Mappings

DORA to ISO 27001

| Chapter | Article | DORA Article number | ISO 27001 Controls | ISO 27001 Control name | ISO 27001 Chapter |
|---|---|---|---|---|---|
| 1 | 1 | Art. 4 | 4.1 | Understanding the organization and its context | |
| | | Art. 4 | 4.2 | Understanding the needs and expectations of interested parties | |
| | | Art. 4 | A5.31 | Legal, statutory, regulatory and contractual requirements | |
| | | Art. 4 | 6.1.3 | Information security risk treatment | |
| 82 | 13 | Art. 5.1 | 4.4 | Information security management system | |
| | | Art. 5.1 | 5.1 | Leadership and commitment | |
| | | Art. 5.1 | 5.2 | Policy | |
| | | Art. 5.2 | A5.4 | Management responsibilities | |
| | | Art. 5.2 | 5.1 | Leadership and commitment | |
| | | Art. 5.3 | A5.22 | Monitoring, review and change management of supplier services | |
| | | Art. 5.4 | 7.2 | Competence | |
| | | Art. 5.4 | 7.3 | Awareness | |
| | 18 | Art. 6.1 | A5.1 | Policies for information security | |
| | | Art. 6.1 | 6.1.3 | Information security risk treatment | |
| | | Art. 6.1 | 7.5 | Documented information | |
| | | Art. 6.2 | 4.4 | Information security management system | |
| | | Art. 6.2 | A5.1 | Policies for information security | |
| | | Art. 6.2 | A5.37 | Documented operating procedures | |
| | | Art. 6.2 | 6.1.3 | Information security risk treatment | |
| | | Art. 6.3 | A5.5 | Contact with authorities | |
| | | Art. 6.3 | 6.1.3 | Information security risk treatment | |
| | | Art. 6.3 | 7.4 | Communication | |
| | | Art. 6.3 | 8.1 | Operational planning and control | |
| | | Art. 6.4 | A5.2 | Information security roles and responsibilities | |
| | | Art. 6.4 | A5.3 | Segregation of duties | |
| | | Art. 6.4 | A5.4 | Management responsibilities | |
| | | Art. 6.4 | 5.1 | Leadership and commitment | |
| | | Art. 6.4 | 5.3 | Organizational roles, responsibilities and authorities | |
| | | Art. 6.4 | 9.1 | Monitoring, measurement, analysis and evaluation | |
| | | Art. 6.4 | 9.2 | Internal audit | |
| | | Art. 6.4 | 9.3 | Management review | |
| | | Art. 6.5 | A5.1 | Policies for information security | |
| | | Art. 6.5 | A5.5 | Contact with authorities | |
| | | Art. 6.5 | 7.4 | Communication | |
| | | Art. 6.5 | 7.5 | Documented information | |
| | | Art. 6.5 | 10.1 | Continual improvement | |
| | | Art. 6.6 | A5.36 | Compliance with policies, rules and standards for information security | |
| | | Art. 6.6 | 9.2 | Internal audit | |
| | | Art. 6.7 | 10.2 | Nonconformity and corrective action | |
| | | Art. 6.8 | A5.29 | Information security during disruption | |
| | | Art. 6.8 | A5.30 | ICT readiness for business continuity | |
| | | Art. 6.8 | A8.14 | Redundancy of information processing facilities | |
| | | Art. 6.9 | A5.19 | Information security in supplier relationships | |
| | | Art. 6.9 | A5.30 | ICT readiness for business continuity | |
| | | Art. 6.9 | A8.14 | Redundancy of information processing facilities | |
| | | Art. 6.10 | A5.35 | Independent review of information security | |
| | 1 | Art. 7 | 6.1.1 | General | |
| | | Art. 7 | 6.1.3 | Information security risk treatment | |
| | 7 | Art. 8.1 | A5.9 | Inventory of information and other associated assets | |
| | | Art. 8.1 | A5.12 | Classification of information | |
| | | Art. 8.2 | 6.1.2 | Information security risk assessment | |
| | | Art. 8.3 | 8.1 | Operational planning and control | |
| | | Art. 8.3 | 8.2 | Information security risk assessment | |
| | | Art. 8.4 | A5.9 | Inventory of information and other associated assets | |
| | | Art. 8.5 | A5.9 | Inventory of information and other associated assets | |
| | | Art. 8.5 | A5.22 | Monitoring, review and change management of supplier services | |
