ISO 27001 for UK Fintech: What the FCA and DORA Actually Require
UK fintechs face a problem that SaaS and general technology businesses do not. Their regulators, primarily the FCA, the PRA for dual-regulated firms, and, where they serve EU customers, the EU supervisors applying DORA, do not merely suggest information security controls. They require specific operational resilience and ICT risk management outcomes, and they supervise whether those outcomes are being achieved. ISO 27001 is not a legal requirement under either regime. In practice, though, it is the most efficient and defensible way to demonstrate the controls the regulators expect you to have.
Three FCA instruments matter. First, SYSC 13 (Operational Risk) and SYSC 15A (Operational Resilience) in the FCA Handbook. Second, PS21/3 and the operational resilience rules it introduced, whose transitional period ended on 31 March 2025; these require firms to identify Important Business Services, set Impact Tolerances, map the people, processes, technology, facilities and third parties those services depend on, and test their ability to remain within tolerance during severe but plausible disruption. Third, the FCA's ongoing supervisory expectations on third-party risk, cyber resilience and cloud outsourcing. In practical terms, the FCA expects a supervised fintech to demonstrate: a documented ICT risk management framework with board-level ownership; identified Important Business Services with tested Impact Tolerances; evidence of third-party risk management, including exit plans for critical cloud providers; incident detection, response and reporting capability aligned with FCA notification obligations; regular testing, including scenario-based exercises and penetration testing; and staff training with an articulated security culture.
The EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) became directly applicable on 17 January 2025. If your fintech offers services to EU customers, or processes data for EU financial entities as a third-party provider, DORA affects you even post-Brexit: directly, if you operate an EU-authorised entity that is itself a financial entity in scope; or indirectly, because your EU customers must flow DORA's ICT third-party contractual and oversight requirements down to you as an ICT third-party service provider. DORA's requirements cluster into five areas that all map heavily onto ISO 27001: the ICT risk management framework (Articles 5 to 16), ICT-related incident management, classification and reporting (Articles 17 to 23), digital operational resilience testing (Articles 24 to 27), ICT third-party risk management (Articles 28 to 44), and information and intelligence sharing (Article 45).
ISO 27001 alone does not make you DORA-compliant. But an ISO 27001-certified ISMS is the fastest foundation on which to build the additional DORA-specific controls, because roughly three quarters of the control work is already done. Four areas always require fintech-specific extension beyond vanilla ISO 27001. First, operational resilience scoping: an ISO 27001 ISMS is scoped around information assets, while FCA operational resilience is scoped around Important Business Services, so the two scopes have to be reconciled explicitly. Second, the third-party risk register and exit planning: the FCA and DORA expect more detail on concentration risk, subcontracting chains and tested exit strategies than ISO 27001's Annex A supplier controls require in isolation. Third, incident notification workflows: the FCA's SUP 15 regime requires immediate notification of matters with serious regulatory impact, and DORA Article 19 major incident reporting runs on fixed clocks (an initial notification within four hours of classifying the incident as major and no later than 24 hours from becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month), each with its own template, so the ISMS incident procedure needs a classification step and a reporting runbook, not just a response plan. Fourth, regulator-ready evidence packs: supervision is increasingly conducted through evidence requests, up to and including skilled persons reviews under section 166 of FSMA.
The question your board should be asking is not "do we need ISO 27001?" It is: "What is the defensible minimum evidence base we need to pass an FCA supervisory review and a DORA oversight request without remediation findings?" The answer is a certified ISMS, an operational resilience framework integrated into it, a third-party risk register with tested exits, and an incident notification runbook mapped to FCA and DORA timelines. ISO 27001 is the entry point to that answer. It is not the whole answer.
For a UK fintech under FCA supervision with any EU exposure, a defensible programme of roughly nine months looks like this. Weeks 1 to 12: ISO 27001 implementation through to the Stage 2 certification audit. Weeks 8 to 20 (overlapping): operational resilience framework build-out aligned with PS21/3, identifying Important Business Services and setting Impact Tolerances. Weeks 13 to 24: DORA gap assessment against the ISO 27001 baseline, with incremental control build-out for the roughly one quarter of DORA requirements the ISMS does not already satisfy. Weeks 20 to 36: ISO 22301 certification for business continuity, where DORA's testing requirements or FCA Impact Tolerances warrant independent attestation. Throughout, a parallel workstream for third-party risk register build-out and exit plan testing.
Total engagement cost for a sub-150-person fintech is typically 45,000 to 75,000 pounds across all workstreams. Set against the cost of a section 166 remediation exercise following a supervisory finding, routinely 250,000 to 1 million pounds in skilled persons fees alone, the proactive path is significantly cheaper. Building equivalent evidence internally without certification is perfectly legal, but it is usually more expensive and harder to defend to a regulator who prefers independently audited assurance over internal documentation.