DORA | Article 27 | Requirements for testers for the carrying out of TLPT

Requirement description

1. Financial entities shall only use testers for the carrying out of TLPT, that:
(a) are of the highest suitability and reputability;
(b) possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
(c) are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;
(d) provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
(e) are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
2. When using internal testers, financial entities shall ensure that, in addition to the requirements in paragraph 1, the following conditions are met:
(a) such use has been approved by the relevant competent authority or by the single public authority designated in accordance with Article 26(9) and (10);
(b) the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test; and
(c) the threat intelligence provider is external to the financial entity.
3. Financial entities shall ensure that contracts concluded with external testers require a sound management of the TLPT results and that any data processing thereof, including any generation, store, aggregation, draft, report, communication or destruction, do not create risks to the financial entity

How to fill the requirement

Digital Operational Resilience Act (DORA)

Article 27: Requirements for testers for the carrying out of TLPT

Task name

Priority

Status

Theme

Policy

Other requirements

TLPT tester requirements

Critical

High

Normal

Low

Fully done

Mostly done

Partly done

Not done

Development and cloud

Technical vulnerability management

requirements

Examples of other requirements this task affects

Article 27: Requirements for testers for the carrying out of TLPT

DORA

See all related requirements and other information from tasks own page.

Go to >

TLPT tester requirements

1. Task description

The testing organisation used for threat-led penetration testing should meet at least the following requirements:

Highest suitability and reputability for the task
Have technical and organisatory capabilities especially in threat intelligence, penetration testing and red teaming
Are certified in a EU member state
They provice an audit report in relation to management of risks related to carrying out the testing
They are fully covered by relevant insurances including against risks of misconduct and negligence

In the case of using internal testers along with the list above they should be:

Approved by competent authority
Authority has confirmed the organisation has sufficient resources to perform the testing and conflicts of interest are avoided
Threat intelligence provider must be external from the entity

In contracts with the tester management of results and any data processing do not create risks to the organisation.

Tasks included in the policy

Task name

Priority

Status

Theme

Policy

Other requirements

No items found.

1.1 (MIL2): Manage IT and OT Asset Inventory

C2M2: MIL1

1.1 (MIL3): Manage IT and OT Asset Inventory

C2M2: MIL1

1.1.1: Availability of information security policies

TISAX

1.1.1: Identify the organisation’s strategy and priorities

NSM ICT-SP

1.1.2: Identify the organisation’s structures and processes for security management

NSM ICT-SP

1.1.3: Identify the organisation’s processes for ICT risk management

NSM ICT-SP

1.1.4: Identify the organisation’s tolerances for ICT risk

NSM ICT-SP

1.1.5: Identify the organisation’s deliverables, information systems and supporting ICT functions

NSM ICT-SP

1.1.6: Identify information processing and data flow

NSM ICT-SP

1.2 (MIL2): Manage Information Asset Inventory

C2M2: MIL1

1.2 (MIL3): Manage Information Asset Inventory

C2M2: MIL1

1.2.1: Establish a process to identify devices and software in use at the organisation