| | | Art. 8.5 | 8.1 | Operational planning and control | |
| | | Art. 8.6 | A5.9 | Inventory of information and other associated assets | |
| | | Art. 8.6 | A5.22 | Monitoring, review and change management of supplier services | |
| | | Art. 8.6 | 8.1 | Operational planning and control | |
| | | Art. 8.7 | A8.9 | Configuration management | |
| | | Art. 8.7 | A8.29 | Security testing in development and acceptance | |
| | | Art. 8.7 | 6.1.2 | Information security risk assessment | |
| | | Art. 8.7 | 8.2 | Information security risk assessment | |
| | 12 | Art. 9.1 | A8.16 | Monitoring activities | |
| | | Art. 9.1 | 6.1.3 | Information security risk treatment | |
| | | Art. 9.1 | 8.1 | Operational planning and control | |
| | | Art. 9.1 | 8.3 | Information security risk treatment | |
| | | Art. 9.1 | 9.1 | Monitoring, measurement, analysis and evaluation | |
| | | Art. 9.2 | 6.1.3 | Information security risk treatment | |
| | | Art. 9.2 | 8.3 | Information security risk treatment | |
| | | Art. 9.3 | A5.14 | Information transfer | |
| | | Art. 9.3 | A8.1 | User end point devices | |
| | | Art. 9.3 | A8.2 | Privileged access rights | |
| | | Art. 9.3 | A8.3 | Information access restriction | |
| | | Art. 9.3 | A8.4 | Access to source code | |
| | | Art. 9.3 | A8.5 | Secure authentication | |
| | | Art. 9.3 | A8.12 | Data leakage prevention | |
| | | Art. 9.3 | 6.1.3 | Information security risk treatment | |
| | | Art. 9.3 | 8.3 | Information security risk treatment | |
| | | Art. 9.4 | | | |
| | | Art. 9.4(a) | A5.1 | Policies for information security | |
| | | Art. 9.4(a) | 5.2 | Policy | |
| | | Art. 9.4(b) | A5.24 | Information security incident management planning and preparation | |
| | | Art. 9.4(b) | A5.26 | Response to information security incidents | |
| | | Art. 9.4(b) | A8.16 | Monitoring activities | |
| | | Art. 9.4(b) | A8.20 | Networks security | |
| | | Art. 9.4(b) | A8.21 | Security of network services | |
| | | Art. 9.4(b) | A8.22 | Segregation of networks | |
| | | Art. 9.4(b) | 6.1.3 | Information security risk treatment | |
| | | Art. 9.4(c) | A5.15 | Access control | |
| | | Art. 9.4(c) | A5.18 | Access rights | |
| | | Art. 9.4(c) | A7.2 | Physical entry | |
| | | Art. 9.4(c) | A7.3 | Securing offices, rooms and facilities | |
| | | Art. 9.4(c) | A7.4 | Physical security monitoring | |
| | | Art. 9.4(c) | A8.2 | Privileged access rights | |
| | | Art. 9.4(c) | A8.3 | Information access restriction | |
| | | Art. 9.4(c) | A8.4 | Access to source code | |
| | | Art. 9.4(d) | A5.12 | Classification of information | |
| | | Art. 9.4(d) | A5.17 | Authentication information | |
| | | Art. 9.4(d) | A8.5 | Secure authentication | |
| | | Art. 9.4(d) | A8.24 | Use of cryptography | |
| | | Art. 9.4(e) | A8.32 | Change management | |
| | | Art. 9.4(e) | 8.1 | Operational planning and control | |
| | | Art. 9.4(e) | 8.2 | Information security risk assessment | |
| | | Art. 9.4(f) | A8.8 | Management of technical vulnerabilities | |
| | | Art. 9.4(f) | A8.9 | Configuration management | |
| | | Art. 9.4 | A8.22 | Segregation of networks | |
| | | Art. 9.4 | A8.32 | Change management | |
| | 4 | Art. 10.1 | A8.16 | Monitoring activities | |
| | | Art. 10.2 | A5.25 | Assessment and decision on information security events | |
| | | Art. 10.2 | A5.26 | Response to information security incidents | |
| | | Art. 10.2 | A8.16 | Monitoring activities | |
| | | Art. 10.3 | A5.24 | Information security incident management planning and preparation | |
| | | Art. 10.3 | A8.16 | Monitoring activities | |
| | | Art. 10.3 | 7.1 | Resources | |
