Third Party Risk Management (DORA compliance)

Third-party risk management is a legal requirement for financial entities in scope of the EU's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554): managing ICT third-party risk is one of DORA's core pillars (Chapter V of the Regulation), alongside ICT risk management, incident reporting, resilience testing and information sharing.

Managing Third-Party Risks at Toqio

To manage third-party risks effectively, Toqio follows a structured assessment process.

Initial Evaluation

Before integration work begins, Toqio evaluates the integrator's security measures. The integrator answers a detailed questionnaire covering technical, procedural and compliance aspects, providing written answers and supporting evidence (policies, certificates, reports). Toqio assigns a risk level to the integration based on these responses and the evidence supplied.

Example Questionnaire

| Code | Question | Procedure | Required Evidence |
|---|---|---|---|
| 1 | Does the integrator have an Information Security Policy (ISP)? | Develop, approve and periodically review an ISP outlining security guidelines. | ISP documentation (redacted where confidentiality agreements require it). |
| 2 | Does the integrator have an Incident Management Plan/Procedure (IMP)? | Implement an IMP defining incident types, roles, responsibilities, containment procedures and notification to Toqio. | IMP documentation. |
| 3 | Is the integrator PCI DSS compliant? | Required if the integrator stores, processes or transmits cardholder data. | PCI DSS Attestation of Compliance (AOC) or equivalent certificate. |
| 4 | Is the integrator ISO/IEC 27001 certified? | Operate an Information Security Management System (ISMS). | ISO/IEC 27001 certificate, including its scope statement. |
| 5 | Is the integrator subject to, and compliant with, DORA (Regulation (EU) 2022/2554)? | Follow DORA requirements for ICT risk management and ICT-related incident management. | Documentation demonstrating DORA compliance. |
| 6 | Is the integrator GDPR compliant? | Implement GDPR-compliant data protection measures. | Explanation and documentation of GDPR compliance. |
| 7 | Does the integrator process personal data? | Processing must be GDPR-compliant and protected by appropriate technical and organisational measures. | Disclosure of the categories of personal data processed. |
| 8 | Does the integrator store or process data within the EU/EEA? | Personal data transferred outside the EU/EEA requires a valid GDPR transfer mechanism (adequacy decision, standard contractual clauses or binding corporate rules). | Disclosure of server and processing locations and, where applicable, the transfer mechanism relied on. |
| 9 | Are integrator communications encrypted in transit? | Use current, well-configured transport encryption (e.g. TLS 1.2 or later) for all data in transit. | Encryption policy documentation. |
| 10 | Is integrator data encrypted at rest? | Use strong, standard algorithms (e.g. AES-256) with documented key management. | Encryption policy documentation and audit reports. |
| 11 | Does the integrator have a User Management Policy (UMP)? | Secure user authentication, authorisation and access-lifecycle (joiner/mover/leaver) practices. | Documentation of user access management. |
| 12 | Does the integrator have a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)? | Test and update the BCP and DRP regularly. | Up-to-date BCP and DRP documentation and test results. |
| 13 | Does the integrator have a security training program? | Regular training on security best practices for all staff. | Training policy and completion records. |
| 14 | Does the integrator perform regular penetration tests? | Identify and remediate vulnerabilities in exposed systems. | Penetration testing reports and remediation status. |
| 15 | How does the integrator manage its own integrators and subcontractors? | Hold third parties to equivalent standards. | Contracts, risk assessments and performance monitoring records. |
| 16 | Does the integrator perform and securely store data backups? | Regular backups, secure storage and periodic restore testing. | Backup policy documentation and logs. |
| 17 | Does the integrator ensure secure coding practices? | Implement secure coding policies, code review and developer training. | Secure coding policy and training records. |
| 18 | Does the integrator use firewalls and intrusion detection/prevention systems (IDS/IPS)? | Monitor traffic and block unauthorised access. | Documentation of firewall and IDS/IPS configurations. |
| 19 | Does the integrator regularly conduct vulnerability scanning? | Identify and remediate vulnerabilities on a defined schedule. | Vulnerability scanning policy and reports. |
| 20 | Does the integrator apply security patches and updates in a timely manner? | Effective patch management procedures with defined remediation timelines. | Patch management documentation. |
| 21 | Does the integrator implement network segmentation? | Define security zones and enforce them with VLANs and firewall rules. | Documentation of network segmentation. |
| 22 | Does the integrator perform an annual risk assessment? | Annual risk assessment for compliance. | Risk assessment documentation. |
| 23 | Does the integrator have a risk management framework? | Required for DORA compliance. | Risk management framework documentation. |

Annual Review

Once integrated, integrators must update their responses to the security questionnaire annually. Depending on the integration and applicable legal requirements, an annual formal risk assessment using a recognised methodology (e.g. MAGERIT, OCTAVE, NIST SP 800-30) may also be required; the integrator must share the results with Toqio for compliance and audit purposes.

Toqio retains the history of all submitted questionnaires, evidence and assessments as audit evidence.