ABSTRACT

Existing resilience management and assessment frameworks for Critical Infrastructure (CI), as well as resilience indicator indexes, define categories and methodologies that provide useful conceptual models. However, there is a lack of specific guidance on how to implement such conceptual models in practice, guidance that would enable stakeholders to conduct assessment, auditing, and consulting initiatives in a consistent manner. In this paper, we use an existing CI resilience management framework (based on the ISO 31000 risk management process) and present guidance for implementing such a framework, based on generalized COBIT 5 best practice. This is done by illustrative demonstration with a defined risk scenario that includes Information and Communications Technology (ICT) aspects, using a specific process from an existing CI resilience assessment framework.