
Security Project Delivery for Financial Services Regulation

$199.00

A focused course, tailored for you

Security Project Delivery for Financial Services Regulation

Run DORA, ISO 27001, and ICT risk projects that pass steering committee scrutiny and land on time.

Security Project Managers at asset managers and investment firms carry a double accountability: deliver the technical control implementation AND produce the regulatory artefacts that satisfy the CISO, the audit committee, and the prudential supervisor. Most project management training covers neither.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

DORA came into force for financial entities including asset managers. The ICT risk management chapter (Articles 5-16) requires documented ICT risk registers, tested business continuity arrangements, third-party ICT provider registers with contractual clauses, and incident classification logs. Each of these is a project deliverable, not just a compliance checkbox. When steering committees ask for gate-review confidence, they need to see artefacts they can defend to the ACPR or AMF examiner, not a Gantt chart. Security Project Managers who can build those artefacts and run the project to deliver them on schedule are the ones who get the next programme.

What you walk away with

  • Build an ICT risk register that satisfies DORA Article 6 requirements and doubles as the ISO 27001 risk assessment input.
  • Structure a steering committee gate pack that answers delivery confidence questions with evidence, not RAG status alone.
  • Produce a third-party ICT provider register with the contractual clause checklist DORA Article 28 requires.
  • Map security project milestones to regulatory submission timelines so slippage surfaces four weeks early, not four days before.
  • Write incident classification logs in the format DORA Article 17 specifies, ready for regulator inspection without rewriting.
  • Deliver the ISO 27001 Annex A control implementation evidence package alongside the project close report.

The 12 modules

Module 1. The Regulatory Landscape a Security PM Must Own
Maps the specific DORA chapters (5-16), ISO 27001:2022 clauses, and AMF/ACPR supervisory expectations that land on the Security Project Manager's desk rather than the CISO's. Explains which artefacts the project must produce, who owns them, and how they connect to the project delivery schedule. Establishes the difference between implementation evidence and regulatory submission artefacts.
Module 2. Building the ICT Risk Register the Right Way
Walks through the structure of an ICT risk register that satisfies DORA Article 6 (identification, classification, and documentation of ICT risks) and simultaneously feeds the ISO 27001 risk assessment. Covers asset inventory linkage, threat-scenario naming conventions that align with ENISA taxonomy, and the residual risk acceptance sign-off workflow. Includes a downloadable register template with worked examples from a fund administration context.
Module 3. Project Planning Against Regulatory Milestones
Teaches how to build a project schedule where regulatory submission dates drive workstream sequencing, not the reverse. Covers the specific DORA phased implementation timeline, ISO 27001 Stage 1 and Stage 2 audit preparation windows, and how to map internal steering gate reviews to external regulatory inspection cycles. Shows how to surface schedule risk four weeks before it becomes a crisis.
Module 4. The Steering Committee Gate Pack
Explains what a CISO, CRO, and audit committee chair need to see at a gate review: delivery confidence evidence, open risk register with mitigations, controls already tested versus planned, and regulatory exposure if the programme slips. Covers the one-page executive summary format that answers the delivery confidence question with artefacts. Includes a worked gate pack template aligned to a DORA ICT programme.
Module 5. Third-Party ICT Provider Register and DORA Article 28
Builds the contractual and operational register DORA Article 28 requires for ICT third-party risk. Covers how to categorise providers (critical versus non-critical), what contractual clauses must be present, how to conduct the annual review, and how to document exit strategies. Includes a provider assessment questionnaire and a clause checklist mapped to Article 28 sub-requirements, usable directly in vendor negotiations.
Module 6. ISO 27001 Annex A Controls: What a PM Needs to Track
Covers the 93 ISO 27001:2022 Annex A controls from a project delivery perspective: which controls require documented implementation evidence, which are audit-tested versus process-verified, and how to build a controls implementation tracker that the external auditor can walk through at Stage 2. Explains the Statement of Applicability and who in the project team owns each section. Removes the confusion between controls that are implemented and controls that are evidenced.
Module 7. Incident Classification and the DORA Article 17 Log
Explains DORA Article 17 major incident classification criteria: the thresholds (number of clients affected, transaction value, duration, geographic spread) and the required notification timelines to the competent authority. Builds the incident log structure that satisfies both DORA and the internal audit requirement. Covers the initial notification draft, the intermediate report, and the final root-cause report, with templates for each stage.
Module 8. Business Continuity and Digital Operational Resilience Testing
Covers DORA Chapter IV (digital operational resilience testing): basic testing requirements versus advanced threat-led penetration testing (TLPT) and which financial entities are in scope for TLPT. Explains how to build the annual testing programme, document test results in the format DORA requires, and incorporate findings into the ICT risk register and project remediation backlog. Includes a testing schedule template and a findings-to-remediation workflow.
Module 9. Managing Workstream Dependencies Across DORA and ISO 27001
Many security project managers run DORA and ISO 27001 simultaneously. This module maps the overlaps (both require risk assessments, both require third-party management, both require incident response) and the divergences (DORA has specific financial-services notification timelines; ISO 27001 has a broader ISMS scope). Shows how to structure a single project plan that produces shared artefacts for both programmes without duplicating effort or creating artefact conflicts.
Module 10. Stakeholder Communication for Security Compliance Projects
Covers how to translate technical control implementation status into language that risk committees, legal teams, and non-technical senior managers can act on. Explains the difference between a project status update and a regulatory risk disclosure. Includes formats for the monthly CISO briefing, the board risk committee summary, and the external auditor progress call. Addresses the common failure: security PMs who can implement controls but cannot communicate programme risk upward.
Module 11. Budget Justification and Resource Planning for Compliance Programmes
Builds the business case format for security compliance programme budgets: how to frame DORA and ISO 27001 investment in terms of regulatory penalty exposure, reputational risk, and competitive positioning (certifications as client trust signals). Covers resource planning for peak audit preparation periods, how to negotiate scope with budget constraints, and how to document deferred controls as accepted risks with the appropriate sign-off chain.
Module 12. Project Close: Handover to Operations and Ongoing Compliance
Covers the transition from project delivery to business-as-usual compliance maintenance: what the operations team needs to own after the project closes, how to document the control environment in a form that survives personnel turnover, and what the annual DORA review and ISO 27001 surveillance audit require from the programme documentation. Produces a project close report and a BAU compliance calendar as the final deliverables.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1-3: foundation for any security PM entering a DORA or ISO 27001 programme, covering the regulatory landscape, risk register build, and project scheduling.
Modules 4-5: steering committee and third-party management, the two areas where asset management security PMs most often face pushback from senior stakeholders.
Modules 6-9: implementation depth, covering controls tracking, incident logging, resilience testing, and multi-framework workstream management.
Modules 10-12: programme management skills, covering stakeholder communication, budget justification, and project close, the areas that determine whether the PM runs the next programme.

