DORA Assessment Workbook

Use this workbook to map relevant controls from the NIST CSF and ISO 27001 frameworks to the five main pillars of the DORA.

ICT Risk Management

NIST CSF

GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

www.upguard.com 2

GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ISO 27001

Clause 6.1: Actions to address risks and opportunities (including all sub-clauses)
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

Clause 8: Operation (including all sub-clauses)
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ICT-Related Incident Response

NIST CSF

GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.MA-02: Incident reports are triaged and validated
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.MA-03: Incidents are categorized and prioritized
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.MA-04: Incidents are escalated or elevated as needed
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.MA-05: The criteria for initiating incident recovery are applied
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.AN-06: Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.AN-08: An incident’s magnitude is estimated and validated
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.CO-02: Internal and external stakeholders are notified of incidents
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.CO-03: Information is shared with designated internal and external stakeholders
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.MI-01: Incidents are contained
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.MI-02: Incidents are eradicated
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related documentation is completed
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ISO 27001

A.5.24: Information security incident management planning and preparation
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.25: Assessment and decision on information security events
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.26: Response to information security incidents
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.27: Learning from information security incidents
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.28: Collection of evidence
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

Digital Operational Resilience Testing

NIST CSF

ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-03: Internal and external threats to the organization are identified and recorded
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.IR-02: The organization’s technology assets are protected from environmental threats
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.IR-04: Adequate resource capacity to ensure availability is maintained
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.AN-06: Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ISO 27001

A.5.29: Information security during disruption
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.30: ICT readiness for business continuity
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ICT Third-Party Risk

NIST CSF

GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-04: Suppliers are known and prioritized by criticality
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.AM-04: Inventories of services provided by suppliers are maintained
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-10: Critical suppliers are assessed prior to acquisition
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.AA-03: Users, services, and hardware are authenticated
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ISO 27001

A.5.19: Information security in supplier agreements
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.20: Addressing information security within supplier agreements
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.21: Managing information security in the information and communication technology (ICT) supply chain
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.22: Monitoring, review, and change management of supplier services
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.23: Information security for use of cloud services
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

Information Sharing

NIST CSF

GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ID.RA-03: Internal and external threats to the organization are identified and recorded
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.CO-02: Internal and external stakeholders are notified of incidents
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RS.CO-03: Information is shared with designated internal and external stakeholders
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

ISO 27001

A.5.5: Contact with authorities
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.6: Contact with special interest groups
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.7: Threat intelligence
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.14: Information transfer
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

A.5.31: Legal, statutory, regulatory and contractual requirements
Implemented: Yes / Partially / No
Implementation Details:
Mitigation Actions:

How UpGuard helps organizations comply with the DORA framework

UpGuard provides automatic compliance mapping and reporting against DORA through NIST CSF and ISO 27001 for you and your vendors. Assess your DORA compliance today.

www.upguard.com 650 Castro Street, Suite 120-387, Mountain View CA 94041 United States

+1 888-882-3223
© 2024 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard
logo are registered trademarks of UpGuard, Inc. All other products or
services mentioned herein are trademarks of their respective companies.
Information subject to change without notice.

This document is for reference only and is provided without warranties of any kind. Your use of this information is strictly at your own risk. Consult an attorney for guidance tailored to your specific circumstances.
