Back to blog

DORA deliverables map: governance → operations → evidence

A systemic view of DORA deliverables in three levels: steering & governance, operational execution, and evidence — with article references.

·Read time : 10 min·For Management, compliance, CISO, internal control
DORA deliverables map

Many entities accumulate policies without articulating who decides, who executes, who proves. This map organises DORA deliverables in three levels: Steering & Governance → Operational → Evidence.

Level 1 — Steering & governance

DORA strategy · ICT Risk Committee · Resilience Committee · Major Incident Committee · Critical Third-Party Committee · RACI (Board / CISO / compliance / IT) · risk-acceptance arbitration mechanisms.

Without this level, the rest produces documents — not demonstrable governance.

Level 2 — Operational

Foundational inventories

Critical business functions · third-party-dependent processes · critical ICT assets · inventory owners and update rules. See register guide.

Resilience chain

Protection → Detection → ICT incident management (incl. major-incident criteria) → Response & recovery → Learning (awareness, RCA). See incident cheat sheet.

Strategic pillar: ICT third-party risk

Third-party risk strategy · critical/important ICT services policy · register of information · exit plans. See TPRM and exit plan.

Level 3 — Evidence

Regulatory: ICT incident register, RoI, logging, major-incident notifications, risk-framework review, ICT audit plan.
Steering: committee minutes, policy reviews after tests/incidents, risk-acceptance decisions, ICT BCP test documentation.

How to read the map

Governance first → inventories next → operational chain → continuous evidence (not rebuilt the day before an inspection).

Axenia’s role. Axenia links requirements, controls, evidence, third parties and incidents on one foundation — so the deliverables map is a living framework, not a slide deck.