Back to Listing
office-scene-stock-image (1)
  • Dora
  • ISO 27001
  • 25th May 2026
  • 1 min read

DORA and ISO 27001 Compliance: One Unified Programme

Gabriel Few-Wiegratz
  • Written by
Gabriel Few-Wiegratz
View my profile on
In Short..
  • DORA and ISO 27001 overlap heavily: Most ICT risk, incident response, supplier security, and control monitoring requirements can be managed through one unified programme rather than separate compliance tracks.
  • Four major DORA gaps remain: ISO 27001-certified firms still need to address board accountability, regulatory incident reporting, TLPT testing, and mandatory ICT third-party contract clauses.
  • One control library should support both frameworks: Map ISO 27001 Annex A controls to DORA obligations, collect evidence once, and present it differently for certification audits and regulatory reviews.
  • Governance and documentation matter most: DORA is more prescriptive than ISO 27001, especially around management body accountability, operational resilience documentation, and supervisory evidence expectations.

Financial institutions already running ISO 27001 programmes do not need to rebuild their compliance model for DORA from scratch. The most effective approach is to use the existing ISO 27001 control framework as the operational foundation, then layer DORA-specific governance, reporting, testing, and third-party requirements on top. Organisations that consolidate evidence collection, risk registers, and audit activity into a single unified programme reduce duplication, improve operational resilience visibility, and avoid running parallel compliance processes that consume unnecessary time and resources.

Expert View

Matt Davies

Chief Product Officer, SureCloud

LinkedIn

What our experts say about ESA on-site inspection readiness

 

“The gap most compliance teams underestimate is documentation specificity. ISO 27001 accepts a risk-based approach to deciding what you implement and how you evidence it; DORA prescribes exact outputs, from the digital operational resilience strategy to the TLPT programme scope, with the management body personally accountable for each.”

 

KEY FACTS

  1. DORA became applicable on 17 January 2025. Enforcement sits with the EBA, EIOPA, and ESMA, with direct supervisory powers over critical ICT third-party providers.
  2. ISO 27001:2022 has 93 Annex A controls across four themes: Organisational, People, Physical, and Technological. The Technological controls theme (Annex A 8.x) provides the densest mapping to DORA's ICT risk articles.
  3. DORA incident reporting timeline: initial notification within 4 hours of classification (no later than 24 hours from first awareness); intermediate report within 72 hours; final report within one month.
  4. Financial entities identified by their competent authority must conduct TLPT at least every three years under DORA Article 26. TLPT involves live production systems and an intelligence-led red team exercise. Article 25 governs the broader general testing programme applicable to all in-scope entities.
  5. DORA Article 5(4) requires management body members to maintain sufficient ICT knowledge to understand and assess ICT risk and its impact on the organisation. ISO 27001 does not impose an equivalent personal accountability requirement.

Why These Two Frameworks Are Being Run Together

Financial institutions across the EU face a dual compliance reality. DORA became applicable on 17 January 2025, introducing binding ICT risk obligations for banks, insurers, investment firms, and their critical technology providers. ISO 27001:2022, revised from the 2013 edition, remains the most widely recognised global standard for information security management, and many regulated financial entities hold or are pursuing certification.

 

The business case for running a unified programme is clear. Both frameworks address the same underlying risk domain: the security, availability, and integrity of information systems. The cost of running two independent compliance streams with separate control libraries, separate evidence gathering, and separate audit preparation is significant and largely unnecessary given the degree of structural overlap.

 

The complexity lies in where the frameworks diverge. DORA is a binding EU regulation enforced by the European Supervisory Authorities (ESAs) (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)) with direct penalties for non-compliance. ISO 27001 is a voluntary standard for which organisations seek third-party certification. Their documentation models, governance expectations, and testing requirements diverge at several points, and those divergences require deliberate design decisions in a unified programme.

DORA's Five ICT Risk Pillars and ISO 27001 Annex A

DORA's core ICT risk management requirements, set out in Articles 5 to 16, organise around five functional pillars: governance, protection, detection, response and recovery, and learning and evolving. ISO 27001:2022 addresses the same domains across its management system requirements (Clauses 4 to 10) and the 93 controls in Annex A, structured across four themes: Organisational, People, Physical, and Technological.

