CRA Body of Knowledge (CRABoK)

Practical patterns, playbooks, and operating practices that bring CRA Architecture to life – from governance and identity rebuild procedures to forensic airlock operations and recovery exercises.

View structure Explore practice domains

What is CRABoK?

CRABoK is the curated body of knowledge for cyber recovery ready institutions. It turns the reference architecture into repeatable ways of working, regardless of vendor tooling.

1. Purpose and role

Where CRA Architecture defines the target state, CRABoK describes how real organisations move towards it – the operating practices, patterns, and artefacts needed to make a recovery-ready posture real.

1.1 Objectives

  • Provide a catalogue of patterns and playbooks aligned to CRA Architecture v1.0 and beyond.
  • Help institutions translate regulatory expectations into concrete operating models.
  • Support training, certification, and assurance activities with a stable reference.

1.2 What CRABoK is not

  • Not a product manual or configuration guide for any specific vendor.
  • Not a replacement for internal policies, standards, or local regulatory requirements.
  • Not a one-off document – it is designed to be versioned and iterated over time.

2. Structure of CRABoK

CRABoK is organised around a set of practice domains that map to the CRA reference architecture and typical lines of responsibility inside an institution.

Foundations

  • Recovery governance and accountability
  • Risk appetite and recovery objectives
  • Policy alignment and control mapping

Technology & data

  • Sterile recovery site design & operation
  • Vaulting, immutable storage, and airlock pipelines
  • Identity and platform rebuild procedures

Operations & assurance

  • Runbooks, playbooks, and exercise design
  • Monitoring, logging, and evidence capture
  • Metrics and maturity measurement

Artifacts and pattern types

  • Reference patterns: repeatable designs aligned to CRA Architecture (e.g. “forensic airlock operating pattern”).
  • Playbooks: stepwise procedures for specific recovery activities.
  • Templates: example diagrams, RACI matrices, runbooks, and evidence packs.

3. Practice domains

CRABoK is grouped into domains that mirror how work is actually owned inside large institutions. Each domain contains patterns, playbooks, and artefacts at different maturity levels.

3.1 Governance and oversight

  • Board and executive responsibilities for recovery posture
  • Decision rights for invocation, cutover, and rollback
  • Alignment with enterprise risk, operational resilience, and crisis management frameworks

3.2 Architecture & engineering

  • Application of CRA Architecture to local estates
  • Reference designs for vaults, clean sites, and admin zones
  • Integration with CI/CD, infrastructure-as-code, and platform teams

3.3 Identity & platforms

  • Rebuild procedures for identity platforms (e.g. AD)
  • Patterns for “minimum viable platform” to stand up critical services
  • Segregation of production and recovery administration functions

3.4 Data & applications

  • Backup, vaulting, and promotion of “known-good” data into the clean site
  • Application-specific recovery patterns (e.g. core banking vs. market infrastructure)
  • Data validation and reconciliation approaches

3.5 Operations & exercises

  • Exercise design: scope, frequency, realism
  • Operational runbooks and communication flows
  • Evidence collection for regulators and internal assurance

3.6 Third parties & dependencies

  • Cloud and service provider recovery expectations
  • Data centre, network, and telco dependencies
  • How CRA principles apply to critical third-party relationships

4. Relationship to CRA Architecture, maturity, and certification

CRABoK is designed to be the shared reference point for how the CRA family fits together: standards, maturity, and skills.

Architecture

  • CRABoK patterns are explicitly mapped back to elements of CRA Architecture v1.0.
  • Each zone, plane, and trust boundary has corresponding operating guidance.

Maturity model

  • Maturity criteria are expressed in terms of CRABoK patterns implemented and exercised.
  • Institutions can evidence progress by reference to CRABoK artefacts.

Certification

  • Individual certification curricula are drawn from CRABoK domains.
  • Organisational certification assesses adoption of CRABoK practices.

5. Versioning and evolution

CRABoK will evolve alongside CRA Architecture and industry practice, with a transparent versioning and change-management process.

How CRABoK will evolve

  • Incremental releases aligned to architecture versions (e.g. CRABoK 1.x aligned to Architecture 1.x).
  • Sector-specific annexes (e.g. financial market infrastructures, retail banking) where needed.
  • Open feedback channels from practitioners, vendors, and supervisors to refine patterns.