ISOIEC 27031 2025.docx

《ISOIEC 27031 2025.docx》由会员分享，可在线阅读，更多相关《ISOIEC 27031 2025.docx（36页珍藏版）》请在三一文库上搜索。

1、IECInternationalStandardISO/IEC27031Secondedition2025-05CybersecurityInformationandcommunicationtechnologyreadinessforbusinesscontinuityCybersecuritePreparationdestechnologiesdeinformationetdelacommunicationpourlacontinuitedactiviteReferencenumberISO/IEC27031:2025(en)COPYRIGHTPROTECTEDDOCUMENTISO/IE

2、C2025Allrightsreserved.Unlessotherwisespecified,orrequiredinthecontextofitsimplementation,nopartofthispublicationmaybereproducedorutilizedotherwiseinanyformorbyanymeans,electronicormechanical,includingphotocopying,orpostingontheinternetoranintranet,withoutpriorwrittenpermission.Permissioncanbereques

3、tedfromeitherISOattheaddressbeloworISO,smemberbodyinthecountryoftherequester.ISOcopyrightofficeCP401Ch.deBlandonnet8CH-1214Vernier,GenevaPhone:+4122749Ol11Email:copyrightiso.orgWebsite:www.iso.orgPublishedinSwitzerlandContentsPageForewordvIntroductionvi1 Scope12 Normativereferences13 Termsanddefinit

4、ions14 Abbreviatedterms35 Structureofthisdocument35.1 General36 IntegrationofIRBCintoBCM36.1 General36.2 Enablinggovernance46.3 Businesscontinuitymanagementobjectives56.4 RiskmanagementandapplicablecontrolsforIRBC66.5 IncidentmanagementandrelationshiptoIRBC66.6 BCMstrategiesandalignmenttoIRBC67 Busi

5、nessexpectationsforIRBC77.1 Riskreview77.1.1 General77.1.2 Monitoring,detectionandanalysisofthreatsandevents87.2 Inputsfrombusinessimpactanalysis87.2.1 General87.2.2 UnderstandingcriticalICTservices87.2.3 AssessingICTreadinessagainstbusinesscontinuityrequirements97.3 Coverageandinterfaces97.3.1 Gene

6、ral97.3.2 ICTdependenciesforthescope107.3.3 Determineanycontractualaspectsofdependencies108 DefiningprerequisitesforIRBC108.1 Incidentbased-preparationbeforeincident108.1.1 General108.1.2 ICTRecoverycapabilities118.1.3 EstablishinganIRBC118.1.4 Settingobjectives118.1.5 Determiningpossibleoutcomesand

7、benefitsofIRBC128.1.6 Equipmentredundancyplanning138.1.7 DeterminingthescopeofICTservicesrelatedtotheobjectives138.2 DeterminingtargetICTRTOandRPO149 DeterminingIRBCstrategies159.1 General159.2 IRBCstrategyoptions159.2.1 General159.2.2 Skillsandknowledge169.2.3 Facilities169.2.4 Technology179.2.5 Da

8、ta179.2.6 Processes189.2.7 Suppliers1810 DeterminingtheICTcontinuityplan1910.1 Prerequisitesforthedevelopmentofplans1910.1.1 Determiningandsettingtherecoveryorganization1910.1.2 Determiningtimeframesforplandevelopment,reportingandtesting1910.1.3 Resources2010.1.4 CompetencyofIRBCstaff.2010.1.5 Techn

9、ologicalsolutions2110.2 Recoveryplanactivation2110.2.1 ICTBCPActivation2110.2.2 Escalation2110.3 ICTrecoveryplans2210.3.1 RPOandRTOplansforICT2210.3.2 Facilities2210.3.3 Technology2210.3.4 Data2210.3.5 Responseandrecoveryprocedures2310.3.6 People2310.4 Temporaryworkaroundplans2310.5 Externalcontacts

10、andprocedures2311 Testing,exercise,andauditing2311.1 Performancecriteria2311.2 Testingdependencies2411.2.1 Testandexercise2411.2.2 Testandexerciseprogram2411.2.3 Scopeofexercises2511.2.4 Planninganexercise2511.2.5 Alertbasedanddifferentrecoverystages2611.2.6 Managinganexercise2711.3 Learningfromtest

11、s2811.4 AuditingtheIRBC2811.5 Controlofdocumentedinformation2912 FinalMBCO2913 TopmanagementresponsibilitiesregardingevaluatingtheIRBC2913.1 General2913.2 Managementresponsibilities29Annex A (informative)ComparingRTOandRPOtobusinessobjectivesforICTrecovery31Annex B (informative)RiskreportingforFMEA3

12、2Bibliography33ForewordISO(theInternationalOrganizationforStandardization)andIEC(theInternationalElectrotechnicalCommission)formthespecializedsystemforworldwidestandardization.NationalbodiesthataremembersofISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnicalcommitteesestablish

13、edbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutualinterest.Otherinternationalorganizations,governmentalandnon-governmentabinliaisonwithISOandIEC,alsotakepartinthework.Theproceduresusedtodevelopthisdocumentandthoseintende

14、dforitsfurthermaintenancearedescribedintheISO/IECDirectives,Part1.Inparticular,thedifferentapprovalcriterianeededforthedifferenttypesofdocumentshouldbenoted.ThisdocumentwasdraftedinaccordancewiththeeditorialrulesoftheISO/IECDirectives,Part2(seeWWW.iso.org/directivesorwww.iec.ch/membersexpvrtsrefdocs

15、).ISOandIECdrawattentiontothepossibilitythattheimplementationofthisdocumentmayinvolvetheuseof（八）patent(三).ISOandIECtakenopositionconcerningtheevidence,validityorapplicabilityofanyclaimedpatentrightsinrespectthereof.Asofthedateofpublicationofthisdocument,ISOandIEChadnotreceivednoticeof（八）patent(三)whi

16、chmayberequiredtoimplementthisdocument.However,Implementersarecautionedthatthismaynotrepresentthelatestinformation,whichmaybeobtainedfromthepatentdatabaseavailableatWWW.isoorg/patentsandhttps:PatentS.iec.ch.ISOandIECshallnotbeheldresponsibleforidentifyinganyorallsuchpatentrights.Anytradenameusedinth

17、isdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.Foranexplanationofthevoluntarynatureofstandards,themeaningofISOspecifictermsandexpressionsrelatedtoconformityassessment,aswellasinformationaboutISOsadherencetotheWorldTradeOrganization(WTO)principlesintheTechnicalB

18、arrierstoTrade(TBT)seeWWW.iso.org/iso/foreword.htmLIntheIEC,seeWWW.iecchundvrstanding-standards.ThisdocumentwaspreparedbyJointTechnicalCommitteeISO/IECJTC1,Informationtechnology,SubcommitteeSC27,Informationsecurity,cybersecurityandprivacyprotection.Thissecondeditioncancelsandreplacesthefirstedition(

19、ISO/IEC27031:2011),whichhasbeentechnicallyrevised.Themainchangesareasfollows:一thestructureofthedocumenthasbeenchanged;一thescopehasbeenchangedforclarification;一technicalcontenthasbeenaddedin6.4,656.6,9.2and10.1.5.Anyfeedbackorquestionsonthisdocumentshouldbedirectedtotheusersnationalstandardsbody.Acom

20、pletelistingofthesebodiescanbefoundatWWW.isoQrgmDmbers.htmlandWWW.iecchnational-committees.IntroductionOvertheyears,informationandcommunicationtechnology(ICT)hasbecomeanintegralpartofmanyoftheactivitieswithinthecriticalinfrastructuresinallorganizationalsectors,whetherpublicorprivate.Theproliferation

21、oftheinternetandotherelectronicnetworkingservices,aswellasthecapabilitiesofsystemsandapplications,hasalsoresultedinorganizationsbecomingmorereliantonreliable,safeandsecureICTinfrastructures.Meanwhile,theneedforbusinesscontinuitymanagement(BCM),includingincidentpreparedness,disasterrecoveryplanning,a

22、ndemergencyresponseandmanagement,hasbeenrecognizedandsupportedwiththedevelopmentandendorsementofspecificdomainsofknowledge,expertise,andstandards,includingISO22313.FailuresofICTservices,includingthosecausedbysecurityissuessuchassystemsintrusionandmalwareinfections,impactthecontinuityofbusinessoperat

23、ions.Thus,managingICTandrelatedcontinuity,aswellasothersecurityaspects,formakeypartofbusinesscontinuityrequirements.Furthermore,inthemajorityofcases,thecriticalprocessesandactivitiesthatrequirebusinesscontinuityareusuallydependentuponICT.ThisdependencemeansthatdisruptionstoICTcanconstitutestrategicr

24、iskstothereputationoftheorganizationanditsabilitytooperate.TheadventandincreasingdominanceofInternet-basedICTservices(cloudICTservices)hascausedthenatureofpreparednesstochangefromrelyingoninternalprocessestoarelianceonthequalityandrobustnessofservicesfromotherorganizationsandtheassociatedbusinessrel

25、ationshipswithsuchorganizations.ICTreadinessisanessentialcomponentformanyorganizationsintheimplementationOfbusinesscontinuitymanagementandinformationsecuritymanagement.Asaresult,effectiveBCMisfrequentlydependentuponeffectiveICTreadinesstoensurethattheorganizationsobjectivescancontinuetobemetduringdi

26、sruptions.ThisisparticularlyimportantastheconsequencesofdisruptionstoICToftenhavetheaddedcomplicationofbeinginvisibleordifficulttodetect.ForanorganizationtoachieveICTreadinessforbusinesscontinuity(IRBC),itshouldputinplaceasystematicprocesstoprevent,predictandmanageICTdisruptionsandincidentswhichhave

27、thepotentialtodisruptICTservices.ThiscanbeachievedbycoordinatingIRBCwiththeinformationsecurityandBCMprocesses.Inthisway,IRBCsupportsBCMbyensuringthattheICTservicescanberecoveredtopredeterminedlevelswithintimescalesrequiredandagreedbytheorganization.Ifanorganizationisusingrelevantinformationsecuritya

28、ndbusinesscontinuitystandards,theestablishmentofIRBCshouldpreferablytakeintoconsiderationexistingorintendedprocesseslinkedtothesestandards.ThislinkagecansupporttheestablishmentofIRBCandalsoavoidanydualprocessesfortheorganization.ThisdocumentdescribestheconceptsandprinciplesofICTreadinessforbusinessc

29、ontinuity(IRBC)andprovidesaframeworkofmethodsandprocessestoidentifyandspecifyaspectsforimprovinganorganizationsICTreadinesstoensurebusinesscontinuity.ThisdocumentcomplementstheinformationsecuritycontrolsrelatingtobusinesscontinuityinISO/IEC27002.Italsosupportstheinformationsecurityriskmanagementproc

30、essspecifiedinISO/IEC27005.BaseduponICTreadinessobjectives,thisdocumentalsoextendsthepracticesofinformationsecurityincidentmanagementintoICTreadinessplanning,trainingandoperation.CybersecurityInformationandcommunicationtechnologyreadinessforbusinesscontinuity1 ScopeThisdocumentdescribestheconceptsan

31、dprinciplesofinformationandcommunicationtechnology(ICT)readinessforbusinesscontinuity(IRBC).ItprovidesaframeworkofmethodsandprocessestoidentifyandspecifyaspectsforimprovinganorganizationsICTreadinesstoensurebusinesscontinuity.ThisdocumentservesthefollowingbusinesscontinuityobjectivesforICT:一minimumb

32、usinesscontinuityobjective(MBCO),一recoverypointobjective(RPO),recoverytimeobjective(RTo)aspartoftheICTbusinesscontinuityplanning.Thisdocumentisapplicabletoalltypesandsizesoforganizations.ThisdocumentdescribeshowICTdepartmentsplanandpreparetocontributetotheresilienceobjectivesoftheorganization.2 Norm

33、ativereferencesThefollowingdocumentsarereferredtointhetextinsuchawaythatsomeoralloftheircontentconstitutesrequirementsofthisdocument.Fordatedreferences,onlytheeditioncitedapplies.Forundatedreferences,thelatesteditionofthereferenceddocument(includinganyamendments)applies.ISO/IEC27000,Informationtechn

34、ologySecuritytechniquesInformationsecuritymanagementsystemsOverviewandvocabularyISO/IEC27002,Informationsecurity,cybersecurityandprivacyprotectionInformationsecuritycontrolsISO/IEC27005,Informationsecurity,cybersecurityandprivacyprotectionGuidanceonmanaginginformationsecurityrisksISO/IEC27035-1:2023

35、InformationtechnologyInformationsecurityincidentmanagementPart1:PrinciplesandprocessISO22300,SecurityandresilienceVocabularyISO22301,SecurityandresilienceBusinesscontinuitymanagementsystemsRequirements3 TermsanddefinitionsForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000,ISO/IE

36、C27002,ISO/IEC27005JSOIEC27035-LISO22300JSO223OLandthefollowingapply.ISOandIECmaintainterminologydatabasesforuseinstandardizationatthefollowingaddresses:一ISOOnlinebrowsingplatform:availableathttps:WWW.iso.org/obp一IECElectropedia:availableathttps:WWW.electropedia.org/3.1failuremodemannerbywhichafailu

