《ISO-IEC 27031 2025.docx》由会员分享,可在线阅读,更多相关《ISO-IEC 27031 2025.docx(36页珍藏版)》请在第壹文秘上搜索。
1、IECInternationalStandardISO/IEC27031Secondedition2025-05CybersecurityInformationandcommunicationtechnologyreadinessforbusinesscontinuityCybersecuritePreparationdestechnologiesdeinformationetdelacommunicationpourlacontinuitedactiviteReferencenumberISO/IEC27031:2025(en)COPYRIGHTPROTECTEDDOCUMENTISO/IE
2、C2025Allrightsreserved.Unlessotherwisespecified,orrequiredinthecontextofitsimplementation,nopartofthispublicationmaybereproducedorutilizedotherwiseinanyformorbyanymeans,electronicormechanical,includingphotocopying,orpostingontheinternetoranintranet,withoutpriorwrittenpermission.Permissioncanbereques
3、tedfromeitherISOattheaddressbeloworISO,smemberbodyinthecountryoftherequester.ISOcopyrightofficeCP401Ch.deBlandonnet8CH-1214Vernier,GenevaPhone:+4122749Ol11Email:copyrightiso.orgWebsite:www.iso.orgPublishedinSwitzerlandContentsPageForewordvIntroductionvi1 Scope12 Normativereferences13 Termsanddefinit
4、ions14 Abbreviatedterms35 Structureofthisdocument35.1 General36 IntegrationofIRBCintoBCM36.1 General36.2 Enablinggovernance46.3 Businesscontinuitymanagementobjectives56.4 RiskmanagementandapplicablecontrolsforIRBC66.5 IncidentmanagementandrelationshiptoIRBC66.6 BCMstrategiesandalignmenttoIRBC67 Busi
5、nessexpectationsforIRBC77.1 Riskreview77.1.1 General77.1.2 Monitoring,detectionandanalysisofthreatsandevents87.2 Inputsfrombusinessimpactanalysis87.2.1 General87.2.2 UnderstandingcriticalICTservices87.2.3 AssessingICTreadinessagainstbusinesscontinuityrequirements97.3 Coverageandinterfaces97.3.1 Gene
6、ral97.3.2 ICTdependenciesforthescope107.3.3 Determineanycontractualaspectsofdependencies108 DefiningprerequisitesforIRBC108.1 Incidentbased-preparationbeforeincident108.1.1 General108.1.2 ICTRecoverycapabilities118.1.3 EstablishinganIRBC118.1.4 Settingobjectives118.1.5 Determiningpossibleoutcomesand
7、benefitsofIRBC128.1.6 Equipmentredundancyplanning138.1.7 DeterminingthescopeofICTservicesrelatedtotheobjectives138.2 DeterminingtargetICTRTOandRPO149 DeterminingIRBCstrategies159.1 General159.2 IRBCstrategyoptions159.2.1 General159.2.2 Skillsandknowledge169.2.3 Facilities169.2.4 Technology179.2.5 Da
8、ta179.2.6 Processes189.2.7 Suppliers1810 DeterminingtheICTcontinuityplan1910.1 Prerequisitesforthedevelopmentofplans1910.1.1 Determiningandsettingtherecoveryorganization1910.1.2 Determiningtimeframesforplandevelopment,reportingandtesting1910.1.3 Resources2010.1.4 CompetencyofIRBCstaff.2010.1.5 Techn
9、ologicalsolutions2110.2 Recoveryplanactivation2110.2.1 ICTBCPActivation2110.2.2 Escalation2110.3 ICTrecoveryplans2210.3.1 RPOandRTOplansforICT2210.3.2 Facilities2210.3.3 Technology2210.3.4 Data2210.3.5 Responseandrecoveryprocedures2310.3.6 People2310.4 Temporaryworkaroundplans2310.5 Externalcontacts
10、andprocedures2311 Testing,exercise,andauditing2311.1 Performancecriteria2311.2 Testingdependencies2411.2.1 Testandexercise2411.2.2 Testandexerciseprogram2411.2.3 Scopeofexercises2511.2.4 Planninganexercise2511.2.5 Alertbasedanddifferentrecoverystages2611.2.6 Managinganexercise2711.3 Learningfromtest
11、s2811.4 AuditingtheIRBC2811.5 Controlofdocumentedinformation2912 FinalMBCO2913 TopmanagementresponsibilitiesregardingevaluatingtheIRBC2913.1 General2913.2 Managementresponsibilities29Annex A (informative)ComparingRTOandRPOtobusinessobjectivesforICTrecovery31Annex B (informative)RiskreportingforFMEA3
12、2Bibliography33ForewordISO(theInternationalOrganizationforStandardization)andIEC(theInternationalElectrotechnicalCommission)formthespecializedsystemforworldwidestandardization.NationalbodiesthataremembersofISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnicalcommitteesestablish
13、edbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutualinterest.Otherinternationalorganizations,governmentalandnon-governmentabinliaisonwithISOandIEC,alsotakepartinthework.Theproceduresusedtodevelopthisdocumentandthoseintende
14、dforitsfurthermaintenancearedescribedintheISO/IECDirectives,Part1.Inparticular,thedifferentapprovalcriterianeededforthedifferenttypesofdocumentshouldbenoted.ThisdocumentwasdraftedinaccordancewiththeeditorialrulesoftheISO/IECDirectives,Part2(seeWWW.iso.org/directivesorwww.iec.ch/membersexpvrtsrefdocs
15、).ISOandIECdrawattentiontothepossibilitythattheimplementationofthisdocumentmayinvolvetheuseof(八)patent(三).ISOandIECtakenopositionconcerningtheevidence,validityorapplicabilityofanyclaimedpatentrightsinrespectthereof.Asofthedateofpublicationofthisdocument,ISOandIEChadnotreceivednoticeof(八)patent(三)whichmayberequiredtoimplementthisdocument.However,Implementersarecautionedthatthismaynotrepresentthelatestinformation,whichmaybeobtainedfromthepatentd
