Using DNB Good Practices as input for our security framework

One of the key areas in DORA, the EU Digital Operational Resilience Act, is ICT security policies, procedures, and tools.
For BIQH, this is directly relevant. We are often seen as a critical supplier to our clients, which means that expectations around security are higher and more explicit.
This is one of the reasons why information security is a core part of how we design, operate, and improve our services. We look not only at international standards and frameworks such as ISO 27001 and SOC 2, but also at supervisory practices such as the DNB Good Practice Information Security framework.
In this blog, we explain how these frameworks relate to each other, and how we use them in practice at BIQH.
Why DNB Good Practices matter
The DNB Good Practice provides institutions under the supervision of De Nederlandsche Bank (DNB) with practical tools and control measures to support compliance with legal requirements related to the availability, integrity, confidentiality, and authenticity of data processing.
It provides practical guidance for organisations that need a mature and well-governed approach to information security. It goes beyond high-level principles and focuses on how security controls operate in practice across areas such as governance, risk management, access control, supplier management, monitoring, continuity, and testing.
For us at BIQH, this is highly relevant. It helps ensure that security is not only documented, but also embedded in day-to-day operations and continuously improved.
Strong alignment with ISO 27001 and SOC 2
A large part of the DNB Good Practice framework overlaps with established international standards and frameworks.
- ISO 27001 provides the structure for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
- SOC 2 provides assurance that controls are suitably designed (Type I) and, in a Type II report, that they operated effectively over the reporting period, across the Trust Services Criteria in scope: security (always included), availability, processing integrity, confidentiality, and privacy.
- DORA is not explicitly included in the DNB Good Practice, as the regulatory technical standards (RTS) under DORA had not yet been developed when the framework was last updated. However, many of its underlying principles are already reflected in the DNB approach.
By aligning our internal processes with these standards and frameworks, we strengthen both compliance and the practical effectiveness of our controls.
The BIQH security framework
When comparing the DNB Good Practices, ISO 27001, and SOC 2 with our own setup, we see that the control areas are already embedded in our security framework.
In practice, this includes:
- periodic management review of security risks, priorities, and improvements
- clearly defined roles, responsibilities, and reporting lines
- structured risk assessments and mitigation tracking
- formal change management processes
- defined access management through role-based authorisation
- continuous monitoring of systems, servers, and services
- patch and vulnerability management
- periodic supplier security assessments
- periodic penetration testing
- documented business continuity and restore testing
- continuous improvement through control reviews, findings follow-up, and corrective actions
This means our controls are not static. They are reviewed, monitored, and improved over time based on risk, changes in the threat landscape, and lessons learned.
More than compliance
For us at BIQH, security is not just about passing an audit. It is about building trust, protecting data, and ensuring continuity for our clients and partners.
By aligning not only with ISO 27001, DORA, and SOC 2, but also with national guidelines such as the DNB Good Practices, we ensure that security is part of our governance, our engineering practices, and our day-to-day operations.
Security maturity is not achieved once. It requires continuous attention, monitoring, and improvement. We continue to invest in the effectiveness of our controls, the resilience of our platform, and the transparency of our security processes.
This is how we aim to keep our services secure, reliable, and transparent for our clients.
