1、IECInternationalStandardISO/IEC27031Secondedition2025-05CybersecurityInformationandcommunicationtechnologyreadinessforbusinesscontinuityCybersecuritePreparationdestechnologiesdeinformationetdelacommunicationpourlacontinuitedactiviteReferencenumberISO/IEC27031:2025(en)COPYRIGHTPROTECTEDDOCUMENTISO/IE
2、C2025Allrightsreserved.Unlessotherwisespecified,orrequiredinthecontextofitsimplementation,nopartofthispublicationmaybereproducedorutilizedotherwiseinanyformorbyanymeans,electronicormechanical,includingphotocopying,orpostingontheinternetoranintranet,withoutpriorwrittenpermission.Permissioncanbereques
3、tedfromeitherISOattheaddressbeloworISO,smemberbodyinthecountryoftherequester.ISOcopyrightofficeCP401Ch.deBlandonnet8CH-1214Vernier,GenevaPhone:+4122749Ol11Email:copyrightiso.orgWebsite:www.iso.orgPublishedinSwitzerlandContentsPageForewordvIntroductionvi1 Scope12 Normativereferences13 Termsanddefinit
4、ions14 Abbreviatedterms35 Structureofthisdocument35.1 General36 IntegrationofIRBCintoBCM36.1 General36.2 Enablinggovernance46.3 Businesscontinuitymanagementobjectives56.4 RiskmanagementandapplicablecontrolsforIRBC66.5 IncidentmanagementandrelationshiptoIRBC66.6 BCMstrategiesandalignmenttoIRBC67 Busi
5、nessexpectationsforIRBC77.1 Riskreview77.1.1 General77.1.2 Monitoring,detectionandanalysisofthreatsandevents87.2 Inputsfrombusinessimpactanalysis87.2.1 General87.2.2 UnderstandingcriticalICTservices87.2.3 AssessingICTreadinessagainstbusinesscontinuityrequirements97.3 Coverageandinterfaces97.3.1 Gene
6、ral97.3.2 ICTdependenciesforthescope107.3.3 Determineanycontractualaspectsofdependencies108 DefiningprerequisitesforIRBC108.1 Incidentbased-preparationbeforeincident108.1.1 General108.1.2 ICTRecoverycapabilities118.1.3 EstablishinganIRBC118.1.4 Settingobjectives118.1.5 Determiningpossibleoutcomesand
7、benefitsofIRBC128.1.6 Equipmentredundancyplanning138.1.7 DeterminingthescopeofICTservicesrelatedtotheobjectives138.2 DeterminingtargetICTRTOandRPO149 DeterminingIRBCstrategies159.1 General159.2 IRBCstrategyoptions159.2.1 General159.2.2 Skillsandknowledge169.2.3 Facilities169.2.4 Technology179.2.5 Da
8、ta179.2.6 Processes189.2.7 Suppliers1810 DeterminingtheICTcontinuityplan1910.1 Prerequisitesforthedevelopmentofplans1910.1.1 Determiningandsettingtherecoveryorganization1910.1.2 Determiningtimeframesforplandevelopment,reportingandtesting1910.1.3 Resources2010.1.4 CompetencyofIRBCstaff.2010.1.5 Techn
9、ologicalsolutions2110.2 Recoveryplanactivation2110.2.1 ICTBCPActivation2110.2.2 Escalation2110.3 ICTrecoveryplans2210.3.1 RPOandRTOplansforICT2210.3.2 Facilities2210.3.3 Technology2210.3.4 Data2210.3.5 Responseandrecoveryprocedures2310.3.6 People2310.4 Temporaryworkaroundplans2310.5 Externalcontacts
10、andprocedures2311 Testing,exercise,andauditing2311.1 Performancecriteria2311.2 Testingdependencies2411.2.1 Testandexercise2411.2.2 Testandexerciseprogram2411.2.3 Scopeofexercises2511.2.4 Planninganexercise2511.2.5 Alertbasedanddifferentrecoverystages2611.2.6 Managinganexercise2711.3 Learningfromtest
11、s2811.4 AuditingtheIRBC2811.5 Controlofdocumentedinformation2912 FinalMBCO2913 TopmanagementresponsibilitiesregardingevaluatingtheIRBC2913.1 General2913.2 Managementresponsibilities29Annex A (informative)ComparingRTOandRPOtobusinessobjectivesforICTrecovery31Annex B (informative)RiskreportingforFMEA3
12、2Bibliography33ForewordISO(theInternationalOrganizationforStandardization)andIEC(theInternationalElectrotechnicalCommission)formthespecializedsystemforworldwidestandardization.NationalbodiesthataremembersofISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnicalcommitteesestablish
13、edbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutualinterest.Otherinternationalorganizations,governmentalandnon-governmentabinliaisonwithISOandIEC,alsotakepartinthework.Theproceduresusedtodevelopthisdocumentandthoseintende
14、dforitsfurthermaintenancearedescribedintheISO/IECDirectives,Part1.Inparticular,thedifferentapprovalcriterianeededforthedifferenttypesofdocumentshouldbenoted.ThisdocumentwasdraftedinaccordancewiththeeditorialrulesoftheISO/IECDirectives,Part2(seeWWW.iso.org/directivesorwww.iec.ch/membersexpvrtsrefdocs
15、).ISOandIECdrawattentiontothepossibilitythattheimplementationofthisdocumentmayinvolvetheuseof(八)patent(三).ISOandIECtakenopositionconcerningtheevidence,validityorapplicabilityofanyclaimedpatentrightsinrespectthereof.Asofthedateofpublicationofthisdocument,ISOandIEChadnotreceivednoticeof(八)patent(三)whi
16、chmayberequiredtoimplementthisdocument.However,Implementersarecautionedthatthismaynotrepresentthelatestinformation,whichmaybeobtainedfromthepatentdatabaseavailableatWWW.isoorg/patentsandhttps:PatentS.iec.ch.ISOandIECshallnotbeheldresponsibleforidentifyinganyorallsuchpatentrights.Anytradenameusedinth
17、isdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.Foranexplanationofthevoluntarynatureofstandards,themeaningofISOspecifictermsandexpressionsrelatedtoconformityassessment,aswellasinformationaboutISOsadherencetotheWorldTradeOrganization(WTO)principlesintheTechnicalB
18、arrierstoTrade(TBT)seeWWW.iso.org/iso/foreword.htmLIntheIEC,seeWWW.iecchundvrstanding-standards.ThisdocumentwaspreparedbyJointTechnicalCommitteeISO/IECJTC1,Informationtechnology,SubcommitteeSC27,Informationsecurity,cybersecurityandprivacyprotection.Thissecondeditioncancelsandreplacesthefirstedition(
19、ISO/IEC27031:2011),whichhasbeentechnicallyrevised.Themainchangesareasfollows:一thestructureofthedocumenthasbeenchanged;一thescopehasbeenchangedforclarification;一technicalcontenthasbeenaddedin6.4,656.6,9.2and10.1.5.Anyfeedbackorquestionsonthisdocumentshouldbedirectedtotheusersnationalstandardsbody.Acom
20、pletelistingofthesebodiescanbefoundatWWW.isoQrgmDmbers.htmlandWWW.iecchnational-committees.IntroductionOvertheyears,informationandcommunicationtechnology(ICT)hasbecomeanintegralpartofmanyoftheactivitieswithinthecriticalinfrastructuresinallorganizationalsectors,whetherpublicorprivate.Theproliferation
21、oftheinternetandotherelectronicnetworkingservices,aswellasthecapabilitiesofsystemsandapplications,hasalsoresultedinorganizationsbecomingmorereliantonreliable,safeandsecureICTinfrastructures.Meanwhile,theneedforbusinesscontinuitymanagement(BCM),includingincidentpreparedness,disasterrecoveryplanning,a
22、ndemergencyresponseandmanagement,hasbeenrecognizedandsupportedwiththedevelopmentandendorsementofspecificdomainsofknowledge,expertise,andstandards,includingISO22313.FailuresofICTservices,includingthosecausedbysecurityissuessuchassystemsintrusionandmalwareinfections,impactthecontinuityofbusinessoperat
23、ions.Thus,managingICTandrelatedcontinuity,aswellasothersecurityaspects,formakeypartofbusinesscontinuityrequirements.Furthermore,inthemajorityofcases,thecriticalprocessesandactivitiesthatrequirebusinesscontinuityareusuallydependentuponICT.ThisdependencemeansthatdisruptionstoICTcanconstitutestrategicr
24、iskstothereputationoftheorganizationanditsabilitytooperate.TheadventandincreasingdominanceofInternet-basedICTservices(cloudICTservices)hascausedthenatureofpreparednesstochangefromrelyingoninternalprocessestoarelianceonthequalityandrobustnessofservicesfromotherorganizationsandtheassociatedbusinessrel
