Most large companies have their own risk management process, often developed through trial and error. However, these processes frequently vary between teams within the same organization, which makes results hard to compare and aggregate. Now is a good time to make your risk management more consistent and efficient.
With the entry into application of the NIS2 Directive, which covers many sectors of the economy, and of more detailed sector-specific regulation such as DORA for the financial sector, there is a strong emphasis on risk management. One basic tool that enables high-quality risk management is a documented risk assessment methodology.
For this reason, consider implementing a methodology that complies with the ISO/IEC 27001 standard.
Understanding the requirements of DORA and NIS2
DORA is commonly described as resting on five pillars, and NIS2 covers largely the same ground. The first is the ICT risk management framework, which includes identifying, assessing, and monitoring risks related to information and communication technologies. Organizations must systematically assess the risks and the likelihood of threats related to ICT use and implement appropriate countermeasures. The second requirement of both NIS2 and DORA is incident management and reporting. Companies must have procedures in place to detect, classify, and respond to cyber incidents quickly and effectively, to minimize damage and restore normal operations, and to report significant incidents to the competent authorities within the deadlines each act sets.
The third pillar is regular digital operational resilience testing, such as vulnerability assessments, penetration tests, and incident simulations. These tests verify the effectiveness of security measures, identify system vulnerabilities, and assess the organization's readiness for potential threats.
Both regulations emphasize the importance of third-party risk management. DORA focuses on risks arising from ICT third-party service providers, and NIS2 focuses on supply chain security more broadly. Organizations must assess and monitor the risks arising from their cooperation with third parties, including ICT third-party service providers, and reflect those risks in their contracts and monitoring.
The final aspect is sharing information about threats and best practices with other entities. This enables better coordination of activities and increases security throughout the economy. As can be seen, both regulations have similar objectives. DORA is the more specific document because it is tailored to the financial sector; for financial entities it is the sector-specific act that applies in place of the corresponding NIS2 obligations (NIS2 Article 4), which is why this article treats DORA as the stricter reference. A single asset-based risk assessment methodology can therefore serve the risk management pillar of both regulations. Note that the methodology alone does not satisfy the incident reporting, resilience testing, and third-party obligations; those require their own processes, which the risk assessment feeds.
Why are supporting assets important in ISO 27001?
ISO/IEC 27001 is the recognized information security management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); the current edition is ISO/IEC 27001:2022. The purpose of the standard is to help organizations effectively manage information security risks, including the protection of personal data, confidential information, and other sensitive information. It sets out the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
The methodology described in this article is asset-oriented. This means that the risk management process begins with identifying and classifying information assets, such as data, systems, software, and infrastructure, and the supporting assets on which they depend. Each asset is then assessed for the threats to it, the vulnerabilities those threats could exploit, and the potential impact of an incident on the organization. Based on these assessments, the organization selects appropriate protective measures to minimize the risk of loss, breach, or unauthorized access to these assets. One caveat: ISO 27001 itself (clause 6.1.2) requires a repeatable risk assessment process that produces consistent, valid and comparable results, but it does not prescribe the asset-based method. That method is described in ISO/IEC 27005 alongside an event-based (scenario) approach, and the two can be combined; the asset-based approach is the one used here because it maps most directly onto the asset-protection wording of DORA and NIS2.
ISO 27001 certification confirms an organization’s compliance with information security management best practices, which can increase customer, partner, and stakeholder trust.
Is ISO 27001 important for compliance with DORA and NIS2?
Asset-based risk assessment methodologies, such as the ISO 27001 approach described here, align with DORA and NIS2 requirements because they focus on identifying, assessing, and managing risks to the assets essential for an organization's operational continuity. DORA requires financial entities to implement robust mechanisms to ensure operational resilience, including ICT risk management. Article 6(2) of DORA states that the ICT risk management framework must protect all information assets and ICT assets, including software and hardware, servers, and all relevant physical components and infrastructure, such as premises, data centres, and sensitive designated areas. An asset-based methodology allows precise identification of these critical assets and of the threats to their security. This in turn enables the application of adequate security measures and the development of business continuity plans, which contribute directly to meeting DORA's requirements.
Similarly, NIS2 obliges essential and important entities to protect against cyber threats and fully supports a risk-based approach to assets. Article 21(2) of the Directive requires that the listed measures be based on an all-hazards approach that aims to protect network and information systems, as well as their physical environment, against incidents.
ISO 27001 allows the risk management approach to be adapted according to the proportionality principle that DORA sets out in Article 4(1). This principle requires taking into account the size and overall risk profile of the entity, and the nature, scale, and complexity of its services, activities, and operations, when implementing the ICT risk management rules. NIS2 makes the same demand in Article 21(1), which calls for appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems.
