Professional Documents
Culture Documents
The IT Governance
Cyber Resilience
Framework (CRF)
An overview
In a world where committing crimes over the Internet offers an extremely favourable There are different ways to approach cyber security, and the ‘right’ one will depend on
reward-to-risk ratio, cyber criminals are strongly incentivised to target any business your organisation’s specific needs. Here are some points to consider:
with exploitable vulnerabilities. From the attacker’s perspective, this is a
straightforward process: automated tools can identify victims and vulnerabilities. And • What security-related regulatory and contractual requirements do I have?
they do not even need to be picky about who they are targeting, since virtually every • What are my customers’ expectations with respect to security?
organisation holds valuable information, often in huge quantities. • What are my partners and competitors doing in terms of security?
• How mature is my current security?
For organisations that rely heavily on the Internet to do business, cyber security should
As for drawing up an action plan, having an existing framework as a benchmark is
be a priority.
often a good approach. It gives you the assurance that you are taking a tried-and-
tested approach, and achieving certification to frameworks that offer it (such as Cyber
Cyber security vs cyber resilience Essentials or ISO 27001) can give you a competitive edge.
Cyber security is concerned with securing your information assets and systems on If, however, you have no interest in implementing such formal frameworks because, for
three fronts: example, you are not contractually required to do so, our Cyber Resilience Framework
1. Confidentiality (CRF) may be a better option.
Information assets and systems should only be accessible to those who need
access to them.
2. Integrity
Information assets and systems should be complete, accurate and up to date.
3. Availability
Information assets and systems should be accessible to authorised persons,
processes and entities as and when necessary.
Cyber resilience takes the stance that even the most secure organisation can still
suffer a breach, if only because an attacker needs just one exploitable weakness to
get into your systems, while you need to protect all your assets from all types of
threat. The reality is that given enough time and resources, a determined attacker
will eventually succeed.
• The CRF has been designed to account for all the different elements of
cyber resilience, drawing on various good-practice standards.
• This process selection is also extremely flexible – you only implement the
measures that you need based on your compliance and business
requirements.
• To help you identify what processes you may need, we have mapped
them against four common sets of compliance requirements, including
the General Data Protection Regulation (GDPR) and Payment Card
Industry Data Security Standard (PCI DSS) – see Figure 1 for details.
• Should you be interested in both the CRF and more formal standards
such as ISO 27001, we have also mapped our framework against these
standards. As such, you can use the CRF to build your own framework
that is based on – or comprises – internationally recognised best-practice
standards, some of which you can achieve independently audited
certification against.
• The CRF offers further flexibility in its four maturity levels. This means
that, on top of excluding any processes you do not need, you implement
the necessary processes only to the level you require, keeping your
defences cost-effective.
IT GOVERNANCE TECHNICAL PAPER | FEBRUARY 2022 4
* This is just a small selection of reference frameworks. The full CRF covers a considerably larger set, available in The Cyber Security Handbook.
IT GOVERNANCE TECHNICAL PAPER | FEBRUARY 2022 5
Measures that protect your computer systems and information from a broad range of Key output: Defined security zones that meet the organisation’s security
malware. requirements, with appropriate technical measures (such as firewalls and demilitarised
zones (DMZs)) in place to form internal perimeters, as well as the external perimeter,
Key output: Technical and organisational measures, including anti-malware software covering the entire corporate network.
and an anti-malware policy, that protect your organisation from malware.
1.12 Comprehensive risk management programme Key output: Strategically placed sensors that collect data, which is analysed by
automated tools in real time, followed up by human input. Collected data is stored so
Identifying, assessing and responding to cyber and information security risks in a it can serve as evidence in a later investigation if needed.
structured and methodical manner, as part of a wider risk management programme.
Key output: Comprehensive and structured risk assessments conducted on a regular 3.1 Incident response management
basis.
In recognition of the risk that your preventive measures can fail no matter how strong,
you need to be able to react to and mitigate incidents effectively. To do so, you need
1.13 Supply chain risk management to take preparatory steps to have the best chance of making the right decisions when
speed is of the essence.
Steps are taken, including due diligence checks and appropriate contracts, to ensure
the entire supply chain, including physical suppliers, software vendors and Cloud Key output: An incident response team, and clear and tested incident response
service providers, is secure. plans and procedures.
Key output: Processes and checklists for checking information-sharing rules and
security responsibilities are adequate and clear, and legally enforceable. 3.2 ICT continuity management
Business-critical ICT functions should be treated like any other primary business asset,
2.1 Threat and vulnerability intelligence and be resilient in the event of disruption, with risk-appropriate measures put in place
to ensure continuity.
Receiving intelligence on threats, vulnerabilities and security measures from feeds
likely to be relevant to the organisation to keep up with the ever-changing cyber Key output: Agreed thresholds and timescales for recovering ICT functions following
landscape and help inform, in particular, advance and post-incident detection an incident, along with appropriate fallback measures.
activities.
Key output: Following relevant threat bulletins and using them as inputs for your 3.3 Business continuity management
detection activities, as well as a programme of regular vulnerability scanning and
Disruptions of varying nature and scale, both foreseeable and unexpected, inevitably
penetration testing.
occur in business. Business continuity management helps you to prepare for them,
ensuring that you can continue to operate – even if at a lower level than normal – no
2.2 Security monitoring matter what you are faced with.
The organisation’s systems and networks are continually monitored for anomalies, Key output: Business continuity plans, covering multiple broad scenarios, that are
through a combination of automated tools and human input to try to detect incidents based on objective business impact analysis and risk assessment, and have been
as quickly as possible, and continually logged so incidents can be identified and tested to ensure they work as intended and staff know what is expected of them.
investigated.
