Key takeaways
The Digital Operational Resilience Act (DORA) formalizes a unique and detailed framework for digital operational resilience for financial entities. It is made up of five key pillars of requirements:
- Formalizing a risk management framework
- Controlling resilience
- Monitoring service providers
- Managing incidents
- Sharing information
Through its third pillar, this regulation extends beyond financial sector actors by imposing requirements on ICT (Information and Communication Technology) service providers working for the sector. Financial entities must ensure not only their own operational resilience but also that of their ICT providers. This represents a considerable volume of organizations.
Indeed, according to a 2023 survey by the Prudential Supervision and Resolution Authority (ACPR), 96% of insurers outsource critical or important functions.
In this context, ICT providers working for financial entities must provide guarantees and/or assurances regarding digital operational resilience. This issue is currently one of the major concerns for 50% of Chief Information Security Officers (CISOs).
DORA: What Compliance Levers for Service Providers?
ISO 27001 certification and SOC2 attestation are means of addressing this new challenge. These are two of the most rigorous security and compliance standards, designed to demonstrate to clients that their data is protected and risks are managed.
They confirm to an organization’s stakeholders that a risk management framework has been implemented, involving security control operations, service monitoring, and state-of-the-art incident management, in line with DORA’s main requirements.
ISO 27001 Certification: Essential for Risk Management
ISO 27001 certification guarantees the establishment of a robust management system within an organization to control risks related to data availability, integrity, and confidentiality.
The certification process is standardized but requires significant formalization work (policies, procedures, etc.), ongoing monitoring, and periodic updates. Depending on the complexity of the organization, it typically takes between six months to a year for implementation and involves several regular audits.
SOC2 Attestation: A Data Security Audit
On the other hand, SOC2 attestation (an American standard formalized by the AICPA - American Institute of Certified Public Accountants) is an audit report intended for a company using outsourced services. It focuses specifically on controls related to security (availability, integrity, confidentiality, and privacy) of the processes supported by the service provider.
While the formalization requirement is less stringent than for ISO 27001 certification, the need to provide auditable evidence over time is much stronger, which requires formalized and/or industrialized processes. The SOC2 audit lasts between one and three months and must be renewed annually for a Type 2 attestation. SOC2 Type 1 provides assurance on the design of the security controls at a point in time, with unit tests; SOC2 Type 2 provides assurance over a period of 6 to 12 months, with sampling tests across that period.
ISO 27001 and SOC2: Any Differences?
These two standards are quite similar and, most importantly, complementary.
According to an AICPA mapping, there is an 80% overlap between the two standards. Additionally, the costs associated with obtaining and maintaining these certifications over a period of 3 to 5 years are quite similar. Thus, choosing between the two standards can be challenging for an organization.
DORA: Which Security Guarantee to Choose?
Given that financial entities are more aligned with Anglo-Saxon standards, SOC2 attestation will be more relevant to them. However, obtaining a SOC2 attestation requires the prior implementation of an ISMS (Information Security Management System), so ISO 27001 or another international ISMS standard (e.g., NIST - National Institute of Standards and Technology) must be in place.
Therefore, ideally, combining ISO 27001 certification and SOC2 attestation would be the best solution to meet DORA’s requirements.
However, given the significant budget required for these normative approaches, smaller organizations may find it acceptable to implement an ISMS based on ISO 27001 (without certification) and obtain SOC2 attestation.
The security experts from the IT and Risk Advisory team, dedicated to supporting you with these standards, are available for your ISO 27001 certification and/or SOC2 attestation projects.
RSM experts assist businesses across all sectors in evaluating and managing the risks of fraud and scams. We have the ability to offer you quick and effective prevention solutions: rapid diagnostics, employee training, and process security.
Discover our Risk Advisory services.