ISO-IEC 27031 2025.docx

IECInternationalStandardISO/IEC27031Secondedition2025-05CybersecurityInformationandcommunicationtechnologyreadinessforbusinesscontinuityCybersecuritePreparationdestechnologiesdeinformationetdelacommunicationpourlacontinuited'activiteReferencenumberISO/IEC27031:2025(en)COPYRIGHTPROTECTEDDOCUMENT©ISO/IEC2025Allrightsreserved.Unlessotherwisespecified,orrequiredinthecontextofitsimplementation,nopartofthispublicationmaybereproducedorutilizedotherwiseinanyformorbyanymeans,electronicormechanical,includingphotocopying,orpostingontheinternetoranintranet,withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOattheaddressbeloworISO,smemberbodyinthecountryoftherequester.ISOcopyrightofficeCP401Ch.deBlandonnet8CH-1214Vernier,GenevaPhone:+4122749Ol11Email:copyrightiso.orgWebsite:www.iso.orgPublishedinSwitzerlandContentsPageForewordvIntroductionvi1 Scope12 Normativereferences13 Termsanddefinitions14 Abbreviatedterms35 Structureofthisdocument35.1 General36 IntegrationofIRBCintoBCM36.1 General36.2 Enablinggovernance46.3 Businesscontinuitymanagementobjectives56.4 RiskmanagementandapplicablecontrolsforIRBC66.5 IncidentmanagementandrelationshiptoIRBC66.6 BCMstrategiesandalignmenttoIRBC67 BusinessexpectationsforIRBC77.1 Riskreview77.1.1 General77.1.2 Monitoring,detectionandanalysisofthreatsandevents87.2 Inputsfrombusinessimpactanalysis87.2.1 General87.2.2 UnderstandingcriticalICTservices87.2.3 AssessingICTreadinessagainstbusinesscontinuityrequirements97.3 Coverageandinterfaces97.3.1 General97.3.2 ICTdependenciesforthescope107.3.3 Determineanycontractualaspectsofdependencies108 DefiningprerequisitesforIRBC108.1 Incidentbased-preparationbeforeincident108.1.1 General108.1.2 ICTRecoverycapabilities118.1.3 EstablishinganIRBC118.1.4 Settingobjectives118.1.5 DeterminingpossibleoutcomesandbenefitsofIRBC128.1.6 Equipmentredundancyplanning138.1.7 DeterminingthescopeofICTservicesrelatedtotheobjectives138.2 DeterminingtargetICTRTOandRPO149 DeterminingIRBCstrategies159.1 General159.2 IRBCstrategyoptions159.2.1 General159.2.2 Skillsandknowledge169.2.3 Facilities169.2.4 Technology179.2.5 Data179.2.6 Processes189.2.7 Suppliers1810 DeterminingtheICTcontinuityplan1910.1 Prerequisitesforthedevelopmentofplans1910.1.1 Determiningandsettingtherecoveryorganization1910.1.2 Determiningtimeframesforplandevelopment,reportingandtesting1910.1.3 Resources2010.1.4 CompetencyofIRBCstaff.2010.1.5 Technologicalsolutions2110.2 Recoveryplanactivation2110.2.1 ICTBCPActivation2110.2.2 Escalation2110.3 ICTrecoveryplans2210.3.1 RPOandRTOplansforICT2210.3.2 Facilities2210.3.3 Technology2210.3.4 Data2210.3.5 Responseandrecoveryprocedures2310.3.6 People2310.4 Temporaryworkaroundplans2310.5 Externalcontactsandprocedures2311 Testing,exercise,andauditing2311.1 Performancecriteria2311.2 Testingdependencies2411.2.1 Testandexercise2411.2.2 Testandexerciseprogram2411.2.3 Scopeofexercises2511.2.4 Planninganexercise2511.2.5 Alertbasedanddifferentrecoverystages2611.2.6 Managinganexercise2711.3 Learningfromtests2811.4 AuditingtheIRBC2811.5 Controlofdocumentedinformation2912 FinalMBCO2913 TopmanagementresponsibilitiesregardingevaluatingtheIRBC2913.1 General2913.2 Managementresponsibilities29Annex A (informative)ComparingRTOandRPOtobusinessobjectivesforICTrecovery31Annex B (informative)RiskreportingforFMEA32Bibliography33ForewordISO(theInternationalOrganizationforStandardization)andIEC(theInternationalElectrotechnicalCommission)formthespecializedsystemforworldwidestandardization.NationalbodiesthataremembersofISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnicalcommitteesestablishedbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutualinterest.Otherinternationalorganizations,governmentalandnon-governmentabinliaisonwithISOandIEC,alsotakepartinthework.TheproceduresusedtodevelopthisdocumentandthoseintendedforitsfurthermaintenancearedescribedintheISO/IECDirectives,Part1.Inparticular,thedifferentapprovalcriterianeededforthedifferenttypesofdocumentshouldbenoted.ThisdocumentwasdraftedinaccordancewiththeeditorialrulesoftheISO/IECDirectives,Part2(seeWWW.iso.org/directivesorwww.iec.ch/membersexpvrtsrefdocs).ISOandIECdrawattentiontothepossibilitythattheimplementationofthisdocumentmayinvolvetheuseof（八）patent(三).ISOandIECtakenopositionconcerningtheevidence,validityorapplicabilityofanyclaimedpatentrightsinrespectthereof.Asofthedateofpublicationofthisdocument,ISOandIEChadnotreceivednoticeof（八）patent(三)whichmayberequiredtoimplementthisdocument.However,Implementersarecautionedthatthismaynotrepresentthelatestinformation,whichmaybeobtainedfromthepatentd