What you get with this course

  • 12 written modules covering DORA Articles 5-28, ISO 27001:2022 Annex A, and security project delivery methodology.
  • Downloadable ICT risk register template with worked examples.
  • DORA Article 28 third-party provider register and contractual clause checklist.
  • Steering committee gate pack template with delivery confidence evidence framework.
  • DORA Article 17 incident classification log with notification timeline guide.
  • ISO 27001 controls implementation tracker and Statement of Applicability structure.
  • Hand-built implementation playbook delivered alongside course access, scoped to the learner's specific programme.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Managing a DORA ICT compliance programme with separate tracking spreadsheets for technical controls, regulatory artefacts, and project milestones. Steering committee questions about delivery confidence answered with RAG status and verbal explanation. Third-party provider register incomplete because the Article 28 requirements were interpreted differently by each workstream owner.

After

Single project framework that produces DORA and ISO 27001 artefacts in parallel, with a gate pack format the steering committee can read in five minutes. Third-party register complete and contractual clauses verified against Article 28. Incident classification log ready for regulator inspection without rewriting.

What happens if you do not address this

DORA compliance deadlines have already passed for in-scope financial entities. An incomplete ICT risk register or a missing third-party provider register is an examiner finding, not a project gap. Security PMs who cannot produce the required artefacts on schedule lose credibility with the CISO and audit committee, and with it the programme budget for the next cycle.

Who it is for

Security Project Managers in financial services firms (asset managers, investment banks, fund administrators) who lead ICT compliance and cybersecurity implementation programmes. Typically managing workstreams across DORA, ISO 27001, or SOC 2 simultaneously. Accountable for both technical delivery and regulatory artefact production.

Who this is NOT for. Security engineers focused purely on technical implementation without regulatory reporting responsibility. GRC analysts who do not run project workstreams. IT project managers in non-financial-services industries where DORA and ACPR/AMF oversight do not apply.

How it arrives

Text-based course in the Art of Service learning environment, with downloadable templates and worked examples for every module, and the hand-built implementation playbook delivered alongside course access.

Time investment. 12 modules, each designed to be completed in 45-60 minutes. Full course completable in a standard working week, structured to be taken in parallel with an active compliance programme.

Why $199 is the right number

External DORA consulting engagements typically cost $15,000-40,000 and deliver a generic gap assessment rather than a project manager's toolkit. ISO 27001 training courses focus on auditor knowledge rather than project delivery. This course is the only one focused on the Security Project Manager role in a financial services firm, producing artefacts rather than awareness.

FAQ

Does this cover DORA for asset managers specifically, or just banks?
The course covers DORA as it applies to all in-scope financial entities including asset management companies, fund administrators, and investment firms. Where the requirements differ by entity type, the module notes the distinction.
What if my firm is running ISO 27001 but not yet formally scoped for DORA?
Module 9 maps the overlap between ISO 27001 and DORA requirements directly. If your firm has not yet determined DORA scope, the course explains the scoping criteria so you can make that determination as part of the programme.
Is the implementation playbook the same for every buyer?
No. The implementation playbook is hand-built for each buyer based on their role and programme context. You receive it within 24 hours of course access alongside the course materials.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.