A bank or fintech in Kazakhstan, Uzbekistan, Georgia or Kyrgyzstan may not fall under DORA directly — but EU clients, payment partners and investors are increasingly asking for demonstrable digital resilience. In negotiations, the questions are not only “Do you have ISO?”, but also how you will withstand an incident, restore critical services and control cloud/outsourcing.
DORA is not only about security — it’s about resilience
DORA (the Digital Operational Resilience Act) is designed for the financial sector: continuity of payments, availability of remote channels, management of ICT risks, transparency in working with third parties and readiness for regulatory reviews. Put simply, DORA treats an organisation as a “living system”: what happens during a disruption, how quickly you return to normal, and how you can evidence this with documentation.
Where ISO 27001 helps — and where the “buts” begin
Information security under ISO usually means ISO/IEC 27001 and building an ISMS. For banks/fintechs, this is a strong foundation: risk-based management, access control, policies, monitoring, incident management and internal audits. In other words, ISO-based information security management teaches you to operate systematically.
However, DORA often requires “operational specificity” on top of the core system: regular resilience testing, stricter management of ICT suppliers (including cloud providers), measurable recovery targets, and readiness to notify and report incidents under clear, scenario-based procedures.
Typical gaps between ISO and DORA expectations in the financial sector
Below are the areas where banks and fintechs most often stumble — even if they already hold a certificate. At first these look like minor details, but they are exactly what partners and auditors tend to scrutinise.
- Incidents and notifications: formal classification, escalation triggers, a single end-to-end timeline, and reporting templates for regulators/partners.
- Resilience testing: not a one-off DR test, but an ongoing exercise programme (tabletop sessions, technical tests, and validation of provider failure scenarios).
- Third-party management: a supplier register, criticality assessments, SLA/OLA requirements, audit rights, subcontractor oversight, and an exit plan.
- Linking information security and continuity: RTO/RPO, service prioritisation (mobile banking, processing, KYC/AML flows), and evidence that the plans actually work.
- Evidence pack: exercise minutes, corrective action outcomes, monitoring records, and committee decisions — so you can “show it in practice”, not just describe it.
When you bring this together, the picture is clear: ISO 27001 implementation is an excellent framework, but for DORA it usually needs to be “built out” with resilience, measurability, and supply-chain governance.
How a bank/fintech can prepare without unnecessary bureaucracy
A practical approach is not to rewrite everything from scratch, but to do a mapping exercise: “which DORA requirements are already covered by ISO controls, and where enhancements are needed”. Often, four steps are enough:
- a DORA vs ISO 27001 gap analysis (processes + artefacts);
- strengthening ICT supplier management (contracts, oversight, exit plan);
- a resilience testing programme and regular exercises;
- preparing evidence: logs, reports, KPIs/KRIs, decisions, and improvement plans.
System Management's team, which works with clients across the CIS, typically structures the engagement so the outcome is “sellable” to partners: a clear documentation pack, trained process owners, and readiness to respond to due diligence.
FAQ: services most commonly needed by banks and fintechs
1) How can you help if we already have ISO 27001?
We run a DORA gap analysis and fine-tune your system so it is demonstrably effective in practice: resilience testing, ICT supplier management, incident reporting, and an evidence pack for partners and auditors.
2) Do you deliver end-to-end implementation and certification readiness as a turnkey service?
Yes. The service includes ISO 27001 implementation, building/updating the ISMS, team training, internal audits, support during the certification audit, and preparation of an artefact pack tailored to financial-sector client requirements.
3) What is a project management audit, and why does fintech need it?
It is a review of how you manage change and IT initiatives: roles, schedule/risk controls, requirements quality, acceptance, and metrics. This is especially important for fintech, because a “bad release” can itself become an incident. The audit helps reduce chaos and make change predictable.
4) Do you work only with banks?
Our main focus in this topic is banks/fintechs and ICT suppliers to the financial sector, but we also support certification for IT companies and service centres — and, where needed, for other industries as well (including translation agencies, if they handle sensitive data and corporate clients).
5) How can we quickly assess whether there is a risk of failing a partner review?
The fastest route is an express diagnostic: we assess the key processes (incidents, suppliers, recovery, testing, evidence) and provide a prioritised improvement roadmap. System Management can run this diagnostic and prepare a work plan aligned to your scale and counterparties’ requirements.