| | | Art. 10.4 | A5.6 | Contact with special interest groups | |
| | | Art. 10.4 | A5.7 | Threat intelligence | |
| | 10 | Art. 11.1 | A5.30 | ICT readiness for business continuity | |
| | | Art. 11.2 | A5.29 | Information security during disruption | |
| | | Art. 11.2 | A5.30 | ICT readiness for business continuity | |
| | | Art. 11.3 | A5.29 | Information security during disruption | |
| | | Art. 11.3 | A5.30 | ICT readiness for business continuity | |
| | | Art. 11.3 | 9.2 | Internal audit | |
| | | Art. 11.4 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 11.4 | A5.22 | Monitoring, review and change management of supplier services | |
| | | Art. 11.4 | A5.29 | Information security during disruption | |
| | | Art. 11.4 | A5.30 | ICT readiness for business continuity | |
| | | Art. 11.5 | A5.9 | Inventory of information and other associated assets | |
| | | Art. 11.5 | A5.30 | ICT readiness for business continuity | |
| | | Art. 11.6 | A5.29 | Information security during disruption | |
| | | Art. 11.6 | A5.30 | ICT readiness for business continuity | |
| | | Art. 11.6 | A8.13 | Information backup | |
| | | Art. 11.6 | 7.4 | Communication | |
| | | Art. 11.7 | A5.5 | Contact with authorities | |
| | | Art. 11.7 | A5.6 | Contact with special interest groups | |
| | | Art. 11.7 | A5.26 | Response to information security incidents | |
| | | Art. 11.7 | A5.30 | ICT readiness for business continuity | |
| | | Art. 11.7 | 7.4 | Communication | |
| | | Art. 11.8 | A5.28 | Collection of evidence | |
| | | Art. 11.9 | A5.5 | Contact with authorities | |
| | | Art. 11.9 | A5.30 | ICT readiness for business continuity | |
| | | Art. 11.9 | 7.4 | Communication | |
| | | Art. 11.10 | A5.5 | Contact with authorities | |
| | | Art. 11.10 | 7.4 | Communication | |
| | 7 | Art. 12.1 | A8.13 | Information backup | |
| | | Art. 12.2 | A8.13 | Information backup | |
| | | Art. 12.3 | A5.29 | Information security during disruption | |
| | | Art. 12.3 | A5.30 | ICT readiness for business continuity | |
| | | Art. 12.3 | A8.13 | Information backup | |
| | | Art. 12.4 | A8.14 | Redundancy of information processing facilities | |
| | | Art. 12.5 | A8.14 | Redundancy of information processing facilities | |
| | | Art. 12.6 | A5.9 | Inventory of information and other associated assets | |
| | | Art. 12.6 | A5.30 | ICT readiness for business continuity | |
| | | Art. 12.6 | 8.1 | Operational planning and control | |
| | | Art. 12.7 | A5.26 | Response to information security incidents | |
| | | Art. 12.7 | A8.13 | Information backup | |
| | 7 | Art. 13.1 | A5.24 | Information security incident management planning and preparation | |
| | | Art. 13.1 | 7.1 | Resources | |
| | | Art. 13.2 | A5.5 | Contact with authorities | |
| | | Art. 13.2 | A5.27 | Learning from information security incidents | |
| | | Art. 13.2 | 7.4 | Communication | |
| | | Art. 13.3 | 8.2 | Information security risk assessment | |
| | | Art. 13.3 | 10.1 | Continual improvement | |
| | | Art. 13.3 | 10.2 | Nonconformity and corrective action | |
| | | Art. 13.4 | 8.2 | Information security risk assessment | |
| | | Art. 13.4 | 10.1 | Continual improvement | |
| | | Art. 13.5 | 9.3 | Management review | |
| | | Art. 13.5 | 10.2 | Nonconformity and corrective action | |
| | | Art. 13.6 | A6.3 | Information security awareness, education and training | |
| | | Art. 13.6 | 7.3 | Awareness | |
| | | Art. 13.7 | 4.1 | Understanding the organization and its context | |
| | | Art. 13.7 | 6.1.2 | Information security risk assessment | |
| | | Art. 13.7 | 8.2 | Information security risk assessment | |
| | 3 | Art. 14.1 | A5.26 | Response to information security incidents | |
