ICT Resilience Testing

What does resilience testing mean? Article 21 defines this as "assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities shall establish, maintain and review, with due consideration to their size, business and risk profiles, a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework referred to in Article 5".


In layperson's terms, it means that a financial entity must learn lessons from its digital operational resilience testing, from real-life ICT-related incidents (in particular cyber-attacks), and from the challenges encountered when business continuity or recovery plans are activated.

The testing methodology must include the full range of appropriate tests and is broadly split into security testing and continuity testing.

Security testing

Security testing is the same across all organisations and should already be in place regardless of any regulatory requirement. It comprises:

  • vulnerability assessments and scans
  • open source analyses
  • network security assessments
  • gap analyses
  • physical security reviews
  • source code reviews where feasible
  • penetration testing, etc.

Business continuity testing

Business continuity scenarios, however, must be specific to the organisation and must focus testing on the company's critical systems and processes.

Testing must be conducted annually for ALL critical ICT systems and applications. It must be performed on the basis of realistic test scenarios that simulate potential disruption, including an adequate set of severe but plausible scenarios, and must cover ICT services provided by ICT third-party service providers, where applicable.

Defining the digital operational resilience testing programme

How do you define the digital operational resilience testing programme?

Considering the evolving landscape of ICT risks, a risk-based approach is recommended. Any specific threats to which the financial entity is or might be exposed, the criticality of the information assets and services provided, and any other factor the financial entity deems appropriate must be taken into account.

Following testing, the financial entity should establish procedures and policies to prioritise, classify and remedy all issues identified during the tests, and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.

By the way, financial entities shall ensure that tests, whether internal or external, are undertaken by independent parties. This will challenge small and medium-sized organisations, as their internal staffing is limited.

Need help establishing your resilience testing programme? We can help and drive this activity.

Ready to discuss your DORA compliance challenges?

Our team of experienced consultants is here to help.

Get in Touch