 

Coverage is extensive across DORA Articles 5-16, though some DORA requirements go further than what Annex A controls address on their own. The table below maps DORA's primary articles to the most directly relevant ISO 27001:2022 Annex A controls. Compliance teams should treat this as a working framework: where an ISO 27001 control satisfies the DORA requirement, document that mapping as evidence; where DORA imposes specific procedural or documentation requirements beyond what the control covers, treat that as a new control requirement.

 

DORA Article

DORA Obligation

ISO 27001:2022 Annex A Control(s)

Gap / Note

Article 5

ICT risk management framework: management body accountability

5.1 Policies for information security; 5.35 Independent review of information security

DORA Article 5(2) requires the management body to approve, oversee, and be accountable for the ICT risk framework. ISO 27001 requires top management commitment but does not prescribe the same direct board-level accountability model.

Article 6

ICT risk management framework: strategy, policy, documentation

5.1 Policies for information security; 5.37 Documented operating procedures; 8.1 Operational planning and control

Strong overlap. DORA Article 6(8) requires a standalone ICT risk management framework document. ISO 27001 requires documented policies but does not mandate a single consolidated framework document.

Article 7

ICT systems, protocols and tools: asset management

5.9 Inventory of information and other associated assets; 5.10 Acceptable use of information and assets; 8.8 Management of technical vulnerabilities

Strong overlap on asset inventory. DORA Article 7 requires classification of ICT assets supporting critical functions. ISO 27001 Annex A 5.9 and 5.12 address classification but less prescriptively.

Article 8

ICT risk identification: threat and vulnerability assessment

5.7 Threat intelligence; 8.8 Management of technical vulnerabilities; 6.1 Actions to address risks and opportunities

DORA Article 8(1) requires continuous identification of ICT risk sources. ISO 27001 Clause 6.1 requires risk assessment but is less explicit about continuous monitoring cadence.

Article 9

ICT security: protection measures

8.1 User endpoint devices; 8.2 Privileged access rights; 8.5 Secure authentication; 8.7 Protection against malware; 8.20 Networks security; 8.23 Web filtering

High overlap. DORA Article 9 maps closely to ISO 27001:2022 Technological controls. Review Annex A controls 8.1-8.34 systematically against Article 9 sub-requirements.

Article 10

Detection: anomaly and incident detection

8.16 Monitoring activities; 8.15 Logging; 5.25 Assessment and decision on information security events

Reasonable overlap. DORA Article 10 requires documented detection processes with defined triggers. ISO 27001 requires monitoring and logging but leaves detection process design to the organisation.

Articles 11-12

Response, recovery and continuity

5.29 Information security during disruption; 5.30 ICT readiness for business continuity; 8.14 Redundancy of information processing facilities

ISO 27001 Annex A 5.29 and 5.30 are the closest controls but are high-level. DORA Articles 11-12 impose specific requirements for ICT Business Continuity Plans, RTOs, and RPOs for critical functions.

Article 13

Learning and evolving: post-incident review

5.27 Learning from information security incidents; 5.28 Collection of evidence

Direct mapping. DORA Article 13 requires post-incident reviews and integration of lessons into the risk management framework. ISO 27001 Annex A 5.27 addresses this.

Article 14

Communication of ICT incidents

6.8 Information security event reporting; 5.26 Response to information security incidents

DORA Article 14 requires internal and external communication protocols for major ICT incidents. ISO 27001 Annex A addresses event reporting but does not map to DORA's specific notification chain requirements.

Articles 17-23

ICT-related incident reporting

6.8 Information security event reporting; 5.25 Assessment and decision on information security events

Significant gap. DORA mandates structured regulatory reporting to competent authorities using defined classification criteria and reporting timelines. ISO 27001 has no equivalent regulatory notification obligation.

Articles 25-27

Digital operational resilience testing: TLPT

5.36 Compliance with policies, rules and standards; 8.8 Management of technical vulnerabilities

Significant gap. DORA requires threat-led penetration testing for significant entities every three years. ISO 27001 leaves penetration test scope and methodology to the organisation.

Articles 28-30

ICT third-party risk management

5.19 Information security in supplier relationships; 5.20 Addressing information security within supplier agreements; 5.21 Managing information security in the ICT supply chain

Moderate overlap but significant gap on contractual requirements. DORA Article 30 mandates specific contractual clauses for ICT third-party providers. ISO 27001 Annex A 5.19-5.22 address supplier security at a high level, leaving the specific contractual provisions to organisational policy.