25、ationshipswithsuchorganizations.ICTreadinessisanessentialcomponentformanyorganizationsintheimplementationOfbusinesscontinuitymanagementandinformationsecuritymanagement.Asaresult,effectiveBCMisfrequentlydependentuponeffectiveICTreadinesstoensurethattheorganizationsobjectivescancontinuetobemetduringdi
26、sruptions.ThisisparticularlyimportantastheconsequencesofdisruptionstoICToftenhavetheaddedcomplicationofbeinginvisibleordifficulttodetect.ForanorganizationtoachieveICTreadinessforbusinesscontinuity(IRBC),itshouldputinplaceasystematicprocesstoprevent,predictandmanageICTdisruptionsandincidentswhichhave
27、thepotentialtodisruptICTservices.ThiscanbeachievedbycoordinatingIRBCwiththeinformationsecurityandBCMprocesses.Inthisway,IRBCsupportsBCMbyensuringthattheICTservicescanberecoveredtopredeterminedlevelswithintimescalesrequiredandagreedbytheorganization.Ifanorganizationisusingrelevantinformationsecuritya
28、ndbusinesscontinuitystandards,theestablishmentofIRBCshouldpreferablytakeintoconsiderationexistingorintendedprocesseslinkedtothesestandards.ThislinkagecansupporttheestablishmentofIRBCandalsoavoidanydualprocessesfortheorganization.ThisdocumentdescribestheconceptsandprinciplesofICTreadinessforbusinessc
29、ontinuity(IRBC)andprovidesaframeworkofmethodsandprocessestoidentifyandspecifyaspectsforimprovinganorganizationsICTreadinesstoensurebusinesscontinuity.ThisdocumentcomplementstheinformationsecuritycontrolsrelatingtobusinesscontinuityinISO/IEC27002.Italsosupportstheinformationsecurityriskmanagementproc
30、essspecifiedinISO/IEC27005.BaseduponICTreadinessobjectives,thisdocumentalsoextendsthepracticesofinformationsecurityincidentmanagementintoICTreadinessplanning,trainingandoperation.CybersecurityInformationandcommunicationtechnologyreadinessforbusinesscontinuity1 ScopeThisdocumentdescribestheconceptsan
31、dprinciplesofinformationandcommunicationtechnology(ICT)readinessforbusinesscontinuity(IRBC).ItprovidesaframeworkofmethodsandprocessestoidentifyandspecifyaspectsforimprovinganorganizationsICTreadinesstoensurebusinesscontinuity.ThisdocumentservesthefollowingbusinesscontinuityobjectivesforICT:一minimumb
32、usinesscontinuityobjective(MBCO),一recoverypointobjective(RPO),recoverytimeobjective(RTo)aspartoftheICTbusinesscontinuityplanning.Thisdocumentisapplicabletoalltypesandsizesoforganizations.ThisdocumentdescribeshowICTdepartmentsplanandpreparetocontributetotheresilienceobjectivesoftheorganization.2 Norm
33、ativereferencesThefollowingdocumentsarereferredtointhetextinsuchawaythatsomeoralloftheircontentconstitutesrequirementsofthisdocument.Fordatedreferences,onlytheeditioncitedapplies.Forundatedreferences,thelatesteditionofthereferenceddocument(includinganyamendments)applies.ISO/IEC27000,Informationtechn
34、ologySecuritytechniquesInformationsecuritymanagementsystemsOverviewandvocabularyISO/IEC27002,Informationsecurity,cybersecurityandprivacyprotectionInformationsecuritycontrolsISO/IEC27005,Informationsecurity,cybersecurityandprivacyprotectionGuidanceonmanaginginformationsecurityrisksISO/IEC27035-1:2023
35、InformationtechnologyInformationsecurityincidentmanagementPart1:PrinciplesandprocessISO22300,SecurityandresilienceVocabularyISO22301,SecurityandresilienceBusinesscontinuitymanagementsystemsRequirements3 TermsanddefinitionsForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000,ISO/IE
36、C27002,ISO/IEC27005JSOIEC27035-LISO22300JSO223OLandthefollowingapply.ISOandIECmaintainterminologydatabasesforuseinstandardizationatthefollowingaddresses:一ISOOnlinebrowsingplatform:availableathttps:WWW.iso.org/obp一IECElectropedia:availableathttps:WWW.electropedia.org/3.1failuremodemannerbywhichafailu
