In this guide, we will examine how Eramba facilitates compliance with DORA. We will review each requirement and highlight the various modules and functionalities within Eramba that address these needs.
Some DORA requirements are expected to be fulfilled by member state agencies rather than by end organisations; those items have not been considered in this document. We have also excluded requirements that are for the most part technical, such as the need for backups.
Section 2. Article 6. Req 2-4,8,9
- Use our public GRC templates at www.eramba.org to access already-written Risk Policies that you can leverage for your organisation.
Section 2. Article 6. Req 5
- After you create your Policies in Eramba, you will use the Review functionality to make sure your policies are reviewed every year.
- We recommend you make reports in eramba that automatically send weekly notifications to you.
Section 2. Article 6. Req 6
- The outcome of your audits will be documented in eramba in the Compliance Analysis Findings module.
Section 2. Article 6. Req 7
- You will use notifications in the Compliance Analysis Findings module to make sure all those accountable follow up on any finding.
Section 2. Article 8. Req 1
- You will use eramba’s Business Unit, Asset, and Process modules to document these items and their responsible owners.
- In the Asset module you will most likely define a criticality classification.
- In the Asset module you will use the built-in Review functionality to make sure these assets are reviewed every year. You will of course use notifications and reports to make sure you don’t miss them.
Section 2. Article 8. Req 2
- You will use the Asset Risk Management module in eramba to identify, classify, etc. your Risks.
- In the Risk module you will use the built-in Review functionality to make sure these assets are reviewed every year. You will of course use notifications and reports to make sure you don’t miss them.
Section 2. Article 8. Req 3, Section 2. Article 8. Req 6-7
- You could set a notification for when an Asset, Process, etc. is created or modified, because that could be the trigger for a new Risk Assessment.
Section 2. Article 8. Req 4
- As explained before, the Asset module is the place for documenting all your assets.
Section 2. Article 8. Req 5
- You will have to define your Processes in the BU module and then link them to your Third Parties in the Third Party module.
- This will later help you send Questionnaires to these suppliers to facilitate the task of identifying Risks around them.
Section 2. Article 9. Req 1
- You will be using eramba’s audit capabilities for internal controls, with built-in notifications, to ensure no system is left untested.
Section 2. Article 9. Req 2, 4a, 4c, 4d, 4e, 4f
- Use our public GRC templates at www.eramba.org to access already-written Policies that you can leverage for your organisation.
Section 2. Article 11. Req 1-2
- Use our public GRC templates at www.eramba.org to access already-written Business Continuity Policies that you can leverage for your organisation.
- You can also leverage the Business Continuity Module in eramba, which lets you document your continuity plans and regularly audit them.
Section 2. Article 11. Req 3-4,6,9
- The Business Continuity Module comes with a built-in audit functionality that allows you to test plans.
Section 2. Article 11. Req 5
- The Business Impact Analysis module (Business Risk) will help you identify key processes, their continuity aspects and treatment options.
Section 2. Article 12. Req 1
- Use our public GRC templates at www.eramba.org to access already-written Policies that you can leverage for your organisation.
Section 2. Article 13. Req 2-3
- The incident module in eramba could help document incidents and their mandatory analysis stages, one of which could be “Lessons Learned”.
Section 2. Article 13. Req 6
- The Awareness module in eramba could help develop an awareness program.
Section 2. Article 17. Req 1
- Use our public GRC templates at www.eramba.org to access already-written Policies that you can leverage for your organisation.
Section 2. Article 17. Req 2
- The incident module in eramba could help document incidents and their mandatory analysis stages, one of which could be “Lessons Learned”.
Section 2. Article 18. Req 1
- A custom field could be used on the Incident module to build the classification criteria required by this item.
Section 2. Article 28. Req 1,2
- The Third Party Risk Management module will help you identify and document key Third Party Risks.
Section 2. Article 28. Req 4
- We recommend using the Online Assessment module to perform Vendor Assessments against your suppliers.
Section 2. Article 29. Req 1
- We recommend using the Online Assessment module to perform Vendor Assessments against your suppliers.
Section 2. Article 30. Req 2-3
- Use our public GRC templates at www.eramba.org to access already-written Policies that you can leverage for your organisation.
This article is published in our official documentation: DORA, ISO, NIST, Etc | Eramba learning portal