Ensuring full compliance with DORA regulations for your company.

We outline the challenges of supplier audits and how our services guarantee security and operational compliance.

Methodology for Conducting a Small Supplier Audit According to DORA

1. Purpose of the Audit

A small‑supplier audit aims to:

• Verify that the supplier meets minimum DORA‑aligned ICT and security requirements.
• Ensure the supplier can support operational resilience appropriate to its size.
• Identify gaps, risks, and required improvements.
• Confirm that contractual arrangements meet DORA outsourcing obligations.

This methodology is suitable for:

• Freelance/contractor‑based ICT support
• Micro‑SaaS providers
• Small software houses
• Niche ICT service providers
• Small hosting/managed service providers

2. Scope of the Audit

The scope focuses on essential controls, not enterprise‑grade frameworks.

2.1 Mandatory DORA Areas (Simplified for Small Suppliers)

• Governance & accountability
• Basic ICT risk management
• Information security fundamentals
• Incident management
• Backup & recovery
• Basic resilience testing
• Sub‑outsourcing transparency
• Contractual compliance with DORA

2.2 Typical Services Covered

• Security scanning or monitoring (basic)
• Small SaaS modules
• Application development & maintenance
• Basic hosting or infrastructure
• IT support services

3. Audit Process (Proportionate Approach)

Stage 1 — Preparation

Objectives

• Define a minimal but sufficient audit scope.
• Request only essential documents.

Documents to Request

• Security policy (even short)
• Incident handling procedure (1–2 pages acceptable)
• Backup procedure or description
• List of subcontractors
• SLA and contract
• Any available test reports (optional)
• Access control overview (how accounts are created/removed)

Stage 2 — Documentation Review

Objectives

• Assess whether the supplier has basic controls in place.
• Identify missing or unclear areas.

Key Activities

• Check if policies exist and are followed.
• Verify that responsibilities are assigned.
• Confirm that basic security measures are documented.
• Identify gaps requiring interview clarification.

Stage 3 — Interviews

Objectives

• Validate that processes work in practice.
• Understand how the supplier manages ICT risks with limited resources.

Typical Interviewees

• Owner / CEO (common in small companies)
• Lead developer or IT administrator
• Person responsible for security (may be part‑time)

Focus Areas

• How incidents are detected and escalated
• How access rights are managed
• How backups are performed and tested
• How updates and patches are applied
• How subcontractors are controlled
• How data is protected

Stage 4 — Operational Verification

Testing is lightweight, focusing on evidence rather than formal processes.

Examples of Proportionate Tests

• Review backup logs or screenshots
• Check MFA activation on key systems
• Review a sample of access rights
• Verify patching on a sample system
• Review incident log (even if informal)
• Confirm subcontractor list accuracy
• Check encryption settings (basic)

Stage 5 — Reporting

Deliverables

• Short, clear report (2–5 pages)
• Summary of compliance with DORA
• Key findings and risks
• Practical recommendations
• Contractual improvement suggestions

Evaluation Criteria

• Clarity and completeness of documentation
• Proportionality to supplier size
• Evidence of basic security hygiene
• Ability to support resilience of the outsourced service

Checklist for a Small Supplier Audit According to DORA

1. Governance & Accountability

• A responsible person for ICT/security is designated
• Basic security policy exists
• Roles and responsibilities are clear
• Management is aware of ICT risks

2. ICT Risk Management (Simplified)

• Supplier identifies key ICT risks
• Risks relevant to the service are understood
• Basic mitigation measures exist (MFA, backups, patching)
• Risk review occurs at least annually

3. Information Security Basics

• MFA enabled for administrative access
• Access rights follow least‑privilege principles
• Joiner/leaver process exists (even simple)
• Antivirus/EDR installed
• Basic logging enabled
• Patching performed regularly
• Development and production environments separated (if applicable)

4. Incident Management

• Simple incident procedure exists
• Incidents are logged (spreadsheet acceptable)
• Severity levels defined
• Client notified promptly when relevant
• Lessons learned documented for major incidents

5. Backups & Continuity

• Backups performed regularly
• Backups encrypted
• Restore tests performed at least annually
• Simple continuity plan exists (1–2 pages)
• Supplier can operate during short disruptions

6. Operational Resilience Testing (Basic)

• Vulnerability scans or simple security tests performed
• Penetration tests (optional, depending on service)
• Table‑top incident exercises (even informal)
• Test results documented

7. Sub‑Outsourcing

• Supplier maintains a list of subcontractors
• Subcontractors assessed for basic security
• Client approval required for material sub‑outsourcing
• Contracts include minimal security clauses

8. Contractual Compliance with DORA

• Contract includes:
  • SLA and KPIs
  • Incident reporting obligations
  • Right to audit
  • Right to inspect
  • Data location requirements
  • Sub‑outsourcing conditions
  • Termination rights
• Responsibilities and liabilities clearly defined

9. Data Protection

• Data encrypted in transit
• Data encrypted at rest (if applicable)
• Access to client data restricted
• Supplier complies with GDPR

10. Monitoring & Reporting

• Performance metrics tracked
• Supplier provides SLA or performance reports
• Supplier reports incidents promptly
• Regular service review meetings occur