
DORA Control Evidence for Security Analysts

$199.00

A focused course, tailored for you


Build the DORA register, classify incidents to standard, and produce control evidence that satisfies your regulator in one submission.

Your DORA register of information is annotated with exceptions every time a review touches it. New ICT providers enter scope, contracts are amended and shift a provider from the standard to the important tier, and each change requires re-validation before the next supervisory submission window. Meanwhile, your incident severity taxonomy does not cleanly map to the DORA classification criteria, so every determination of whether an incident is major involves a cross-referencing discussion with legal and compliance before the entry can be logged.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Information Security Analysts at global banks sit at the intersection of three competing demands: the operational security team needs fast, pragmatic triage decisions; the compliance and regulatory reporting team needs formally documented, taxonomy-compliant records; and the internal audit team needs evidence trails that demonstrate control effectiveness, not just control existence.

DORA puts all three demands into direct tension. The register of information requires you to think like a service dependency mapper rather than a threat analyst. Incident classification under DORA uses criteria that do not align with your SIEM alert severity levels. TLPT requires coordinating with your red team, your critical ICT system owners, and an approved external testing provider, none of whom necessarily understand each other's operating language.

Most security analysts at large banks manage this complexity with spreadsheets, shared drives, and ad-hoc cross-functional meetings. The course replaces that fragmentation with a repeatable methodology: a RoI build approach that keeps pace with contract changes, an incident classification decision tree that legal and compliance will sign off on, and a control evidence framework that lets a single evidence collection satisfy several frameworks.

What you walk away with

  • Build a register of information that passes supervisory scrutiny, including the service dependency mapping and contractual documentation DORA requires for ICT providers supporting critical or important functions.
  • Apply the DORA incident classification taxonomy correctly and write the initial notification, intermediate report, and final report within the required submission windows.
  • Scope and document a TLPT engagement, including provider selection criteria, system scoping, and closed-finding documentation in a format your competent authority will review.
  • Conduct third-party ICT risk assessments that satisfy DORA's contractual requirements, with due diligence templates calibrated to critical, important, and standard provider tiers.
  • Build a control evidence set that maps to ISO 27001, NIST CSF, and DORA simultaneously, so one evidence collection satisfies three frameworks without duplication.

The 12 modules

Module 1. The DORA Framework in Practice for Security Teams
DORA's five pillars produce different operational demands for a security analyst than for a CRO or a compliance manager. This module maps each pillar to the specific artefacts an Information Security Analyst is accountable for: the register of information, the incident classification decision, the TLPT scope document, the third-party ICT due diligence questionnaire, and the multi-framework control evidence file. You finish with a clear accountability map for your specific role and seniority level.
Module 2. Building the Register of Information from the First Entry
Most first-attempt RoI builds treat the register as an asset inventory and fail at supervisory review. This module teaches the correct methodology: start with critical or important functions, map ICT service providers to each function, document technical and contractual interconnections, assign risk tiers, and validate your classification rationale. Covers the most common first-submission errors, including missing intra-group arrangements, unclear function-to-provider linkage, and misapplied criticality thresholds.
Module 3. Keeping the Register Current as Contracts and Providers Change
A register of information is out of date the moment a contract is amended. This module builds a maintenance workflow for your RoI: triggers that flag contract amendments requiring re-assessment, a provider onboarding checklist that captures DORA-relevant information at the point of procurement, and a versioning system that creates an auditable change trail. You produce a RoI maintenance procedure document your supervisor and internal audit team can both rely on.
Module 4. Incident Classification Under DORA: The Decision Framework
DORA requires you to decide whether an ICT-related incident is a major incident that must be reported to the competent authority, and separately whether a cyber threat is significant enough to notify on a voluntary basis, using criteria your SIEM alert taxonomy was not built for. This module builds a classification decision framework that maps your internal severity levels to the DORA criteria: clients, financial counterparts and transactions affected; duration and service downtime; geographical spread; data losses; criticality of the services affected; economic impact; and reputational impact. The output is a decision tree your analysts can apply in the first hour of an incident, with the criteria and thresholds that fired recorded against each decision, so legal and compliance review the rationale afterwards rather than gate the call.
Module 5. Writing the DORA Incident Reports: Initial, Intermediate, and Final
The initial notification, the intermediate report, and the final report have different audiences, different information requirements, and different clocks: the initial notification is due within four hours of classifying the incident as major and no later than 24 hours after you became aware of it, the intermediate report within 72 hours of the initial notification, and the final report within one month of the intermediate report. This module walks through each report type: what the initial notification must contain to satisfy the competent authority's first-triage needs, what additional analysis the intermediate report requires, and how the final report documents root cause, remediation, and preventive controls in a format regulators and internal auditors will both accept.
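The classification decision and the reporting clock described in Modules 4 and 5, as an added Python example (not course material and not a course template). Everything specific here is an assumption: the P1..P4 internal severity scale is hypothetical, the materiality thresholds are placeholders that must be replaced by the figures compliance signs off on from the ESA technical standards, and the "primary criterion or two secondary criteria" rule structure is assumed for illustration and must be confirmed against the classification RTS. The reporting windows (4 hours from classification capped at 24 hours from awareness, 72 hours, one month) are the ones the standards set. The point the paragraph alone does not show is the shape of an auditable decision record: the internal severity is logged but never drives the outcome, each criterion is scored on its own, and the deadlines are computed from the two different start points the rules use.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical materiality thresholds (placeholders, NOT figures from the
# RTS): each must be replaced by the value compliance signs off on.
THRESHOLDS = {
    "clients_affected": 10_000,
    "downtime_minutes": 120,
    "countries_affected": 2,
    "economic_impact_eur": 100_000.0,
}

# Criteria that on their own make a critical-service incident major
# (assumed rule structure for illustration; confirm against the RTS).
PRIMARY = ("clients", "data_loss")


@dataclass(frozen=True)
class Incident:
    ref: str
    internal_severity: str           # hypothetical SIEM scale "P1".."P4"
    critical_service_affected: bool  # a critical or important function is hit
    clients_affected: int
    downtime_minutes: int
    countries_affected: int
    data_loss: bool
    reputational_signal: bool        # e.g. press coverage or regulator contact
    economic_impact_eur: float
    detected_at: datetime            # moment the entity became aware


@dataclass(frozen=True)
class Classification:
    major: bool
    criteria_met: tuple
    rationale: str                   # the auditable record of the decision


def evaluate_criteria(inc: Incident) -> dict:
    """Score each DORA criterion on its own, independent of the internal
    severity, so the rationale can be reviewed criterion by criterion."""
    return {
        "clients": inc.clients_affected >= THRESHOLDS["clients_affected"],
        "data_loss": inc.data_loss,
        "duration": inc.downtime_minutes >= THRESHOLDS["downtime_minutes"],
        "geography": inc.countries_affected >= THRESHOLDS["countries_affected"],
        "reputation": inc.reputational_signal,
        "economic": inc.economic_impact_eur >= THRESHOLDS["economic_impact_eur"],
    }


def classify(inc: Incident) -> Classification:
    """Assumed rule: major only if a critical or important function is
    affected AND (a primary criterion fires OR at least two secondary
    criteria fire). Internal severity is logged, never decisive."""
    met = evaluate_criteria(inc)
    fired = tuple(name for name, hit in met.items() if hit)
    primary_hit = any(name in PRIMARY for name in fired)
    secondary_hits = sum(1 for name in fired if name not in PRIMARY)
    if not inc.critical_service_affected:
        major, why = False, "no critical or important function affected"
    elif primary_hit:
        major, why = True, "critical function affected and a primary criterion met"
    elif secondary_hits >= 2:
        major, why = True, f"critical function affected and {secondary_hits} secondary criteria met"
    else:
        major, why = False, "critical function affected but thresholds not met"
    rationale = f"{inc.ref} [{inc.internal_severity}]: {why}; criteria fired={list(fired)}"
    return Classification(major, fired, rationale)


def add_one_month(ts: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Mar -> 30 Apr)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))


def reporting_deadlines(inc: Incident, classified_at: datetime,
                        initial_submitted_at: Optional[datetime] = None,
                        intermediate_submitted_at: Optional[datetime] = None) -> dict:
    """Reporting clock for a major incident. Initial notification: 4 h from
    classification as major, but never later than 24 h from awareness (the
    earlier bound binds). Intermediate: 72 h from submitting the initial
    notification. Final: one month from submitting the intermediate report."""
    if classified_at < inc.detected_at:
        raise ValueError("classification cannot precede awareness")
    deadlines = {"initial": min(classified_at + timedelta(hours=4),
                                inc.detected_at + timedelta(hours=24))}
    if initial_submitted_at is not None:
        deadlines["intermediate"] = initial_submitted_at + timedelta(hours=72)
    if intermediate_submitted_at is not None:
        deadlines["final"] = add_one_month(intermediate_submitted_at)
    return deadlines


# Constructed samples. SAMPLE_MAJOR: a P2 alert that still meets two
# secondary criteria on a critical service. SAMPLE_NOT_MAJOR: a P1 alert
# with a large client count but no critical or important function affected.
UTC = timezone.utc
SAMPLE_MAJOR = Incident(
    ref="INC-0001", internal_severity="P2", critical_service_affected=True,
    clients_affected=500, downtime_minutes=180, countries_affected=3,
    data_loss=False, reputational_signal=False, economic_impact_eur=50_000.0,
    detected_at=datetime(2025, 3, 28, 8, 0, tzinfo=UTC),
)
SAMPLE_NOT_MAJOR = Incident(
    ref="INC-0002", internal_severity="P1", critical_service_affected=False,
    clients_affected=50_000, downtime_minutes=10, countries_affected=1,
    data_loss=True, reputational_signal=False, economic_impact_eur=0.0,
    detected_at=datetime(2025, 3, 28, 9, 0, tzinfo=UTC),
)
# Constructed timeline: classified 22 h after awareness, so the 24 h cap binds;
# intermediate report submitted on 31 Mar, so the one-month clamp shows.
CLASSIFIED_AT = datetime(2025, 3, 29, 6, 0, tzinfo=UTC)
INITIAL_SENT_AT = datetime(2025, 3, 29, 7, 30, tzinfo=UTC)
INTERMEDIATE_SENT_AT = datetime(2025, 3, 31, 9, 0, tzinfo=UTC)


def demo_deadlines() -> dict:
    return reporting_deadlines(SAMPLE_MAJOR, CLASSIFIED_AT,
                               INITIAL_SENT_AT, INTERMEDIATE_SENT_AT)


if __name__ == "__main__":
    print(classify(SAMPLE_MAJOR).rationale)
    print(classify(SAMPLE_NOT_MAJOR).rationale)
    for stage, due in demo_deadlines().items():
        print(f"{stage}: due {due.isoformat()}")
```

The rationale string is what goes into the incident record and, later, the evidence file: it names the criteria that fired and the internal severity, so compliance can see why a P2 became reportable and a P1 did not without re-running the analysis.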
Module 6. TLPT Scoping and Coordination for the Security Analyst
Threat-Led Penetration Testing under DORA requires the security analyst to coordinate between internal system owners, the red team, and a DORA-compliant testing provider. This module covers selecting and onboarding an approved provider, scoping the systems in scope for testing, communicating scope to system owners without alerting defenders, and documenting closed remediation findings in the format the competent authority will review after testing concludes.
Module 7. Third-Party ICT Risk: Tiering Providers and Running Due Diligence
Not every ICT provider needs the same due diligence depth. This module builds a tiering methodology keyed to DORA's own dividing line, whether or not the provider supports a critical or important function, and splits that population into the course's critical, important, and standard tiers, then produces a due diligence questionnaire template calibrated to each tier. Note that "critical ICT third-party service provider" also has a narrower meaning in DORA: a provider designated by the ESAs for direct oversight, which is a separate determination from your own tiering. Covers the contractual provisions DORA requires in all agreements with providers supporting critical or important functions, and how to negotiate those provisions with vendors who have not previously received a DORA-specific contract amendment request.
Module 8. Multi-Framework Control Evidence: One Collection for Three Regulators
An Information Security Analyst at a global bank typically answers to three or more frameworks simultaneously. This module builds a control evidence mapping approach that produces one collection satisfying ISO 27001 Annex A, NIST CSF subcategories, and the relevant DORA ICT risk management requirements at the same time. The mapping table becomes your living control library, updated once and queried by three different reporting streams without duplication.
Module 9. The ICT Risk Management Framework Document
DORA requires a comprehensive, documented ICT risk management framework that is distinct from but consistent with your ISO 27001 ISMS. This module identifies what the DORA framework document must contain that your existing ISMS does not cover: the ICT risk tolerance statement aligned to your business continuity objectives, the governance structure for ICT risk decisions at the board and management level, and the annual review and approval cycle a competent authority will check in a supervisory examination.
Module 10. Business Continuity, ICT BCP, and ICT DRP Under DORA
DORA treats the Business Continuity Policy, the ICT Business Continuity Plan, and the ICT Disaster Recovery Plan as three separate required artefacts with distinct content requirements. This module drafts each document to the minimum viable standard DORA specifies, identifies the overlap with your existing BC and DR documentation, and establishes a testing and review cadence that keeps all three current without creating three parallel maintenance streams.
Module 11. Navigating Multi-Jurisdiction Regulatory Overlap
A bank with operations across EU, UK, and APAC jurisdictions receives DORA compliance requirements from the ECB or national competent authority, FCA operational resilience requirements under SYSC 15A, and BCBS operational resilience guidance from local prudential regulators. This module identifies where these frameworks align, where they diverge, and how to structure your control evidence and reporting so one set of documentation satisfies all three regulators without creating contradictory records across jurisdictions.
Module 12. Preparing for the First DORA Supervisory Examination
The first supervisory examination under DORA typically focuses on RoI completeness, incident classification maturity, and evidence that TLPT has been scoped or qualified for exemption. This module builds a pre-examination evidence file structure: what to gather, how to organise it, which gaps national competent authority examiners typically flag in first-year reviews, and how to communicate status to your CISO and legal team before the examination letter arrives.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You are building your DORA register of information for the first time and the methodology is unclear beyond listing ICT providers.
You had an incident and the DORA classification criteria do not match your internal severity taxonomy, creating a dispute between security, compliance, and legal over the correct tier.
Your TLPT is due and you need to scope it, select a provider, and document the process without a prior example to follow.
Your internal audit found that your DORA control evidence is siloed across separate ISO 27001, NIST, and DORA documentation sets and wants you to consolidate without losing the audit trail.

What you get with this course

  • 12 written modules covering the full DORA compliance lifecycle, from register of information build through to supervisory examination readiness.
  • Downloadable templates for every module: RoI build template, incident classification decision tree, TLPT scope document, third-party due diligence questionnaire by provider tier, and multi-framework control evidence mapping table.
  • The hand-built implementation playbook: a step-by-step DORA compliance workplan tailored to a security analyst's accountability scope, with recommended sequencing and effort estimates for each workstream.
  • Access to the Art of Service learning environment within 24 hours of purchase.

What you will have in hand by Day 1, Week 1, Month 1

Course access and implementation playbook provisioned within 24 hours of purchase.

First three modules completable in a half-day focused session.

Full 12-module curriculum completable in two to three focused weeks alongside a live DORA compliance workstream.

Before and after

Before

Your DORA compliance work is spread across spreadsheets, email threads, and ad-hoc meetings. The register of information is out of date within weeks of each submission. Incident classification is a manual judgment call that takes longer than the initial notification window allows. Third-party ICT due diligence varies by individual analyst rather than by provider tier.

After

You have a repeatable methodology for every DORA workstream: a register maintenance process that stays current when contracts change, an incident classification decision tree your team applies within the hour, due diligence templates calibrated to provider criticality, and a control evidence library that satisfies ISO 27001, NIST CSF, and your supervisory authority simultaneously.

What happens if you do not address this

The first supervisory examination will surface the same documentation gaps most security teams discover only when the examination request arrives: an incomplete register, an undocumented classification process, and evidence that TLPT was scoped informally rather than under the required methodology. Building the documentation infrastructure before the examination is faster and less costly than rebuilding it under examination pressure with a live regulatory finding on the table.

Who it is for

Information Security Analysts at regulated financial institutions who are accountable for part or all of their organisation's DORA compliance workstream. Practitioners who have information security operational experience, including vulnerability management, incident response, and control testing, but who need a structured approach to translating that operational knowledge into the formal regulatory artefacts DORA requires. Specifically useful for analysts who are drafting or maintaining the register of information for the first time, leading the internal DORA gap assessment, coordinating TLPT with an external provider, or preparing an evidence file for the first supervisory examination.

Who this is NOT for. Security architects focused purely on technical design who have no regulatory reporting accountability. Compliance managers looking for a high-level DORA policy overview rather than practitioner-level implementation methodology. IT professionals with no information security role or cross-functional regulatory interface.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately eight to twelve hours of focused reading and template completion across the 12 modules, with additional time for applying the frameworks to your specific ICT environment and provider inventory.

Why $199 is the right number

Free DORA guidance is available from the European Supervisory Authorities (EBA, EIOPA and ESMA) and from your competent authority. That guidance tells you what DORA requires. This course shows you how to produce the specific artefacts DORA requires in the sequence a security analyst with a live compliance workstream would build them, including the edge cases and classification decisions the regulatory guidance leaves unresolved.

FAQ

Does this course apply to non-EU banks that have DORA obligations through an EU subsidiary or branch?
Yes. The methodology applies to any financial institution with DORA obligations, including non-EU banks with significant EU operations subject to DORA via their EU subsidiary or branch. The multi-jurisdiction module specifically addresses how DORA obligations interact with FCA operational resilience requirements and BCBS guidance for institutions operating across multiple regulatory perimeters.
Do I need a prior compliance qualification to get value from this course?
No. The course is written for practitioners with information security operational experience but limited formal regulatory compliance training. It assumes you understand threat management, control testing, and incident response at a working level, and builds from there into the DORA-specific documentation and reporting requirements.
How does the course stay current as DORA technical standards continue to be finalised?
The course content reflects DORA requirements as published in the core Regulation and the associated Regulatory Technical Standards and Implementing Technical Standards from the ESAs. The implementation playbook notes where standards are still being refined and how to structure your documentation to accommodate updates without a full rework of completed artefacts.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.