37、reisobservedNote1toentry:Thisgenerallydescribesthewayfailureoccursanditsimpactontheoperationofthesystem.3.2informationandcommunicationtechnologydisasterrecoveryabilityoftheinformationandcommunicationtechnologyelementsofanorganizationtosupportitscriticalprocessesandactivitiestoanacceptablelevelwithin
38、apredeterminedperiodoftimefollowingadisruption3.3informationandcommunicationtechnologyreadinessstateofaninformationandcommunicationtechnology(ICT)functioninwhichithastheknowledge,skills,processes,architecture,infrastructureandtherelatedtechnologiesinpreparationforapotentialeventthatwouldleadtoeither
39、anintolerabledisruptionofICToranintolerabledatalossNote1toentry:ThisdoesnotmeanthattheICTfunctionisallknowingandabletodoeverything,butratheritisfitforpurposeandinreadinessforthepreparation,theresponseandtherecoveryathand,ifsuchacontingencyoccurs.3.4minimumbusinesscontinuityobjectiveMBCOminimumlevelo
40、fservicesand/orproductsthatisacceptabletotheorganizationtoachieveitsbusinessobjectivesduringadisruption3.5recoverypointobjectiveRPOpointtowhichinformationusedbyanactivityisrestoredtoenabletheactivitytooperateonresumptionNote1toentry:Canalsobereferredtoas“maximumdataloss.3.6recoverytimeobjectiveRTOpe
41、riodoftimefollowinganincidentwithinwhichaproductandserviceoranactivityisresumed,orresourcesarerecovered3.7restorationlevelofrecoveryofdata,ICTsystemsandbusinessoperationstothenormalstateafteradisruptionwithaminimalloss,ifany3.8triggereventthatcausesthesystemtoinitiatearesponseNote1toentry:Alsoknowna
42、striggeringevent.4 AbbreviatedtermsBCPbusinesscontinuityplanBIAbusinessimpactanalysisHVACheating,ventilationandair-conditioningICTinformationandcommunicationtechnologyIRBCICTreadinessforbusinesscontinuityMBCOminimumbusinesscontinuityobjectiveRPOrecoverypointobjectiveRTOrecoverytimeobjective5 Structu
43、reofthisdocument5.1 GeneralTheintentionofeachclauseofthisdocumentisasfollows:一ClaUSe6explainshowIRBCislinkedtoBCMandotherorganizationalprocessesthatarerelatedtoIRBC;一ClaUSe7explainshowthebusinesscontinuityfortheorganizationsetsobjectivesthatIRBCshouldtrytomeet;一ClaUSe8providesguidanceonwhatisneededt
44、odefinetheICTcurrentcharacteristicsthataffecttheIRBC;一ClaUSe9providesguidanceondifferentstrategiesthatcanbeusedandshouldbedeterminedforIRBCpendingtheobjectivesandcurrentcharacteristicsofICTthatICTcontinuityplansshouldfollow;一ClaUSe10providesguidanceonhowtodesignICTcontinuityplansbasedondeterminedstr
45、ategiesandhowtoaddressdifferenttypesofadversesituationstomeetthecontinuityobjectivesforICT;一ClaUSe11providesguidanceonhowtotestandfinalizetheICTcontinuityplans;一ClaUSe12providesguidanceonhowtoestablishfinalRPOsandRTOsbasedontheICTcontinuityplansanddeterminetheabilitytomeetthebusinessrequirements;一Cl
46、aUSe13providesguidanceonthefeedbackofIRBCtotopmanagementtoapprovetheplansorrisktreatmentdecisions,ifthebusinessobjectiveshavenotbeenmet.SpecificplanningandverificationsofICTareinstrumentaltobuildandensurethatICTcanfaceevents.Withoutsuchreadiness,theorganizationwouldsufferintolerabledisruptionsofprio
47、ritisedactivitiesordatalosses.Suchevents,potentiallycomingfromtechnicalfailuresorcybersecurityincidents,shouldmotivatetheICTfunctiontointerfaceitsgovernance,planningandoperationwithrequirementscomingfromthedecisionmakingactivityofbusinesscontinuitymanagementandinformationsecuritymanagement.6 Integra
48、tionofIRBCintoBCM6.1 GeneralDisruptionrelatedriskwithininformationsecurityandICTprimarilyrelatestoavailabilitywhenanadversesituationoccursthatdisruptstheavailabilityofICTservicestobusinessactivities.Therelatedriskshavethecharacteristicsofverylowlikelihood,meaningthattheycanhappenveryrarelyorevennever,but
