About the Cyber Recovery Authority
The Cyber Recovery Authority (CRA) exists to define a clear, independent standard for cyber-resilient recovery. How institutions rebuild trustworthy environments after a systemic compromise, when production, DR, and continuity platforms can no longer be assumed clean.
What CRA provides
CRA brings together architecture, guidance, and assessment into a single, coherent view of cyber recovery readiness.
CRA Architecture
Reference models for sterile-first, non-persistent recovery environments that separate backup, control, and recovery planes and avoid shared blast-radius assumptions.
Body of Knowledge (CRABoK)
Patterns, practices, and playbooks for designing, operating, and validating cyber recovery capabilities in real institutions and regulated environments.
Maturity Model
A structured way to assess organisational readiness across architecture, process, evidence, and testing, moving beyond simple “backup present” checks.
Certification (in development)
A future path for practitioners and organisations to demonstrate alignment with CRA principles and reference patterns through assessment and evidence.
Why CRA exists
Most recovery planning still assumes trusted infrastructure, identities, and automation. Modern cyber incidents break those assumptions.
The gap
Traditional disaster recovery focuses on availability and failover. It rarely addresses compromised control planes, poisoned automation, or untrusted identities across primary and DR.
CRA’s role
CRA is intended to bridge that gap, treating recovery as a security discipline in its own right, with clear architecture patterns, maturity expectations, and evidence requirements.
Who is behind CRA
CRA is an independent initiative led by practitioners with experience in large-scale financial infrastructure, cyber recovery architecture, and operational resilience.
Practitioner-led
CRA grows out of practical work on backup, vaulting, clean-zone recovery, and regulatory engagement in highly regulated environments rather than purely theoretical models or vendor marketing.
Advisory and governance
As CRA evolves, details of the advisory group and governance model will be published alongside the architecture, maturity, and certification materials.