NSM ICT-SP

1.2.1: Scope of Information Security management

TISAX

1.2.2: Establish organisational guidelines for approved devices and software

NSM ICT-SP

1.2.2: Information Security Responsibilities

TISAX

1.2.3: Identify devices in use at the organisation

NSM ICT-SP

1.2.3: Information Security requirements in projects

TISAX

1.2.4: Definition of responsibilities with service providers

TISAX

1.2.4: Identify the software in use at the organisation

NSM ICT-SP

1.2: Manage Information Asset Inventory

C2M2: MIL1

1.3 (MIL2): Manage IT and OT Asset Configuration

C2M2: MIL1

1.3 (MIL3): Manage IT and OT Asset Configuration

C2M2: MIL1

1.3.1: Identification of information assets

TISAX

1.3.1: Identify the users of the information systems

NSM ICT-SP

1.3.2: Classification of information assets

TISAX

1.3.2: Identify and define the different user categories

NSM ICT-SP

1.3.3: Identify roles and responsibilities linked especially to ICT security

NSM ICT-SP

1.3.3: Use of approved external IT services

TISAX

1.3.4: Use of approved software

TISAX

1.3: Manage IT and OT Asset Configuration

C2M2: MIL1

1.4 (MIL2): Manage Changes to IT and OT Assets

C2M2: MIL1

1.4 (MIL3): Manage Changes to IT and OT Assets

C2M2: MIL1

1.4.1: Management of Information Security Risks

TISAX

1.4: Manage Changes to IT and OT Assets

C2M2: MIL1

1.5 (MIL1): Management Activities for the ASSET domain

C2M2: MIL1

1.5 (MIL2): Management Activities for the ASSET domain

C2M2: MIL1

1.5 (MIL3): Management Activities for the ASSET domain

C2M2: MIL1

1.5.1: Assessment of policies and requirements

TISAX

1.5.2: External review of ISMS

TISAX

1.5: Management Activities for the ASSET domain

C2M2: MIL1

1.6.1: Reporting of security events

TISAX

1.6.2: Management of reported events

TISAX

1.6.3: Crisis preparedness

TISAX

10 §: Johdon vastuu

KyberTL

10. Processing of personal data relating to criminal convictions and offences

GDPR

10.1 (MIL2): Establish Cybersecurity Program Strategy

C2M2: MIL1

10.1 (MIL3): Establish Cybersecurity Program Strategy

C2M2: MIL1

10.1.1: Policy on the use of cryptographic controls

ISO27 Full

10.1.2: Key management

ISO27 Full

10.1.2: Key management

ISO 27017

10.1: Continuous improvement

ISO27k1 Full

10.1: Cryptographic controls

ISO27 Full

10.1: Cryptographic controls

ISO 27017

10.1: Establish Cybersecurity Program Strategy

C2M2: MIL1

10.2 (MIL2): Establish and Maintain Cybersecurity Program

C2M2: MIL1

10.2 (MIL3): Establish and Maintain Cybersecurity Program

C2M2: MIL1

10.2: Establish and Maintain Cybersecurity Program

C2M2: MIL1

10.2: Non-conformity and corrective action

ISO27k1 Full

10.3 (MIL1): Management Activities for the PROGRAM domain

C2M2: MIL1

10.3 (MIL2): Management Activities for the PROGRAM domain

C2M2: MIL1

10.3 (MIL3): Management Activities for the PROGRAM domain

C2M2: MIL1

10.3: Management Activities for the PROGRAM domain

C2M2: MIL1

10: Cryptography

ISO27 Full

10: Cryptography

ISO 27017

10: Cybersecurity Program Management (PROGRAM)

C2M2: MIL1

10: Prosessi väärinkäytöksiin reagoimiseksi

Sec overview

11 §: Poikkeamailmoitukset viranomaiselle

KyberTL

11. Processing which does not require identification

GDPR

11.1.1: Physical security perimeter

ISO27 Full

11.1.2: Physical entry controls

ISO27 Full

11.1.3: Securing offices, rooms and facilities

ISO27 Full

11.1.4: Protecting against external and environmental threats

ISO27 Full

11.1.5: Working in secure areas

ISO27 Full

11.1.6: Delivery and loading areas

ISO27 Full

11.1: Secure areas

ISO27 Full

11.2.1: Equipment siting and protection

ISO27 Full

11.2.2: Supporting utilities

ISO27 Full

11.2.3: Cabling security

ISO27 Full

11.2.4: Equipment maintenance

ISO27 Full

11.2.5: Removal of assets

ISO27 Full

11.2.6: Security of equipment and assets off-premises

ISO27 Full

11.2.7: Secure disposal or re-use of equipment

ISO27 Full

11.2.7: Secure disposal or re-use of equipment

ISO 27017

11.2.8: Unattended user equipment

ISO27 Full

11.2.9: Clear desk and clear screen policy

ISO27 Full

11.2: Equipment

ISO27 Full

11.2: Equipment

ISO 27017

11: Digiturvan mittarien määrittäminen

Sec overview

11: Physical and environmental security

ISO27 Full

11: Physical and environmental security

ISO 27017

12 §: Luotettavuutta edellyttävien tehtävien tunnistaminen ja luotettavuudesta varmistuminen

TiHL

12 §: Poikkeamaa koskeva väliraportti

KyberTL

12. Transparent information, communication and modalities for the exercise of the rights of the data subject

GDPR

12.1.1: Documented operating procedures

ISO27 Full

12.1.2: Change management

ISO27 Full

12.1.3: Capacity management

ISO27 Full

12.1.4: Separation of development, testing and operational environments

ISO27 Full

12.1: Operational procedures and responsibilities

ISO27 Full

12.2.1: Controls against malware

ISO27 Full

12.2: Protection from malware

ISO27 Full

Requirement description

How to fill the requirement

Digital Operational Resilience Act (DORA)

Article 27: Requirements for testers for the carrying out of TLPT

Examples of other requirements this task affects

Tasks included in the policy

Universal cyber compliance language model: Comply with confidence and least effort

Subscribe to Academy today

Webinars

Videos

Helps

Blogs

Content library