FX & Trading
An ICT outage was handled competently on the technical side. Then compliance realised nobody knew whether it was a major incident, or when the regulator had to be told.
ISO 27001 asks you to manage and learn from incidents. DORA goes further: you classify ICT-related incidents against defined criteria and, for major ones, notify your competent authority and follow up with intermediate and final reports, each on a regulated deadline. The broker had strong incident response and none of the classification or reporting machinery.
Finding 01
The criteria that decide whether an incident is major - clients affected, duration, data losses, economic impact, geographic spread - were not built into the process.
Finding 02
Nobody owned the decision to notify the regulator, or the clock that starts when an incident is classified.
Finding 03
The team did not know an initial notification, an intermediate report and a final report are each expected on a defined timeline.
Finding 04
Logs captured how the outage was fixed, not the information a regulator report actually requires.
Finding 05
A PSP or cloud incident that hits the broker was outside the incident process, even though that is exactly what happened here.
The broker could now classify an ICT incident and, if major, report it to the competent authority within the required timeline, with the evidence a report needs. Whether a given incident is reportable, and how a supervisor responds, remains a live judgement; the machinery to make it was finally there.
Good incident response is not DORA incident reporting. The gap is not the fix - it is the classification test and the regulator's clock, and it is discovered at the worst possible moment: during a live incident.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.