| | | Art. 14.1 | 7.4 | Communication | |
| | | Art. 14.2 | A5.26 | Response to information security incidents | |
| | | Art. 14.2 | 7.4 | Communication | |
| | | Art. 14.3 | A5.26 | Response to information security incidents | |
| | | Art. 14.3 | 7.4 | Communication | |
| 12 | 3 | Art. 17.1 | A5.24 | Information security incident management planning and preparation | |
| | | Art. 17.2 | A5.24 | Information security incident management planning and preparation | |
| | | Art. 17.2 | A5.25 | Assessment and decision on information security events | |
| | | Art. 17.2 | A5.26 | Response to information security incidents | |
| | | Art. 17.2 | A5.27 | Learning from information security incidents | |
| | | Art. 17.2 | A5.28 | Collection of evidence | |
| | | Art. 17.3 | A5.24 | Information security incident management planning and preparation | |
| | | Art. 17.3 | A5.25 | Assessment and decision on information security events | |
| | | Art. 17.3 | A5.26 | Response to information security incidents | |
| | | Art. 17.3 | 7.4 | Communication | |
| | 2 | Art. 18.1 | A5.24 | Information security incident management planning and preparation | |
| | | Art. 18.1 | A5.25 | Assessment and decision on information security events | |
| | | Art. 18.2 | 6.1.2 | Information security risk assessment | |
| | 5 | Art. 19.1 | A5.5 | Contact with authorities | |
| | | Art. 19.1 | A5.24 | Information security incident management planning and preparation | |
| | | Art. 19.1 | A5.25 | Assessment and decision on information security events | |
| | | Art. 19.1 | A5.26 | Response to information security incidents | |
| | | Art. 19.1 | A5.27 | Learning from information security incidents | |
| | | Art. 19.1 | A5.28 | Collection of evidence | |
| | | Art. 19.1 | 7.4 | Communication | |
| | | Art. 19.2 | A5.5 | Contact with authorities | |
| | | Art. 19.2 | A5.7 | Threat intelligence | |
| | | Art. 19.3 | A5.25 | Assessment and decision on information security events | |
| | | Art. 19.3 | A5.26 | Response to information security incidents | |
| | | Art. 19.3 | 7.4 | Communication | |
| | | Art. 19.4 | A5.5 | Contact with authorities | |
| | | Art. 19.4 | A5.24 | Information security incident management planning and preparation | |
| | | Art. 19.4 | A5.25 | Assessment and decision on information security events | |
| | | Art. 19.4 | A5.26 | Response to information security incidents | |
| | | Art. 19.4 | A5.27 | Learning from information security incidents | |
| | | Art. 19.4 | A5.28 | Collection of evidence | |
| | | Art. 19.4 | 7.4 | Communication | |
| | | Art. 19.5 | A5.24 | Information security incident management planning and preparation | |
| | 1 | Art. 22.1 | A5.5 | Contact with authorities | |
| | | Art. 22.1 | 7.4 | Communication | |
| | 1 | Art. 23 | A5.24 | Information security incident management planning and preparation | |
| 20 | 6 | Art. 24.1 | A5.30 | ICT readiness for business continuity | |
| | | Art. 24.1 | A5.35 | Independent review of information security | |
| | | Art. 24.1 | A8.29 | Security testing in development and acceptance | |
| | | Art. 24.1 | A8.31 | Separation of development, test and production environments | |
| | | Art. 24.1 | A8.33 | Test information | |
| | | Art. 24.1 | 9.2 | Internal audit | |
| | | Art. 24.2 | A5.30 | ICT readiness for business continuity | |
| | | Art. 24.2 | A5.35 | Independent review of information security | |
| | | Art. 24.2 | A8.29 | Security testing in development and acceptance | |
| | | Art. 24.2 | A8.31 | Separation of development, test and production environments | |
| | | Art. 24.2 | A8.33 | Test information | |
| | | Art. 24.2 | 9.2 | Internal audit | |
