BS 31111:2018 Cyber risk and resilience - Guidance for the governing body and executive management
What is this standard about?
Organisations need to protect themselves and their stakeholders from the consequences of cyber-related failures and errors as well as malicious cyberattacks.
At the same time, there’s an increasing need for organisations to demonstrate to stakeholders that their operations and processes are protected, particularly since organisations are now held accountable by regulation and society in general.
This standard therefore exists to improve top management’s strategic understanding of the risks associated with IT activities and support decision making that ensures good cyber resilience.
Who is this standard for?
This standard is written in user-friendly, non-technical language for all types and sizes of organisation. However, it’s particularly targeted at:
- Governing bodies
- Executive management
- Risk management professionals
- Information technology professionals
Why should you use this standard?
It provides good practice for boards, senior executives and risk managers on cyber risk management by describing what cyber risk is and how to identify, assess, and mitigate these risks within the organisation’s overall risk management framework.
It provides strategic insight and guidance on where to focus to ensure that cyber resilience is built in across all levels and functions of the organisation.
It provides management with an improved business understanding of the risks associated with information technology activities and supports effective decision-making.
It also helps the organisation demonstrate to external stakeholders and interested parties that its cyber security provisions are effective, resilient and mature.
A key factor is that cyber risk is not limited to the IT department but impacts the entire organisation. So the standard is applicable to all subject areas, focusing on risk, resilience and information security rather than just on technology aspects.