ANALYSIS OF METHODS AND STANDARDS FOR MANAGING CYBER RESILIENCE OF INFORMATION RESOURCES

DOI: 10.31673/2409-7292.2026.010656


Abstract

A comprehensive analysis of modern international standards and applied methodologies for assessing the cyber resilience of information resources (IR) was conducted. It was determined that the theoretical basis for building cyber resilience systems is formed by ISO/IEC 27001 (information security management systems), ISO/IEC 27031 (ICT readiness for business continuity) and the NIST special publications (Framework for Improving Critical Infrastructure Cybersecurity, SP 800-160), which together form a systemic approach integrating preventive security management, incident recovery and systems engineering principles. A comparative analysis of five leading assessment frameworks was conducted: Cyber Resilience Review (CRR), Cyber Assessment Framework (CAF), Cyber Resilience Assessment Framework (C-RAF), Cyber Resilience Index (CRI) and the IT Governance Framework. Five criteria were used for the comparison: the presence of a numerical (index) expression of resilience, the focus of the assessment (qualitative maturity or quantitative indicators), the dynamics of the assessment (static audit or testing), the data sources used, and whether the adequacy of those data is considered. Differences between the existing approaches were identified. It was found that qualitative models (CRR, CAF) focus on assessing the maturity of processes ("paper resilience"), while quantitative models (CRI) are based on time metrics (MTTD, MTTR) but often ignore the organizational context. The C-RAF experience in implementing dynamic testing (iCAST) is noted separately; it is, however, narrowly industry-specific. The key result of the study is the identification of a critical scientific gap: existing models lack mechanisms for verifying the adequacy, completeness and reliability of input data. The need to develop a mechanism that combines quantitative architectural metrics with an assessment of process maturity and an input-data adequacy coefficient is substantiated.

Keywords: cybersecurity, cyber resilience, cyber-attack, cyber resilience assessment, NIST CSF, ISO 27001, C-RAF, data adequacy, model, method, methodology, standard, information security, cyber resilience assessment mechanism.
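As an added illustration (not from the paper) of the input-data adequacy gap the abstract raises for time-metric models such as CRI: MTTD and MTTR are computed over constructed incident records, records with a missing timestamp or an inconsistent event order are excluded, and an adequacy ratio is reported beside the metrics so that a figure built on few usable records is visibly weak. The `Incident` layout, the metric definitions (MTTD = occurred to detected, MTTR = detected to recovered) and the adequacy ratio are assumptions of this example, not the paper's definitions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    ident: str
    occurred: datetime
    detected: Optional[datetime]   # None: detection time was never recorded
    recovered: Optional[datetime]  # None: recovery time was never recorded


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records (not from the paper); two are defective on purpose.
INCIDENTS = [
    Incident("inc-1", _ts("2026-01-10 08:00"), _ts("2026-01-10 10:00"), _ts("2026-01-10 16:00")),
    Incident("inc-2", _ts("2026-01-12 00:00"), _ts("2026-01-12 12:00"), _ts("2026-01-13 00:00")),
    Incident("inc-3", _ts("2026-01-15 06:00"), None, _ts("2026-01-15 09:00")),  # detection never logged
    Incident("inc-4", _ts("2026-01-18 14:00"), _ts("2026-01-18 18:00"), _ts("2026-01-18 15:00")),  # recovered before detected
    Incident("inc-5", _ts("2026-01-20 09:00"), _ts("2026-01-20 10:00"), _ts("2026-01-20 13:00")),
]


def usable(inc: Incident) -> bool:
    """A record counts only if both timestamps exist and occurred <= detected <= recovered holds."""
    return (inc.detected is not None and inc.recovered is not None
            and inc.occurred <= inc.detected <= inc.recovered)


def time_metrics(incidents: list) -> dict:
    """MTTD and MTTR in hours over usable records, plus a hypothetical adequacy ratio
    (usable records / all records) that exposes how much of the input the metrics rest on."""
    good = [i for i in incidents if usable(i)]
    hours = lambda delta: delta.total_seconds() / 3600
    return {
        "mttd_h": mean(hours(i.detected - i.occurred) for i in good) if good else None,
        "mttr_h": mean(hours(i.recovered - i.detected) for i in good) if good else None,
        "usable": len(good),
        "total": len(incidents),
        "adequacy": len(good) / len(incidents) if incidents else 0.0,
    }


if __name__ == "__main__":
    print(time_metrics(INCIDENTS))  # 3 of 5 records usable: MTTD 5.0 h, MTTR 7.0 h, adequacy 0.6
```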


Published

2026-04-08

Section

Articles