GRCWatch
Sign inStart free trial

ID.BE-5: Service Resilience Requirements

Service resilience isn't optional—it's the difference between brief disruption and catastrophic failure. NIST ID.BE-5 requires you to define how critical services will function under attack, during recovery, and in normal conditions. This control ensures your organization can sustain operations when it matters most.

What this means

This control mandates that you establish documented resilience requirements for all critical services across three operational states: normal operations, degraded/under-attack conditions, and recovery scenarios. Rather than hoping your systems survive an incident, ID.BE-5 requires you to intentionally design, test, and validate that critical services remain available or recover quickly under adverse conditions.

How to comply

  1. 1.Identify all services critical to business continuity and revenue generation
  2. 2.Document resilience requirements for each service (availability targets, recovery time objectives, recovery point objectives)
  3. 3.Define acceptable service degradation thresholds during attacks or failures
  4. 4.Map dependencies between critical services to understand cascade risks
  5. 5.Establish recovery procedures and test them annually or after significant changes
  6. 6.Monitor service health metrics in real-time and trigger automated failover where applicable
  7. 7.Review and update resilience requirements when business operations, threat landscape, or technology change

Evidence auditors look for

  • Critical service inventory with resilience requirements documented and approved by business owners
  • RTO/RPO targets for each critical service classified by impact level
  • Disaster recovery and business continuity plans tested and validated within the past 12 months
  • Service architecture diagrams showing redundancy, failover mechanisms, and backup systems
  • Incident response logs demonstrating service recovery during simulated or actual incidents
  • Monitoring dashboards and alerting rules configured for critical service health
  • Change management records showing updates to resilience requirements following business changes

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the tracking and evidence collection for ID.BE-5 by maintaining your critical service registry, documenting RTO/RPO targets per service, scheduling and tracking resilience test results, and flagging when plans haven't been validated—eliminating the spreadsheet chaos and ensuring auditors see proof of continuous validation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ID.BE-1 (Business Model and Strategy)ID.BE-2 (Supply Chain Roles and Responsibilities)ID.BE-3 (Resilience and Recovery Planning)ID.BE-4 (Stakeholder Communication)RC.CO-1 (Recovery Plan Execution)