Cybersecurity Resilience (Domain 3)
Domain 3: embedding cybersecurity into business continuity so services survive a cyber incident.
3 Cybersecurity Resilience tap to learn what this means 1 subdomains · 4 controls
is the ability to keep services running, and recover quickly, when something goes wrong.
In ECCIn , Domain 3 embeds cybersecurity into ; a cyber is treated as a continuity event, so plans, and the security themselves, survive disruption.
How do controls actually work?
A control is just a safeguard that lowers a risk. You reduce risk by putting the right set of controls in place, and almost every ECC control follows the same three steps:
- Policy Write the rule down and get leadership to approve it. This is the foundation, nearly everything starts here.
- Implement Put it into practice: the secure configuration, technical settings and standards that enforce the rule.
- Review Check on a schedule (an audit) that it is actually done and working, and fix what is not.
A policy with no implementation is just paper; implementation with no review quietly rots. Each control below is tagged with the step it belongs to.
-
3-1 Cybersecurity Resilience Aspects of Business Continuity Management (BCM) 4
What it isMaking cybersecurity a built-in part of , so services ; and the security themselves ; survive a disruption.
Why you need itA cyber attack can take the business down. If continuity planning ignores cyber, recovery plans fail exactly when you need them.
How to establish itEnsure cybersecurity systems keep running during disruption, build cyber- response into continuity plans, and develop and test plans.
The controls, what to implement 4- Policy 3-1-1
Put a in place; write the rules for aspects of and get leadership to formally approve them.
- Implement 3-1-2
Turn the into practice; apply the aspects of rules across the organisation (configure systems, follow ).
- Requirements 3-1-3
At a minimum: keep cybersecurity systems and running during disruption; build response plans for cyber that could hit ; and develop plans.
- Review 3-1-4
On a regular schedule, check (an ) that aspects of is still being done and is working.
Show the official ECC wording
Objective. To ensure the inclusion of cybersecurity resilience requirements in the entity's business continuity management and remediate and minimize the impacts of disruptions on the entity's critical e-services and information processing systems and facilities caused by cyber risks.
- 3-1-1 Cybersecurity requirements for business continuity management within the entity shall be identified, documented, and approved.
- 3-1-2 Cybersecurity requirements for business continuity management within the entity shall be implemented.
- 3-1-3 Cybersecurity requirements for business continuity management within the entity shall include the following as a minimum: 3.1.3.1 Ensuring the continuity of cybersecurity systems and procedures. 3.1.3.2 Developing plans for response to cybersecurity incidents that may affect the entity's business continuity. 3.1.3.3 Developing disaster recovery plans.
- 3-1-4 Cybersecurity requirements for business continuity management within the entity shall be periodically reviewed. Third-Party and Cloud Computing Cybersecurity
-
The smallest domain, a single subdomain (3-1), but a sharp idea: cybersecurity must be built into Business Continuity Management, not bolted on. A cyber incident is treated as a continuity event, so cyber scenarios appear in continuity planning, the cybersecurity systems themselves have continuity arrangements, and disaster-recovery plans explicitly handle cyber disruption, then get tested.
Trap: resilience is not the same as Backup and Recovery (2-9). Backups restore data; resilience keeps the business service running and ensures the security controls survive the disruption too.