DORA Mid-Size Supplier Audit

DORA Mid-Size Supplier Audit – Ensure compliance and gain a competitive advantage.

Our DORA audit offering ensures full regulatory compliance and strengthens information security within your organization.

DORA Mid-Size Supplier Audit – Comprehensive compliance risk assessment.

A thorough analysis of supplier processes enables the identification and elimination of potential threats, ensuring operational stability.

DORA Mid-Size Supplier Audit – Alignment with DORA regulatory requirements.

We help implement the necessary changes so your suppliers meet all legal requirements and industry security standards.

Business continuity management support.

Our recommendations enable effective planning and risk minimization across the supply chain, contributing to business stability.

Our DORA compliance audit offering

Explore comprehensive supplier audits that ensure full compliance with DORA requirements while enhancing information security in your company.

DORA Risk Assessment

We conduct a thorough risk analysis to identify potential security gaps in your suppliers’ environments.

Security Procedures Verification

We verify the effectiveness of implemented security measures, ensuring compliance with the latest DORA standards.

Compliance Report and Recommendations

We deliver detailed audit reports along with practical guidance to improve security processes.

How the audit works

We present a detailed DORA audit process to help suppliers effectively meet regulatory and information security requirements.

Stage One: Preparation

We analyze existing security procedures to define the audit scope and prepare the supplier for full DORA compliance.

Stage Two: Assessment

We conduct a detailed assessment of systems and processes, identifying areas for improvement to meet DORA standards.

Stage Three: Reporting

We provide a comprehensive report with recommendations to help the supplier fully align with DORA audit requirements.

Methodology for Conducting a Mid‑Sized Supplier Audit According to DORA

1. Purpose of the Audit

  • Provide recommendations to reduce outsourcing‑related risks.
  • Assess the supplier’s compliance with DORA requirements relevant to ICT services of medium criticality.
  • Evaluate the adequacy of ICT risk management, security controls, incident handling, and continuity arrangements.
  • Identify operational, contractual, and regulatory gaps.

2. Scope of the Audit

The scope should be proportionate to the supplier’s size, service criticality, and risk exposure.

2.1 Mandatory DORA Areas

  • Governance and accountability.
  • ICT risk management.
  • Information security and cyber controls.
  • Incident management.
  • ICT business continuity and backup processes.
  • Operational resilience testing (simplified).
  • Sub‑outsourcing management.
  • Contractual compliance with DORA.

2.2 Typical Services Provided by Mid‑Sized Suppliers

  • IT operations and helpdesk.
  • SaaS platforms of moderate importance.
  • Hosting, private cloud, or managed infrastructure.
  • Application maintenance and support.
  • Basic security services (monitoring, vulnerability scanning).

3. Audit Process

The audit consists of five proportional stages.

Stage 1 — Audit Preparation

Objectives
  • Define scope, depth, and audit criteria.
  • Collect essential documentation.
Key Activities
  • Review the outsourcing agreement and SLA.
  • Request documentation such as:
    • Information security policy.
    • Incident management procedure.
    • Backup and recovery procedures.
    • Risk assessment (if available).
    • List of subcontractors.
    • Penetration test reports (if applicable).
    • Business continuity plan (simplified).
    • Change management procedure.

Stage 2 — Documentation Review

Objectives
  • Assess formal compliance with DORA.
  • Identify areas requiring deeper verification.
Key Activities
  • Map documentation to DORA requirements.
  • Evaluate completeness, maturity, and proportionality.
  • Identify missing or outdated elements.
  • Prepare interview questions based on gaps.

Stage 3 — Operational Interviews

Objectives
  • Validate how processes work in practice.
  • Assess competence and ownership.
Typical Interviewees
  • Head of IT / CTO.
  • Security Officer or responsible person.
  • Incident Manager.
  • Backup/Operations Manager.
  • Service Delivery Manager.
Focus Areas
  • How controls are implemented day‑to‑day.
  • How incidents are detected, escalated, and reported.
  • How access rights are managed.
  • How backups are verified.
  • How changes are approved and documented.

Stage 4 — Operational Testing and Verification

Testing is lighter than for critical suppliers but still essential.

Examples of Tests

  • Verify backup execution logs and at least one restore test.
  • Review incident logs for the last 12 months.
  • Check access rights for key systems (sample‑based).
  • Verify MFA enforcement.
  • Review patching cadence and vulnerability scan results.
  • Check segregation of environments (dev/test/prod).
  • Review monitoring alerts and escalation paths.
  • Validate subcontractor list and approval process.

Stage 5 — Reporting and Risk Assessment

Deliverables
  • Executive summary.
  • Compliance assessment against DORA.
  • List of findings (major, minor, observations).
  • Risk rating (low/medium/high).
  • Recommended remediation actions.
  • Contractual improvement suggestions (if needed).
Evaluation Criteria
  • Ability to support resilience and continuity.
  • Proportionality to service criticality.
  • Maturity of processes.
  • Evidence of operational discipline.

Checklist for a Mid‑Sized Supplier Audit According to DORA

1. Governance & Accountability

  • Supplier has a designated person responsible for ICT security.
  • Roles and responsibilities are documented.
  • Security policies are approved and reviewed periodically.
  • Management receives reports on incidents and risks.

2. ICT Risk Management

  • Supplier performs ICT risk assessments.
  • A risk register exists and is updated at least annually.
  • Risks relevant to the outsourced service are identified.
  • Mitigation measures are documented and implemented.

3. Information Security & Cybersecurity

  • MFA is implemented for administrative and remote access.
  • Access rights follow least‑privilege and role‑based principles.
  • Joiner‑mover‑leaver process is documented and followed.
  • Logging and basic monitoring are in place.
  • Antivirus/EDR is deployed and monitored.
  • Vulnerability management process exists.
  • Patching is performed regularly and documented.
  • Network segmentation or environment separation is implemented.

4. Incident Management

  • Incident management procedure exists and is followed.
  • Incidents are classified by severity.
  • Incident register is maintained.
  • Root cause analysis is performed for major incidents.
  • Client is notified within agreed timelines.
  • Evidence of incident response exercises exists.

5. Business Continuity & Backups

  • Backup policy and schedule exist.
  • Backups are encrypted.
  • Restore tests are performed and documented.
  • A simplified business continuity plan exists.
  • RTO/RPO values are defined and realistic.
  • Supplier can continue operations during disruptions.

6. Operational Resilience Testing

  • Penetration tests are conducted (if relevant).
  • Vulnerability scans are performed regularly.
  • Table‑top exercises for incident response are conducted.
  • Test results are documented and shared upon request.

7. Sub‑Outsourcing Management

  • Supplier maintains a list of subcontractors.
  • Subcontractors are assessed for ICT risk.
  • Contracts with subcontractors include security requirements.
  • Client approval is required for material sub‑outsourcing.

8. Contractual Compliance with DORA

  • Contract includes:
    • SLA and KPI definitions.
    • Incident reporting obligations.
    • Right to audit.
    • Right to inspect.
    • Data location requirements.
    • Sub‑outsourcing conditions.
    • Termination rights.
  • Responsibilities and liabilities are clearly defined.

9. Data Protection

  • Data is encrypted in transit.
  • Data is encrypted at rest (if applicable).
  • Access to client data is restricted and logged.
  • Supplier complies with GDPR requirements.

10. Monitoring & Reporting

  • Performance metrics are tracked and documented.
  • Supplier provides SLA reports.
  • Supplier reports incidents promptly.
  • Regular service review meetings are held.

Secure your supply chain compliance today.

Discover how our DORA audit can help your company meet information security requirements and avoid legal risk. Contact us to start the compliance assessment process.