| | | Art. 24.3 | 4.1 | Understanding the organization and its context | |
| | | Art. 24.3 | A5.30 | ICT readiness for business continuity | |
| | | Art. 24.3 | A5.35 | Independent review of information security | |
| | | Art. 24.3 | 9.2 | Internal audit | |
| | | Art. 24.4 | A5.30 | ICT readiness for business continuity | |
| | | Art. 24.4 | A5.35 | Independent review of information security | |
| | | Art. 24.4 | 9.2 | Internal audit | |
| | | Art. 24.5 | 10.1 | Continual improvement | |
| | | Art. 24.5 | 10.2 | Nonconformity and corrective action | |
| | | Art. 24.6 | A5.30 | ICT readiness for business continuity | |
| | | Art. 24.6 | A5.35 | Independent review of information security | |
| | | Art. 24.6 | 9.2 | Internal audit | |
| | 3 | Art. 25.1 | A5.30 | ICT readiness for business continuity | |
| | | Art. 25.1 | A5.35 | Independent review of information security | |
| | | Art. 25.1 | A8.8 | Management of technical vulnerabilities | |
| | | Art. 25.1 | 9.2 | Internal audit | |
| | | Art. 25.2 | A8.4 | Access to source code | |
| | | Art. 25.2 | A8.8 | Management of technical vulnerabilities | |
| | | Art. 25.2 | A8.9 | Configuration management | |
| | | Art. 25.2 | A8.19 | Installation of software on operational systems | |
| | | Art. 25.2 | A8.25 | Secure development life cycle | |
| | | Art. 25.2 | A8.26 | Application security requirements | |
| | | Art. 25.2 | A8.27 | Secure system architecture and engineering principles | |
| | | Art. 25.2 | A8.28 | Secure coding | |
| | | Art. 25.2 | A8.29 | Security testing in development and acceptance | |
| | | Art. 25.2 | A8.30 | Outsourced development | |
| | | Art. 25.3 | A5.30 | ICT readiness for business continuity | |
| | | Art. 25.3 | A5.35 | Independent review of information security | |
| | | Art. 25.3 | 6.1.2 | Information security risk assessment | |
| | | Art. 25.3 | 9.2 | Internal audit | |
| | 8 | Art. 26.1 | A5.35 | Independent review of information security | |
| | | Art. 26.1 | 7.4 | Communication | |
| | | Art. 26.2 | A5.5 | Contact with authorities | |
| | | Art. 26.2 | A5.9 | Inventory of information and other associated assets | |
| | | Art. 26.2 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 26.2 | A5.35 | Independent review of information security | |
| | | Art. 26.2 | 7.4 | Communication | |
| | | Art. 26.3 | A5.19 | Information security in supplier relationships | |
| | | Art. 26.3 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 26.3 | A5.21 | Managing information security in the information and communication technology (ICT) supply chain | |
| | | Art. 26.3 | A5.22 | Monitoring, review and change management of supplier services | |
| | | Art. 26.3 | A5.23 | Information security for use of cloud services | |
| | | Art. 26.4 | A5.19 | Information security in supplier relationships | |
| | | Art. 26.4 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 26.5 | A5.21 | Managing information security in the information and communication technology (ICT) supply chain | |
| | | Art. 26.5 | A5.22 | Monitoring, review and change management of supplier services | |
| | | Art. 26.5 | A5.23 | Information security for use of cloud services | |
| | | Art. 26.5 | 6.1.3 | Information security risk treatment | |
| | | Art. 26.5 | 8.3 | Information security risk treatment | |
| | | Art. 26.6 | A5.5 | Contact with authorities | |
| | | Art. 26.6 | 7.4 | Communication | |
| | | Art. 26.6 | 10.1 | Continual improvement | |
| | | Art. 26.6 | 10.2 | Nonconformity and corrective action | |
| | | Art. 26.7 | A5.5 | Contact with authorities | |
| | | Art. 26.7 | A5.35 | Independent review of information security | |
| | | Art. 26.7 | 7.4 | Communication | |