How can DORA and NIS2 be mapped to ISO 27001?
Some entities covered by DORA or NIS2 were already subject to regulations requiring them to have a risk management policy and specific risk analysis methods. For this reason, when starting an implementation project, it is worth analyzing the gap between the current and expected states. Based on this analysis, it may turn out that the required adjustments do not necessitate starting from scratch to comply with ISO 27001. Conversely, many entities have never been required to perform risk analysis and therefore have no developed risk management or risk assessment methodology. In this case, consider planning the implementation of a risk assessment methodology based on ISO 27001 and its supporting documents, in particular ISO/IEC 27005 for the risk assessment itself.
Practical steps for introducing an ISO 27001-based methodology into an organization
The first step is planning the ISO 27001 implementation process. Identify the team responsible for implementation and assign roles and responsibilities. At this stage, work with the team to develop an action plan. The success of this step determines the success of the entire implementation process.
Next, define the scope of the information security management system (ISMS). Specify the areas of the organization covered by the ISMS, as well as the types of data and business processes included in its scope.
Once you have established this foundation, the next task is to take inventory of the information resources, i.e., the aforementioned assets. At this stage, compile a list of information assets, including systems, system documentation, devices, and data, together with the supporting assets (hardware, software, networks, premises, suppliers, people) on which each of them depends. Each asset must have an assigned owner who is accountable for its protection; an inventory without owners is one of the most common findings in audits.
Once you have identified which assets need to be secured, the next step is to conduct the risk assessment. At this point, identify the threats and vulnerabilities affecting each asset, considering business, system, and operational risks. Once you have identified the threats, assess the likelihood of occurrence and the possible impact on confidentiality, integrity, and availability, using a scale defined in advance so that results are comparable across teams. Then determine the level of risk for each asset and compare it against the risk acceptance criteria that management approved when the ISMS was planned.
An important next step is to develop a risk treatment plan. This involves creating a strategy for how the organization will address each risk. There are four possible approaches to risk: avoidance, modification (mitigation), retention (acceptance), or sharing (transfer, for example through insurance or outsourcing). Accepted risks should be explicitly approved by their owners. You should also assign responsibility for implementing risk mitigation measures to specific individuals or departments at this stage, with deadlines.
The final stage of risk treatment is preparing and implementing the appropriate documentation. Based on the conclusions of the risk assessment, the necessary policies should be developed, and procedures for risk management, security incidents, and business continuity should be implemented.
You must also prepare and complete the Statement of Applicability (SoA) by reviewing the controls in Annex A of ISO 27001 (93 controls in the 2022 edition, grouped into organizational, people, physical, and technological themes). Your tasks include selecting and implementing the appropriate controls, and justifying the inclusion or exclusion of each one in the SoA.
Within the ISO 27001-based methodology, it is crucial that staff understand and know how to implement the policies and procedures. Employees should undergo continuous training to strengthen their risk assessment skills and implementation of risk-based measures.
Management reviews, internal audits, and the certification body's surveillance audits are also important because they allow for the continuous improvement of the ISMS in line with review results and changing threats.
To obtain ISO 27001 certification, you must also collect the required documentation and undergo an audit. You commission an external ISMS audit of your organization from an accredited certification body and resolve any nonconformities it raises. Periodically auditing the risk management process itself is essential for quickly identifying anything that undermines the methodology's effectiveness, such as outdated asset inventories or inconsistent scoring between teams.
What are the benefits of mapping ISO 27001 to the legal requirements of DORA and NIS2?
Building an effective risk assessment methodology and implementing a risk management policy is challenging, but the potential return on investment is high. A high-quality risk management process reduces the likelihood of costly incidents. A methodology aligned with a standard recognized across Europe also makes it easier to demonstrate compliance to customers and partners and to establish new business relationships securely.
In the context of risk assessment, the ISO 27001-based methodology places a strong emphasis on identifying and managing supporting assets, as do DORA and NIS2. Understanding the asset-based risk assessment methodology is essential for meeting the requirements of ISO 27001 and of European legislation. If you are considering implementing a new risk assessment methodology because of changes in the legal and business environment, it is worth consulting specialists. RED INTO GREEN has developed a methodology and technology that enable practical implementation. The RIG methodology is based on risk assessment of supporting assets and aligns with the requirements of NIS2, DORA, and GDPR, while also complying with ISO 27001.
Below, you can compare the implementation stages of the ISO 27001 and RIG DORA methodologies. The RIG DORA methodology uses the principles of ISO 27001, adapting and developing them to meet DORA requirements.