The value of a proper process for managing incidents cannot be overstated.
After all, the ability to identify incidents on time, address them promptly and learn how to avoid them in the future saves money. A lot of money!
Ransomware is the example that comes to mind: attackers exploit system misconfigurations, a lack of patch management and human error to significantly impact any modern organisation.
DORA specifies several requirements that incident management processes must include:
Identify incidents using early warning indicators
Establish incident identification, categorisation and classification types, with priority aligned to the severity of the affected services
Define monitoring and escalation procedures
Assign roles and responsibilities to be activated for different incident types and scenarios
Have relevant communication plans in place
The financial entity must ensure that:
incidents are reported to the appropriate management level
incident trends are analysed
root cause analysis of incidents is performed
appropriate remedial action is taken
DORA also defines several criteria that require an organisation to have adequate asset management processes linked with company-wide ICT risk management.
The asset management, ideally as a single source of truth for the whole organisation, should include detailed documentation for asset identification, criticality criteria, dependencies and owners, among others. The process should cover any third-party suppliers and associated service providers.
The asset owner's responsibilities range from ensuring that the asset is correctly classified to the day-to-day maintenance of the identified controls: access controls should be defined and periodically reviewed, and vulnerabilities identified and patched promptly.
We help assess the current processes, improve them where necessary and test them to ensure they actually work.
Would you like to talk about DORA compliance? Contact us.