How to comply with a regulation when there is no certification?

CONTROL AND ACCREDIT DUE DILIGENCE IN IT RISK MANAGEMENT


Although it is frequently offered, certification against the DORA Regulation does not exist: the Regulation is not subject to certification. Its true objective lies not so much in compliance as in improving the resilience of the financial sector as a whole, including the obligated entities and their ICT suppliers, in order to increase market confidence in the financial system and preserve its stability.

Resilience cannot be improved without measuring it, and that requires a measurement system such as the LEET Security Rating. Its control framework incorporates the most widely implemented standards and international best practices, and has been expanded to include and map every requirement established by DORA. DORA Passport verifies and accredits the degree to which those regulatory requirements have been implemented.



graphic of regulations and standards mapped with LEET





illustration of an enlarged LEET seal with a magnifying glass



DORA Passport by LEET


the comprehensive and efficient solution to understand and accredit the level of compliance


DORA Passport provides a complete assessment of the requirements established in Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) and its development in subsequent delegated regulations.

This solution is valid for both financial entities and their ICT suppliers. It complements the LEET Security Cybersecurity Rating and shows expressly whether, and to what extent, the organization has implemented all the technical and organizational measures included in the Regulation, as well as the practices that should be established to achieve them or that represent an improvement in level.




A UNIQUE PROCESS


During the audit process, a specialized and independent team, applying the methodology and the experience acquired with the LEET Rating, will require:


  • A clear and precise description of the scope associated with the services.

  • Documentation (policies, standards, and procedures) that covers all the requirements.

  • Evidence of the implementation and operating effectiveness of the related controls.

  • Evidence of the performance of resilience tests.

Once the audit process is completed, in addition to the accompanying LEET Rating documentation, the following is also provided:


  • Cyber Resilience Index: Evaluation of the degree of implementation of the cyber resilience measures for the service offered (indicative value between 0 and 1,000), together with its evolution over the last 3 years. A result between 500 and 749 earns the DORA Prime grade; a result between 750 and 1,000 earns the DORA Elite grade.

  • Executive Summary: General opinion of the evaluation result, highlighting the main aspects and strategic directions for improvement.

  • Results in the five pillars: Result of the review carried out for each of the five fundamental pillars on which the regulation is based.

  • Evaluation against DORA requirements: Detailed evaluation of the level of implementation of each of the requirements established by DORA and the associated delegated acts.

  • Benchmarking: Comparison of the results obtained against the other entities evaluated (in the financial sector and/or among ICT providers).

  • Prioritized list of areas for improvement: Measures needed to raise the level of resilience, ranked by importance.



graphs of the reports delivered with DORA Passport

A solution for different needs



Compliance Officers


To evaluate and accredit the degree of compliance.





CISOs and Management Bodies


As an objective evaluation mechanism to understand, control, and report the level of resilience, which also allows benchmarking against other organizations.





Procurement


As a due-diligence system prior to contracting suppliers, and for their subsequent supervision.



Business Managers (suppliers)


A differentiation tool: demonstrating commitment to security and resilience, and making it easier to meet their own obligations towards those clients.




characteristics of the LEET rating

A PROVEN AND EVOLVED SYSTEM



LEET Rating, the best option for DORA


LEET Security is a specialized agency whose sole activity is the development of an optimized model for evaluating cybersecurity capabilities, which has been adapted for DORA. Evaluations are therefore carried out homogeneously and free of the conflicts of interest that could arise from an associated consulting activity.

In particular, the audit carried out by LEET is not intended to detect vulnerabilities (as threat-led penetration tests such as TIBER-EU do), but to verify that such tests are carried out in accordance with the requirements (Arts. 26 and 27 of the Regulation).

The LEET Security cybersecurity rating is the best option to comply with the regulatory requirements, to effectively manage both your own and third-party cyber risks, and to accredit compliance.



CERTIFICATIONS ARE NOT ENOUGH



Only provide information about minimum compliance

Certifications and standards such as ISO 27001 address cybersecurity criteria, but they only attest to the existence of a management system, not to whether the measures actually applied provide a higher or lower level of security.

There are also perimeter evaluations, or digital ratings, which are convenient but unreliable, since they rely solely on publicly observable, "reputational" information and do not evaluate the processes or operational measures behind the services offered.




“What is not defined cannot be measured. What is not measured cannot be improved. What is not improved always degrades.”

Lord Kelvin, British physicist and mathematician



illustration of two people observing an ISO 27001 certification from behind

Contact us

Request your discovery session and learn how cybersecurity ratings can help you improve your security, or ask for information about LEET Security and our services.

Calle López de Hoyos, 125,

28002 - Madrid