 

Where DORA Requires More Than ISO 27001 Provides

Board-Level Accountability (Article 5)

This is the most significant governance gap. DORA Article 5 places direct legal accountability on the management body itself for the ICT risk management framework, its implementation, and its review. Under Article 5(4), management body members are required to keep their ICT knowledge and skills up to date to understand and assess ICT risk and its impact on the organisation.

ISO 27001 requires top management commitment and leadership (Clause 5.1), but it does not establish the same direct liability model. For ISO 27001-certified firms approaching DORA compliance, the primary governance gap is documentation of board engagement, decision-making, and personal accountability rather than the underlying controls, which are often already in place.

Regulatory Reporting (Articles 17-23)

DORA's incident reporting regime introduces a structured three-stage process that sits entirely outside ISO 27001's scope. Under Articles 17-23, financial entities must submit: an initial notification to the competent authority within 4 hours of classification (no later than 24 hours from first awareness); an intermediate report within 72 hours; and a final report within one month. These obligations apply regardless of whether the incident also triggers notification under NIS2 or GDPR.

Compliance teams building a unified programme should maintain a single incident log that feeds all reporting obligations, but should assess each incident against DORA's specific classification criteria (set out in the ESA Regulatory Technical Standards on incident classification) separately from the ISO 27001 event classification process. The thresholds are different and must be applied independently.

Threat-Led Penetration Testing (Articles 25-27)

DORA requires financial entities identified by their competent authority to carry out TLPT (threat-led penetration testing) at least every three years under Articles 25-27. TLPT involves live production systems, an intelligence-led red team exercise, and structured remediation. ISO 27001 leaves penetration test scope and methodology to the organisation: its technical vulnerability management control (Annex A 8.8) falls well short of TLPT in both scope and method. Significant financial entities should treat TLPT as a standalone programme requirement, separate from the ISO 27001 internal audit and technical testing cycle.

Contractual Requirements for ICT Third Parties (Article 30)

DORA Article 30 specifies minimum contractual provisions that financial entities must include in agreements with ICT third-party service providers: audit rights, SLA obligations, data portability provisions, and, for critical ICT third-party providers, alignment to the ESA direct oversight framework under Article 28. ISO 27001 Annex A controls 5.19 to 5.22 address supplier security requirements at a high level, leaving the specific contractual provisions to organisational policy. Compliance teams should maintain a contract review process specifically mapped to Article 30 requirements, separate from the ISO 27001 supplier assessment process.

Building the Unified Control Framework

Start With the ISO 27001 Control Library as Your Foundation

For organisations already certified to ISO 27001:2022, the most efficient approach is to treat the existing control library as the base and layer DORA requirements on top. Begin with a structured gap analysis mapping each DORA article requirement to its corresponding ISO 27001 control(s) using the table above. Where an ISO 27001 control satisfies the DORA requirement, document that mapping as evidence. Where DORA requires more (on contractual terms, reporting, board accountability, or testing) treat that as a new control requirement to be added to the programme.

Use a Single Risk Register

ISO 27001 Clause 6.1 requires a risk assessment and treatment process. DORA Article 8 requires ongoing identification and assessment of ICT risk sources. These are substantively the same activity, and one risk register can satisfy both sets of documentation requirements.

Apply DORA's classification language (distinguishing between ICT risk affecting critical or important functions and ICT risk with broader scope) as a tagging layer on the ISO 27001 risk register, rather than maintaining two separate registers. This keeps evidence consolidated while supporting separate reporting for ISO 27001 certification auditors and DORA supervisory review.

 

Consolidate Evidence, Separate Audit Packs

Unified evidence collection is efficient. Presenting that evidence separately for each audience is a different matter: ISO 27001 certification audits and DORA regulatory examinations require different presentations of evidence, different levels of technical detail, and different demonstration of management engagement. Collect once, present twice. Build your control evidence library so that each item can be tagged to both its ISO 27001 clause reference and its DORA article reference, then generate separate views for each audience.

Assign Ownership at the Programme Level

A unified programme requires a single owner with visibility across both compliance tracks. In practice, this is most often the CISO or Head of Information Security. DORA's explicit board accountability requirements mean the management body must be formally assigned oversight of the ICT risk management framework, and that assignment must be documented. The compliance programme owner and the management body overseer are two distinct roles, and both must be defined in the unified programme governance structure.

Managing Two Certification and Compliance Tracks With One Team

The operational challenge is calendar management. ISO 27001 certification audits (Stage 1, Stage 2, and annual surveillance audits) run on a fixed cycle tied to your certification body. DORA compliance is continuous and subject to regulatory examination at any time, with supervisory review intensifying in the first years of DORA enforcement.

