Benefits of Adopting NIST CSF 2.0 for DORA Implementation


NIST CSF is the best approach to implementing DORA, the Digital Operational Resilience Act. Below is the mapping between DORA's requirement areas and the NIST CSF 2.0 subcategories that address them.

With NIST CSF 2.0, the community profile and a maturity rating at Tier 4 make adopting NIST CSF 2.0 the best approach for DORA implementation.

ICT Risk Management

A framework setting principles and requirements on ICT risk management.

GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

ICT Third-Party Risk Management

Mitigation of ICT third-party risk; key contractual provisions.

GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

Digital Operational Resilience Testing

Operational resilience testing programme encompassing a range of tests, including advanced testing.

PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
PR.IR-02: The organization’s technology assets are protected from environmental threats
PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
PR.IR-04: Adequate resource capacity to ensure availability is maintained
ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities
ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved

ICT-Related Incidents

Management of ICT-related incidents, and notification of major ones and of significant cyber threats to competent authorities.

RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared
RS.MA-02: Incident reports are triaged and validated
RS.MA-03: Incidents are categorized and prioritized
RS.MA-04: Incidents are escalated or elevated as needed
RS.MA-05: The criteria for initiating incident recovery are applied
RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident
RS.AN-06: Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved
RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
RS.AN-08: An incident’s magnitude is estimated and validated
RS.CO-02: Internal and external stakeholders are notified of incidents
RS.CO-03: Information is shared with designated internal and external stakeholders
RS.MI-01: Incidents are contained
RS.MI-02: Incidents are eradicated

Information Sharing

Exchange of information and intelligence on cyber threats.

ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-03: Internal and external threats to the organization are identified and recorded
ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated

Oversight of Critical Third-Party Providers

Oversight framework for ICT third-party providers that are designated as critical by the ESAs for the financial sector.

GV.SC-04: Suppliers are known and prioritized by criticality
GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships