ISOIEC 27031 2025.docx
《ISOIEC 27031 2025.docx》由会员分享,可在线阅读,更多相关《ISOIEC 27031 2025.docx(36页珍藏版)》请在三一文库上搜索。
1、IECInternationalStandardISO/IEC27031Secondedition2025-05CybersecurityInformationandcommunicationtechnologyreadinessforbusinesscontinuityCybersecuritePreparationdestechnologiesdeinformationetdelacommunicationpourlacontinuitedactiviteReferencenumberISO/IEC27031:2025(en)COPYRIGHTPROTECTEDDOCUMENTISO/IE
2、C2025Allrightsreserved.Unlessotherwisespecified,orrequiredinthecontextofitsimplementation,nopartofthispublicationmaybereproducedorutilizedotherwiseinanyformorbyanymeans,electronicormechanical,includingphotocopying,orpostingontheinternetoranintranet,withoutpriorwrittenpermission.Permissioncanbereques
3、tedfromeitherISOattheaddressbeloworISO,smemberbodyinthecountryoftherequester.ISOcopyrightofficeCP401Ch.deBlandonnet8CH-1214Vernier,GenevaPhone:+4122749Ol11Email:copyrightiso.orgWebsite:www.iso.orgPublishedinSwitzerlandContentsPageForewordvIntroductionvi1 Scope12 Normativereferences13 Termsanddefinit
4、ions14 Abbreviatedterms35 Structureofthisdocument35.1 General36 IntegrationofIRBCintoBCM36.1 General36.2 Enablinggovernance46.3 Businesscontinuitymanagementobjectives56.4 RiskmanagementandapplicablecontrolsforIRBC66.5 IncidentmanagementandrelationshiptoIRBC66.6 BCMstrategiesandalignmenttoIRBC67 Busi
5、nessexpectationsforIRBC77.1 Riskreview77.1.1 General77.1.2 Monitoring,detectionandanalysisofthreatsandevents87.2 Inputsfrombusinessimpactanalysis87.2.1 General87.2.2 UnderstandingcriticalICTservices87.2.3 AssessingICTreadinessagainstbusinesscontinuityrequirements97.3 Coverageandinterfaces97.3.1 Gene
6、ral97.3.2 ICTdependenciesforthescope107.3.3 Determineanycontractualaspectsofdependencies108 DefiningprerequisitesforIRBC108.1 Incidentbased-preparationbeforeincident108.1.1 General108.1.2 ICTRecoverycapabilities118.1.3 EstablishinganIRBC118.1.4 Settingobjectives118.1.5 Determiningpossibleoutcomesand
7、benefitsofIRBC128.1.6 Equipmentredundancyplanning138.1.7 DeterminingthescopeofICTservicesrelatedtotheobjectives138.2 DeterminingtargetICTRTOandRPO149 DeterminingIRBCstrategies159.1 General159.2 IRBCstrategyoptions159.2.1 General159.2.2 Skillsandknowledge169.2.3 Facilities169.2.4 Technology179.2.5 Da
8、ta179.2.6 Processes189.2.7 Suppliers1810 DeterminingtheICTcontinuityplan1910.1 Prerequisitesforthedevelopmentofplans1910.1.1 Determiningandsettingtherecoveryorganization1910.1.2 Determiningtimeframesforplandevelopment,reportingandtesting1910.1.3 Resources2010.1.4 CompetencyofIRBCstaff.2010.1.5 Techn
9、ologicalsolutions2110.2 Recoveryplanactivation2110.2.1 ICTBCPActivation2110.2.2 Escalation2110.3 ICTrecoveryplans2210.3.1 RPOandRTOplansforICT2210.3.2 Facilities2210.3.3 Technology2210.3.4 Data2210.3.5 Responseandrecoveryprocedures2310.3.6 People2310.4 Temporaryworkaroundplans2310.5 Externalcontacts
10、andprocedures2311 Testing,exercise,andauditing2311.1 Performancecriteria2311.2 Testingdependencies2411.2.1 Testandexercise2411.2.2 Testandexerciseprogram2411.2.3 Scopeofexercises2511.2.4 Planninganexercise2511.2.5 Alertbasedanddifferentrecoverystages2611.2.6 Managinganexercise2711.3 Learningfromtest
11、s2811.4 AuditingtheIRBC2811.5 Controlofdocumentedinformation2912 FinalMBCO2913 TopmanagementresponsibilitiesregardingevaluatingtheIRBC2913.1 General2913.2 Managementresponsibilities29Annex A (informative)ComparingRTOandRPOtobusinessobjectivesforICTrecovery31Annex B (informative)RiskreportingforFMEA3
12、2Bibliography33ForewordISO(theInternationalOrganizationforStandardization)andIEC(theInternationalElectrotechnicalCommission)formthespecializedsystemforworldwidestandardization.NationalbodiesthataremembersofISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnicalcommitteesestablish
