About the Cyber Recovery Authority

The Cyber Recovery Authority (CRA) defines, maintains, and governs standards for cyber-recovery-ready institutions – ensuring that organisations can rebuild trust after a systemic cyber compromise.

CRA in brief

  • Independent standards body
  • Architecture-first approach to recovery
  • Focus on trust, not just uptime
  • Transparent versioning and evolution

1. Purpose and mandate

CRA exists to define how institutions recover from systemic compromise – when production, DR, and continuity environments can no longer be trusted. CRA establishes the reference architecture, operating practices, and assessment models required to ensure that recovery is repeatable, evidence-driven, and secure.

1.1 Why CRA exists

  • Systemic cyber incidents increasingly render DR environments compromised or unsafe.
  • Institutions require clear, authoritative standards for sterile rebuild, data promotion, and trust re-establishment.
  • No single global body formally governs cyber recovery principles today – CRA fills that gap.

1.2 What CRA provides

  • CRA Architecture – a reference model for recovery-ready environments.
  • CRABoK – a body of knowledge describing practical patterns and playbooks.
  • Maturity Model – a structured assessment framework.
  • Certification (future) – alignment with practitioner and organisational assessment.

2. Scope and boundaries

CRA is explicitly focused on cyber recovery – not traditional disaster recovery, continuity planning, or general cybersecurity frameworks.

In scope

  • Sterile recovery site architecture
  • Immutable data vaulting and airlock processes
  • Identity and platform rebuild patterns
  • Recovery exercises and evidence gathering
  • Assessment and maturity criteria

Adjacent but not primary scope

  • Traditional DR and continuity plans
  • Breach detection and threat hunting
  • Business continuity documentation
  • General cybersecurity frameworks (e.g. NIST CSF)

Out of scope

  • Vendor-specific configuration guidance
  • Commercial product selection
  • Prescribing regulatory requirements (CRA supports regulators; it does not impose regulation)

3. Governance and versioning

CRA standards follow a transparent, structured governance model designed to ensure credibility, independence, and consistency across versions.

3.1 Governance principles

  • Independence: CRA is vendor-neutral and technology-agnostic.
  • Transparency: changes are documented and versioned publicly.
  • Stability: each major version remains stable for the life of the standard.
  • Consultation: feedback is welcomed from industry, academia, and regulators.

3.2 Versioning model

  • Major versions (e.g. 1.0 → 2.0): structural changes to the architecture or maturity framework.
  • Minor versions (e.g. 1.0 → 1.1): refinements to patterns or wording.
  • Annexes: domain- or sector-specific extensions published independently of core versions.

Change control

Proposed changes to CRA Architecture, CRABoK, and the Maturity Model are evaluated against impact, clarity, backwards compatibility, and alignment with industry experience before inclusion in a release.

4. Participation and contribution

CRA encourages constructive input from organisations, regulators, academics, and practitioners with relevant expertise in cyber recovery, operational resilience, and large-scale system rebuild.

4.1 Who can contribute?

  • Financial institutions and critical infrastructure operators
  • Regulators and supervisory bodies
  • Incident responders and recovery specialists
  • Academics and standards bodies
  • Vendors (subject to neutrality requirements)

4.2 How contribution works

  • Feedback may be submitted directly to CRA for review and potential inclusion in future versions.
  • CRA may periodically open structured consultation windows for major version changes.
  • Contributors may be acknowledged in release notes.

5. Roadmap

CRA publishes a roadmap for upcoming standards and updates to ensure clarity and predictability for adopters.

Planned areas of development

  • CRA Architecture v1.1 refinement
  • CRABoK pattern library expansion
  • Maturity Model scoring guidance
  • Certification scheme framework (v0.1)
  • Sector annexes for financial services and FMIs

6. Contact

CRA welcomes constructive input and engagement from the community. Enquiries can be directed through official channels as they become available.

Contact details

For now, please refer to the CRA GitHub repository for updates and contribution guidance: CRA GitHub (coming soon)