Topic-specific policies
ISO/IEC 27031

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27031:2011 < Click to purchase via Amazon — Information technology — Security techniques — Guidelines for information and communications technology readiness for business continuity



“ISO/IEC 27031:2011 describes the concepts and principles of  information and comunication technology (ICT) readiness for business  continuity, and provides a framework of methods and processes to  identify and specify all aspects (such as performance criteria, design,  and implementation) for improving an organisation's ICT readiness to  ensure business continuity. It applies to any organisation (private,  governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business  functions. It also enables an organisation to measure performance  parameters that correlate to its IRBC in a consistent and recognized  manner. The scope of ISO/IEC 27031:2011 encompasses all events and incidents  (including security related) that could have an impact on ICT  infrastructure and systems. It includes and extends the practices of  information security incident handling and management and ICT readiness  planning and services.”
[Source: ISO/IEC 27031:2011]


ISO/IEC 27031 provides guidance on the concepts and principles behind the role of Information and Communication Technology in ensuring business continuity.

The standard:

  • Suggests a structure or framework (a coherent set or suite of methods and processes) for any organisation – private, governmental, and non-governmental;
  • Identifies and specifies all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organisation’s ISMS, helping to ensure business continuity;
  • Enables an organisation to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.


Scope and purpose

The standard encompasses all events and incidents (not just information security related) that could have an impact on ICT infrastructure and systems. It therefore extends the practices of information security incident handling and management, ICT readiness planning and services.

ICT Readiness for Business Continuity [a general term for the processes described in the standard] supports Business Continuity Management “by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organisation.”

ICT readiness is important for business continuity purposes because:

  • ICT is prevalent and many organisations are highly dependent on ICT supporting critical business processes;
  • ICT also supports incident, business continuity, disaster and emergency response, and related management processes;
  • Business continuity planning is incomplete without adequately considering and protecting ICT availability and continuity.

ICT readiness encompasses:

  • Preparing the organisation’s ICT (i.e. the IT infrastructure, operations and applications), plus the associated processes and people, against unforeseeable events that could change the risk environment and impact ICT and business continuity;
  • Leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities.

ICT readiness should of course reduce the impact (meaning the extent, duration and/or consequences) of information security incidents on the organisation.

The standard incorporates the cyclical Plan-Do-Check-Act Deming-style approach, extending the conventional business continuity planning process to take greater account of ICT. It incorporates ‘failure scenario assessment methods’ such as Failure Modes and Effects Analysis, with a focus on identifying ‘triggering events’ that could precipitate more or less serious incidents.

The SC 27 team responsible for ISO/IEC 27031 liaised with ISO Technical Committee 233 on business continuity, to ensure alignment and avoid overlap or conflict. The FCD advised:

“If an organisation is using ISO/IEC 27001 to establish Information Security Management System (ISMS), and/or using ISO 2239PAS or ISO 23301 to establish Business Continuity Management System (BCMS), the establishment of IRBC should preferably take into consideration existing or intended processes linked to these standards. This linkage may support the establishment of IRBC and also avoid any dual processes for the organisation.”


Status of the standard

ISO/IEC 27031 was originally intended to be a multi-part standard but changed to two parts (a formal specification plus a guideline) and finally produced a single part (just the guideline) which was published in 2011.

The routine standard revision project was cancelled in 2020, having reached the 6th Working Draft stage (!) without achieving consensus among the participants. It ran off the rails. It was put out of its misery. It is no more. It has ceased to be.

A new project is once again revising the standard to cover the need for business continuity arising from both deliberate and accidental incidents.

The second edition at 3rd Working Draft stage. The title is to become “Information technology — Cybersecurity — Information and communication technology readiness for business continuity”.

It is due to be published towards the end of 2023.

April update A more succinct scope is under consideration.


Personal comments

The value of this standard is unclear, given that ISO 22301 does such a good job in this general area while ISO/IEC 24762:2008 covers ICT Disaster Recovery.

If it is to remain a part of ISO27k, I personally feel it at least ought to be properly aligned with the current version of ISO 22301, and ideally extended beyond the ICT domain since ISO27k is about information risk and security, not just “ICT” (a clumsy and unnecessary amplification of good old “IT” which in common usage has included comms for, oh at least 50 years). However, the revised project terms of reference re-emphasises that the scope remains tightly focused on ICT:

“The scope of this document is clearly delimited on information and communication technology (ICT) readiness for business continuity. Readiness of ICT for business continuity means that ICT and its operational capabilities demonstrate the ability to achieve desired business continuity objectives in case of a disruption affecting ICT.”

Furthermore, to avoid any hint of overlap/conflict with the ISO 22300 standards, the revised ToR clearly states that ‘27031 will not replace a Business Continuity Management System.

Although the issued standard mentions resilience to as well as recovery from disastrous situations, the coverage on resilience is quite light, perhaps because of the strange definition: “Resilience: ability to transform, renew, and recover, in timely response to events”. That’s just odd! Resilience in the information risk and security context is about the organisation’s information processes, systems and networks bending rather than breaking when under intense pressure. It’s about toughness and determination, keeping the essential core business activities going despite adversity. It involves taking an engineering approach, deliberately and competently designing things for continuity. Common examples for high-availability IT systems are load balancing between redundant servers and comms links, and automated failover. Sound engineering concepts such as more-than-merely-adequate capacity, redundancy, robustness and flexibility ensure that vital business operations are not materially degraded or halted by most incidents. Preventive maintenance and proactive monitoring, extra-cautious change management and slick high-priority incident responses are further controls that help maintain critical services.

The revised standard may adopt ISO 22300:2018’s definition of resilience as “ability to absorb and adapt in a changing environment” with a note about urban resilience (irrelevant to the present context). That vague, off-topic and unhelpful definition belies the standard’s very weak coverage of resilience as a concept that complements conventional incident management, IT disaster recovery and true contingency thinking.

Meanwhile, the draft standard’s lack of coverage of cloud computing is a clear indication of its seriously outdated approach. Cloud is barely even mentioned - little more than a vague and unhelpful comment about the possibility of cloud based ICT recovery services - whereas cloud has become core to ICT for many organisations today, offering performance, scaleability and flexibility that can significantly increase resilience, if properly engineered.

Along similar lines, supply chain/network resilience is also conspicuously absent. The widespread coordination and tight integration of companies in many industries thanks to the Internet has huge implications on business continuity, but the draft standard offers little if any useful guidance in this critically important area.

‘True contingency thinking’ involves the organisation’s flexibility, capability, resources and dogged determination to cope with whatever situations actually eventuate, preparing for the uncertainties and challenges ahead. The draft standard only refers once to ‘contingency’, as a garbled note to a definition of “ICT readiness”.

In order to incorporate the cloud and supply chain aspects, broaden the brief beyond ICT and substantially improve its coverage of resilience and contingency, I feel the standard would need to be substantially restructured and rewritten. Given that less than two years remains on this project, the outcome seems, once again, inevitable ...


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2022 IsecT Ltd.