13、edbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutualinterest.Otherinternationalorganizations,governmentalandnon-governmentabinliaisonwithISOandIEC,alsotakepartinthework.Theproceduresusedtodevelopthisdocumentandthoseintende
14、dforitsfurthermaintenancearedescribedintheISO/IECDirectives,Part1.Inparticular,thedifferentapprovalcriterianeededforthedifferenttypesofdocumentshouldbenoted.ThisdocumentwasdraftedinaccordancewiththeeditorialrulesoftheISO/IECDirectives,Part2(seeWWW.iso.org/directivesorwww.iec.ch/membersexpvrtsrefdocs
15、).ISOandIECdrawattentiontothepossibilitythattheimplementationofthisdocumentmayinvolvetheuseof(八)patent(三).ISOandIECtakenopositionconcerningtheevidence,validityorapplicabilityofanyclaimedpatentrightsinrespectthereof.Asofthedateofpublicationofthisdocument,ISOandIEChadnotreceivednoticeof(八)patent(三)whi
16、chmayberequiredtoimplementthisdocument.However,Implementersarecautionedthatthismaynotrepresentthelatestinformation,whichmaybeobtainedfromthepatentdatabaseavailableatWWW.isoorg/patentsandhttps:PatentS.iec.ch.ISOandIECshallnotbeheldresponsibleforidentifyinganyorallsuchpatentrights.Anytradenameusedinth
17、isdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.Foranexplanationofthevoluntarynatureofstandards,themeaningofISOspecifictermsandexpressionsrelatedtoconformityassessment,aswellasinformationaboutISOsadherencetotheWorldTradeOrganization(WTO)principlesintheTechnicalB
18、arrierstoTrade(TBT)seeWWW.iso.org/iso/foreword.htmLIntheIEC,seeWWW.iecchundvrstanding-standards.ThisdocumentwaspreparedbyJointTechnicalCommitteeISO/IECJTC1,Informationtechnology,SubcommitteeSC27,Informationsecurity,cybersecurityandprivacyprotection.Thissecondeditioncancelsandreplacesthefirstedition(
19、ISO/IEC27031:2011),whichhasbeentechnicallyrevised.Themainchangesareasfollows:一thestructureofthedocumenthasbeenchanged;一thescopehasbeenchangedforclarification;一technicalcontenthasbeenaddedin6.4,656.6,9.2and10.1.5.Anyfeedbackorquestionsonthisdocumentshouldbedirectedtotheusersnationalstandardsbody.Acom
20、pletelistingofthesebodiescanbefoundatWWW.isoQrgmDmbers.htmlandWWW.iecchnational-committees.IntroductionOvertheyears,informationandcommunicationtechnology(ICT)hasbecomeanintegralpartofmanyoftheactivitieswithinthecriticalinfrastructuresinallorganizationalsectors,whetherpublicorprivate.Theproliferation
21、oftheinternetandotherelectronicnetworkingservices,aswellasthecapabilitiesofsystemsandapplications,hasalsoresultedinorganizationsbecomingmorereliantonreliable,safeandsecureICTinfrastructures.Meanwhile,theneedforbusinesscontinuitymanagement(BCM),includingincidentpreparedness,disasterrecoveryplanning,a
22、ndemergencyresponseandmanagement,hasbeenrecognizedandsupportedwiththedevelopmentandendorsementofspecificdomainsofknowledge,expertise,andstandards,includingISO22313.FailuresofICTservices,includingthosecausedbysecurityissuessuchassystemsintrusionandmalwareinfections,impactthecontinuityofbusinessoperat
23、ions.Thus,managingICTandrelatedcontinuity,aswellasothersecurityaspects,formakeypartofbusinesscontinuityrequirements.Furthermore,inthemajorityofcases,thecriticalprocessesandactivitiesthatrequirebusinesscontinuityareusuallydependentuponICT.ThisdependencemeansthatdisruptionstoICTcanconstitutestrategicr
24、iskstothereputationoftheorganizationanditsabilitytooperate.TheadventandincreasingdominanceofInternet-basedICTservices(cloudICTservices)hascausedthenatureofpreparednesstochangefromrelyingoninternalprocessestoarelianceonthequalityandrobustnessofservicesfromotherorganizationsandtheassociatedbusinessrel
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- ISOIEC 27031 2025
