rehearsed classification and reporting process, not an ad hoc one.

A.8.28

Secure Coding

Critical for FinTechs and payment providers with in-house software development. Supervisors ask specifically about the SDLC, code review, SAST/DAST integration in the pipeline, and how findings are triaged and tracked to closure.

A.8.24

Cryptography

Key management, HSM usage, encryption of payment and customer data in transit and at rest. Requirements from PCI DSS, the PSD2 strong customer authentication rules, and DORA interlock here; auditors want to see the key lifecycle (generation, storage, rotation, revocation) documented, not just the algorithms in use.

A.5.29

Information Security During Disruption

DORA Art. 11 requires ICT business continuity and response and recovery plans to be tested at least yearly, including cyber-attack and switchover scenarios. Supervisors expect evidence of documented exercises and their lessons learned, not plans in a drawer.

A.5.30

ICT Readiness for Business Continuity

New in ISO 27001:2022 and closely aligned with DORA Art. 11 and 12. RTO and RPO per critical function, failover scenarios, backup restoration tests, and recovery drills belong squarely in scope.

Who in Finance Needs ISO 27001

FinTechs that want to win enterprise customers encounter ISO 27001 as a gate at the latest during the sales cycle. Payment providers licensed under ZAG need solid evidence for PSD2, DORA, and MaRisk. Asset managers and KVGen are bound by MaRisk and MaGo, whose IT, outsourcing, and risk management requirements overlap substantially with ISO 27001. Insurers are committed to a structured ISMS through VAG and BaFin circulars anyway. In all these cases, ISO 27001 is the shortest route from regulatory duty to auditable proof.

Timeline and Budget

For a mid-sized financial firm, such as a FinTech with 50 to 200 employees or a fund manager with 100 to 300 employees, a realistic ISO 27001 rollout takes 9 to 14 months. The financial sector tends to have a higher starting maturity than other sectors because MaRisk, VAG, or PSD2 already require comparable structures.

On the cost side, expect EUR 30,000 to EUR 90,000 for the first year including certification, internal effort, and limited external consulting. Surveillance audits cost EUR 3,500 to EUR 6,000 per year. FinTechs under 50 employees land at the lower end, insurers and mid-sized banks at the upper. Self-service with Kopexa reduces tool costs to EUR 249 per month; internal staff remains essential. Details in the ISO 27001 cost overview.

Typical Pitfalls in the Financial Sector

1. MaRisk documentation instead of ISMS operation: Many institutions have detailed MaRisk handbooks that are rarely lived in practice. ISO 27001 auditors explicitly check the lived reality through records, interviews, and sampling. Paper alone is not enough.
2. Incomplete Register of Information: DORA Art. 28(3) requires a structured register of all contractual arrangements with ICT third-party providers, distinguishing those that support critical or important functions. A spreadsheet with 20 entries is not enough for a typical FinTech once SaaS tools, cloud sub-processors, and fourth parties are counted.
3. TLPT requirements ignored: Financial entities designated by their competent authority must conduct threat-led penetration testing at least every three years (Art. 26). That is not a classic pentest but a scenario-based red-team exercise against live production systems, and it is a supervisory obligation that no ISO audit will flag for you. Discovering it late costs a quarter of planning and scoping.
4. Cloud exit strategies only on paper: DORA requires testable exit plans for each ICT service supporting a critical or important function. Audits probe concrete scenarios (provider insolvency, termination, forced migration), not generic statements.

FAQ: ISO 27001 in the Financial Sector

Is DORA enough, or do I still need ISO 27001?

DORA is mandatory, ISO 27001 is the auditable proof. Without a certificate, you have to justify every control yourself to supervisors and customers. With a certificate, an accredited body has already audited the ISMS independently, so most questions can be answered by pointing to the certified scope, the Statement of Applicability, and the audit reports. Direct comparison in our DORA comparison.

Can I use the SoA as DORA evidence?

Partially. The Statement of Applicability documents which Annex A controls apply and why; DORA additionally expects the Register of Information, exit strategies, and incident classification records that the SoA does not contain. In practice, you extend your SoA with a DORA mapping that references each DORA article against the controls and documents that satisfy it. See our SoA page.

How long does ISO 27001 take for a FinTech with 50 employees?

9 to 12 months with an existing MaRisk or SOC 2 foundation, 12 to 14 months from scratch. The upside in finance is that many processes from PSD2, ZAG, or the former BAIT already exist and can be mapped cleanly into the ISMS.

What do supervisors actually check around ISO 27001?

Supervisors do not require ISO 27001 as a certificate but use its structure as a reference. Concretely, they examine the ISMS scope document, the risk register and treatment plan, the documentation of critical ICT third parties including the Register of Information, incident classification and reporting processes, and management review outputs. A current ISO certificate significantly reduces examination effort and follow-up questions.

Is ISO 27001 or SOC 2 the stronger proof?

For the European market and BaFin-supervised customers, ISO 27001 is stronger. For US customers, SOC 2 is often the preferred form. Many FinTechs serving both markets choose both because the control base overlaps by roughly 80 percent and the additional effort for the second attestation is manageable.

Next Step

Want to implement ISO 27001 with Kopexa at your financial firm?

14-day free trial, ISMS with DORA mapping, Register of Information and audit workflow in one platform, hosted in Germany, from EUR 249 per month. Self-service or with a partner, whichever fits you.
