ISO IEC 27031-2011 PDF

St ISO IEC 27031-2011

Name in English:
St ISO IEC 27031-2011

Name in Russian:
Ст ISO IEC 27031-2011

Description in English:

Original standard ISO IEC 27031-2011, full version in PDF. Additional information and a preview are available on request.

Description in Russian:
Original standard ISO IEC 27031-2011, full version in PDF. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25979

Full title and description

ISO/IEC 27031:2011 — Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity. The standard describes concepts and principles for ICT readiness for business continuity and provides a framework of methods and processes to identify, specify and measure aspects (performance criteria, design and implementation) needed to ensure ICT can support business operations during disruptive events.

Abstract

ISO/IEC 27031:2011 sets out guidance (non-certifiable) to help organizations develop an ICT Readiness for Business Continuity (IRBC) program that aligns ICT services and infrastructure with business continuity needs. It covers identification of readiness requirements, design and implementation of ICT continuity measures, and performance measurement that correlates to business continuity objectives.

General information

  • Status: Withdrawn / superseded (replaced by ISO/IEC 27031:2025).
  • Publication date: 1 March 2011.
  • Publisher: Joint publication by ISO and IEC (ISO/IEC JTC 1/SC 27).
  • ICS / categories: 35.030 (Information technology — IT security techniques).
  • Edition / version: Edition 1.0 (2011).
  • Number of pages: 36 pages.

Key bibliographic and lifecycle details (publication date, edition, pages and withdrawal/revision information) are recorded in the ISO and IEC catalogues.

Scope

The standard applies to any organisation (private, governmental or non‑governmental, of any size) developing an ICT Readiness for Business Continuity (IRBC) programme. Its scope encompasses all events and incidents — including security‑related incidents — that could impact ICT infrastructure and systems. It extends practices for information security incident handling and ICT readiness planning so ICT can support the continuity of critical business functions.

Key topics and requirements

  • Concepts and principles for ICT readiness for business continuity (IRBC) — definition of objectives and roles.
  • Framework of processes for planning, implementing, operating, monitoring and improving ICT readiness (PDCA‑style approach).
  • Identification and specification of ICT performance criteria, design and implementation requirements to meet business continuity objectives.
  • Guidance on measuring ICT readiness and performance parameters that correlate with business continuity outcomes.
  • Integration and alignment of ICT readiness with organizational business continuity management and information security management (complementary to ISO/IEC 27001 and ISO 22301).
  • Recommendations for handling ICT incidents and dependencies (including third‑party services and cloud dependencies) as part of continuity planning.

These topics are guidance‑oriented; ISO/IEC 27031:2011 does not define certification requirements but is intended to be used alongside certifiable management system standards where applicable.

Typical use and users

Typical users include IT continuity and operations managers, business continuity managers, CISOs and information security teams, resilience and risk professionals, auditors and consultants, and organisations that rely on ICT for critical services (including cloud and service providers). The standard is used to design ICT continuity measures, assess ICT readiness, map ICT capabilities to business impact and recovery objectives, and align ICT planning with enterprise BCM.

Related standards

ISO/IEC 27031 sits in the wider ISO/IEC 27000 family and complements ISO/IEC 27001 (information security management) and ISO 22301 (business continuity management). Historical and related documents include national BCM guidance and prior ICT continuity guidance (for example BS 25777); the 2011 edition has been revised and replaced by ISO/IEC 27031:2025. Organisations typically use 27031 alongside ISO/IEC 27002, ISO/IEC 27032 and ISO 22313 when integrating ICT readiness with security and BCM practices.

Keywords

ICT readiness, business continuity, ICT continuity, information security, IRBC, resilience, recovery objectives, incident handling, continuity planning, third‑party dependencies.

FAQ

Q: What is this standard?

A: ISO/IEC 27031:2011 is an international guidance standard that provides principles and a process framework for ensuring information and communication technology (ICT) is ready to support business continuity. It is guidance (not a certification standard).

Q: What does it cover?

A: It covers planning, design, implementation and measurement of ICT readiness for business continuity, including ICT performance criteria, incident handling considerations and integration with overall business continuity management. It addresses events and incidents (including security incidents) that could affect ICT services.

Q: Who typically uses it?

A: IT and continuity professionals, CISOs, resilience teams, consultants and organisations relying on ICT for critical operations — anyone responsible for aligning ICT capabilities with business continuity objectives.

Q: Is it current or superseded?

A: The 2011 edition has been withdrawn and superseded by a revised edition published in 2025 (ISO/IEC 27031:2025). The 2011 document should be treated as superseded; users should migrate to and apply the 2025 edition for the latest guidance.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family of information security standards and is intended to be used alongside standards such as ISO/IEC 27001 and ISO 22301 for comprehensive security and business continuity management.

Q: What are the key keywords?

A: ICT readiness, ICT continuity, business continuity, information security, resilience, IRBC, incident management, recovery objectives.