A focused course, tailored for you
DORA ICT Risk: The Security Practitioner's Build
Build the ICT risk register, third-party tiering, and TLPT methodology a globally supervised bank actually has to submit.
A CISSP tells you how to think about ICT risk. DORA Article 28 tells you exactly what you have to produce: a complete register of third-party ICT providers, criticality tiering for every arrangement supporting a critical or important function, exit strategy documentation, and contractual clauses meeting Article 30 minimum requirements. The gap between the risk management methodology and the actual artefacts the competent authority will open is where most security practitioners stall.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
DORA is enforceable across all EU-supervised financial entities. The competent authority is asking for the ICT risk management framework documentation, the third-party ICT register in Annex III field structure, the incident classification taxonomy mapped to DORA Annex I, and evidence that the DORA governance charter has board approval. Security professionals who hold CISSP are expected to lead this build. The problem is that the CISSP domains cover risk identification, asset management, and governance at a methodology level. DORA Annex III specifies the exact register fields. DORA Article 30 specifies the exact contractual clauses. DORA Annex I specifies the exact incident classification criteria. Translating the methodology into these specific artefacts is the work that gap analyses cannot substitute for, and the competent authority review cycle does not pause for functions still in planning mode.
What you walk away with
- Produce the ICT third-party register in Annex III field structure with criticality tiering and exit strategy documentation for every arrangement supporting a critical or important function.
- Build the contractual clause library covering Article 30 minimum requirements, including audit rights, sub-outsourcing controls, and termination provisions.
- Map the institution's incident taxonomy to DORA Annex I major incident criteria and set the classification thresholds for the 4-hour, 24-hour, and 72-hour reporting cascade.
- Document the DORA governance framework: ICT risk policy, committee charter, and the board reporting structure a competent authority examiner expects to see active.
- Design and scope the digital operational resilience testing programme, including TLPT cycle preparation and the scope document the competent authority needs to approve.
- Move the ICT risk function from gap analysis to a live compliance posture with a complete evidence pack ready for supervisory review.
What you get with this course
- 12 written modules covering every DORA ICT risk artefact from the Article 8 asset register to the TLPT scope document
- Downloadable ICT third-party register schema in Annex III field structure with data collection guidance
- Criticality tiering scorecard with concentration risk mapping template
- Article 30 contractual clause library with negotiation guidance for large vendor pushback
- Incident classification matrix mapped to DORA Annex I criteria with internal threshold register
- Regulatory reporting templates for the 4-hour initial notification, 24-hour intermediate report, and 72-hour final report
- DORA governance documentation checklist and examination preparation guide
- Hand-built implementation playbook tailored to the specific ICT risk function
What you will have in hand by Day 1, Week 1, Month 1
Course access is provisioned within 24 hours of purchase, with the hand-built implementation playbook delivered alongside it.
Before and after
Before. The ICT risk function holds CISSP-calibre methodology and a set of gap analyses. The competent authority review is approaching. The actual artefacts are not yet complete: the Annex III register, the Article 30 clause library, the Annex I classification matrix, and the governance pack.
After. The function holds a complete DORA evidence pack: an Annex III-structured third-party register with documented criticality tiering, an Article 30 clause library, an Annex I incident classification matrix with set thresholds, a governance charter with board sign-off, and a TLPT programme ready for authority submission.
What happens if you do not address this
Competent authority review cycles proceed on their own calendar. An ICT risk function that arrives at a supervisory review with gap analyses and an incomplete third-party register is the pattern that generates formal supervisory findings and remediation timelines measured in quarters. The workload of responding to a formal finding is significantly higher than completing the artefact build before the review arrives.
Who it is for
Information security professionals at globally supervised financial institutions who hold CISSP and are the named owner of the DORA ICT risk compliance programme. Likely titled ICT Risk Manager, Head of Operational Resilience, CISO, or equivalent. Has strong risk methodology grounding but is encountering DORA's specific artefact requirements ahead of a competent authority review or internal audit cycle.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Each module is designed for a single focused session. The full course takes 8 to 12 hours of reading and template work. Most practitioners complete the artefact build in parallel with the course over three to four weeks.
Why $199 is the right number
External consultants can build a DORA ICT risk framework, typically at a five-to-six-figure engagement cost with a delivery timeline that may not align with the supervision calendar. The EBA guidelines and DORA regulatory technical standards are publicly available but require significant interpretation to translate into a working register and clause library. This course provides the interpretation completed, the templates built, and the playbook tailored to the specific function.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.