FX & Trading
The broker was ISO 27001 certified and treated that as DORA done. When a bank and the competent authority asked for DORA evidence, the gap between 'certified' and 'compliant' was exactly the four places it always is.
ISO 27001 gives a governed ISMS, a risk process and a control set that map onto much of what DORA expects. But ISO 27001 is a voluntary standard and DORA is binding regulation with specific demands: major-incident classification and reporting on the regulator's clock, a prescribed ICT third-party register, a resilience-testing programme, and ICT risk owned by the management body. Certified was a genuine head start - it was not the finish line, and the broker could not show a supervisor where the standard stopped and the regulation began.
Finding 01
PSPs, cloud, liquidity providers and the platform vendor were not classified by criticality, with no contract, monitoring, exit or concentration-risk analysis. This was the first thing the bank asked for.
Finding 02
The ISMS managed incidents, but there was no major-incident classification test and no workflow to report to the competent authority inside DORA's deadlines.
Finding 03
An annual penetration test existed, but there was no documented programme of scenario-based resilience testing or a plan for threat-led testing.
Finding 04
DORA puts the management body accountable for the ICT risk framework. Here it sat with IT, with no oversight cadence or reporting line to the board.
Finding 05
Much of the ISMS evidence would satisfy DORA, but nobody had built the crosswalk - so the broker could show neither the reuse nor the real gaps.
The broker could answer the information request with a DORA gap analysis mapped to its ISO 27001 base, an ICT third-party register and a remediation roadmap - showing the supervisor a governed path instead of a blank. Supervisory judgement remains with the competent authority; the point was to stop failing on the obvious, structural gaps.
ISO 27001 is a head start on DORA, not a substitute for it. The gap is almost always the same four places - the ICT third-party register, incident-reporting timelines, resilience testing and board ownership. Certified proves your controls exist; DORA asks whether you can report, test and recover under supervision.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.