DORA Critical Supplier Audit

DORA Critical Supplier Audit – Ensure full compliance with the DORA regulation and gain a competitive advantage.

Our audit services ensure security, ISO compliance, and business stability in line with the DORA regulation.

Comprehensive DORA compliance risk assessment.

We analyze processes and systems, identify gaps, and recommend actions to protect your organization from sanctions and operational disruptions.

ISO 27001 and ISO 22301 certification and implementation.

We support the effective implementation of information security and business continuity standards to meet DORA and NIS-2 requirements.

Compliance monitoring and reporting.

Regular audits and reports help you continuously monitor compliance and respond quickly to evolving regulatory challenges.

Our DORA-compliant audit offering for suppliers

Discover our comprehensive audit services that help meet DORA requirements as well as ISO 27001, ISO 22301, and NIS-2 standards.

DORA Compliance Audit

We conduct detailed analyses to ensure your organization meets all DORA regulatory requirements.

ISO 27001 Audit

We offer specialized information security audits in line with ISO 27001, enhancing data protection.

ISO 22301 Audit

We focus on business continuity, tailoring solutions to your company’s needs.

How We Conduct a DORA Audit

We present a detailed DORA compliance audit process to help you understand each stage and maximize implementation effectiveness.

Step One: Current State Analysis

We assess current procedures and systems to identify areas requiring adjustment in line with DORA requirements.

Step Two: Implementation of Recommendations

We implement recommended solutions, aligning processes with ISO 27001, ISO 22301, DORA, and NIS-2 requirements.

Step Three: Verification and Reporting

We conduct a final audit to confirm compliance and prepare a detailed report with recommendations for the future.

DORA Audit Methodology for Critical Suppliers

JDA Advisory's DORA Critical Supplier Audit Methodology is built on an extensive checklist aligned with the EBA/ESMA/EIOPA RTS/ITS and with market practice for banks, fintechs, insurers, and ICT providers.

Critical Supplier Audit Methodology according to DORA

1. Audit objective

  • Identification of gaps, risks, and recommendations for the financial institution.
  • Assessment of the critical supplier’s compliance with DORA requirements (Articles 28–30, RTS/ITS).
  • Verification of the adequacy of ICT controls, cybersecurity, business continuity, and risk management.
  • Assessment of the supplier’s ability to ensure the operational resilience of critical services.

2. Audit scope

The scope should include at least:

2.1. Mandatory areas according to DORA

  • Governance and accountability structure.
  • ICT risk management.
  • Cybersecurity and information protection.
  • ICT incident management.
  • Business continuity and contingency planning.
  • Operational resilience testing.
  • Subcontractor management (sub-outsourcing).
  • Contract compliance with DORA requirements.
  • Reporting and communication with regulated clients.

2.2. Critical services covered by the audit

  • Data processing services.
  • Production systems.
  • Hosting / cloud / infrastructure.
  • Software (SaaS/PaaS/IaaS).
  • Maintenance and support.
  • SOC/NOC services.
  • Security services (IAM, SIEM, EDR, WAF, DLP).

3. Audit model

The audit is conducted in 6 stages:

Stage 1 – Audit preparation

Objective
  • Defining the scope, criticality, and objectives of the audit.
  • Collecting documentation from the supplier.

Key activities

  • Contract and SLA analysis.
  • DPIA/TRA/RAA analysis (if applicable).
  • Service architecture analysis.
  • Sending a list of documents to the supplier:
    • Security policies.
    • ICT procedures.
    • Incident logs.
    • DR/BCP plans.
    • SOC 2 / ISO 27001 / ISAE 3402 reports.
    • Penetration test reports.
    • Subcontractor register.

Stage 2 – Documentation Analysis

Objective
  • Assessment of formal compliance with DORA.
  • Identification of areas requiring in-depth verification.
Key activities
  • Mapping documentation to DORA requirements.
  • Assessing completeness and currency.
  • Assessing ICT process maturity.

Stage 3 – Interviews and Workshops

Objective
  • Verification of practical process performance.
  • Assessment of competencies and responsibilities.
Scope of interviews
  • CTO / Head of IT.
  • CISO / Security Manager.
  • Business Continuity Manager.
  • Incident Manager.
  • Subcontractor Manager.
  • Quality/Service Manager.

Stage 4 – Operational Testing and Verification

Objective
  • Checking that the controls documented in Stage 2 actually operate as described.
Sample tests
  • ICT incident test (table-top).
  • Verification of logs and security alerts.
  • Verification of backups (restore test).
  • Verification of RTO/RPO.
  • Verification of access control (IAM).
  • Verification of environment segregation.
  • Verification of patch management.
  • Verification of monitoring and SIEM.
  • Verification of change management processes.
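The backup, RTO/RPO and restore checks above are only meaningful when the auditor works from evidence (backup catalogue, restore-test log, checksums) rather than from the supplier's policy text. The script below is an added illustration of that evidence-based test, not part of the JDA Advisory methodology: it checks that the newest backup is within the RPO, that a documented restore finished within the RTO, and that the restored data matches the catalogued checksum, then grades each miss the way the Stage 6 report does (major/minor). All records, the RTO/RPO targets, the field names and the grading thresholds are constructed assumptions.

```python
"""Evaluate a supplier's restore-test evidence against its stated RTO/RPO.

Illustration added for the Stage 4 tests; it is not part of the JDA Advisory
methodology. Every record below (backup catalogue, restore log, RTO/RPO
targets) is constructed sample data, and the field names are assumptions
about how a supplier might export such evidence.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed payload standing in for the data set the backup must contain.
SOURCE_SNAPSHOT = b"ledger-row,2025-01-06,EUR,1000.00\n" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the evidence ('...Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed backup catalogue: completion time and checksum of each set.
BACKUP_CATALOGUE = [
    {"set_id": "db-2025-01-05", "completed": "2025-01-05T01:05:00Z", "sha256": sha256_hex(SOURCE_SNAPSHOT)},
    {"set_id": "db-2025-01-06", "completed": "2025-01-06T01:05:00Z", "sha256": sha256_hex(SOURCE_SNAPSHOT)},
]

# Constructed restore-test record for the newest set.
RESTORE_TEST = {
    "set_id": "db-2025-01-06",
    "started": "2025-01-06T09:00:00Z",
    "data_available": "2025-01-06T11:30:00Z",
    "restored_payload": SOURCE_SNAPSHOT,
}

# Targets the supplier committed to in the (constructed) SLA.
RTO = timedelta(hours=4)
RPO = timedelta(hours=24)
# Point in time at which the auditor inspected the catalogue (constructed).
OBSERVED_AT = parse_ts("2025-01-07T08:00:00Z")


def rpo_finding(catalogue, observed_at, rpo):
    """RPO: the newest completed backup must be no older than the RPO."""
    newest = max(parse_ts(b["completed"]) for b in catalogue)
    age = observed_at - newest
    return {"control": "RPO", "observed": age, "target": rpo, "pass": age <= rpo}


def rto_finding(restore, rto):
    """RTO: time from restore start until the data is usable must be within the RTO."""
    elapsed = parse_ts(restore["data_available"]) - parse_ts(restore["started"])
    return {"control": "RTO", "observed": elapsed, "target": rto, "pass": elapsed <= rto}


def integrity_finding(restore, catalogue):
    """A restore only counts if the restored data matches the catalogued checksum."""
    expected = next(b["sha256"] for b in catalogue if b["set_id"] == restore["set_id"])
    actual = sha256_hex(restore["restored_payload"])
    ok = hmac.compare_digest(expected, actual)
    return {"control": "restore integrity", "observed": actual[:12], "target": expected[:12], "pass": ok}


def severity(finding):
    """Assumed grading rule: an integrity failure or a target missed by more than
    50% is 'major'; any other miss is 'minor'; a pass is 'none'."""
    if finding["pass"]:
        return "none"
    if finding["control"] == "restore integrity":
        return "major"
    overshoot = finding["observed"] / finding["target"]  # timedelta / timedelta -> float
    return "major" if overshoot > 1.5 else "minor"


def evaluate(catalogue=BACKUP_CATALOGUE, restore=RESTORE_TEST, observed_at=OBSERVED_AT, rto=RTO, rpo=RPO):
    """Run the three Stage 4 checks and attach a report severity to each finding."""
    findings = [
        rpo_finding(catalogue, observed_at, rpo),
        rto_finding(restore, rto),
        integrity_finding(restore, catalogue),
    ]
    for f in findings:
        f["severity"] = severity(f)
    return findings


if __name__ == "__main__":
    for f in evaluate():
        status = "PASS" if f["pass"] else "FAIL"
        print(f"{f['control']:>17}: {status} ({f['severity']}) observed={f['observed']} target={f['target']}")
```

With the constructed data the restore itself passes (2 h 30 min against a 4 h RTO, checksum matches), but the catalogue shows the newest backup was almost 31 hours old when inspected, so the RPO check fails and is graded minor; that is the kind of finding a policy review alone would not surface.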

Stage 5 – Compliance and Risk Assessment

Objective
  • DORA compliance assessment.
  • Supplier risk assessment (risk scoring).
  • Identification of gaps and recommendations.
Results
  • Risk map.
  • Maturity assessment.
  • List of non-compliances.
  • Recommendations and recovery plan.

Stage 6 – Final report

Report Elements
  • Contract/SLA requirements.
  • Executive summary.
  • DORA compliance assessment.
  • Supplier risk assessment.
  • List of non-compliances (major/minor/observations).
  • Recommendations and priorities.
  • Required corrective actions.

DORA CRITICAL SUPPLIER AUDIT CHECKLIST

1. Governance and responsibility

  • Does the provider have a formal ICT security management system?
  • Are roles and responsibilities clearly defined?
  • Is there a CISO function?
  • Is there an ICT risk committee?
  • Is there a reporting process to the board?

2. ICT risk management

  • Is there a formal risk assessment methodology?
  • Does the provider conduct regular risk reviews?
  • Is there an ICT risk register?
  • Are risks mapped to the services provided to the client?
  • Are there risk mitigation plans?

3. Cybersecurity

  • Is there an information security policy?
  • Is there an identity management system (IAM)?
  • Are MFA, least privilege, and role-based access used?
  • Is there security monitoring (SIEM/SOC)?
  • Is there endpoint protection (EDR/XDR)?
  • Is there network protection (WAF, IDS/IPS)?
  • Is there a vulnerability management process?
  • Is there a patch management process?

4. ICT incident management

  • Is there a formal incident management procedure?
  • Are incidents classified according to criticality?
  • Does the supplier report incidents to the customer within contractually defined deadlines that allow the financial entity to meet its own DORA incident-reporting timelines?
  • Is there an incident log?
  • Is post-mortem/RCA performed?

5. Business continuity and operational resilience

  • Is there a BCP/DRP?
  • Are plans tested at least annually?
  • Does testing include cyber scenarios?
  • Are there RTOs/RPOs for critical services?
  • Are there backups?
  • Are recovery tests documented?

6. Operational resilience tests

  • Does the provider perform penetration testing?
  • Does the provider perform red team/purple team testing?
  • Does the provider perform table-top testing?
  • Does the provider support the client's threat-led penetration testing (TLPT) where the service is in scope?
  • Are test results shared with the client?

7. Subcontractor management

  • Does the supplier maintain a register of subcontractors?
  • Are subcontractors assessed for ICT risk?
  • Do subcontracting arrangements meet the DORA requirements flowed down through the contract?
  • Is there a process for approving new subcontractors?
  • Is there monitoring of subcontractors?

8. Compliance of contracts with DORA

  • Does the contract include the required DORA elements:
    • SLA and KPI
    • RTO/RPO
    • Right to Audit
    • Right to Inspect
    • Right to Terminate
    • Incident Reporting Requirements
    • Subcontractor Requirements
    • Data processing and storage locations
  • Does the contract specify the supplier's liability?

9. Data protection and privacy

  • Does the provider comply with GDPR requirements?
  • Does the provider have data deletion procedures?
  • Is data encrypted at rest and in transit?
  • Is there access control for customer data?

10. Monitoring and reporting

  • Are there monthly/quarterly service reviews?
  • Does the provider provide regular SLA reports?
  • Does the provider report incidents in real time?

Start your DORA audit with JDA Advisory today.

Leverage JDA Advisory’s expertise to ensure DORA compliance and enhance your organization’s security. Learn how our audits and implementations meet ISO 27001, ISO 22301, and NIS-2 requirements and secure the future of your business.