IT GOVERNANCE TECHNICAL PAPER | FEBRUARY 2022 8
4.1 Formal information security management programme 4.4 Governance structure and processes
This metaprocess, binding together and unifying the other CRF processes, entails a As the effectiveness and reliability of an organisation’s IT products and services are
structured approach to securing information assets across the organisation, taking usually of clear strategic importance to an organisation’s ability to do business,
people, processes and technologies into account. As you establish the processes and intellectual capital and ICT should be overseen by its governing body.
implement controls, you should also decide how you will measure and monitor their
performance to validate their effectiveness. Key output: Identified directors are accountable for the delivery of the organisation’s
IT products and services, and regularly evaluate, direct and monitor IT-related
Key output: A clear management structure; defined scope; roles and responsibilities; activities.
documented policies and procedures; and a strategy for measurement.
The maturity levels, which can be used to measure individual processes as well as the Fortunately, there are a range of frameworks available – including our CRF – that you
overall framework, are: can use as guidance on your path towards becoming secure and resilient. The only
question left is to decide when and where your journey will begin.
A. Non-existent
The framework/process does not exist, or it is not consistent or reliable.
B. In progress
The organisation is implementing the framework/process or has deployed it across
part of the scope.
C. Established process
The framework/process is in place and applied consistently, and may be improved
through automation or software support for consistency, repeatability and robustness.
Speak to an expert
D. Established and endorsed by top management
The framework/process is established as above and is overseen by an engaged top
management team.
Since maturity describes how well developed and integrated an activity (or framework)
is, using these levels will help you understand both how well you are protecting your
organisation and how much more you need to do to meet your security requirements.
Having consistently defined maturity levels will also make it easier to compare your
current situation against your ideal target state, giving you a clear overview of where
your biggest gaps are. In turn, that information will inform your action plan.
IT GOVERNANCE TECHNICAL PAPER | FEBRUARY 2022 10
10
The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks
This comprehensive cyber security implementation manual gives practical guidance on each
of the CRF’s processes, helping organisations become cyber resilient.
Suitable for senior directors (CEOs, CISOs, CIOs), compliance managers, privacy managers,
IT managers, security analysts and others, the book is divided into six parts:
Part 1: Introduction
The world of cyber security and the approach taken in this book.
Part 6: Conclusion and appendices. The appendices include a glossary of all the
acronyms and abbreviations used in this book. Find out more
Make sure you understand the threats and vulnerabilities your organisation faces and how
the CRF can help you tackle them. Start your journey to cyber security now – buy this book
today!
IT GOVERNANCE TECHNICAL PAPER | FEBRUARY 2022 11
11
IT Governance solutions
IT Governance is your one-stop shop for cyber security and IT governance, risk Training
management and compliance (GRC) information, books, tools, training and
consultancy. Our products and services work harmoniously together so you can use We provide a wide range of training courses, covering areas including data privacy
them individually or combine different elements depending on your needs. and the GDPR, information security and ISO 27001, cyber security and ethical hacking,
and professional certification courses such as CISA®, CISM®, CGEIT® and CRISC®.
Books Our courses range from foundation level to advanced programmes, and are available
as classroom, Live Online and self-paced online courses.
Our sister company IT Governance Publishing (ITGP) is the world’s only niche IT
governance publisher, collaborating with industry experts to produce high-quality Visit www.itgovernance.co.uk/training for more information.
publications about best-practice frameworks, compliance and technical subjects.
Consultancy
Our books cover a wide range of GRC topics, including cyber security, data privacy
and business continuity. They also come in a range of formats, including softcover, Whatever your IT GRC needs – and whatever your budget – we have consultancy
PDF, ePub, Kindle and audiobooks. options to suit you. From fixed-price packaged solutions to bespoke and corporate
consultancy services, we can help you meet your objectives efficiently and cost-
Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue. effectively.
Toolkits Our unique combination of technical expertise and practical experience managing
hundreds of projects around the world means we can deliver a complete solution,
Created by expert practitioners and used by more than 9,000 organisations managing your project from start to finish.
worldwide, our toolkits contain fully customisable documentation templates designed
to help you meet your compliance obligations. They cover ISO 27001, the GDPR and Visit www.itgovernance.co.uk/consulting for more information.
DPA 2018, Cyber Essentials, the PCI DSS, ISO 22301, and more.
Software
Each toolkit is hosted on our Cloud-based DocumentKits platform, enabling us to
regularly update them. They also come with unlimited support for account setup and Our sister company Vigilant Software develops industry-leading software tools
assistance to help you customise and use the templates. designed to make meeting your cyber security obligations and complying with data
privacy laws simple and affordable.
Visit www.itgovernance.co.uk/documentation-toolkits to view and take a free trial of
our toolkits. The CyberComply platform comprises five Cloud-based tools: the Data Flow Mapping
Tool, vsRisk, GDPR Manager, the DPIA Tool and Compliance Manager.
IT Governance Ltd
@ITGovernance
/it-governance
@ITGovernanceLtd
© 2003–2022 GRC International Group PLC | Acknowledgement of Copyrights | GRC International Group Trademark Ownership Notification
IT GOVERNANCE TECHNICAL PAPER | FEBRUARY 2022 14
Endnotes
1
IT Governance, “IT Governance releases its Cyber Resilience Framework to help organisations stay ahead of cyber risks”, February 2019,
https://www.itgovernance.co.uk/media/press-releases/it-governance-releases-its-cyber-resilience-framew.