Four practical steps for managing both tracks with one team:

  1. Align your ISO 27001 annual management review (required under Clause 9.3) with your DORA ICT risk framework review. These are substantively the same activity. A combined review, documented to meet both requirements simultaneously, reduces management time and produces evidence for both tracks.
  2. Schedule DORA-specific exercises (particularly incident response testing and tabletop exercises) at points in the year that do not conflict with ISO 27001 surveillance audit preparation.
  3. Use your ISO 27001 internal audit programme (Clause 9.2) to cover DORA controls. Your internal audit schedule should explicitly reference DORA article obligations alongside ISO 27001 Annex A controls so that audit findings address both.
  4. Track DORA Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) publications from the ESAs separately from ISO 27001 standard updates. DORA's technical standards are being issued in phases and may tighten requirements in specific areas, particularly incident classification criteria and third-party risk assessment methodology.

See SureCloud's Multi-Framework Compliance Platform

Multi-framework compliance requires the right tooling as much as the right process design. A GRC platform that maps controls across frameworks, automates evidence collection, and supports separate reporting views for regulatory and certification purposes significantly reduces the operational burden on compliance teams. Explore SureCloud's platform for multi-framework GRC.SureCloud supports DORA and ISO 27001 compliance within a single unified programme, with automated evidence collection, pre-built control mappings across frameworks, and audit-ready reporting views. Request a demo to see how the platform handles dual-framework evidence.
Book your Demo TODAY!
Related articles:
  • GRC
  • Agentic AI

Key Use Cases of AI for GRC

  • ISO 42001

100-Day AI Governance Plan for Private Equity - Free Template

  • GRC
  • Agentic AI

AI in GRC Explained for Risk Leaders

Share this article

FAQ’s

Does ISO 27001 certification satisfy DORA compliance?

ISO 27001 certification is a strong foundation for DORA compliance, but certification alone does not satisfy the regulation. ISO 27001 demonstrates that an organisation has implemented an information security management system meeting the requirements of the standard; DORA is a binding EU regulation with specific governance, reporting, testing, and contractual obligations (particularly management body accountability under Article 5, regulatory incident reporting under Articles 17-23, and threat-led penetration testing under Articles 25-27) that ISO 27001 addresses only in part.

How many ISO 27001 Annex A controls map to DORA obligations?

The majority of DORA's ICT risk management requirements (Articles 6-16) map to controls across ISO 27001:2022 Annex A, particularly within the Technological controls theme (Annex A 8.x) and the Organisational controls relating to supplier management (Annex A 5.19-5.22) and incident management (Annex A 5.24-5.28). Mapping coverage varies: some Annex A controls map directly to DORA articles, while others provide only partial coverage of the more prescriptive DORA requirements.

What documentation does DORA require that ISO 27001 does not?

DORA requires a standalone ICT risk management framework document (Article 6(8)), a digital operational resilience strategy, documented ICT Business Continuity Plans with specified RTOs and RPOs for critical functions (Article 11), a register of all ICT third-party contractual arrangements (Article 28(3)), and records of major ICT incidents submitted to competent authorities in the defined format. ISO 27001 requires documented policies and risk treatment plans without specifying these particular outputs.

How should we handle the DORA incident reporting obligation in our ISO 27001 incident management process?

Maintain a single incident management process but add a DORA classification step. When an ICT incident is logged, assess it against the DORA major incident classification criteria (set out in the EBA/EIOPA/ESMA RTS on incident classification) in addition to your standard ISO 27001 severity rating. Where an incident meets the major classification threshold, trigger the DORA reporting workflow: initial notification within 4 hours of classification (no later than 24 hours from first awareness), intermediate report within 72 hours, final report within one month. Run this in parallel with your standard ISO 27001 incident response process.

Can we use one risk register for both DORA and ISO 27001?

A single risk register is the recommended approach. Structure it to capture the information required under both frameworks: ISO 27001 Clause 6.1 requires risk identification, analysis, evaluation, and treatment documentation; DORA Article 8 requires identification of ICT risk sources, assessment of their potential impact on critical functions, and documentation of controls and residual risk. Tag each risk entry against both the relevant ISO 27001 Annex A control(s) and the relevant DORA article to enable reporting to different audiences without maintaining duplicate records.