| | | Art. 26.7 | 10.1 | Continual improvement | |
| | | Art. 26.7 | 10.2 | Nonconformity and corrective action | |
| | | Art. 26.8 | A5.35 | Independent review of information security | |
| | 3 | Art. 27.1 | A5.35 | Independent review of information security | |
| | | Art. 27.2 | A5.35 | Independent review of information security | |
| | | Art. 27.3 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 27.3 | A5.35 | Independent review of information security | |
| 14 | 8 | Art. 28.1 | A5.19 | Information security in supplier relationships | |
| | | Art. 28.1 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 28.1 | A5.21 | Managing information security in the information and communication technology (ICT) supply chain | |
| | | Art. 28.1 | 6.1 | Actions to address risks and opportunities | |
| | | Art. 28.1 | 8.1 | Operational planning and control | |
| | | Art. 28.1 | 8.2 | Information security risk assessment | |
| | | Art. 28.1 | 8.3 | Information security risk treatment | |
| | | Art. 28.2 | A5.19 | Information security in supplier relationships | |
| | | Art. 28.2 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 28.2 | A5.21 | Managing information security in the information and communication technology (ICT) supply chain | |
| | | Art. 28.2 | 6.1.2 | Information security risk assessment | |
| | | Art. 28.2 | 8.1 | Operational planning and control | |
| | | Art. 28.2 | 8.2 | Information security risk assessment | |
| | | Art. 28.3 | A5.5 | Contact with authorities | |
| | | Art. 28.3 | A5.9 | Inventory of information and other associated assets | |
| | | Art. 28.3 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 28.3 | 7.4 | Communication | |
| | | Art. 28.4 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 28.4 | 6.1.2 | Information security risk assessment | |
| | | Art. 28.4 | 8.2 | Information security risk assessment | |
| | | Art. 28.5 | A5.19 | Information security in supplier relationships | |
| | | Art. 28.5 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 28.6 | A5.19 | Information security in supplier relationships | |
| | | Art. 28.6 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 28.6 | A5.21 | Managing information security in the information and communication technology (ICT) supply chain | |
| | | Art. 28.6 | A5.22 | Monitoring, review and change management of supplier services | |
| | | Art. 28.7 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 28.8 | A5.19 | Information security in supplier relationships | |
| | | Art. 28.8 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 28.8 | A5.22 | Monitoring, review and change management of supplier services | |
| | | Art. 28.8 | A5.23 | Information security for use of cloud services | |
| | 2 | Art. 29.1 | A5.19 | Information security in supplier relationships | |
| | | Art. 29.1 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 29.1 | A5.21 | Managing information security in the information and communication technology (ICT) supply chain | |
| | | Art. 29.2 | A5.19 | Information security in supplier relationships | |
| | | Art. 29.2 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 29.2 | A5.21 | Managing information security in the information and communication technology (ICT) supply chain | |
| | | Art. 29.2 | A5.34 | Privacy and protection of personal identifiable information (PII) | |
| | 4 | Art. 30.1 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 30.2 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 30.3 | A5.20 | Addressing information security within supplier agreements | |
| | | Art. 30.4 | A5.20 | Addressing information security within supplier agreements | |