Readiness Process

Sprint Timeline

The engagement follows structured phases, each building on the outputs of the previous one.

1. Intake (2–6 days)
  • NDA & stakeholder map
  • Document request
  • Scoping interviews
  • System boundary draft

2. Assessment (9 days)
  • TSC selection
  • Type 1/Type 2 recommendation
  • Control walkthroughs
  • Evidence sampling

3. Outputs (9 days)
  • Controls matrix & gap register
  • Policy/document backlog
  • Evidence calendar
  • Executive readout & roadmap

4. Follow-on (Variable)
  • Remediation implementation
  • Type 2 observation period

Phase Details

1. Intake & Scoping (Week 1)

We start by understanding your ICT environment and current resilience posture.

  • ICT environment mapping — catalog ICT systems, infrastructure, and dependencies that support critical business functions
  • Current resilience practices review — assess existing ICT risk management, business continuity, and disaster recovery programs
  • Critical ICT provider identification — identify all ICT third-party providers and assess criticality levels
  • Regulatory classification determination — determine entity classification and applicable DORA requirements, including TLPT

2. Assessment (Week 2–3)

We evaluate your readiness against all five DORA pillars and regulatory technical standards.

  • ICT risk management framework evaluation — assess current framework against DORA requirements for governance, protection, detection, and recovery
  • Incident reporting readiness assessment — evaluate ability to classify and report ICT incidents using harmonized templates
  • Resilience testing capability review — assess current testing practices against DORA testing requirements
  • Third-party ICT arrangement audit — review contractual arrangements and risk management for ICT providers

3. Outputs (Week 3–4)

We deliver the artifacts that establish your DORA compliance readiness.

  • ICT risk management framework updates — gap remediation plan and updated framework aligned to DORA requirements
  • Incident classification and reporting procedures — harmonized templates and procedures for reporting to competent authorities
  • Resilience testing program design — testing strategy including scope, frequency, and TLPT roadmap for significant entities
  • Third-party ICT register and risk assessment — complete register of arrangements with concentration risk analysis and exit strategies

4. Follow-on (Ongoing)

After the readiness sprint, ongoing activities maintain DORA compliance and operational resilience.

  • TLPT program execution — coordinate and support threat-led penetration testing for significant entities
  • Third-party ICT monitoring — ongoing assessment of ICT provider risk, concentration, and contract compliance
  • Incident reporting practice — tabletop exercises and process refinement for incident classification and reporting

Sprint Deliverables

Every readiness sprint produces these minimum deliverables:

  • ICT risk management framework assessment
  • Incident classification procedures
  • Resilience testing program design
  • Third-party ICT register
  • Concentration risk assessment
  • Exit strategy framework
  • Information sharing arrangements
  • DORA gap remediation roadmap

Start Your Readiness Sprint

Most organizations complete the readiness sprint in 3–4 weeks. The result is a clear, actionable DORA compliance roadmap aligned to regulatory technical standards.
