Fintech
A yearly penetration test had always satisfied auditors. DORA expects a programme - and, for significant entities, threat-led testing the firm had never scoped.
DORA requires a digital operational resilience testing programme: a range of assessments and tests proportionate to the firm, on a defined cadence, with findings tracked to closure. Significant financial entities also face threat-led penetration testing. The firm treated testing as one event a year and had no view on whether threat-led testing would apply to it.
Finding 01
There was no cadence and no coverage map showing which critical systems get tested and how often.
Finding 02
The pen test covered the public-facing app, not the internal trading and client systems that actually carry the business.
Finding 03
Previous test findings had no owner and no remediation trail, so the same issues could recur unnoticed.
Finding 04
Nobody had assessed whether the firm would be in scope for threat-led penetration testing, or what that would demand.
Finding 05
Reliance on ICT providers' own testing was taken on trust, with no assurance obtained or reviewed.
The firm moved from a single annual test to a documented programme mapped to its critical functions, with a clear position on threat-led testing, ready to discuss with its supervisor. No test regime guarantees resilience; the point was a programme that covers what matters and improves over time.
DORA does not ask whether you ran a pen test. It asks whether you have a testing programme that covers what matters, tracks findings to closure, and - if you are significant - can stand up to threat-led testing.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.