DORA consultancy - helping financial institutions across the UK and Europe.



ICT resilience testing

What does resilience testing mean?
Article 21 defines this as "assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities shall establish, maintain and review, with due consideration to their size, business and risk profiles, a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework referred to in Article 5".

In layperson's terms it means that a financial entity must learn lessons from its digital operational resilience testing and from real-life ICT-related incidents, in particular cyber-attacks, as well as from the challenges faced when business continuity or recovery plans are activated.
The testing methodology must include the full range of appropriate tests and is broadly split into security testing and continuity testing.

Security testing is broadly the same across all organisations and should be in place regardless of any regulatory requirement. It includes:
  • vulnerability assessments and scans
  • open source analyses
  • network security assessments
  • gap analyses
  • physical security reviews
  • source code reviews where feasible
  • penetration testing, etc.
Business continuity scenarios, however, must be organisation-specific and must focus the company's testing on its critical systems and processes.

Testing must be conducted annually for ALL critical ICT systems and applications. The testing must be performed on the basis of realistic test scenarios that simulate potential disruption, including an adequate set of severe but plausible scenarios, and must cover ICT services provided by ICT third-party service providers, where applicable.


How do you define the digital operational resilience testing programme?
Considering the evolving landscape of ICT risks, a risk-based approach is recommended. Any specific threats to which the financial entity is or might be exposed, the criticality of the information assets and services provided, and any other factor the financial entity deems appropriate must be considered.
Following testing, the financial entity should establish procedures and policies to prioritise, classify and remedy all issues identified during the tests, and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.

By the way, financial entities shall ensure that independent parties undertake the internal or external tests, which will challenge small and medium-sized organisations whose internal staffing is limited.

Need help establishing a resilience testing programme? We can help and drive this activity.

Would you like to talk about DORA compliance? Contact us.