37、reisobservedNote1toentry:Thisgenerallydescribesthewayfailureoccursanditsimpactontheoperationofthesystem.3.2informationandcommunicationtechnologydisasterrecoveryabilityoftheinformationandcommunicationtechnologyelementsofanorganizationtosupportitscriticalprocessesandactivitiestoanacceptablelevelwithin

38、apredeterminedperiodoftimefollowingadisruption3.3informationandcommunicationtechnologyreadinessstateofaninformationandcommunicationtechnology(ICT)functioninwhichithastheknowledge,skills,processes,architecture,infrastructureandtherelatedtechnologiesinpreparationforapotentialeventthatwouldleadtoeither

39、anintolerabledisruptionofICToranintolerabledatalossNote1toentry:ThisdoesnotmeanthattheICTfunctionisallknowingandabletodoeverything,butratheritisfitforpurposeandinreadinessforthepreparation,theresponseandtherecoveryathand,ifsuchacontingencyoccurs.3.4minimumbusinesscontinuityobjectiveMBCOminimumlevelo

40、fservicesand/orproductsthatisacceptabletotheorganizationtoachieveitsbusinessobjectivesduringadisruption3.5recoverypointobjectiveRPOpointtowhichinformationusedbyanactivityisrestoredtoenabletheactivitytooperateonresumptionNote1toentry:Canalsobereferredtoas“maximumdataloss.3.6recoverytimeobjectiveRTOpe

41、riodoftimefollowinganincidentwithinwhichaproductandserviceoranactivityisresumed,orresourcesarerecovered3.7restorationlevelofrecoveryofdata,ICTsystemsandbusinessoperationstothenormalstateafteradisruptionwithaminimalloss,ifany3.8triggereventthatcausesthesystemtoinitiatearesponseNote1toentry:Alsoknowna

42、striggeringevent.4 AbbreviatedtermsBCPbusinesscontinuityplanBIAbusinessimpactanalysisHVACheating,ventilationandair-conditioningICTinformationandcommunicationtechnologyIRBCICTreadinessforbusinesscontinuityMBCOminimumbusinesscontinuityobjectiveRPOrecoverypointobjectiveRTOrecoverytimeobjective5 Structu

43、reofthisdocument5.1 GeneralTheintentionofeachclauseofthisdocumentisasfollows:一ClaUSe6explainshowIRBCislinkedtoBCMandotherorganizationalprocessesthatarerelatedtoIRBC;一ClaUSe7explainshowthebusinesscontinuityfortheorganizationsetsobjectivesthatIRBCshouldtrytomeet;一ClaUSe8providesguidanceonwhatisneededt

44、odefinetheICTcurrentcharacteristicsthataffecttheIRBC;一ClaUSe9providesguidanceondifferentstrategiesthatcanbeusedandshouldbedeterminedforIRBCpendingtheobjectivesandcurrentcharacteristicsofICTthatICTcontinuityplansshouldfollow;一ClaUSe10providesguidanceonhowtodesignICTcontinuityplansbasedondeterminedstr

45、ategiesandhowtoaddressdifferenttypesofadversesituationstomeetthecontinuityobjectivesforICT;一ClaUSe11providesguidanceonhowtotestandfinalizetheICTcontinuityplans;一ClaUSe12providesguidanceonhowtoestablishfinalRPOsandRTOsbasedontheICTcontinuityplansanddeterminetheabilitytomeetthebusinessrequirements;一Cl

46、aUSe13providesguidanceonthefeedbackofIRBCtotopmanagementtoapprovetheplansorrisktreatmentdecisions,ifthebusinessobjectiveshavenotbeenmet.SpecificplanningandverificationsofICTareinstrumentaltobuildandensurethatICTcanfaceevents.Withoutsuchreadiness,theorganizationwouldsufferintolerabledisruptionsofprio

47、ritisedactivitiesordatalosses.Suchevents,potentiallycomingfromtechnicalfailuresorcybersecurityincidents,shouldmotivatetheICTfunctiontointerfaceitsgovernance,planningandoperationwithrequirementscomingfromthedecisionmakingactivityofbusinesscontinuitymanagementandinformationsecuritymanagement.6 Integra

48、tionofIRBCintoBCM6.1 GeneralDisruptionrelatedriskwithininformationsecurityandICTprimarilyrelatestoavailabilitywhenanadversesituationoccursthatdisruptstheavailabilityofICTservicestobusinessactivities.Therelatedriskshavethecharacteristicsofverylowlikelihood,meaningthattheycanhappenveryrarelyorevennever,but